Question 1mediummultiple choice
Full question →mediummultiple choiceObjective-mapped
Your company has an application running on Azure Virtual Machines that needs to access secrets in Azure Key Vault. You want to restrict network access to the Key Vault so that only the virtual network/subnet containing the VMs can reach it. You also want to ensure that the solution works with the least management overhead. Which configuration should you use?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Distractor review
Configure Key Vault firewall with IP-based rules that allow the VM's public IP address.
IP rules rely on public IP addresses, which may change and are less secure. It also does not leverage the virtual network boundary.
B
Distractor review
Configure a Private Endpoint for the Key Vault in the same virtual network as the VMs.
Private Endpoint provides a private IP from the VNet, but it requires setting up Private DNS zones and has more complexity than service endpoints for this simple scenario.
C
Best answer
Configure Key Vault firewall to allow access from the virtual network and subnet using service endpoints.
Enabling service endpoints on the subnet and adding the VNet/Subnet to the Key Vault firewall rules restricts traffic to only that subnet. It is easy to configure and provides secure network isolation.
D
Distractor review
Use a shared access signature (SAS) to access Key Vault secrets.
SAS tokens are used for Azure Storage, not for Key Vault. Key Vault uses Microsoft Entra ID authentication and access policies or RBAC.
Common exam trap
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
How to think about this question
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
KKey Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
TExam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
Related practice questions
Related AZ-204 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
An application stores customer invoices in Azure Blob Storage. Deleted blobs must be recoverable for 14 days. What should be enabled?
Question 2
You are deploying a containerized application to Azure Container Instances. The application requires a custom domain name and SSL/TLS termination. You need to configure these features. Which resource should you create alongside the container group?
Question 3
A developer needs to run a Kusto query against application request data to identify 95th percentile latency by operation. Where should the query be run? The architecture review board prefers a managed AWS-native control.
Question 4
You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?
Question 5
You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function uses a Service Bus queue trigger and runs on a Consumption Plan. The queue receives a high volume of messages in bursts. You need to ensure that the function scales out to handle the load but does not exceed 10 concurrent instances. Which configuration should you apply?
Question 6
You are monitoring an Azure App Service using Application Insights. You notice that the server response time is high for certain requests. You need to drill down to see which external dependencies (like databases or APIs) are causing the delay. Which Application Insights feature should you use?
FAQ
Questions learners often ask
What does this AZ-204 question test?
CIDR notation defines the prefix length.
What is the correct answer to this question?
The correct answer is: Configure Key Vault firewall to allow access from the virtual network and subnet using service endpoints. — Azure Key Vault's firewall supports virtual network service endpoints, allowing you to restrict access to specific VNets and subnets without exposing a public IP address. This is straightforward to configure directly on the Key Vault networking blade. Private Endpoint (B) is also an option but adds more complexity (Private DNS zones, etc.). IP-based rules (A) would require managing the VM's public IP, which is less secure and more overhead. Shared Access Signatures (D) are used for storage, not Key Vault.
What should I do if I get this AZ-204 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.