CD. E is a configuration on VNET1 not the Storage account.

When performing C you also have to select a network (= Vnet1) and it will create a service endpoint. Also "Allow Trusted Microsoft services" is already selected by default. This means that C also performs tasks A and E. Also the on-premise address range has to be added, so D is needed. This means C (first) and D (second) have to be performed.

D and E are correct, since by default a storage account accepts public traffic. and since VMs are having private ip, it cant directly contact storage account. so we add service endpoint

My answer is C & E Believe on-prem IP range can be added w/o choosing 'Selected Networks'

From Udemy. Answer is CD. Explanation Correct Answer(s): To upload the disk files to account1 from the on-premises environment, you need to whitelist the on-premises IP range. Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. Wrong Answers: From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account. – This option is to provide access to Microsoft services like Backup. From the Firewalls and virtual networks blade of account1, add VNet1 – You cannot add a VNET, you can select existing networks. From the Service endpoints blade of VNet1, add a service endpoint – This will enable services in VNet1 to access azure services with backbone.

C , D and E ...has to be done , a specific subnet has been given in the question for a reason.

Can anyone explain how does D/E achieved this "Ensure that you can upload the disk files to account1." From what I understand, it is also required to upload to the storage from onprem. Doing D/E restricts the storage account from public.

The given answer is correct i guess D,E https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm

Answer is C & D ✑ Ensure that you can upload the disk files to account1. --> C ✑ Ensure that you can attach the disks to VM1. --> this is not affected by the firewall rules ✑ Prevent all other access to account1. --> D Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. REST access to page blobs is protected by network rules. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

If you look a the explanation, it pretty much points to C + D

This one was confusing me like a lot of people so I built in my lab as a test First to modify Firewall to "Selected Networks" You must choose a Virtual Network otherwise your setting is pointless. When you choose a VNET it AUTO adds a service endpoint for you. In the same screen we add the IP range of the onprem environment and tick allow trusted Microsoft services This means if you go by order of what we did it is as follows: D. From the Firewalls and virtual networks balde of account1, select Selected networks. A. From the Firewalls and virtual networks blade of account1, add VNet1. C. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range. B. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account. If we have only two it makes it very hard because all 4 need to be done and you could do D and A or D and C or D and B but without the rest we have done nothing

I think the answer in the correct order is : D - Selected networks C - Provide the address range

C, D, E are correct. D - To configure the firewall settings to secific networks and IP Address range and to prevent all other network access. C - To upload the disks from the specific On-Premis network to Storage account in Azure. D - To use the disks in Storage account to provision VM which is using VNet1 with a specific address range. So, while adding Virtual Network in Storage account Firewall settings, it will prompt to enable Service Endpoints for the VNet Subnets. Without that we can't add VNet from a VM.

100% C,D Have to configure this all the time at work

I vote for C, D..... service end point is used by a service to access storage. For a VM to access hard disk files in storage account, endpoint is not required.

C/D are the answers both are from the firewall and virtual networks section. they are trying to trick us on this question same as the others.

I think we have to do first D than C . even E is required however i guess below 3 option given after IP range can bypass the option E . otherwise i think D,E,C all are required to comply with all 3 requirement of question. Allow trusted Microsoft services to access this storage account Allow read access to storage logging from any network Allow read access to storage metrics from any network