Exam AZ-103 topic 4 question 43 discussion

Actual exam question from Microsoft's AZ-103
Question #: 43
Topic #: 4

SIMULATION -
Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.
When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
You may now click next to proceed to the lab.


You need to create a virtual network named VNET1008 that contains three subnets named subnet0, subnet1, and subnet2. The solution must meet the following requirements:
✑ Connections from any of the subnets to the Internet must be blocked.
✑ Connections from the Internet to any of the subnets must be blocked.
✑ The number of network security groups (NSGs) and NSG rules must be minimized.
What should you do from the Azure portal?

Suggested Answer: See solution below.
Step 1: Click Create a resource in the portal.
Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears. Click Virtual network when it appears in the search results.
Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then click Create.
Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create:
Name: VNET1008
Address space: 10.0.0.0/16
Subnet name: subnet0
Resource group: Create new
Subnet address range: 10.0.0.0/24
Subscription and location: Select your subscription and location.
Step 5: In the portal, you can create only one subnet when you create a virtual network. Click Subnets (in the SETTINGS section) on the Create virtual network (classic) pane that appears.
Click +Add on the VNET1008 - Subnets pane that appears.
Step 6: Enter subnet1 for Name on the Add subnet pane. Enter 10.0.1.0/24 for Address range. Click OK.
Step 7: Create the third subnet: Click +Add on the VNET1008 - Subnets pane that appears. Enter subnet2 for Name on the Add subnet pane. Enter 10.0.2.0/24 for Address range. Click OK.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-classic

Comments

samizdat
Highly Voted 5 years, 2 months ago
One NSG with one inbound SR and one Outbound SR https://www.petri.com/blocking-internet-access-azure-vms. Attach each subnet to this NSG
upvoted 12 times
Nikunj
5 years, 2 months ago
We don't need any inbound rule for NSG as DenyAll rule will be present by default. We need to add the outbound rule though.
upvoted 25 times
Omnipitus
4 years, 12 months ago
and associate the NSG to the subnets
upvoted 4 times
Shades
4 years, 11 months ago
This looks right because in Inbound we already have 'DenyAllInbound' but in Outbound we have 'AllowInternetoutbound' with a priority of 65001. We need to create a deny rule with low priority
upvoted 2 times
1337Troll
Highly Voted 5 years, 2 months ago
In the solution there is a NSG missing, which can be tied to the subnets, so one NSG is sufficient
upvoted 7 times
NickyDee
Most Recent 4 years, 5 months ago
OK, I ended up doing the following:
1. Create the vnet and the 3 subnets
2. Create One NSG and associate the 3 subnets in the Vnet created
3. Create one outbound rule as follows:
Priority: 1000
Name: Block Internet Access
Port: *
Protocol: Any
Source: Virtual Network
Destination: Service Tag - Internet
Action: Deny
Save
upvoted 4 times
NickyDee
4 years, 5 months ago
Create just the vnet and the 3 subnets. NO NSG is needed. Having no NSG will prevent internet traffic. Minimum number of NSGs here is ZERO.
upvoted 1 times
dkjwr
4 years, 7 months ago
Why do we need a NSG? The subnets are all private with 10.x.x.x IPs, which cannot be routed over the Internet anyway.
upvoted 1 times
nfett
5 years ago
Create an NSG with an outbound deny all which contains the range of the IP addresses if contiguous in one rule for any outbound access port. Inbound will be denied by default. In case the subnets provided are non-contiguous, then create individual outbound rules for them. Use only one NSG.
upvoted 2 times
FranklinAlagala
5 years ago
Create one NSG Rule each for Inbound and Outbound with the lowest priority and use Service Tags to identify the Internet.
upvoted 1 times
S458855
5 years ago
1 setup vnet with 3 subnets.
2 create NSG associate to 3 subnets
3 Inbound rule of NSG set below
-Priority 4000
-Source Internet
-Destination Virtual Network
-Action Deny
4 Outbound rule of NSG set below
-Priority 4000
-Source Virtual Network
-Destination Internet
-Action Deny
upvoted 6 times
NickyDee
4 years, 5 months ago
The default inbound rules allow for traffic only from another Vnet or a load balancer. The last default inbound rule is an explicit deny from any source, port, and protocol to any destination so that covers blocking internet inbound. You only need one outbound rule:
Create one outbound rule as follows:
Priority: 1000
Name: Block Internet Access
Port: *
Protocol: Any
Source: Virtual Network
Destination: Service Tag - Internet
Action: Deny
Save
Do you agree?
upvoted 1 times
klopper
5 years, 1 month ago
Can't we just delete the NSG so the DenyAll rule applies for inbound AND outbound traffic?
upvoted 1 times
gsbence
5 years, 1 month ago
If there is no NSG associated to a subnet or a nic at all, then you won't have any filtering.
upvoted 1 times
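Added example, not part of the original thread: a simplified Python model of NSG rule evaluation (service tags only, no ports or protocols) that runs the configurations proposed in these comments against Azure's default rules. The custom rule names `DenyInternetIn` and `DenyInternetOut` are hypothetical, and the "no NSG" case models NSG filtering only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    name: str
    source: str        # service tag, or "*" for any
    destination: str   # service tag, or "*" for any
    access: str        # "Allow" or "Deny"

# Default rules present in every NSG (ports and protocols omitted in this model).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVNetInBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInbound", "*", "*", "Deny"),
]
DEFAULT_OUTBOUND = [
    Rule(65000, "AllowVnetOutBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowInternetOutBound", "*", "Internet", "Allow"),
    Rule(65500, "DenyAllOutBound", "*", "*", "Deny"),
]

def evaluate(custom_rules, defaults, source, destination):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(list(custom_rules) + defaults, key=lambda r: r.priority):
        if rule.source in ("*", source) and rule.destination in ("*", destination):
            return rule.access, rule.name
    raise AssertionError("unreachable: the defaults end in a catch-all deny")

def verdicts(nsg):
    """Check both Internet flows from the question.

    nsg is None (no NSG on the subnet) or a dict of custom "inbound"/"outbound" rules.
    """
    if nsg is None:  # no NSG associated: no NSG filtering at all
        return {"internet_in": ("Allow", "no NSG"), "internet_out": ("Allow", "no NSG")}
    return {
        "internet_in": evaluate(nsg.get("inbound", []), DEFAULT_INBOUND, "Internet", "VirtualNetwork"),
        "internet_out": evaluate(nsg.get("outbound", []), DEFAULT_OUTBOUND, "VirtualNetwork", "Internet"),
    }

# Constructed configurations mirroring the comments in this thread.
EMPTY_NSG = {}  # NSG attached, default rules only
ONE_OUTBOUND_DENY = {"outbound": [Rule(1000, "Block Internet Access", "VirtualNetwork", "Internet", "Deny")]}
IN_AND_OUT_DENY = {  # rule names here are hypothetical
    "inbound": [Rule(4000, "DenyInternetIn", "Internet", "VirtualNetwork", "Deny")],
    "outbound": [Rule(4000, "DenyInternetOut", "VirtualNetwork", "Internet", "Deny")],
}
```

In this model the single outbound deny already yields a deny in both directions, so the extra inbound rule at priority 4000 changes only which rule produces the inbound deny.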
Nhan
5 years, 1 month ago
Only one NSG is needed, and configure it to block incoming and outgoing port 80
upvoted 1 times
gsbence
5 years, 1 month ago
Internet access is not only about HTTP web browsing
upvoted 1 times
viplov
4 years, 11 months ago
dude block 443 as well
upvoted 1 times
Nhan
5 years, 1 month ago
Create a vnet with 3 subnets, create an NSG and associate it with the vnet, then configure the rule in the NSG
upvoted 1 times
roydeen
5 years, 1 month ago
"In the portal, you can create only one subnet when you create a virtual network" not true, you can add many subnets during vnet creation
upvoted 3 times