
Exam AZ-700 topic 3 question 48 discussion

Actual exam question from Microsoft's AZ-700
Question #: 48
Topic #: 3

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a subnet named Subnet1.

You deploy an instance of Azure Application Gateway v2 named AppGw1 to Subnet1. You create a network security group (NSG) named NSG1 and link NSG1 to Subnet1.

You need to ensure that AppGw1 will only load balance traffic that originates from VNet1. The solution must minimize the impact on the functionality of AppGw1.

What should you add to NSG1?

  • A. an outbound rule that has a priority of 4096 and blocks all internet traffic
  • B. an inbound rule that has a priority of 4096 and blocks all internet traffic
  • C. an inbound rule that has a priority of 100 and blocks all internet traffic
  • D. an outbound rule that has a priority of 100 and blocks all internet traffic

Suggested Answer: B
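The comments below argue about how NSG priority ordering changes the effect of a "block all internet traffic" rule. This Python model is an added example, not part of the exam question or of the ExamTopics page: it evaluates inbound rules the way an NSG does (lowest priority number first, first match decides, Azure's default rules at 65000+ after every custom rule) against a constructed topology. VNet1's address space, the probe source address, the simplified service-tag membership and the AllowProbeInBound rule are all assumptions of the example.

```python
from dataclasses import dataclass
import ipaddress

# Constructed topology (assumed): VNet1's address space and the health-probe source.
# Tag membership is a simplified model of Azure service tags, not their real prefix lists.
VNET1 = ipaddress.ip_network("10.0.0.0/16")
PROBE_SOURCE = ipaddress.ip_network("168.63.129.16/32")  # AzureLoadBalancer (assumed)

def matches_tag(src: str, tag: str) -> bool:
    ip = ipaddress.ip_address(src)
    if tag == "*":
        return True
    if tag == "VirtualNetwork":
        return ip in VNET1
    if tag == "AzureLoadBalancer":
        return ip in PROBE_SOURCE
    if tag == "Internet":
        # Modelled as "everything outside the VNet", which (as one comment notes)
        # also covers Azure-owned public space such as the probe source.
        return ip not in VNET1
    return ip in ipaddress.ip_network(tag, strict=False)

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str
    access: str  # "Allow" or "Deny"

# Azure's default inbound rules; custom rules (100-4096) are always evaluated first.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "Deny"),
)

def evaluate(custom: list[Rule], src: str) -> tuple[str, str]:
    """Lowest number wins: the first rule whose source matches decides and evaluation stops."""
    for rule in sorted(list(custom) + list(DEFAULT_INBOUND), key=lambda r: r.priority):
        if matches_tag(src, rule.source):
            return rule.access, rule.name
    return "Deny", "implicit"

def nsg1_rules(deny_internet_priority: int) -> list[Rule]:
    """NSG1 custom rules: a constructed probe allow plus the 'block all internet' rule
    at the priority under discussion (100 in answer C, 4096 in answer B)."""
    assert 100 <= deny_internet_priority <= 4096, "custom NSG priorities are 100-4096"
    return [
        Rule("AllowProbeInBound", 110, "AzureLoadBalancer", "Allow"),  # assumed rule
        Rule("DenyInternetInBound", deny_internet_priority, "Internet", "Deny"),
    ]

def compare(src: str) -> dict[int, tuple[str, str]]:
    """Decision for one source under both candidate priorities for the deny rule."""
    return {p: evaluate(nsg1_rules(p), src) for p in (100, 4096)}
```

Running `compare` on a VNet1 client, an internet client and the probe source shows that only the probe's fate depends on the deny rule's priority: at 100 the deny shadows the later allow, at 4096 the allow at 110 matches first.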

Comments

Lazylinux
Highly Voted 1 year, 7 months ago
Selected Answer: B
B is Honey. The given answer is correct, read more here https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq, the part => "How do I use Application Gateway V2 with only private frontend IP address?" Don't worry about the private; the principle remains the same for the public IP. Pay attention to the images of NSG rules. Also, as a handy note, remember this classic good firewall rule practice: general rules should be low priority, and specific rules should be high priority. The more general, the lower. The more specific, the higher. The most general rule we have in firewalls is "block everything we don't allow"; in other words, we are creating a white list of exceptions with the previously mentioned rules. So port 4096 is correct.
upvoted 12 times
stormtraining
6 months ago
"You need to ensure that AppGw1 will only load balance traffic that originates from VNet1"... So, what if there are rules with lower priority allowing inbound from the internet? You need to create it with a priority of 100... ANSWER is C.
upvoted 1 times
Velidot100
1 year, 7 months ago
Thank you for elaborating. At first, I thought priority number 100 was the correct answer. But your explanation makes sense.
upvoted 2 times
Bigfatdavey
Highly Voted 1 year, 8 months ago
Should be an inbound rule that has a priority of 100 and blocks all internet traffic.
upvoted 7 times
Lazylinux
1 year, 7 months ago
WRONG. If so, it will block legitimate traffic. Golden rule: use a low priority number for a specific custom rule and a high number like 4096 for a general custom rule, to avoid blocking legitimate traffic.
upvoted 2 times
xRiot007
4 weeks ago
You need to block ALL internet traffic. Answer is C.
upvoted 1 times
xRiot007
3 weeks, 5 days ago
Correction: we should block all internet traffic, but with lower priority. If the rule has the highest priority it will mess up other comms. As Lazy said above, the general block should have a lower priority, so you can create exceptions easily if needed.
upvoted 1 times
getafix
2 months, 3 weeks ago
You're WRONG.
upvoted 1 times
singhaj
1 year ago
They are not talking about any other legitimate traffic but blocking internet access, so it should be C: an inbound rule that has a priority of 100 and blocks all internet traffic.
upvoted 1 times
AlainChk
Most Recent 9 months, 2 weeks ago
Why should we create a rule to block internet traffic? Isn't this rule part of the NSG defaults?
upvoted 2 times
Webesciaki
1 year, 4 months ago
Selected Answer: B
Explanation IMHO is: 1) we need to allow the "GatewayManager" service tag, which is different per region but in general is a public IP range. Internet service tag: "The address range includes the Azure-owned public IP address space", so we would block GatewayManager if we left the block-Internet rule at 100.
upvoted 1 times
Webesciaki
1 year, 3 months ago
Actually that needs an update: "Network security groups associated to an Application Gateway subnet no longer require inbound rules for GatewayManager, and they don't require outbound access to the Internet. The only required rule is Allow inbound from AzureLoadBalancer to ensure health probes can reach the gateway." https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-private-deployment?tabs=portal#network-security-group-control
upvoted 1 times
Tyler
1 year, 8 months ago
4096 is right. If the rule has 100, then it blocks everything; even if you have an allow rule after it, that rule will not work.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other