Exam AZ-304 topic 8 question 4 discussion

The answer should be Private Endpoint. Below are requirements for storage account used by app1. Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of new and existing data is prevented for a period of three years. --immutable stoarge. not applicable in this question On-premises users and services must be able to access the Azure Storage account that will host the data in App1 ---Private Endpoint securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoutes with private-peering. Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented. -- Private Endpoint secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.

I'd almost go for A "Private Endpoint" - that is definitely required here, but it is NOT a "Network Connectivity Solution." So answer seems correct, D (Microsoft Peering) - though we already have ExpressRoute.

A is correct. Read "Private connectivity to Azure PaaS services" here: https://azure.microsoft.com/en-us/blog/announcing-azure-private-link/ It Says: "With today’s announcement of Azure Private Link, you can simply create a private endpoint in your VNet and map it to your PaaS resource (Your Azure Storage account blob or SQL Database server). These resources are then accessible over a private IP address in your VNet, enabling connectivity from on-premises through Azure ExpressRoute private peering and/or VPN gateway and keep the network configuration simple by not opening it up to public IP addresses."

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings#privatepeering

If A is answer then question is then how on-prem will connect to storage service when connectivity is only through ExpressRoute?

vote A.

The solution must meet the security and compliance requirements. Keeping public endpoint enabled is not a secure way. Hence option A comes close to the requirement.

A is correct. Private endpoint is needed to have prevention of App1 data from public.

On exam today 22-Dec-21

This answer is D. The Security and Compliance Requirements section contains the following: On-premises users and services must be able to access the Azure Storage account that will host the data in App1. Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented. Litware has ExpressRoute connectivity to Azure. So we can configure ExpressRoute peering for virtual networks. You can set up bi-directional connectivity between your core network and Azure virtual networks (VNets). This peering lets you connect to virtual machines and cloud services directly on their private IP addresses. https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings

D ---

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings Azure public peering has been deprecated -> C is out Microsoft peering is to Microsoft cloud so D is out as well "Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented" Answer is A

the best answer should be "private peering", B) is not applicable C) Azure public peering is deprecated and replaced by Microsoft peering D) Microsoft Peering is for public IP. Therefore, could not satisfy the private IP storage requirement. A) is the only feasible option left. It is okay because a private endpiont must use private IP and the pre-requisite is private peering. Here is an example https://docs.microsoft.com/en-aus/azure/migrate/replicate-using-expressroute#replicate-data-by-using-an-expressroute-circuit-with-private-peering The expressroute peering is https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings

Remember "you plan to migrate App1 to Azure" so Id almost go for A. private Endpoint