Exam AZ-103 topic 4 question 37 discussion

Actual exam question from Microsoft's AZ-103
Question #: 37
Topic #: 4

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

Each virtual machine uses a static IP address.
You need to create network security groups (NSGs) to meet the following requirements:
✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
✑ Allow all connections between VM1 and VM2.
✑ Allow Remote Desktop connections to VM1.
✑ Prevent all other network traffic to VNET1.

What is the minimum number of NSGs you should create?

  • A. 1
  • B. 3
  • C. 4
  • D. 12
Suggested Answer: C
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet).
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Each network security group also contains default security rules.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

Comments

Myfeltf65
Highly Voted 5 years, 2 months ago
Answer is A. 1. Only 1 NSG is needed. On an NSG you can provide a comma-separated list of IP addresses or ranges. By default all computers within a VNET can talk with each other. There is no connectivity between VNets by default.
upvoted 37 times
praveen97
4 years, 11 months ago
Agree. We need one NSG and multiple rules for each subnet.
upvoted 3 times
...
...
varo82
Highly Voted 5 years, 1 month ago
I tried in the Azure portal; I can associate an NSG to multiple subnets, so I think that should be 1.
upvoted 16 times
...
Ahkhan
Most Recent 1 year, 7 months ago
The answer is 1. You can associate an NSG to multiple subnets.
upvoted 1 times
...
datts
4 years ago
Very controversial. In my opinion, it can be achieved with 1 subnet but is not good practice in the real world. Reason: Say you build VM7 later and put it in Subnet 2 or 3. That means you need to remember to edit the NSG rule each time you add a VM. Can get quite messy if you are a big organization. Now if you had an NSG for each subnet, you can define that all the VMs that get created in this subnet get the rule applied. No need to go back to update the NSG rule. So how many NSGs should you create? I would think 3 even though you can do it with one.
upvoted 2 times
JayBee65
4 years ago
It asks for the minimum number, which you say is 1. So why answer 3???
upvoted 2 times
...
...
Seema_exam
4 years, 2 months ago
How many you "Should" create. Not how many you "can". I guess everyone is arguing over the second one.
upvoted 1 times
...
PolitoMex
4 years, 3 months ago
This answer could be correct because it is part of a Case: Litware must meet the following technical requirements: Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances. Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office. Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office. I mean without the case for me the answer should be 3, but with this extra info maybe is 4
upvoted 2 times
...
Flex1981
4 years, 5 months ago
In exam 12/01/2021
upvoted 4 times
...
gargaditya
4 years, 5 months ago
1 NSG!
- Note that NSG can have multiple rules with specific IPs defined
- See when is clubbing possible
- default action is deny traffic
I. Allow web requests from the internet to VM3, VM4, VM5, and VM6.
NSG1:
- from * to VM3 Public IP // port 80 or 443 // protocol tcp // Action Allow // Direction Inbound
- from * to VM4 Public IP // same as above
- From * to VM5 Public IP // same as above
- From * to VM6 Public IP // same as above
Apply to Subnet 2 and Subnet3 VM3, VM4, VM5 and VM6 (reason for not choosing subnet 2 and 3 is due to point 4 below)
upvoted 2 times
gargaditya
4 years, 5 months ago
II. Connection within subnet1 allowed by default unless rules at VM level to block.
Now, RDP to VM1 should be allowed:
From * to VM1 public IP // port 3389 // protocol tcp // Action Allow // Direction Inbound
This can be clubbed under same NSG1 -> applied at Subnet1 (will also prevent web requests to these VMs in subnet by default) (if applied at VM1 level then we need more inbound/outbound rules to allow traffic inbound and outbound VM1 // also VM2 with no NSG would then accept web requests)
The above at subnet1 helps prevent any inbound to VM 1 or 2/outbound to VM3,4,5,6 (since subnet to subnet communication is allowed by default).
upvoted 2 times
gargaditya
4 years, 5 months ago
III. VNET level prevention done using firewall as NSG can only be applied at VM NIC or Subnet level.
IV. Further, if want to prevent any other VM to VM communication: default action is to block traffic and NSG applied at VM3/4/5/6 would not allow inbound or outbound connections amongst them.
So 1 NSG does it, surprisingly even I said 3 as the answer before penning it down!!
upvoted 1 times
...
...
...
NickyDee
4 years, 5 months ago
All these VMs are in the same VNet, and have static IP addresses. It is plausible to me that ONE NSG can be used in this situation. You can add all three subnets to the NSG and add rules for each VM destination needed.
upvoted 2 times
...
abu3lia
4 years, 5 months ago
The answer is correct 100%. Reason: The last request which "Prevent all other network traffic to VNET1" means you need the default NSG on the 3 Subnets (3xNSGs). Since VM3, 4, 5 and 6 share the same requirements, you can edit the Subnet NSG (and this meets the 1st requirement). For the second requirement: No need to change the default subnet NSG as communication between VMs in the same subnet is allowed by the default rules (1x NSG required for VM2) and you apply it on the NIC to meet the next requirement. For the 3rd one: You need a separate NSG and apply it to the NIC and allow RDP traffic through it. (1xNSG). Total = 4
upvoted 2 times
abu3lia
4 years, 5 months ago
Correcting the typos: The answer is correct 100%. Reason: The last request which "Prevent all other network traffic to VNET1" means you need the default NSG rules, but will create 2 NSGs for Subnet2 and 3 (will explain why later) this = 2xNSGs.
- Since VM3, 4, 5 and 6 share the same requirements, you can edit the Subnet NSG and attach it to the VMs' NICs (and this meets the 1st requirement).
- For the second requirement: No need to change the default NSG rule as communication between VMs in the same subnet is allowed by the default rules (1x NSG required for VM2) and you apply it on the NIC to avoid conflict with the next requirement.
- For the 3rd requirement: You need a separate NSG and apply it to the NIC of VM1 which will have RDP traffic allowed through it. (1xNSG).
Total = 4
upvoted 1 times
JayBee65
4 years ago
Why do you need a separate NSG for 3rd requirement? Even if you did that would only make 2 NSGs!
upvoted 1 times
...
...
...
NickyDee
4 years, 5 months ago
You can associate a single NSG to all three subnets and create rules in the NSG to meet the VM requirements. The fact that the VMs all use static IPs is the key. The answer is A - 1 NSG
upvoted 2 times
...
simanastasiya
4 years, 6 months ago
in exam az-104 29nov 2020
upvoted 4 times
...
X_L
4 years, 9 months ago
The actual answer would be 2 (not in the list):
- 1 NSG assigned to Subnet 2 & 3 (or the 4 NICs of VM3~6), which allows web requests
- 1 NSG assigned to Subnet 1 or the NIC of VM1, which allows RDP
upvoted 1 times
pratikshasm6
4 years, 5 months ago
I also think similar
upvoted 1 times
...
sidharthwader
4 years, 1 month ago
I think outbound rule by default we can connect to internet, only RDP needs to be done for VM1. Also VMs in same VNet can talk to each other
upvoted 1 times
...
...
bishtr3
4 years, 9 months ago
It should be 1 only as IP is static
Rule 1 Allow Port(80/443) protocol(any or TCP) source(any) destination(subnet 2 and subnet 3 CIDR)
Rule 2 Allow Port(any) protocol(any) source(VirtualNetwork) destination(VirtualNetwork)
Rule 3 Allow Port(3389) protocol(TCP) source(any) destination(VM1 IP)
upvoted 3 times
...
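The three rules in the comment above, evaluated the way an NSG processes inbound traffic (lowest priority number first, first match wins, then the built-in defaults), as an added example that is not part of the original thread. The addresses, subnet CIDRs and VM placement are constructed, because the question's subnet table is missing from this page, and the `VirtualNetwork` tag is simplified to the VNet's own address space.

```python
import ipaddress

# Constructed addressing (assumption: the question's subnet table is not on the page).
VNET = ipaddress.ip_network("10.0.0.0/16")
SUBNET2 = ipaddress.ip_network("10.0.2.0/24")
SUBNET3 = ipaddress.ip_network("10.0.3.0/24")
VM = {"VM1": "10.0.1.4", "VM2": "10.0.1.5", "VM3": "10.0.2.4", "VM5": "10.0.3.4"}
INTERNET = "203.0.113.10"  # documentation-range address standing in for an internet client

# One NSG, associated with all three subnets.
# Fields: priority, name, protocol, source, destination networks, ports, action.
# None means "any". Rule 2 from the comment duplicates the default AllowVnetInBound.
RULES = [
    (100, "AllowWeb", "TCP", "*", [SUBNET2, SUBNET3], {80, 443}, "Allow"),
    (110, "AllowRdpVm1", "TCP", "*", [ipaddress.ip_network(VM["VM1"])], {3389}, "Allow"),
    # Built-in inbound defaults (AllowAzureLoadBalancerInBound, 65001, omitted).
    (65000, "AllowVnetInBound", "*", "VirtualNetwork", [VNET], None, "Allow"),
    (65500, "DenyAllInBound", "*", "*", None, None, "Deny"),
]


def evaluate(src, dst, proto, port, rules=RULES):
    """Return (action, rule name) for an inbound flow: first match by priority wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, name, r_proto, r_src, r_dsts, r_ports, action in sorted(rules, key=lambda r: r[0]):
        if r_proto not in ("*", proto):
            continue
        if r_src == "VirtualNetwork" and src_ip not in VNET:
            continue
        if r_dsts is not None and not any(dst_ip in net for net in r_dsts):
            continue
        if r_ports is not None and port not in r_ports:
            continue
        return action, name
    return "Deny", "NoMatch"


if __name__ == "__main__":
    flows = [
        (INTERNET, VM["VM3"], "TCP", 443),   # web request from the internet
        (INTERNET, VM["VM1"], "TCP", 3389),  # RDP to VM1
        (INTERNET, VM["VM2"], "TCP", 3389),  # RDP to VM2: no custom rule
        (VM["VM2"], VM["VM1"], "UDP", 53),   # VM2 to VM1 inside the VNet
        (VM["VM3"], VM["VM1"], "TCP", 22),   # cross-subnet traffic inside the VNet
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```

The last flow shows that the default `AllowVnetInBound` rule also admits traffic from the web subnets to VM1 and VM2, so any east-west restriction needs an explicit deny rule with a priority number below 65000.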
airairo
4 years, 9 months ago
NO PIC!!! Plz report.
upvoted 1 times
...
AustinY
4 years, 10 months ago
The question says the minimum but not different. Yes, you can use the same NSG with different rules but this would make them different. I'd associate the same NSG to 2 Subnets with similar requirements, 1 for VM1 and 1 for the VNET. The VMs on the same subnet can communicate. This makes total of 3.
upvoted 1 times
hstorm
4 years, 9 months ago
Sounds like a great idea, but not possible to attach NSG to VNet. Also you cannot have more restrictive rules on the subnet than on the NIC, so disallowing RDP on the subnet, and allowing RDP on the NIC will not work.
upvoted 1 times
...
...
Shades
4 years, 10 months ago
Came in exam 1st Aug 2020
upvoted 5 times
Constyle
4 years, 10 months ago
Did you have any lab in the exam? And how was the exam? I am preparing to write soon, thanks
upvoted 2 times
TheRaz
4 years, 10 months ago
no labs from what I can read online due to technical issues...
upvoted 3 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other