Ensure Azure Storage Account Accessibility Between Subnets Using Azure Firewall

Configure Azure Firewall to Enable Access from Subnet1 to contososa1

Question

You have a resource group named RG1 that contains the following:

- A virtual network that contains two subnets named Subnet1 and Subnet2

- An Azure Storage account named contososa1

- An Azure firewall deployed to Subnet2

You need to ensure that contososa1 is accessible from Subnet1 over the Azure backbone network.

What should you do?

Answers

Explanations


C

Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

To enable access to the Azure Storage account (contososa1) from Subnet1 over the Azure backbone network, use a virtual network service endpoint.

Virtual network service endpoints provide secure and optimized connectivity to Azure services over the Azure backbone network. The connection is established between the virtual network and the Azure service without traversing the internet, which reduces the risk of data exfiltration and improves security.

To implement a virtual network service endpoint for the Azure Storage account, follow these steps:

  1. Navigate to the Azure portal and select the resource group (RG1) that contains the virtual network and the Azure Storage account.
  2. Select the Azure Storage account (contososa1).
  3. In the left-hand menu, select "Firewalls and virtual networks."
  4. In the "Firewalls and virtual networks" pane, select "Selected networks."
  5. Click on "Add existing virtual network."
  6. Select the virtual network that contains Subnet1 and Subnet2.
  7. Select Subnet1 and click "OK."

After completing these steps, the virtual network service endpoint is enabled for the Azure Storage account, and the Storage account is accessible from Subnet1 over the Azure backbone network.
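The same configuration expressed as an added Bicep template (not taken from the original page); the virtual network name, address ranges, storage SKU and API versions are assumptions:

```bicep
// Added example: declares the scenario's VNet with Subnet1 carrying a
// Microsoft.Storage service endpoint and contososa1 restricted to that subnet.
// Assumed values: vnet name, address prefixes, SKU and API versions.
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet1'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.0.0.0/16']
    }
    subnets: [
      {
        name: 'Subnet1'
        properties: {
          addressPrefix: '10.0.1.0/24'
          // Service endpoint: traffic from Subnet1 to Storage stays on the Azure backbone
          serviceEndpoints: [
            { service: 'Microsoft.Storage' }
          ]
        }
      }
      {
        // The scenario's firewall subnet; no endpoint is needed here.
        // (A real Azure Firewall deployment requires the subnet to be named AzureFirewallSubnet.)
        name: 'Subnet2'
        properties: {
          addressPrefix: '10.0.2.0/24'
        }
      }
    ]
  }
}

resource contososa1 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'contososa1'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // Deny by default so only the listed subnet (plus trusted Azure services) can reach the account
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'Subnet1')
          action: 'Allow'
        }
      ]
    }
  }
}
```

Adding the subnet through the storage account's portal pane enables the Microsoft.Storage endpoint on Subnet1 for you; in a template the endpoint must be declared on the subnet explicitly, as above, or the network rule will not admit traffic.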

Option A (Deploy an Azure firewall to Subnet1) is incorrect because it will not provide the required connectivity to the Azure Storage account over the Azure backbone network. An Azure firewall can be used to control network traffic between subnets or between the virtual network and the internet.

Option B (Remove the Azure firewall) is incorrect because the firewall is required to control traffic to and from Subnet2.

Option D (Create a stored access policy for contososa1) is incorrect because a stored access policy only scopes the permissions granted on specific resources in an Azure Storage account. It does not provide the required network connectivity to the Storage account from Subnet1.