Exam AZ-104 topic 3 question 16 discussion

A,C IS THE CORRECT ANSWER

Too many mixed answers here. Decided to spend hours reading MS Docs! K, let's settle this one once and for all. Technically all answers are correct, however you can only choose 2. So here we go: B, C, D depends on A. And B is selected by default btw (once you do A). E has to be done for the disk to be used by VM1. So the correct answer is A and E. A which will cover B C D. And E as explained above. Hope this helps!

A and C are correct. But D is not incorrect. Its the third step. I believe either combination will be correct since the question did not ask for a sequence

Correct: AC A. From the Networking blade of account1, select Selected networks. This action restricts access to the storage account to only the specified networks or IP ranges, meeting the requirement to prevent all other access. B. From the Networking blade of account1, select Allow trusted Microsoft services to access this storage account. While this enables trusted Microsoft services to access the account, it is not required for this scenario, as VM1 is in the same subscription. C. From the Networking blade of account1, add the 131.107.1.0/24 IP address range. This allows the on-premises network to upload the disk files. D. From the Networking blade of account1, add VNet1. This is unnecessary if a service endpoint is used for VNet1 to access the storage account. E. From the Service endpoints blade of VNet1, add a service endpoint. This is not required because the requirement can be met by other configurations.

select Selected networks, it's just the first step to implement the C and D. Option C: From the Networking blade of account1, add the 131.107.1.0/24 IP address range: This action allows your on-premises network to upload the disk files to the storage account by specifying the IP address range of your on-premises network. Option D: From the Networking blade of account1, add VNet1: This ensures that the virtual network (VNet1) can access the storage account, which is necessary for attaching the disks to VM1.

C will allow access from on-prem D will allow access from VM1 A- is only hals of the solutuion. After slecting selcted network you have to complte C and D. E will allow asscess to all storage accounts from Vnet1 unless limitted by a service end point policy

oh, and if the VHD is converted to a managed disk (as it should be), it would not be accessible from the internet.

if you assume it is using SMB to connect to a file share to "provision" the VM. It could be A,C or A,E. But even then it is missing steps... A,C - need to add the subnet A,E - need to add end point policy

WRONG A & C are correct

What if for this type of question i check all answers? Did someone try this?

A: bcoz we need to prevent access from all n/w . Enabling this setting by default enables the setting to allow trusted azure services (option B). C: will create firewall rule to allow on-prem n/w to access the storage account and upload disk. Specifically, option D is not needed bcoz attaching the disk to vm is done by azure resource manager via backbone n/w. So allow trusted services option which is enabled as part of option A is sufficient to attach the disk.

A and C Allow Azure services on the trusted services list to access this storage account is select by default when you change from "Enabled from all networks" to "Enabled from selected virtual networks and IP addresses"

Configuring access from on-premises networks Go to the storage account that you want to secure. Select Networking. Check that you've chosen to allow access from Selected networks. To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under Firewall > Address Range. To remove an IP network rule, select the delete icon ( ) next to the address range. Select Save to apply your changes.

IMHO it should be C&D, before you need do C&D you need for sure to do option A, but here they are asking to actions to meet the requirements, AC or AD alone won't acheive the requirements. Explanations: C is mandatory to have access from on-premises, it should be set in the firewall section D is required to have access to VNet1 to attached the disk to your VM, if you try to add that VNET1 to the Virtual Networks section (if there isn't any service endpoints already created) it will create it. Here's a message I get when I try to add VNET "The following networks don’t have service endpoints enabled for 'Microsoft.Storage.Global'. Enabling access will take up to 15 minutes to complete. After starting this operation, it is safe to leave and return later if you do not wish to wait." So option E is required as well but it will be created automatically when you add the VNet1

I tested it on 11/12/2023 - A & C are correct. This question could also come in a lab simulation where they will tell you to allow the access to storage account from a specific CIDR.

I think I decided on every combination at some point, but I agree its AC now. A few people below mentioned that the question is badly written. It would help if C mentioned Add an IP range in the Firewall section, which is what you need to do. As the text underneath Firewall says "Add IP ranges to allow access from the internet or your on-premises networks", which is what you want to achieve. Allow access from the public range so that you can copy up the VM image. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

I go for A,C. D does not make sense. Why would you add a Service Endpoint after enabling Selected Virtual Networks option from Networking of Storage Account if you are not going to add IP Address.