Exam AZ-103 topic 16 question 64 discussion

Actual exam question from Microsoft's AZ-103
Question #: 64
Topic #: 16

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You modify the custom rule for NSG-VM1 to use the internet as a source and TCP as a protocol.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: A
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

Comments

gsbence
Highly Voted 5 years, 1 month ago
Answer is B, because the NSG on the subnet does not allow inbound TCP 3389.
upvoted 9 times
Chape87
5 years, 1 month ago
This is correct. Interface NSG will typically have TCP 3389 enabled by default due to it occurring during VM creation, unless you change settings during creation. Subnets usually have no NSG associated unless you go out of the way to do so, which this scenario does. When you create that extra NSG, it won't have an RDP rule, thus blocking inbound connections. Answer is indeed B. Try it out for yourself.
upvoted 2 times
...
NickNamers
5 years, 1 month ago
Default inbound rules for the NSG on the subnet are enabled. RDP is enabled by default for NSG.
upvoted 4 times
exam4rtist
5 years, 1 month ago
This is not true. NSGs deny all inbound traffic except from virtual network or load balancers: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules Since the Subnet NSG (the one with the default rules) is evaluated first, it blocks the inbound RDP connection. gsbence is right, the answer is B
upvoted 12 times
praveen97
4 years, 11 months ago
Agree with exam4rtist. By default, Network Security Groups deny all inbound traffic except from virtual network or Azure load balancer. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules A Network Security Group rule to permit RDP (default port for RDP is TCP port 3389) traffic may not be created automatically when we create a VM in Azure. https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection#troubleshoot-using-azure-powershell For inbound traffic, Azure processes the rules in a network security group associated to a subnet first and then the rules in a network security group associated to the network interface. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#how-traffic-is-evaluated So, as per the case study and query, only NSG-Subnet1 is associated to Subnet1. So this NSG's security rules will get executed first. This NSG doesn't have any custom inbound security rules, so the default inbound security rules in the NSG will deny all the inbound traffic, which includes RDP connections from the internet to VM1. So, the answer is B - NO.
upvoted 1 times
...
...
adeyhtech87
2 years, 5 months ago
RDP is not enabled by default at the NSG level. By default, in an NSG for inbound security rules, this is what it looks like:
Source -> Dest -> Port -> Protocol -> Action
VNET -> VNET -> * -> * -> Allow
AzureLb -> * -> * -> * -> Allow
* -> * -> * -> * -> Deny
upvoted 1 times
...
...
...
tashakori
Most Recent 1 year, 3 months ago
No is right
upvoted 1 times
...
Shades
4 years, 11 months ago
The answer is incorrect because for inbound connections, NSG at Subnet will be evaluated first. Since it just has default rules, it will deny any RDP request. Hence no RDP Traffic will hit VM NSG
upvoted 2 times
...
[Removed]
5 years, 1 month ago
Subnet1 NSG will block the connection
upvoted 1 times
...
noeperdepoep
5 years, 1 month ago
Answer is B. Subnet NSG is processed first and the default deny rule will stop the traffic there. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 3 times
ExamGuy01
5 years, 1 month ago
You are correct 'For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.' https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 1 times
...
...
Cloudyuga
5 years, 1 month ago
Given answer is wrong... Correct answer is B. No, because the request first goes to NSG-Subnet1, and as there is no rule for RDP there, it will block the request.
upvoted 2 times
...
akamal
5 years, 1 month ago
It should be B, as from internet, it'll hit the subnet for subnet first which doesn't have RDP allowed.
upvoted 4 times
...
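Added example (not part of the original page or any commenter's post): a small Python model of the inbound evaluation order discussed in the comments, with the subnet NSG checked first and the NIC NSG second, applied to the question's two NSGs. The rule name `custom-rdp` and the `NSG_SUBNET1_WITH_RDP` variant are constructed for illustration, and the model matches only on source tag, destination port and protocol.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str     # service tag ("Internet", "VirtualNetwork", ...) or "*"
    dest_port: str  # port as text, or "*"
    protocol: str   # "TCP", "UDP" or "*"
    action: str     # "Allow" or "Deny"

# Azure's three default inbound rules, present in every NSG.
# Simplification: only source tag, destination port and protocol are modelled.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]

def evaluate_nsg(rules, source, port, protocol):
    """First match wins, lowest priority number first. Returns (action, rule name)."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if (r.source in ("*", source) and r.dest_port in ("*", str(port))
                and r.protocol in ("*", protocol)):
            return r.action, r.name
    return "Deny", "no-match"

def inbound_verdict(subnet_nsg, nic_nsg, source, port, protocol):
    """Inbound: subnet NSG first, then NIC NSG; both must allow the flow."""
    for layer, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        action, name = evaluate_nsg(rules, source, port, protocol)
        if action == "Deny":
            return "Deny", layer, name
    return "Allow", layer, name

# Scenario from the question; "custom-rdp" is a constructed rule name.
NSG_SUBNET1 = list(DEFAULT_INBOUND)
NSG_VM1_ORIGINAL = DEFAULT_INBOUND + [Rule(100, "custom-rdp", "*", "3389", "UDP", "Allow")]
NSG_VM1_MODIFIED = DEFAULT_INBOUND + [Rule(100, "custom-rdp", "Internet", "3389", "TCP", "Allow")]
# Hypothetical variant: the same allow rule also added to the subnet NSG.
NSG_SUBNET1_WITH_RDP = DEFAULT_INBOUND + [Rule(100, "custom-rdp", "Internet", "3389", "TCP", "Allow")]

if __name__ == "__main__":
    flow = ("Internet", 3389, "TCP")
    print(inbound_verdict(NSG_SUBNET1, NSG_VM1_MODIFIED, *flow))
    print(inbound_verdict(NSG_SUBNET1_WITH_RDP, NSG_VM1_MODIFIED, *flow))
```

The returned tuple names the layer and rule that decided the flow, which is the same information Azure's effective security rules view gives when troubleshooting a blocked connection.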