AZ-104 · Question #727
AZ-104 Question #727: Real Exam Question with Answer & Explanation
The correct answer is B: private endpoints. To ensure traffic from an Azure VM to an Azure Storage account traverses the Microsoft backbone network, private endpoints should be configured.
Question
Your on-premises network contains a VPN gateway. You have an Azure subscription that contains the resources shown in the following table. You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network. What should you configure?
Options
- A. a network security group (NSG)
- B. private endpoints
- C. Microsoft Entra Application Proxy
- D. Azure Virtual WAN
Explanation
To ensure traffic from an Azure VM to an Azure Storage account traverses the Microsoft backbone network, private endpoints should be configured.
Common mistakes.
- A. A network security group (NSG) filters network traffic based on rules, but it does not dictate the routing path to Azure platform services over the Microsoft backbone network.
- C. Microsoft Entra Application Proxy provides secure remote access to on-premises web applications for users, which is unrelated to connecting an Azure VM to an Azure storage account.
- D. Azure Virtual WAN is a networking service for large-scale branch-to-Azure connectivity and global networks, but it is not the specific mechanism to enable private, backbone-only access for an Azure VM to a PaaS service.
Concept tested. Secure private access to Azure PaaS services using Private Endpoints
Reference. https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview