Exam AZ-104 topic 3 question 16 discussion

A,C IS THE CORRECT ANSWER

Too many mixed answers here. Decided to spend hours reading MS Docs! K, let's settle this one once and for all. Technically all answers are correct, however you can only choose 2. So here we go: B, C, D depends on A. And B is selected by default btw (once you do A). E has to be done for the disk to be used by VM1. So the correct answer is A and E. A which will cover B C D. And E as explained above. Hope this helps!

oh, and if the VHD is converted to a managed disk (as it should be), it would not be accessible from the internet.

if you assume it is using SMB to connect to a file share to "provision" the VM. It could be A,C or A,E. But even then it is missing steps... A,C - need to add the subnet A,E - need to add end point policy

WRONG A & C are correct

What if for this type of question i check all answers? Did someone try this?

A: bcoz we need to prevent access from all n/w . Enabling this setting by default enables the setting to allow trusted azure services (option B). C: will create firewall rule to allow on-prem n/w to access the storage account and upload disk. Specifically, option D is not needed bcoz attaching the disk to vm is done by azure resource manager via backbone n/w. So allow trusted services option which is enabled as part of option A is sufficient to attach the disk.

A and C Allow Azure services on the trusted services list to access this storage account is select by default when you change from "Enabled from all networks" to "Enabled from selected virtual networks and IP addresses"

Configuring access from on-premises networks Go to the storage account that you want to secure. Select Networking. Check that you've chosen to allow access from Selected networks. To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under Firewall > Address Range. To remove an IP network rule, select the delete icon ( ) next to the address range. Select Save to apply your changes.

IMHO it should be C&D, before you need do C&D you need for sure to do option A, but here they are asking to actions to meet the requirements, AC or AD alone won't acheive the requirements. Explanations: C is mandatory to have access from on-premises, it should be set in the firewall section D is required to have access to VNet1 to attached the disk to your VM, if you try to add that VNET1 to the Virtual Networks section (if there isn't any service endpoints already created) it will create it. Here's a message I get when I try to add VNET "The following networks don’t have service endpoints enabled for 'Microsoft.Storage.Global'. Enabling access will take up to 15 minutes to complete. After starting this operation, it is safe to leave and return later if you do not wish to wait." So option E is required as well but it will be created automatically when you add the VNet1

I tested it on 11/12/2023 - A & C are correct. This question could also come in a lab simulation where they will tell you to allow the access to storage account from a specific CIDR.

I think I decided on every combination at some point, but I agree its AC now. A few people below mentioned that the question is badly written. It would help if C mentioned Add an IP range in the Firewall section, which is what you need to do. As the text underneath Firewall says "Add IP ranges to allow access from the internet or your on-premises networks", which is what you want to achieve. Allow access from the public range so that you can copy up the VM image. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

I go for A,C. D does not make sense. Why would you add a Service Endpoint after enabling Selected Virtual Networks option from Networking of Storage Account if you are not going to add IP Address.

A and E... I get how C looks tempting but since you know A best satisfies the limit access req, you now have to figure how to connect it to the VNET and C will not do that. E will connect it to the VNET.

To meet the requirements, you should perform the following actions: A. **From the Networking blade of account1, select Selected networks**. - By default, Azure Storage accounts are accessible from everywhere. Selecting "Selected networks" restricts the access to the specified networks or IP addresses. C. **From the Networking blade of account1, add the 131.107.1.0/24 IP address range**. - This allows you to upload the disk files from your on-premises network with the specified IP address range.

When I see this question on the exam, I'm going to close my eyes and click 2 answers. Hopefully I get it right. lol

I vote for C and D. If you look at the Networking configuration of a storage account, after selecting “(x) Enabled from selected virtual networks and IP addresses” option, you see that you can add specific virtual networks and public IP address ranges. So, to “Ensure that you can upload the disk files to account1.” from the on premises network you have to select option “C. From the Networking blade of account1, add the 131.107.1.0/24 IP address range.”. To “Ensure that you can attach the disks to VM1.” you need “D. From the Networking blade of account1, add VNet1.”. Of course, before executing actions C and D you must also execute “A. From the Networking blade of account1, select Selected networks.”. But since you can select only two actions I prefer to select the most relevant ones. The option E is not requested by the question since service endpoint enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet, which is a good thing to do, but not requested.