Exam AZ-301 topic 6 question 24 discussion

Actual exam question from Microsoft's AZ-301
Question #: 24
Topic #: 6

You use a virtual network to extend an on-premises IT environment into the cloud. The virtual network has two virtual machines (VMs) that store sensitive data.
The data must only be available using internal communication channels. Internet access to those VMs is not permitted.
You need to ensure that the VMs cannot access the Internet.
Which two options should you recommend? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

  • A. network interface (NIC)
  • B. Source Network Address Translation (SNAT)
  • C. Azure ExpressRoute
  • D. Network Security Groups (NSG)

Suggested Answer: CD

Comments

sammy811
Highly Voted 5 years ago
Seems the answer is correct: "You use a virtual network to extend an on-premises IT environment into the cloud".
upvoted 6 times
SIDNEY1
5 years ago
Yeah, this is a classic certification exam question. They say: you use a virtual network. That to me says there's some kind of arrangement (VPN or ExpressRoute) already in place since you've extended on-premises to the cloud. Both provide access to internal channels only even though VPN goes over the wild badlands of the internet. With that in mind, my money is on B and D. But you never know what MS have listed as the correct answer, B or C.
upvoted 6 times
ct84
4 years, 11 months ago
Classic indeed. I have never seen SNAT on a cert exam previously. For this reason alone (admittedly a slightly weak one), I am inclined to go for the ExpressRoute selection.
upvoted 2 times
...
...
...
j888
Most Recent 4 years, 3 months ago
I still believe NIC and NSG are the closest answer. You can create an NSG restriction on the subnet or a specific NIC. Hence this is for 2 x VM and its defense from external access. NIC and NSG are still the best answer.
upvoted 2 times
...
AKumar
4 years, 3 months ago
C and D are correct
upvoted 1 times
...
glam
4 years, 3 months ago
C. Azure ExpressRoute D. Network Security Groups (NSG)
upvoted 1 times
...
bc5468521
4 years, 8 months ago
I choose AD
upvoted 1 times
...
az300sr
4 years, 10 months ago
You can use Azure ExpressRoute to create a dedicated and private connection between the on-premise network and the Azure virtual network. This will ensure data on the virtual machines is only available to workloads that run in the on-premise network. They can also use Network Security Groups either on the Azure Virtual Machine Network Interface Card or the subnet to restrict traffic flow to the Internet.
upvoted 1 times
...
swip
4 years, 10 months ago
Answers are correct. NSG, I think we all agree, can set a rule to block outbound traffic. For the other debated answers:
- NIC (the VM must have a NIC; seems irrelevant to me, and indeed no one has really touted it as a possible answer).
- SNAT: my understanding of SNAT or PAT is that it is used to re-write the IP address and port tuple of a private IP and outbound port number to a public IP and port tuple, with the purpose of allowing multiple devices to communicate out a single public IP. Doesn't really seem like what they are after.
- ExpressRoute will mean the traffic of the VMs is directed across the ExpressRoute connection (via the BGP advertised routes) to your on-premise firewall. I believe they are looking for you to understand you can create a similar restriction as per with the NSG on your on-premise firewall, blocking the outbound flow (just a hunch that this is what MS are intending here).
upvoted 2 times
...
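The NSG behaviour discussed in the comments above, as an added example that is not part of the original thread: a simplified Python model of outbound NSG evaluation using Azure's default outbound rules. The address ranges, the `DenyInternetOutBound` rule name and its priority are constructed for illustration, and the `Internet` tag is simplified to "anything outside the virtual network".

```python
import ipaddress

# Constructed address plan (assumption): the VNet plus the on-premises range it extends.
VIRTUAL_NETWORK = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "192.168.0.0/16")]

# Azure's default outbound rules, present in every NSG:
# (priority, name, destination service tag, action)
DEFAULT_OUTBOUND = [
    (65000, "AllowVnetOutBound", "VirtualNetwork", "Allow"),
    (65001, "AllowInternetOutBound", "Internet", "Allow"),
    (65500, "DenyAllOutBound", "*", "Deny"),
]

# Hypothetical custom rule: deny the Internet tag ahead of the default allow.
DENY_INTERNET = [(100, "DenyInternetOutBound", "Internet", "Deny")]

def tag_matches(tag, dest_ip):
    """Simplified service-tag match: Internet = anything outside VIRTUAL_NETWORK."""
    if tag == "*":
        return True
    in_vnet = any(ipaddress.ip_address(dest_ip) in net for net in VIRTUAL_NETWORK)
    return in_vnet if tag == "VirtualNetwork" else not in_vnet

def evaluate(custom_rules, dest_ip):
    """Return (action, rule name) of the first match; lowest priority number wins."""
    for _prio, name, tag, action in sorted(custom_rules + DEFAULT_OUTBOUND):
        if tag_matches(tag, dest_ip):
            return action, name
    raise AssertionError("unreachable: DenyAllOutBound matches everything")

def outbound_allowed(nic_nsg, subnet_nsg, dest_ip):
    """Outbound traffic is checked against the NIC NSG, then the subnet NSG.
    None means no NSG is associated at that level; every associated NSG must allow."""
    return all(evaluate(nsg, dest_ip)[0] == "Allow"
               for nsg in (nic_nsg, subnet_nsg) if nsg is not None)

if __name__ == "__main__":
    cases = [("default rules only", [], None),
             ("deny on subnet NSG", None, DENY_INTERNET),
             ("deny on NIC NSG", DENY_INTERNET, None)]
    for label, nic, subnet in cases:
        for dest in ("203.0.113.10", "192.168.5.20"):
            ok = outbound_allowed(nic, subnet, dest)
            print(f"{label:20} -> {dest:14} allowed={ok}")
```

With only the default rules, `AllowInternetOutBound` matches Internet-bound traffic; a deny rule with a lower priority number on either the NIC or the subnet NSG blocks it while traffic to the on-premises range still matches `AllowVnetOutBound`.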
Wildsheep
4 years, 10 months ago
I'm wondering if the question may have been misspelled and should read "You need to ensure that the VMs cannot be accessed from the Internet"; in this case ExpressRoute and NSGs make sense.
upvoted 1 times
...
Duva
4 years, 10 months ago
C and D should be correct. Express Route for internal communication channels and NSG for permitting Internet access to those VMs.
upvoted 3 times
...
kabilan_vk
4 years, 10 months ago
I strongly believe A&D because NIC, VNET, NSG are required for this use case and VNET is already available.
upvoted 4 times
...
nepiliki
4 years, 10 months ago
CD is correct. Please see link https://reticent.net.nz/prevent-internet-access-from-azure-virtual-machines/
upvoted 2 times
...
Tino
5 years ago
"Internet access to those VMs is not permitted. You need to ensure that the VMs cannot access the Internet" For a NIC for private communications (AKA VPN) and a NSG to block inbound and outbound internet connectivity
upvoted 3 times
Gkilla
4 years, 10 months ago
By default any Azure virtual machines that have a cloud service with an endpoint will have full outbound internet access. To prevent internet access from Azure virtual machines you can either trust a host level firewall (i.e. Windows Firewall or Iptables) or you can simply remove the endpoints (which will also remove the ability to get to the machine externally). One issue I've found when connecting an Azure VM to an express route network is that all machines have full outbound access even when the cloud endpoints have been removed. This is a different behaviour than when they're not on express route (as mentioned in the previous paragraph).
upvoted 1 times
...
...
mynk29
5 years ago
Express route is not the right answer; SNAT still makes some sense other than NSG. https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway-resource
upvoted 3 times
...
yemma
5 years, 1 month ago
I think that the question is which two options should you recommend to prevent VMs from accessing the Internet. So for me the answers are: B. Source Network Address Translation (SNAT) D. Network Security Groups (NSG)
upvoted 2 times
levianthan
4 years, 9 months ago
How does SNAT prevent you from accessing anything? It just changes the IP that you appear to come from. Since each option is a complete solution, B is wrong as B without D does nothing.
upvoted 3 times
...
...
SilentH
5 years, 3 months ago
Why ExpressRoute?
upvoted 1 times
David_986969
4 years, 7 months ago
Express route doesn't travel over the internet
upvoted 1 times
...
Azure_Chief
4 years, 6 months ago
Because the data has to be exposed to the on prem IT and can't be over the internet. CD is correct.
upvoted 1 times
...
S44int
5 years, 2 months ago
Because "The data must only be available using internal communication channels". ExpressRoute provides a private connection from on-prem to the cloud.
upvoted 30 times
NKnab
4 years, 11 months ago
But look at yemma's explanation. B and D are correct answers.
upvoted 1 times
tartar
4 years, 9 months ago
CD is ok
upvoted 1 times
...
...
Wildsheep
4 years, 10 months ago
Having ExpressRoute alone won't stop your VMs from accessing the internet
upvoted 2 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other