Q: 5
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
* A virtual network named Vnet1
* A subnet named Subnet1 in Vnet1
* A virtual machine named VM1 that connects to Subnet1
* Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other
storage accounts.
Solution: You create a network security group (NSG). You configure a service tag for Microsoft.Storage
and link the tag to Subnet1.
Does this meet the goal?
Options
Discussion
Option B, check Microsoft docs or do a quick lab to see how NSG service tags actually work.
Not A, B here. Service tag for Microsoft.Storage applies to all storage accounts in the region, so you can't restrict VM1 just to storage1 with an NSG this way. You'll need more specific controls. Let me know if anyone got it working differently.
Official docs and practice tests cover scenarios like this. B
B The NSG service tag hits all storage in the region, not just one account.
B tbh. Saw a similar question on a practice test and official docs back this up. The NSG service tag is too broad, so not enough for only storage1. Recommend checking the official exam guide for networking scenarios.
Not quite, it's B. Using the Microsoft.Storage service tag in an NSG will allow VM1 access to all storage accounts in that region, not just storage1. This question tries to trip you up there. Pretty sure you'd need storage account firewall restrictions as well to hit the goal. Anyone disagree?
It's B. The Microsoft.Storage tag is a trap; it lets through all storage accounts, not just storage1.
B here. NSG with the Microsoft.Storage tag lets VM1 reach all storage accounts, not just storage1. To lock it down to one, you'd need storage firewall rules too. Anyone see a way around that?
B tbh, NSG with Microsoft.Storage tag isn't enough for just one storage account.
That's a common catch on these. Service tag for Microsoft.Storage isn’t granular, so it can't just limit to storage1. Pretty sure B fits unless the NSG had IPs or storage1 firewall rules in place. Disagree?