Your company uses Azure Blob Storage to store sensitive documents. You need to prevent data exfiltration by ensuring that all access to the storage account is through Microsoft's private network. What should you configure?
Traffic goes through Private Link, staying on Microsoft network.
Why this answer
Option C is correct because Azure Private Link with Private Endpoint ensures that traffic to the storage account stays within the Microsoft backbone network. Service endpoints also keep traffic on the Azure backbone but do not prevent exfiltration if the storage account is exposed to the internet. Option A is wrong because service endpoints do not block internet access.
Option B is wrong because firewall rules only restrict IPs, but traffic may still leave Azure backbone. Option D is wrong because network security groups (NSGs) are for subnets, not storage accounts.