You are asked to configure an Azure storage account so that it is accessible from only one specific Azure Virtual Network (VNet). It must not be accessible from any other network or region in use across your company's Azure subscription.

You need to implement this requirement.

What should you do?



You should implement a VNet service endpoint. Service endpoints are used to limit network access to a specific set of resources. To meet the requirement, you can implement a storage endpoint on an Azure Resource Manager-deployed storage account to restrict access to a specific VNet and exclude access from all other resources, including the Internet and on-premises connected resources.

You should not add a network security group. This is used to limit the access to the resources within a VNet by implementing rules such as IP filters and role-based access control. It cannot restrict access to a storage account by itself.

You should not deploy Azure Traffic Manager. This is used to control the flow of network traffic into and out of Azure networks. It cannot restrict access to a storage account by itself.

You should not activate the Secure transfer required option. This feature forces all the traffic into and out of the storage account to be secured over HTTPS instead of allowing fallback to HTTP.
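One way to verify the service endpoint restriction described above is to audit the storage account's `networkAcls` block from its ARM definition. This is an added example, not part of the original question; the subscription ID, resource group, VNet and subnet names are constructed, and the helper names are hypothetical.

```python
# Added example: audit a storage account's ARM "properties.networkAcls" block.
# The subscription, resource group, VNet and subnet names are constructed.

ALLOWED_SUBNET = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
    "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/subnet-app"
)


def vnet_of(subnet_id):
    """Return the lower-cased VNet resource ID that a subnet ID belongs to."""
    return subnet_id.lower().split("/subnets/")[0]


def audit_network_acls(acls, allowed_subnet_id):
    """Return findings; an empty list means only the allowed VNet has access."""
    findings = []
    # Without defaultAction=Deny the rules are not exclusive (missing = Allow).
    if acls.get("defaultAction", "Allow").lower() != "deny":
        findings.append("defaultAction is not Deny: all networks can reach the account")
    # Any public IP range (Internet, on-premises NAT) breaks the single-VNet rule.
    for rule in acls.get("ipRules", []):
        findings.append(f"ipRule allows {rule.get('value')}")
    allowed_vnet = vnet_of(allowed_subnet_id)
    rules = acls.get("virtualNetworkRules", [])
    for rule in rules:
        if vnet_of(rule.get("id", "")) != allowed_vnet:
            findings.append(f"virtualNetworkRule for another VNet: {rule.get('id')}")
    if not any(vnet_of(r.get("id", "")) == allowed_vnet for r in rules):
        findings.append("no virtualNetworkRule for the required VNet")
    return findings


# Constructed sample configurations.
LOCKED_DOWN = {
    "defaultAction": "Deny",
    "bypass": "None",
    "ipRules": [],
    "virtualNetworkRules": [{"id": ALLOWED_SUBNET, "action": "Allow"}],
}
TOO_OPEN = {
    "defaultAction": "Allow",
    "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
    "virtualNetworkRules": [],
}

if __name__ == "__main__":
    for name, acls in (("LOCKED_DOWN", LOCKED_DOWN), ("TOO_OPEN", TOO_OPEN)):
        print(name, audit_network_acls(acls, ALLOWED_SUBNET) or "OK")
```

The subnet named in the rule must also have the `Microsoft.Storage` service endpoint enabled for the restriction to take effect.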

