Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us [email protected]
Menu
Microsoft Discussions

Exam AZ-103 topic 2 question 16 discussion

Actual exam question from Microsoft's AZ-103
Question #: 16
Topic #: 2
[All AZ-103 Questions]

You have an Azure subscription that contains a storage account named account1.
You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of
131.107.1.0/24.
You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24.
You need to configure account1 to meet the following requirements:
✑ Ensure that you can upload the disk files to account1.
✑ Ensure that you can attach the disks to VM1.
✑ Prevent all other access to account1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. From the Firewalls and virtual networks blade of account1, add VNet1.
  • B. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account.
  • C. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.
  • D. From the Firewalls and virtual networks balde of account1, select Selected networks.
  • E. From the Service endpoints blade of VNet1, add a service endpoint.
Show Suggested Answer Hide Answer
Suggested Answer: DE 🗳️
D: By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Azure portal -
1. Navigate to the storage account you want to secure.
2. Click on the settings menu called Firewalls and virtual networks.
3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from 'All networks'.
4. Click Save to apply your changes.
E: Grant access from a Virtual Network
Storage accounts can be configured to allow access only from specific Azure Virtual Networks.
By enabling a Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure Storage service. The identities of the virtual network and the subnet are also transmitted with each request.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
by marek76 at Dec. 2, 2019, 12:13 p.m.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
abraam31
Highly Voted 3 years, 4 months ago
CD. E is a configuration on VNET1 not the Storage account.
upvoted 23 times
rupayan87
6 months, 1 week ago
Yes but you need to add the service end point in order to be able to connect from the VM in the Vnet.
upvoted 1 times
rupayan87
6 months, 1 week ago
i think you are right.. question has 3 purpose upload from onprem so you need connectivity to pub IP of onprem limit account access so we have to use selected network ability to attach to az VM so you mean we need to add the Vnet IP first and then a service endpoint. We have 2 choices only so C & D
upvoted 1 times
...
...
...
krst
Highly Voted 2 years, 9 months ago
When performing C you also have to select a network (= Vnet1) and it will create a service endpoint. Also "Allow Trusted Microsoft services" is already selected by default. This means that C also performs tasks A and E. Also the on-premise address range has to be added, so D is needed. This means C (first) and D (second) have to be performed.
upvoted 14 times
Fal991l
1 year, 2 months ago
Did you mean when to perform A by selecting a network (VNet1) and it will create a service endpoint by default? So the first answer should be A. Add the 131.107.1.0/24 under "Exceptions: Allow Azure service on the trusted services list to access this storage account" can keep the connection between on-premises with VNet1 securely, which allow user to upload disk files to account1 for further provision. So C is a must. Definitely agree with abraam31. E is a configuration on VNET1 not on account1, which is NOT supposed to be under consideration for this question. But it could be one of the practical solutions in a real project though.
upvoted 1 times
...
...
shdcehfcbj
Most Recent 1 week, 3 days ago
D and E are correct, since by default a storage account accepts public traffic. and since VMs are having private ip, it cant directly contact storage account. so we add service endpoint
upvoted 1 times
...
vinsom
4 weeks, 1 day ago
My answer is C & E Believe on-prem IP range can be added w/o choosing 'Selected Networks'
upvoted 1 times
...
Durden871
2 months, 2 weeks ago
From Udemy. Answer is CD. Explanation Correct Answer(s): To upload the disk files to account1 from the on-premises environment, you need to whitelist the on-premises IP range. Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. Wrong Answers: From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account. – This option is to provide access to Microsoft services like Backup. From the Firewalls and virtual networks blade of account1, add VNet1 – You cannot add a VNET, you can select existing networks. From the Service endpoints blade of VNet1, add a service endpoint – This will enable services in VNet1 to access azure services with backbone.
upvoted 1 times
...
HTD
1 year, 12 months ago
C , D and E ...has to be done , a specific subnet has been given in the question for a reason.
upvoted 1 times
...
PT16
2 years, 5 months ago
Can anyone explain how does D/E achieved this "Ensure that you can upload the disk files to account1." From what I understand, it is also required to upload to the storage from onprem. Doing D/E restricts the storage account from public.
upvoted 1 times
...
vpernankil
2 years, 7 months ago
The given answer is correct i guess D,E https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm
upvoted 1 times
...
arseyam
2 years, 8 months ago
Answer is C & D ✑ Ensure that you can upload the disk files to account1. --> C ✑ Ensure that you can attach the disks to VM1. --> this is not affected by the firewall rules ✑ Prevent all other access to account1. --> D Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. REST access to page blobs is protected by network rules. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
upvoted 7 times
...
jonalejm
2 years, 9 months ago
If you look a the explanation, it pretty much points to C + D
upvoted 2 times
...
Gman80
2 years, 10 months ago
This one was confusing me like a lot of people so I built in my lab as a test First to modify Firewall to "Selected Networks" You must choose a Virtual Network otherwise your setting is pointless. When you choose a VNET it AUTO adds a service endpoint for you. In the same screen we add the IP range of the onprem environment and tick allow trusted Microsoft services This means if you go by order of what we did it is as follows: D. From the Firewalls and virtual networks balde of account1, select Selected networks. A. From the Firewalls and virtual networks blade of account1, add VNet1. C. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range. B. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account. If we have only two it makes it very hard because all 4 need to be done and you could do D and A or D and C or D and B but without the rest we have done nothing
upvoted 5 times
...
ariahi
2 years, 10 months ago
I think the answer in the correct order is : D - Selected networks C - Provide the address range
upvoted 5 times
...
praveen97
2 years, 10 months ago
C, D, E are correct. D - To configure the firewall settings to secific networks and IP Address range and to prevent all other network access. C - To upload the disks from the specific On-Premis network to Storage account in Azure. D - To use the disks in Storage account to provision VM which is using VNet1 with a specific address range. So, while adding Virtual Network in Storage account Firewall settings, it will prompt to enable Service Endpoints for the VNet Subnets. Without that we can't add VNet from a VM.
upvoted 2 times
...
anon1234
2 years, 11 months ago
100% C,D Have to configure this all the time at work
upvoted 4 times
Hanuman
2 years, 11 months ago
correct
upvoted 2 times
...
HazemYousry
2 years, 11 months ago
I got an error when I added the VNET to the Firewall section - error "NoServiceEndPoint" configured. So (E) is a required in order to do (D)
upvoted 4 times
...
...
Sitender
2 years, 11 months ago
I vote for C, D..... service end point is used by a service to access storage. For a VM to access hard disk files in storage account, endpoint is not required.
upvoted 4 times
...
nfett
2 years, 11 months ago
C/D are the answers both are from the firewall and virtual networks section. they are trying to trick us on this question same as the others.
upvoted 3 times
...
AzureArchitect
3 years ago
I think we have to do first D than C . even E is required however i guess below 3 option given after IP range can bypass the option E . otherwise i think D,E,C all are required to comply with all 3 requirement of question. Allow trusted Microsoft services to access this storage account Allow read access to storage logging from any network Allow read access to storage metrics from any network
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel