Practice Test

True or False: In Azure, you can restrict network access to your storage account by using a service endpoint.

  • True
  • False

Answer: True

Explanation: Service endpoints provide a secure way to set up network access to your storage accounts from a subnet within a virtual network.

What does Azure Storage firewall help to configure?

  • a) Offline storage
  • b) Network access
  • c) Password policies
  • d) Encryption settings

Answer: b) Network access

Explanation: The Azure Storage firewall helps you configure network access to your storage accounts.

Which of the following is not part of configuring network access to a storage account?

  • a) Enabling firewalls
  • b) Assigning roles
  • c) Setting up virtual networks
  • d) Enabling Azure Private Link

Answer: b) Assigning roles

Explanation: Assigning roles is not directly related to network access to a storage account. The configuration process typically involves setting up firewalls, virtual networks, and private links.

True or False: Azure Private Link provides a secure way to access Azure Storage over a private network.

  • True
  • False

Answer: True

Explanation: Azure Private Link allows you to access Azure Storage over a private network connection. It’s part of the service endpoint technology that simplifies the network configuration.

Can Azure Private Link for Azure Storage work with SMB and NFS protocols?

  • a) Yes
  • b) No

Answer: a) Yes

Explanation: Azure Private Link for Azure Storage supports both SMB (Server Message Block) and NFS (Network File System) protocols.

True or False: The default action when you turn on the firewall for the storage account is to deny all network traffic.

  • True
  • False

Answer: True

Explanation: When you turn on the firewall for the storage account, the default action is to deny all traffic. You then selectively grant access to approved sources.

Which of the following Azure networking services can be used to control access to Azure Storage?

  • a) Azure Private DNS
  • b) Azure ExpressRoute
  • c) Azure Firewall
  • d) All of the above

Answer: d) All of the above

Explanation: All of the services mentioned (Azure Private DNS, Azure ExpressRoute and Azure Firewall) play a crucial role in managing and controlling access to Azure Storage.

True or False: Azure Storage Service Endpoints do not protect data in transit from an on-premises location to Azure.

  • True
  • False

Answer: True

Explanation: Service endpoints only secure data inside the Azure network ecosystem. They do not provide security for data in transit from an on-premises location to Azure.

Configuring network access to Azure Storage requires which of the following?

  • a) Azure Active Directory
  • b) SSL/TLS
  • c) Service Endpoint
  • d) All of the above

Answer: d) All of the above

Explanation: Azure Active Directory is used for user authentication, SSL/TLS for encryption, and service endpoints for secure and direct network connectivity.

Which property can you use to allow access to your Azure Storage account from a specified public IP range?

  • a) Trusted Azure services
  • b) Network rules
  • c) Firewalls and virtual networks
  • d) Private endpoint

Answer: c) Firewalls and virtual networks

Explanation: You use the “Firewalls and virtual networks” property to specify the ranges of public IP addresses that are allowed to access your storage account.

Interview Questions

What is the role of Azure Active Directory (AAD) in configuring Network Access to Storage Accounts?

Azure Active Directory (AAD) provides secure access to storage accounts through role-based access control (RBAC). This allows administrators to assign specific permissions to users, groups, and applications at a granular level.

What is the purpose of Network Security Groups (NSGs) for storage accounts in Microsoft Azure?

NSGs provide a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks. These rules can help protect data in Azure Storage Accounts from unauthorized access.

What is a Virtual Network Service Endpoint in Azure?

Service Endpoints in Azure provide secure and direct network connectivity to Azure services over Microsoft’s backbone network. They allow the virtual network resources to directly communicate with the storage accounts.

Is it possible to restrict public access to all networks for a Storage account?

Yes. In the Azure portal, set the ‘Allow access from’ option on the ‘Networking’ tab under the storage account’s settings to ‘Selected networks’ and leave the ‘Address Range’ box empty. This will prevent all public network access to the storage account.

What is the use of Azure Private Link for Storage Accounts?

Azure Private Link allows secure access over a private network connection between Azure services and clients on your network, hence providing very secure access to Storage Accounts.

Can you modify the default network access rule for a storage account?

Yes, the default allow rules for a storage account can be modified.

What is a SAS token in the context of Azure Storage Accounts?

A Shared Access Signature (SAS) token is a string of encrypted text that grants users specific permissions to Azure Storage resources. It provides secure delegated access without needing to expose your access key.

What function does Azure Role-Based Access Control (RBAC) play in relation to Storage Accounts?

Azure RBAC plays a crucial role in determining who can access specific resources, what they can do with these resources, and what areas they have access to.

Does disabling public traffic prevent all network traffic to my storage account?

No, disabling public traffic does not prevent all network traffic. Traffic is still allowed from a virtual network if a virtual network service endpoint is configured, and data transfer still takes place between Azure resources.

How can I allow traffic from a specific IP address range to my Azure storage account?

Under the networking settings of the storage account, you can set the ‘Allow access from’ option to ‘Selected networks’ and then add the specific IP ranges in the ‘Add your address ranges’ box.

Can Private Link be used to connect my on-premises resources to my Azure storage account?

Yes, by utilizing Azure ExpressRoute or VPN, on-premises resources can securely connect to Azure storage accounts over Private Link.

What does the ‘Allow trusted Microsoft services’ option do?

The ‘Allow trusted Microsoft services’ option permits Azure services to bypass IP and Virtual Network ACLs. This is useful for implementing a storage account as a part of a bigger Azure solution.

What are Service SAS and Account SAS in Azure?

Service SAS delegates access to a resource in just one of the Storage services: Blob, Queue, Table, or File. Account SAS delegates access to resources in one or more of the storage services. You have more flexibility and control over how you manage access with Account SAS.

What is the use of the ‘Firewalls and virtual networks’ settings in Azure Storage Accounts?

The ‘Firewalls and Virtual Networks’ settings in Azure Storage Accounts control network access to the storage account. They let you create rules that allow traffic only from specific IP addresses or ranges and certain virtual networks.

Can I give a user read-only access to a Blob in my storage account?

Yes, by granting the Blob Data Reader (Preview) role to the user, you can give them read-only access to Blob data in your Azure Storage accounts.
