Configure Azure Storage Account for VM Disk Uploads | Microsoft Azure Administrator Exam AZ-104


Question

You have an Azure subscription that contains a storage account named account1.

You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of 131.107.1.0/24.

You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24.

You need to configure account1 to meet the following requirements:

-> Ensure that you can upload the disk files to account1.

-> Ensure that you can attach the disks to VM1.

-> Prevent all other access to account1.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations


A. B. C. D. E.

AE

A: By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Azure portal -

1. Navigate to the storage account you want to secure.

2. Click on the settings menu called Firewalls and virtual networks.

3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from 'All networks'.

4. Click Save to apply your changes.

E: Grant access from a Virtual Network

Storage accounts can be configured to allow access only from specific Azure Virtual Networks.

By enabling a Service Endpoint for Azure Storage within the Virtual Network, traffic is ensured an optimal route to the Azure Storage service. The identities of the virtual network and the subnet are also transmitted with each request.

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

To meet the requirements stated in the question, you need to perform the following two actions:

  1. Allow access to account1 from the on-premises network:

To ensure that you can upload the disk files to account1, you need to allow access from the on-premises network to the storage account. This can be done by configuring the firewall settings for the storage account as follows:

  • Navigate to the Azure portal and go to the account1 storage account.
  • From the left-hand menu, click on the "Firewalls and virtual networks" option.
  • Under the "Firewalls and virtual networks" blade, select the "Selected networks" option.
  • Add the on-premises public IP address space (131.107.1.0/24) to the list of allowed networks. This will allow traffic from the on-premises network to access the storage account.

So, the correct answer options are A and C.

  2. Restrict access to account1:

To prevent all other access to account1 and only allow access to the disks from the virtual machine, you can add a virtual network service endpoint to the storage account. This will allow traffic from the virtual network to access the storage account, while blocking all other traffic. To do this, follow these steps:

  • Navigate to the Azure portal and go to the VNet1 virtual network.
  • From the left-hand menu, click on the "Service endpoints" option.
  • Under the "Service endpoints" blade, click on the "+ Add" button to add a new service endpoint.
  • Select the "Microsoft.Storage" service from the list of available services.
  • Select the storage account (account1) that you want to connect to and click on the "Add" button to save the changes.

This will add a virtual network service endpoint to the storage account that allows access only from the specified virtual network, while blocking all other traffic.

So, the correct answer options are A and E.

Note that option B, "Allow trusted Microsoft services to access this storage account," is not required for this scenario, as it allows access from trusted Azure services, such as Azure Backup and Azure Site Recovery, to the storage account. Since you are not using any of these services, this option is not necessary. Option D, "Add VNet1," is also not required, as it only allows access to the storage account from the specified virtual network, but does not restrict access from other networks.
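The same two actions expressed as Az PowerShell commands, so they can be scripted and the resulting rule set verified. This is an added example, not code from the original page; the resource group name rg1 and the subnet name default are assumptions.

```powershell
# Added example (not from the original page). Assumed names: resource group "rg1",
# subnet "default" inside VNet1. Requires the Az.Storage and Az.Network modules.
$rg         = "rg1"       # assumption: resource group holding account1 and VNet1
$account    = "account1"
$vnetName   = "VNet1"
$subnetName = "default"   # assumption: the VNet1 subnet VM1 will be attached to

# Action A: change the default action to Deny so only explicit rules admit traffic.
# -Bypass None also withholds the "trusted Microsoft services" exception (option B),
# which the question does not require.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass None

# Allow the on-premises range so the disk files can be uploaded.
# IP rules accept only public address space; 131.107.1.0/24 qualifies, but the
# private VNet1 range 192.168.0.0/24 could not be added this way.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -IPAddressOrRange "131.107.1.0/24"

# Action E, part 1: enable the Microsoft.Storage service endpoint on the subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Storage" |
    Set-AzVirtualNetwork | Out-Null

# Action E, part 2: add a virtual network rule for that subnet on account1.
$subnetId = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName |
    Get-AzVirtualNetworkSubnetConfig -Name $subnetName).Id
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnetId

# Verify the end state: DefaultAction Deny, Bypass None, one IP rule, one VNet rule.
# Anything else means some other path into account1 is still open.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
$rules | Select-Object DefaultAction, Bypass
$rules.IpRules | Select-Object IPAddressOrRange, Action
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, State
```

The final three lines are the check worth keeping in a change record: a VirtualNetworkRules entry whose State is not Succeeded indicates the service endpoint was not registered on the subnet.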