What should you use to prevent traffic from an Azure virtual network from being routed to an Azure Storage account via the internet?
To prevent traffic from an Azure virtual network from being routed to an Azure Storage account via the internet, you should use a service endpoint. Virtual Network (VNet) service endpoints provide secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Service endpoints allow private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet, thus avoiding routing through the internet.
A is correct, because with the security rules of an NSG you can permit/deny traffic inbound/outbound.
The only reason that I paid for this subscription was your comments. You are really the added value to this page. For sure it will help me pass the exam. Thank you.
Both A and D are correct. Just getting pissed at the wrong answers posted. We paid for the subscription and are being presented wrong answers, and it's up to us to check and verify it.
D is correct "Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
In summary, configure network rules for your storage account to restrict access to specific networks or resources, and use NSGs to block internet-bound traffic from your Azure virtual network. This combination ensures secure communication between your virtual network and the storage account while preventing unnecessary exposure to the internet.
It's a Server Endpoint
Filter Azure service traffic with policies, over service endpoints, and filter rest of the Internet or Azure traffic via appliances or Azure Firewall.
Correct A. With NSG traffic goes through internet.
Correct D *********
An NSG, like a firewall, filters the traffic.
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=azure-portal#grant-access-from-a-virtual-network
To prevent traffic from an Azure virtual network from being routed to an Azure Storage account via the internet, you should use a service endpoint. Azure virtual networks enable you to create a private network in the cloud. Azure Storage is a cloud-based storage solution provided by Microsoft Azure.
I think the right answer is C - Azure VPN Gateway, since the question refers to preventing traffic for an Azure Virtual Network via the internet, so the key word here is Internet, since a definition for a VPN Gateway is this: VPN gateway sends encrypted traffic between your virtual network and your on-premises location across a public connection (this is Internet).
Reading the question very carefully, it asks what you should use to prevent traffic from an Azure virtual network from being routed to an Azure Storage account. It clearly talks about a connection between 2 Azure resources: on one hand we have an Azure Virtual Network, while on the other hand we have an Azure Storage Account. So checking the definition for NSG, it says: You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For that reason, I change my answer to A - Network Security Group. Check out this link: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
I think the hint is "prevent" as an active statement. Of course, a service endpoint is also good, but the NSG can prevent the internet access, where a service endpoint may still permit a public endpoint as well.
The following networks don’t have service endpoints enabled for 'Microsoft.Storage'.
An NSG can be associated with a VM network interface controller (NIC) and a subnet (but not a VNet).
I WILL GO FOR D .. I BELIEVE A IS A RED HERRING
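
Several comments above describe restricting the storage account to specific subnets over service endpoints, and one quotes the warning about networks that don't have endpoints enabled for 'Microsoft.Storage'. As an added example (not part of the original thread), this Python check audits constructed subnet and storage-account JSON for both conditions; the field names are assumed to follow Azure CLI JSON output, and every resource name and ID is made up.

```python
"""Audit sketch: which subnets reach a storage account over a service endpoint."""

PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/")

# Constructed sample data, modelled on Azure CLI JSON output (assumed field names).
SUBNETS = [
    {"id": PREFIX + "app", "serviceEndpoints": [
        {"service": "Microsoft.Storage", "provisioningState": "Succeeded"}]},
    {"id": PREFIX + "db", "serviceEndpoints": []},
    {"id": PREFIX + "web", "serviceEndpoints": [
        {"service": "Microsoft.Storage", "provisioningState": "Succeeded"}]},
]
STORAGE = {
    "name": "stdemo",
    "networkRuleSet": {
        "defaultAction": "Deny",  # "Allow" would leave the public endpoint open to all networks
        "virtualNetworkRules": [
            # Resource IDs are case-insensitive, so one is upper-cased on purpose.
            {"virtualNetworkResourceId": (PREFIX + "app").upper(), "action": "Allow"},
            {"virtualNetworkResourceId": PREFIX + "db", "action": "Allow"},
        ],
    },
}

def has_storage_endpoint(subnet):
    """True if the subnet has a provisioned Microsoft.Storage service endpoint."""
    return any(
        ep.get("service", "").lower() == "microsoft.storage"
        and ep.get("provisioningState") == "Succeeded"
        for ep in subnet.get("serviceEndpoints") or []
    )

def default_deny(storage):
    """True if the account rejects networks that are not explicitly allowed."""
    return storage.get("networkRuleSet", {}).get("defaultAction") == "Deny"

def audit(storage, subnets):
    """Map each subnet name to ok / no-service-endpoint / not-in-storage-rules."""
    rules = storage.get("networkRuleSet", {}).get("virtualNetworkRules") or []
    allowed = {r["virtualNetworkResourceId"].lower() for r in rules
               if r.get("action", "Allow") == "Allow"}
    report = {}
    for subnet in subnets:
        name = subnet["id"].rsplit("/", 1)[-1]
        if not has_storage_endpoint(subnet):
            report[name] = "no-service-endpoint"   # the warning case quoted above
        elif subnet["id"].lower() not in allowed:
            report[name] = "not-in-storage-rules"  # endpoint on, but account rejects it
        else:
            report[name] = "ok"
    return report
```
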