Quick Answer
The answer is Azure Private Link, configured with a private endpoint. This is correct because a private endpoint assigns a private IP address from your virtual network directly to the Azure Blob Storage account, ensuring all traffic between the VNet and storage stays within the Microsoft backbone network and never traverses the public internet. For the on-premises requirement, a Site-to-Site VPN connection that terminates in the same VNet can reach the private endpoint, keeping the storage account accessible without exposing it publicly. On the AZ-900 exam, this question tests your understanding of how Private Link enforces network isolation for PaaS services, often appearing as a scenario where you must choose between Service Endpoints (which still use Microsoft’s backbone but are less secure) and Private Endpoints. A common trap is selecting Service Endpoints, but remember: Private Endpoints give the resource its own private IP inside your VNet. Memory tip: “Private IP = Private Link” — if the policy says “never traverse the public internet,” think private endpoint.
AZ-900 Describe Azure architecture and services Practice Question
This AZ-900 practice question tests your understanding of the "Describe Azure architecture and services" exam domain. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company stores sensitive customer data in an Azure Blob Storage account. The company's security policy requires that all data traffic between the virtual network (VNet) and the storage account must never traverse the public internet. Additionally, the storage account must remain accessible from an on-premises data center through a Site-to-Site VPN connection. Which Azure feature should the company configure on the storage account?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "never"
Why it matters: Absolute qualifier. True only if the statement has zero exceptions — be cautious of options that seem obvious but break down in edge cases.
Correct answer & explanation
Azure Private Link (using a private endpoint)
Azure Private Link with a private endpoint is correct because it assigns a private IP address from the VNet to the storage account, ensuring all traffic between the VNet and the storage account stays within the Microsoft Azure backbone network and never traverses the public internet. Additionally, the storage account can still be accessed from an on-premises data center via a Site-to-Site VPN connection that terminates in the same VNet, as the private endpoint is reachable over the VPN.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ Azure service endpoints
  Why it's wrong here: Service endpoints extend the VNet identity to Azure services, but traffic still reaches the public endpoint of the storage account. While service endpoints keep traffic on the Microsoft backbone, they do not provide a private IP address; the storage account remains accessible via its public IP address, which is not desired when the policy explicitly forbids any traffic traversing the public internet. Additionally, service endpoints do not natively support on-premises access to the storage account via a Site-to-Site VPN without additional configuration.
- ✓ Azure Private Link (using a private endpoint)
  Why this is correct: A private endpoint creates a network interface with a private IP address in the VNet. Traffic to the storage account goes over the Microsoft backbone without ever leaving the VNet or touching the public internet. Because the storage account appears inside the VNet, on-premises access via Site-to-Site VPN is naturally possible. This meets both requirements.
  Clue confirmation: The clue word "never" in the question points toward this answer.
  Related concept: Read the scenario before looking for a memorised answer.
- ✗ Azure VPN Gateway connection to the storage account
  Why it's wrong here: An Azure VPN Gateway provides encrypted connectivity between on-premises and an Azure VNet. However, it does not secure the storage account itself. Without a private endpoint, the storage account still uses a public endpoint, and traffic from the VNet to the storage account would leave the VNet over the public internet (or via Microsoft backbone if service endpoints are configured).
- ✗ Azure route tables
  Why it's wrong here: Route tables control custom routing within a VNet. While they can force traffic to use a specific next hop (e.g., a firewall or VPN appliance), they cannot change the fact that the storage account's public endpoint is reachable over the internet. Route tables do not provide private connectivity to Azure PaaS services.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse Azure service endpoints with private endpoints, thinking both provide the same level of isolation, but service endpoints still expose the public endpoint and do not guarantee that traffic from on-premises over a VPN stays off the public internet.
Detailed technical explanation
How to think about this question
Azure Private Link uses a private endpoint, which is a network interface with a private IP from the VNet, and traffic is sent over the Microsoft backbone using the Azure Private Link service, which leverages the Microsoft peering infrastructure. This ensures that even if the storage account's public endpoint is disabled, the private endpoint remains accessible, and on-premises traffic routed through a VPN gateway into the VNet can reach it without ever leaving Azure's network. A common subtlety is that the private endpoint must be in the same region as the storage account, and DNS resolution must be configured to resolve the storage account's FQDN to the private IP.
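The DNS requirement above is where private endpoint deployments most often fail silently, so here is an added check (not part of the original page) that classifies how a storage FQDN resolved from a given vantage point. It assumes you have already collected the CNAME chain and A records (for example with `nslookup`); the account name `contosodata`, the vantage-point labels and all addresses are constructed sample data.

```python
import ipaddress

# Zone that Azure aliases a blob FQDN into once a private endpoint exists.
PRIVATELINK_ZONE = "privatelink.blob.core.windows.net"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_resolution(cname_chain, addresses):
    """Return a verdict for one DNS lookup of <account>.blob.core.windows.net."""
    if not addresses:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addresses]
    all_private = all(any(ip in net for net in RFC1918) for ip in ips)
    via_privatelink = any(
        name.rstrip(".").lower().endswith("." + PRIVATELINK_ZONE)
        for name in cname_chain
    )
    if via_privatelink and all_private:
        return "private-endpoint"
    if via_privatelink:
        # A private endpoint exists, but this resolver is not using the
        # private DNS zone, so clients here still reach the public endpoint.
        return "privatelink-cname-but-public-ip"
    if all_private:
        return "private-ip-without-privatelink"
    return "public-endpoint"

def audit(observations):
    """Map each vantage point to its verdict."""
    return {where: classify_resolution(chain, addrs)
            for where, (chain, addrs) in observations.items()}

# Constructed lookups of contosodata.blob.core.windows.net (hypothetical account).
SAMPLE = {
    "vnet-vm": (["contosodata.privatelink.blob.core.windows.net"],
                ["10.1.0.5"]),
    "on-prem-default-dns": (["contosodata.privatelink.blob.core.windows.net",
                             "blob.example01.store.core.windows.net"],
                            ["203.0.113.10"]),
    "no-private-endpoint": (["blob.example01.store.core.windows.net"],
                            ["203.0.113.10"]),
}

if __name__ == "__main__":
    for where, verdict in audit(SAMPLE).items():
        print(f"{where}: {verdict}")
```

The middle case is the one to watch for on-premises clients: the VPN path to the private endpoint exists, but without DNS forwarding to the private zone the name still resolves to the public endpoint.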
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 11, 2026
This AZ-900 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-900 exam.