Exam AZ-400 topic 4 question 47 discussion

Actual exam question from Microsoft's AZ-400
Question #: 47
Topic #: 4

SIMULATION -
You need to prepare a network security group (NSG) named az400-123456789-nsg1 to host an Azure DevOps pipeline agent. The solution must allow only the required outbound port for Azure DevOps and deny all other inbound and outbound access to the Internet.
To complete this task, sign in to the Microsoft Azure portal.

Suggested Answer: See explanation below.
1. Open Microsoft Azure Portal and Log into your Azure account.
2. Select network security group (NSG) named az400-123456789-nsg1
3. Select Settings, Outbound security rules, and click Add
4. Click Advanced

5. Change the following settings:
✑ Destination Port range: 8080
✑ Protocol: TCP
✑ Action: Allow
Note: By default, Azure DevOps Server uses TCP Port 8080.
Reference:
https://robertsmit.wordpress.com/2017/09/11/step-by-step-azure-network-security-groups-nsg-security-center-azure-nsg-network/
https://docs.microsoft.com/en-us/azure/devops/server/architecture/required-ports?view=azure-devops

Comments

Root_Access
Highly Voted 5 years ago
The goal is installing an agent on your cloud VM (could be on prem as well), you need to open only and only port 443 outbound. People are mistaken because they think the goal is deploying an Azure DevOps Server. Here is what Azure DevOps Server is: Developers can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server. Azure DevOps Server was formerly named Visual Studio Team Foundation Server (TFS). https://docs.microsoft.com/en-us/azure/devops/user-guide/what-is-azure-devops?toc=%2Fazure%2Fdevops%2Fserver%2Ftoc.json&bc=%2Fazure%2Fdevops%2Fserver%2Fbreadcrumb%2Ftoc.json&view=azure-devops
upvoted 16 times
Hgreg
1 year, 5 months ago
Exactly. Only 443 outbound is needed. Current documentation (as of December 2023): https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=yaml%2Cbrowser#communication-with-azure-pipelines
upvoted 2 times
...
...
zellck
Highly Voted 1 year, 12 months ago
Gotten this in Jun 2023 exam.
upvoted 9 times
yana_b
1 year, 9 months ago
May you please specify the steps which you used for this lab? Thank you!
upvoted 1 times
...
...
Gooldmember
Most Recent 7 months, 1 week ago
Should be port 443 outbound; this seems to be an old question. Azure DevOps Server uses default port 8080, but Pipeline Agents are today, at least for the Azure DevOps Services, using port 443.
upvoted 1 times
...
chakanirban
11 months, 3 weeks ago
NO LAB on 6/21 - 9 am IST - 1 Case study , 6 new Q 1 YES NO series was new - 3 Q - I answered all No , because 2 will No and 1 Y JOB A depends JOB B JOB B on JOB C JOB C on JOB D who is dependent , who can run parallel 3 yes/ no
upvoted 2 times
...
son_el
1 year, 1 month ago
how many marks is this thing?
upvoted 1 times
...
yana_b
1 year, 9 months ago
The default Inbound NSG rule denies all Internet traffic, while the outbound rule allows it under Rule "AllowInternetOutBound" with priority 65001. Note that this rule refers to 'any' with regard to port, protocol and source, while it sets Internet as the destination => we have to create a 2nd outbound rule that denies all traffic for service tag=Internet and set its priority to be lower than the rule allowing port 443.
upvoted 4 times
...
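The default-rule behaviour discussed in this thread, as an added example (not part of any comment and not Microsoft's code): a simplified Python model of NSG rule evaluation that shows what each candidate rule set leaves reachable. The custom rule names and priorities are constructed, and matching is reduced to direction, remote service tag, port and protocol.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    name: str
    direction: str  # "Inbound" or "Outbound"
    peer: str       # remote side: a service tag such as "Internet", or "*"
    port: str       # destination port, or "*"
    protocol: str   # "Tcp", "Udp" or "*"
    access: str     # "Allow" or "Deny"

# Default rules present in every NSG; they cannot be deleted, only overridden.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Inbound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Inbound", "*", "*", "*", "Deny"),
    Rule(65000, "AllowVnetOutBound", "Outbound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Outbound", "Internet", "*", "*", "Allow"),
    Rule(65500, "DenyAllOutBound", "Outbound", "*", "*", "*", "Deny"),
]

def evaluate(custom_rules, direction, peer, port, protocol="Tcp"):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(DEFAULT_RULES + list(custom_rules), key=lambda r: r.priority):
        if (rule.direction == direction
                and rule.peer in ("*", peer)
                and rule.port in ("*", str(port))
                and rule.protocol in ("*", protocol)):
            return rule.access, rule.name
    return "Deny", "no-match"

# Constructed custom rules; only the ordering between them matters here.
ALLOW_443 = Rule(100, "Allow-AzDO-443", "Outbound", "Internet", "443", "Tcp", "Allow")
DENY_AFTER = Rule(110, "Deny-Internet-Out", "Outbound", "Internet", "*", "*", "Deny")
DENY_BEFORE = Rule(90, "Deny-Internet-Out", "Outbound", "Internet", "*", "*", "Deny")

def outbound_report(custom_rules, ports=(443, 80, 8080)):
    """Map each outbound Internet port to the decision the NSG would make."""
    return {p: evaluate(custom_rules, "Outbound", "Internet", p)[0] for p in ports}

if __name__ == "__main__":
    for label, rules in [("allow 443 only", [ALLOW_443]),
                         ("allow 443 at 100, deny at 110", [ALLOW_443, DENY_AFTER]),
                         ("deny at 90, allow 443 at 100", [DENY_BEFORE, ALLOW_443])]:
        print(label, outbound_report(rules))
    print("inbound from Internet:", evaluate([], "Inbound", "Internet", 3389))
```

Adding only the 443 allow rule leaves every other outbound port open through AllowInternetOutBound; the deny rule has to carry a larger priority number than the allow rule, otherwise it blocks 443 as well.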
Sukon_Desknot
1 year, 10 months ago
Create a new network security group (NSG) named az400-123456789-nsg1 if it doesn't already exist.
Configure outbound security rules for the NSG as follows:
Name: Allow-Outbound
Priority: 100 (or any number lower than 65000)
Source: Any
Source Port Range: *
Destination: Any
Destination Port Range: 443
Protocol: TCP
Action: Allow
Configure inbound security rules to deny all inbound traffic:
Name: Deny-Inbound
Priority: 65000 (highest priority)
Source: Any
Source Port Range: *
Destination: Any
Destination Port Range: *
Protocol: *
Action: Deny
upvoted 5 times
SilentH
9 months, 1 week ago
Correct & complete answer. Thank you.
upvoted 2 times
...
xRiot007
1 year, 9 months ago
FYI - rule priority is the lower the number, the higher the priority, not the other way around. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#:~:text=characters%20or%20%27.%27%2C%20%27%2D%27%2C%20%27_%27.-,Priority,-A%20number%20between
upvoted 1 times
...
...
chingdm
2 years, 5 months ago
should only open port 443 by default denies other ports, since it is for azure devops agent and not tfs. "Required options --unattended - agent setup will not prompt for information, and all settings must be provided on the command line --url <url> - URL of the server. For example: https://dev.azure.com/myorganization or http://my-azure-devops-server:8080/tfs" https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops
upvoted 2 times
...
meoukg
2 years, 7 months ago
I saw this question in my exam lab yesterday and I created an outbound rule allow port 443
upvoted 7 times
...
eufdf12342
3 years, 5 months ago
Port 443! https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser
upvoted 3 times
rdemontis
3 years, 2 months ago
thanks for sharing the document
upvoted 1 times
...
...
poplovic
3 years, 8 months ago
should be port 443 based on https://docs.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops&tabs=IP-V4 We recommend you open port 443 to all traffic on these IP addresses and domains. We also recommend you open port 22 to a smaller subset of targeted IP addresses.
upvoted 1 times
...
anchore
3 years, 8 months ago
https://docs.microsoft.com/en-us/azure/devops/server/architecture/required-ports?view=azure-devops-2020 Port 8080 would be the answer
upvoted 2 times
Pamban
2 years ago
This is the AzureDevOps server
upvoted 1 times
...
...
rg54
3 years, 10 months ago
I partly agree with Root_Access on one point: The question clearly talks about installing an AzDO agent on a cloud VM (could be on prem as well), so the needed port to connect to AzDO is 443 outbound BUT "The solution must allow ONLY THE REQUIRED outbound port for Azure DevOps and DENY ALL OTHER inbound and outbound access to the Internet." Moreover, default rules on NSG allow outbound traffic to Internet, and this rule cannot be deleted, only overridden: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules -> you also have to create an outbound rule to 443, and another one with smaller priority number to deny all outbound traffic
upvoted 3 times
armvch
2 years, 7 months ago
Default rules DENY all inbound/outbound traffic, not allow. Please carefully read the description
upvoted 1 times
...
...
gulopez
4 years, 5 months ago
The question mentions "The solution must allow only the required outbound port for Azure DevOps". So it should be port 443. If instead it said Azure DevOps Server (former TFS), then port 8080 would be the answer.
upvoted 3 times
...
gulopez
4 years, 5 months ago
According to this documentation https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops the agent url uses port 8080 http://my-azure-devops-server:8080/tfs
upvoted 1 times
...
ttm_19
4 years, 11 months ago
The port is 443 - tested!
upvoted 4 times
...
yemma
4 years, 12 months ago
I think the only port needed for the Azure DevOps agent is 443 (Tested). But we've been asked to deny everything else; once this is done we have to open the RDP or SSH port to connect in order to install the agent. So for me:
Inbound:
100 RDP/SSH 3389/22 Allow
110 0.0.0.0/0 * Deny
Outbound:
100 * 443 Allow
110 0.0.0.0/0 * Deny
upvoted 7 times
armvch
2 years, 7 months ago
there is a default rule for Deny All inbound traffic, no need to add additional rules for it
upvoted 6 times
...
rdemontis
3 years, 2 months ago
exactly, but the requirement asks only to deny all internet outbound. I think there is no need for the lab to modify inbound rules even if you are right.
upvoted 5 times
...
...