Configure Azure Storage Account for VM Disk Upload and Access

Configure Account1 for VM Disk Upload and Access

Question

You have an Azure subscription that contains a storage account named account1.

You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of 131.107.1.0/24.

You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24.

You need to configure account1 to meet the following requirements:

-> Ensure that you can upload the disk files to account1.

-> Ensure that you can attach the disks to VM1.

-> Prevent all other access to account1.

Which two actions should you perform? Each correct selection presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations


BE

B: By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Azure portal:

1. Navigate to the storage account you want to secure.

2. Click on the settings menu called Firewalls and virtual networks.

3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from 'All networks'.

4. Click Save to apply your changes.

E: Grant access from a Virtual Network

Storage accounts can be configured to allow access only from specific Azure Virtual Networks.

By enabling a Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure Storage service. The identities of the virtual network and the subnet are also transmitted with each request.

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

To upload disk files of a virtual machine to an Azure storage account, you need to configure the storage account to allow access from the network where the files are located. In this scenario, the files are located on an on-premises network with a public IP address space of 131.107.1.0/24, and you want to upload them to an Azure storage account named account1. You also plan to use the disk files to provision an Azure virtual machine named VM1, which will be attached to a virtual network named VNet1.

To configure account1 to meet the requirements, you should perform the following two actions:

  1. Add the 131.107.1.0/24 IP address range to the Firewalls and virtual networks blade of account1
  2. Add VNet1 to the Firewalls and virtual networks blade of account1

Explanation:

A. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range. This action allows access to the storage account from the on-premises network where the disk files are located. By adding the IP address range 131.107.1.0/24 to the firewall rules of account1, you allow traffic from that IP address range to access the storage account.

B. From the Firewalls and virtual networks blade of account1, select Selected networks. This action specifies that only selected networks are allowed to access the storage account. By selecting this option and adding VNet1 to the list of allowed networks, you ensure that only traffic from VNet1 is allowed to access account1.

C. From the Firewalls and virtual networks blade of account1, add VNet1. This action adds the virtual network VNet1 to the list of allowed networks that can access the storage account. By adding VNet1, you ensure that only traffic from that network can access account1.

D. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account. This option allows Azure services, such as Azure Backup and Azure Site Recovery, to access the storage account. However, it does not address the requirement to allow access from the on-premises network or from VNet1.

E. From the Service endpoints blade of VNet1, add a service endpoint. This action enables VNet1 to access the storage account over a private link. While this can improve security by eliminating the need for traffic to traverse the public internet, it does not address the requirement to allow access from the on-premises network or from other virtual networks.
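The following Python check is an added example, not part of the original page or of Microsoft's documentation. It audits a storage account's network rules against the three requirements in the question. The sample objects, subscription ID, resource group and subnet name are constructed placeholders, and the field names assume the ARM template shape of a storage account's `networkAcls` and a subnet's `serviceEndpoints`.

```python
import ipaddress

# Constructed sample data: account1's networkAcls and the VNet1 subnet.
# Subscription ID, resource group and subnet name are placeholders.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
             "/providers/Microsoft.Network/virtualNetworks/VNet1/subnets/default")
ACCOUNT1_ACLS = {
    "defaultAction": "Deny",  # what the portal sets for "Selected networks"
    "bypass": "None",
    "ipRules": [{"value": "131.107.1.0/24", "action": "Allow"}],
    "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
}
VNET1_SUBNET = {"id": SUBNET_ID,
                "serviceEndpoints": [{"service": "Microsoft.Storage"}]}


def audit(acls, subnet, onprem_cidr):
    """Return a list of findings; an empty list means every requirement holds."""
    findings = []
    # Requirement 3: anything not explicitly allowed must be denied.
    if acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: all networks can reach the account")
    # Requirement 1: the on-premises range must be covered, and nothing wider.
    onprem = ipaddress.ip_network(onprem_cidr)
    allowed = [ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", []) if r.get("action") == "Allow"]
    if not any(onprem.subnet_of(net) for net in allowed):
        findings.append(f"no IP rule covers {onprem_cidr}: upload is blocked")
    for net in allowed:
        if not net.subnet_of(onprem):
            findings.append(f"IP rule {net} allows addresses outside {onprem_cidr}")
    # Requirement 2: the VM1 subnet must be allowed, and no other subnet.
    want = subnet["id"].lower()
    vnet_ids = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])
                if r.get("action") == "Allow"}
    if want not in vnet_ids:
        findings.append("no virtual network rule for the VM1 subnet")
    for other in sorted(vnet_ids - {want}):
        findings.append(f"unexpected virtual network rule: {other}")
    # A virtual network rule only takes effect if the subnet has the endpoint.
    services = {e.get("service") for e in subnet.get("serviceEndpoints", [])}
    if "Microsoft.Storage" not in services:
        findings.append("subnet has no Microsoft.Storage service endpoint")
    return findings


if __name__ == "__main__":
    for line in audit(ACCOUNT1_ACLS, VNET1_SUBNET, "131.107.1.0/24") or ["OK"]:
        print(line)
```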