1. An administrator manages an Azure Files share mounted on several Azure VMs. The VMs are in a virtual network, and the storage account firewall is configured to allow only that virtual network. Users on the VMs report they can access the share, but on-premises users connecting over a Site-to-Site VPN cannot. What is the MOST likely cause?
- A. The storage account does not have 'Allow trusted Microsoft services' enabled.
- B. The on-premises network is not added as an allowed IP address range or virtual network in the storage account firewall settings.✓ Correct
- C. Azure Files does not support access over Site-to-Site VPN connections.
- D. The Azure Files share requires SMB 3.0 and the on-premises clients are using SMB 2.1.
Explanation
The storage account firewall is configured to allow only the specific Azure virtual network. On-premises clients connecting via Site-to-Site VPN traverse the VPN gateway and arrive at the storage service from the on-premises IP range, which is not in the allowed list. Adding the on-premises IP range (or the gateway subnet if using a private endpoint) to the firewall rules resolves the issue. 'Allow trusted Microsoft services' enables Azure platform services (like Azure Backup) to bypass the firewall — it does not help on-premises clients. Azure Files does support access over Site-to-Site VPN; this is a supported and common connectivity pattern. SMB version mismatch could prevent mounting, but the scenario states on-premises users cannot access the share at all, which points to a network/firewall issue rather than an SMB protocol negotiation failure.