SC-100 · Question #58
SC-100 Question #58: Real Exam Question with Answer & Explanation
The correct answer is D: firewall rules for the storage account.
Question
Your company plans to provision blob storage by using an Azure Storage account. The blob storage will be accessible from 20 application servers on the internet. You need to recommend a solution to ensure that only the application servers can access the storage account. What should you recommend using to secure the blob storage?
Options
- A. service tags in network security groups (NSGs)
- B. managed rule sets in Azure Web Application Firewall (WAF) policies
- C. inbound rules in network security groups (NSGs)
- D. firewall rules for the storage account
- E. inbound rules in Azure Firewall
Explanation
Azure Storage account firewall rules allow you to whitelist specific public IP addresses or CIDR ranges. Since the 20 application servers are on the internet (not on an Azure VNet), you add their public IP addresses to the storage account's firewall allowlist, blocking all other internet traffic. This is the most direct and minimal solution.

Service tags in NSGs (A) control traffic to/from Azure services at the VNet level; they don't restrict access to a storage account from the internet based on specific IPs. WAF managed rule sets (B) protect web applications, not blob storage. NSG inbound rules (C) protect VNet resources, not public-facing storage endpoints. Azure Firewall inbound rules (E) could work but introduce unnecessary complexity and cost compared to the built-in storage firewall.