ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 5 question 132 discussion

Actual exam question from Microsoft's AZ-104
Question #: 132
Topic #: 5
[All AZ-104 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.



You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.

Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by RandomNickname at June 23, 2023, 3:44 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
yettie79
Highly Voted 2 years, 1 month ago
Answer is 'NO' B, there is rule in place to allow 131.107.100.50 over TCP port 443 with higher priority of 100. Adding a new rule of priority of 150 will not made any difference.
upvoted 49 times
op22233
1 year, 3 months ago
Many thanks for this comment, the VM is off. I agree there is a rule in place adding a new rule of priority of 150 makes no difference except the VM is powered on
upvoted 4 times
...
SDiwan
1 year, 6 months ago
The existing rule with priority 100 has source ip of the client (131.107.100.50). But the app1 is behind a LB, so the source ip should be of the LB and not the client. So adding, 150 priority will overrule the rule with 200 priority which is curently blocking the requests from LB to App1
upvoted 10 times
...
profesorklaus
1 year, 11 months ago
The rule is added to VM2 which hosts App2
upvoted 1 times
...
...
RandomNickname
Highly Voted 2 years, 1 month ago
Selected Answer: A
Presuming it's the health probe on 443 which is at fault and is required to ensure LB is processing as intended, the given answer is correct. https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview "Azure Load Balancer rules require a health probe to detect the endpoint status. The configuration of the health probe and probe responses determines which backend pool instances receive new connections. Use health probes to detect the failure of an application. Generate a custom response to a health probe. Use the health probe for flow control to manage load or planned downtime. When a health probe fails, the load balancer stops sending new connections to the respective unhealthy instance. Outbound connectivity isn't affected, only inbound."
upvoted 23 times
...
MasterMans
Most Recent 1 month ago
Selected Answer: B
traffic 443 from vm2 needs explicit allow in the NSG
upvoted 1 times
...
Manu1986
1 month, 3 weeks ago
Selected Answer: A
The proposed solution does address the problem. By inserting a specific Allow rule for the AzureLoadBalancer source at a priority (150) that is lower (processed sooner) than the general BlockAllOther443 rule (Priority 200), it ensures that traffic forwarded by the Load Balancer on port 443 is allowed before it gets hit by the deny rule.
upvoted 1 times
...
sysadazure
2 months ago
Selected Answer: B
B. No -There's an explicit Deny rule with priority 100 for traffic from 131.107.100.50 on TCP port 443.
upvoted 1 times
...
generalkamo
2 months, 1 week ago
Selected Answer: B
There is already a rule that allows the traffic with higher priority. Adding another allow rule with a lower priority won't make any difference.
upvoted 1 times
...
marek_jazz
3 months ago
Selected Answer: B
This got me as well... NO There is already a rule with AzureLoadBalancer traffic tag: 65001. Allow everything inbound for traffic tagged as AzureLoadBalancer - which includes health probe traffic. AzureLoadBalancer taffic is not included in 'Any'. The same applied for 'VirtualNetwork' tagged traffic. Confirmed: Health probes are OK So...adding the same allow rule for AzureLoadBalancer with priority 150 will not change anything.
upvoted 1 times
...
70ec7c1
3 months, 1 week ago
Selected Answer: B
This same question comes in many flavors. Regardless, in most of the variations, there is an already existing rule that should allow the necessary traffic. It is a trick question. The VM is powered off.
upvoted 1 times
...
Elsayed2030
7 months, 3 weeks ago
Selected Answer: B
The VM is switched off (Check the: Attach network interface on top of the pic)
upvoted 2 times
...
Calefare
8 months, 1 week ago
Selected Answer: B
yettie: Answer is 'NO' B, there is rule in place to allow 131.107.100.50 over TCP port 443 with higher priority of 100. Adding a new rule of priority of 150 will not made any difference.
upvoted 1 times
...
KR_Bala
8 months, 1 week ago
Selected Answer: B
the solution suggested is already there as a rule with priority 100 and adding the same rule lower priority (150) wont make difference. So answer is B - The solution doesnt meets the goal.
upvoted 2 times
...
d6f865d
8 months, 3 weeks ago
Selected Answer: B
443 doesn't matter as it can use rule 65001 and port 80 for its health probe. Since 80 is open and it still doesn't work I am assuming that the reason for the failure is the NIC is not attached.
upvoted 2 times
...
Neftali
9 months ago
Selected Answer: A
A. Yes Creating an inbound security rule that allows any traffic from the Azure Load Balancer source with a priority of 150 will enable the connections to App1 from the Load Balancer, which is necessary for routing traffic to VM2. Since the Load Balancer forwards traffic to the VMs, this rule will help ensure that connections over TCP port 443 from the specified IP address can be established successfully.
upvoted 1 times
...
755aa96
9 months, 3 weeks ago
Selected Answer: B
There is already a rule in place to allow 131.107.100.50 over TCP port 443 with higher priority of 100
upvoted 1 times
...
Dankho
10 months ago
Selected Answer: B
the source is not the Load Balancer, the source is 131.107.100.50
upvoted 1 times
...
Dankho
10 months ago
One rule needs to go from the source or 131.107.100.50 to the front-end IP of the Load Balancer, it cannot stop at the VNET.
upvoted 1 times
...
Dankho
10 months ago
Selected Answer: A
The traffic gets the VNet no problem because the destination is VirtualNetwork, but it needs to get to the VMs behind the load balancer and it gets denied by the 200 rule. By placing a 150 priority rule just before that 200 rule that says it will accept any destination from from the load balancer effectively says when you hit the load balancer you can go anywhere which is the application hosted on the VMs.
upvoted 1 times
Dankho
10 months ago
I take it back, I think it's B. Adding a rule with a priority of 150 that allows traffic from the AzureLoadBalancer won't resolve the issue, because the traffic is not originating from the Load Balancer—it’s coming from the external IP 131.107.100.50.
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel