Azure Firewall Configuration for Accessing Storage Account

Configure Azure Firewall for Accessing Storage Account

Question

You have a resource group named RG1 that contains the following:

-> A virtual network that contains two subnets named Subnet1 and AzureFirewallSubnet

-> An Azure Storage account named contososa1

-> An Azure firewall deployed to AzureFirewallSubnet

You need to ensure that contososa1 is accessible from Subnet1 over the Azure backbone network.

What should you do?

Answers

Explanations


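A. Modify the Firewalls and virtual networks settings for contososa1.

B. Create a stored access policy for contososa1.

C. Implement a virtual network service endpoint.

D. Remove the Azure firewall.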

C

Storage firewall rules apply to the public endpoint of a storage account. You don't need any firewall access rules to allow traffic for private endpoints of a storage account. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint.

Note: Storage accounts have a public endpoint that is accessible through the internet. You can also create Private Endpoints for your storage account, which assigns a private IP address from your VNet to the storage account, and secures all traffic between your VNet and the storage account over a private link.

The Azure storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints. Your storage firewall configuration also enables select trusted Azure platform services to access the storage account securely.

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

The correct answer for this question is C. Implement a virtual network service endpoint.

Explanation:

To allow access from a subnet to a storage account over the Azure backbone network, you need to implement a virtual network service endpoint.

A virtual network service endpoint provides a direct connection between the subnet and the Azure service, such as a storage account, over the Azure backbone network. This allows traffic to flow directly between the subnet and the service, without needing to go over the public internet. This provides increased security and reliability for traffic between the subnet and the service.

Option A, Modify the Firewalls and virtual networks settings for contososa1, is incorrect. This option does not address the requirement to allow access over the Azure backbone network.

Option B, Create a stored access policy for contososa1, is incorrect. A stored access policy is used to manage shared access signatures for a storage account, but it does not address the requirement to allow access over the Azure backbone network.

Option D, Remove the Azure firewall, is incorrect. The Azure firewall provides network security for the subnet, and removing it would not allow access to the storage account over the Azure backbone network.

Therefore, option C is the correct answer. By implementing a virtual network service endpoint, you can allow access to the storage account from Subnet1 over the Azure backbone network.
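
As an added example (not part of the original page), the Python sketch below audits ARM-style resource JSON for the setup in the question: it checks that Subnet1 has the Microsoft.Storage service endpoint and reports how the contososa1 storage firewall treats that subnet. The VNet name `VNet1`, the subscription ID and the sample JSON are constructed assumptions.

```python
import json

# Constructed sample: ARM-style JSON for the resources in RG1. The VNet name
# "VNet1" and the all-zero subscription ID are placeholders, not page values.
SUBNET1_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1"
              "/providers/Microsoft.Network/virtualNetworks/VNet1/subnets/Subnet1")
SAMPLE = json.loads("""
{
  "subnet": {"name": "Subnet1",
             "properties": {"serviceEndpoints": [{"service": "Microsoft.Storage"}]}},
  "storage": {"name": "contososa1",
              "properties": {"networkAcls": {"defaultAction": "Deny",
                                             "virtualNetworkRules": []}}}
}
""")


def has_storage_endpoint(subnet):
    """True if the subnet has the Microsoft.Storage service endpoint enabled."""
    endpoints = subnet.get("properties", {}).get("serviceEndpoints") or []
    return any(e.get("service", "").lower() == "microsoft.storage"
               for e in endpoints)


def audit(subnet, subnet_id, storage):
    """Return a list of findings for subnet -> storage account access."""
    findings = []
    if not has_storage_endpoint(subnet):
        findings.append("no Microsoft.Storage service endpoint on subnet")
    acls = storage.get("properties", {}).get("networkAcls") or {}
    default = acls.get("defaultAction", "Allow")
    # ARM resource IDs are case-insensitive, so compare in lower case.
    allowed = {r.get("id", "").lower()
               for r in acls.get("virtualNetworkRules") or []
               if r.get("action", "Allow") == "Allow"}
    if default == "Deny" and subnet_id.lower() not in allowed:
        findings.append("storage firewall denies by default and has no rule for subnet")
    elif default == "Allow":
        findings.append("public endpoint is open to all networks")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE["subnet"], SUBNET1_ID, SAMPLE["storage"]):
        print("FINDING:", finding)
```

The constructed sample shows a case worth checking for: the service endpoint is enabled on Subnet1, but the storage firewall is set to deny by default and has no virtual network rule for that subnet.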