Exam AZ-700 topic 4 question 54 discussion

Actual exam question from Microsoft's AZ-700
Question #: 54
Topic #: 4

You have an Azure subscription that contains a virtual machine named VM1 and a network security group (NSG) named NSG1. NSG1 has the default rules configured. VM1 runs Windows Server 2022 and contains a single NIC named NIC1. NIC1 is associated with NSG1.

You need to prevent access to the Azure Instance Metadata Service (IMDS) REST API on VM1. The solution must minimize administrative effort.

What should you add to NSG1?

  • A. an outbound rule that blocks traffic to an IP address.
  • B. an inbound rule that blocks traffic to an IP address.
  • C. an inbound and outbound rule that blocks traffic to an application security group.
  • D. an outbound rule that blocks traffic to a service tag.
Suggested Answer: D

Comments

tc0369
1 month, 1 week ago
Selected Answer: A
I would go with A. Service tag is used for a group of IPs for the same service, e.g., Azure Storage, etc. Traffic to IMDS won't leave the VM, and with the fixed IP as 169.254.169.254.
upvoted 2 times
manhattan
3 months, 2 weeks ago
Selected Answer: D
It should be D, but I'm not 100% sure you can block traffic with an outbound rule - service tag to this service "azureplatformIMDS", but this article shows a specific IP that IMDS service runs queries. IMDS is a REST API that's available at a well-known, non-routable IP address (169.254.169.254): https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows So theoretically you can block the IP too.
upvoted 1 times
xRiot007
3 weeks ago
If there is only 1 IP to block, I would choose the outbound rule with an IP - it's the same administrative effort as choosing a service tag, because you still create and manage 1 rule, but it's less risk because it's more explicit.
upvoted 1 times
NK203
4 months, 3 weeks ago
Selected Answer: D
Default rule already blocks all the inbound traffic.
upvoted 2 times
xRiot007
3 weeks ago
This is outbound traffic.
upvoted 1 times
maciek8131
5 months ago
Selected Answer: D
Correct
upvoted 2 times
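
The rule discussed in this thread and a way to check its effect, as an added example that is not part of the original question or any comment: part 1 adds an outbound deny rule to NSG1 using the service tag from the suggested answer, and part 2 probes the IMDS address from inside VM1. The resource group name `RG1`, the rule name, the priority and the `Test-ImdsReachable` function are assumptions made for illustration.

```powershell
# --- Part 1: run from an admin workstation with the Az.Network module ---
# Assumed values: resource group 'RG1', rule name 'Deny-IMDS-Outbound', priority 100.
$rg  = 'RG1'
$nsg = Get-AzNetworkSecurityGroup -Name 'NSG1' -ResourceGroupName $rg

# Outbound deny rule whose destination is the AzurePlatformIMDS service tag.
$nsg | Add-AzNetworkSecurityRuleConfig `
        -Name 'Deny-IMDS-Outbound' `
        -Description 'Block VM access to the Instance Metadata Service' `
        -Access Deny `
        -Direction Outbound `
        -Priority 100 `
        -Protocol '*' `
        -SourceAddressPrefix '*' `
        -SourcePortRange '*' `
        -DestinationAddressPrefix 'AzurePlatformIMDS' `
        -DestinationPortRange '*' |
    Set-AzNetworkSecurityGroup | Out-Null

# --- Part 2: run inside VM1 to confirm the effect ---
function Test-ImdsReachable {
    param([int]$TimeoutSec = 5)

    # IMDS address quoted in the thread; the Metadata header is required by the API.
    $uri = 'http://169.254.169.254/metadata/instance?api-version=2021-02-01'
    try {
        $null = Invoke-RestMethod -Uri $uri -Method Get `
                    -Headers @{ Metadata = 'true' } -TimeoutSec $TimeoutSec
        return $true
    }
    catch {
        # A timeout or connection error lands here; -Verbose shows the reason.
        Write-Verbose $_.Exception.Message
        return $false
    }
}

if (Test-ImdsReachable) {
    Write-Warning 'IMDS still answers from this VM.'
}
else {
    Write-Output 'IMDS request failed or timed out.'
}
```

Run the probe before and after applying the rule; a failure on both runs points to something other than the NSG, such as a web proxy configured on the VM.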
Community vote distribution
A (35%)
C (25%)
B (20%)
Other