Exam AZ-104 topic 5 question 39 discussion

Actual exam question from Microsoft's AZ-104
Question #: 39
Topic #: 5

You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?

  • A. Modify the address space of the local network gateway
  • B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
  • C. Remove the public IP addresses from the virtual machines
  • D. Modify the address space of Subnet1
Suggested Answer: B
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

Comments

mlantonis
Highly Voted 2 years, 10 months ago
Correct Answer: B You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You have to deny direct RDP or SSH access over the internet through an NSG. Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
upvoted 90 times
jmartinezm
Highly Voted 3 years, 5 months ago
Definitely B. A makes no sense
upvoted 35 times
tashakori
Most Recent 1 week, 1 day ago
B is right
upvoted 1 times
MorningCoffee
6 months ago
None of these answers make any sense. The subnet is a private IP range. You would have to associate the NSG with each NIC for the rules to affect the public IP address assigned to each NIC on each VM. Also, you'd probably use a Firewall if you weren't retarded.
upvoted 1 times
FlowerChoc1
11 months, 2 weeks ago
Cleared the exam on 04/12/2023. This question came up. Make sure to read the comments in the discussion. It's really helpful.
upvoted 4 times
djgodzilla
1 year ago
Selected Answer: B
exp: removing Public IPs will prevent the applications access on port 443 to users on the internet which is a requirement. Deny rule is a more appropriate solution
upvoted 1 times
DeBoer
1 year, 1 month ago
Selected Answer: B
Yes, it's B. Obviously. But these MS answers re: NSGs are seriously leading newer folks into dangerous territory: you DO NOT create Deny rules for specific ports. Instead, DENY everything - and only open what you NEED. Anything else is a disaster waiting to happen - especially in this scenario with machines directly facing the internet... TL/DR: answer B for the test but do the right thing in a real environment
upvoted 6 times
djgodzilla
1 year, 2 months ago
B - but I don't think it's that straightforward. I might be wrong, but I see it more like adding 2 rules: 1. high prio allow RDP from gateway CIDR; 2. (above prio -1) deny RDP from internet.
upvoted 2 times
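The priority ordering djgodzilla describes above, and the deny-by-default layout DeBoer recommends, both come down to how an NSG walks its inbound rules: lowest priority number first, first match wins, built-in defaults at 65000 and above. The following is an added example, not code from the page or from Microsoft: a small Python model of that evaluation run against the scenario in the question. The address ranges (10.1.0.0/16 for VNet1, 192.168.0.0/16 for the on-premises network behind the VPN), the rule names, priorities and the sample client addresses are all assumptions made for the example. It treats on-premises prefixes reachable over the site-to-site VPN as part of the VirtualNetwork service tag, which is how Azure documents that tag.

```python
"""Simplified model of how an Azure NSG evaluates inbound rules.

Added example, not code from the page. Assumptions (placeholders, not values
from the question): VNet1 uses 10.1.0.0/16, the on-premises network behind the
site-to-site VPN uses 192.168.0.0/16, and the rule names/priorities are made up.
Model: rules are checked in ascending priority number, the first match wins,
and the built-in default rules sit at 65000 and above.
"""
import ipaddress
from dataclasses import dataclass

VNET_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]        # assumed VNet1 space
ONPREM_PREFIXES = [ipaddress.ip_network("192.168.0.0/16")]   # assumed on-prem space
RDP, HTTPS = 3389, 443


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number = evaluated first
    source: str       # CIDR, "*", or the service tags "Internet" / "VirtualNetwork"
    dest_port: str    # "*" or a single TCP port
    action: str       # "Allow" or "Deny"


def source_matches(source: str, src_ip: str) -> bool:
    """Simplified service-tag resolution. Azure's VirtualNetwork tag covers the
    VNet address space plus connected on-premises prefixes, so traffic arriving
    over the S2S VPN counts as VirtualNetwork, not Internet."""
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in n for n in VNET_PREFIXES + ONPREM_PREFIXES)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return in_vnet
    if source == "Internet":
        return not in_vnet
    return ip in ipaddress.ip_network(source)


def evaluate(rules, src_ip: str, dest_port: int):
    """Return (action, rule_name) for the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        port_ok = rule.dest_port == "*" or int(rule.dest_port) == dest_port
        if port_ok and source_matches(rule.source, src_ip):
            return rule.action, rule.name
    raise ValueError("no rule matched; the default DenyAllInBound should always match")


# Azure's default inbound rules (AllowAzureLoadBalancerInBound at 65001 omitted).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

# State described in the question: 443 is published and RDP is open to everyone.
BEFORE = [
    Rule("Allow-HTTPS", 100, "Internet", "443", "Allow"),
    Rule("Allow-RDP", 110, "*", "3389", "Allow"),       # too broad
] + DEFAULT_INBOUND

# Answer B: a deny rule for RDP from the Internet, placed *before* the broad allow.
AFTER = [Rule("Deny-RDP-Internet", 105, "Internet", "3389", "Deny")] + BEFORE

# The same deny rule with a priority number above the allow: it never fires.
MISORDERED = [Rule("Deny-RDP-Internet", 120, "Internet", "3389", "Deny")] + BEFORE

# Deny-by-default shape: allow only what is needed, deny everything else explicitly.
LEAST_PRIVILEGE = [
    Rule("Allow-HTTPS", 100, "Internet", "443", "Allow"),
    Rule("Allow-RDP-OnPrem", 110, "192.168.0.0/16", "3389", "Allow"),
    Rule("Deny-All-Inbound", 4096, "*", "*", "Deny"),
] + DEFAULT_INBOUND


if __name__ == "__main__":
    internet_client, onprem_admin = "203.0.113.7", "192.168.10.5"  # constructed sources
    for label, rules in [("before", BEFORE), ("answer B", AFTER),
                         ("misordered", MISORDERED), ("least privilege", LEAST_PRIVILEGE)]:
        print(f"{label:>15}: Internet RDP -> {evaluate(rules, internet_client, RDP)}, "
              f"on-prem RDP -> {evaluate(rules, onprem_admin, RDP)}, "
              f"Internet 443 -> {evaluate(rules, internet_client, HTTPS)}")
```

Running it shows the two points the comments make: the deny rule only blocks Internet RDP when its priority number is lower than the existing allow (AFTER works, MISORDERED still allows it), and the least-privilege layout reaches the same outcome without relying on a targeted deny, because anything not explicitly allowed falls through to the deny-all rule.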
EmnCours
1 year, 7 months ago
Selected Answer: B
Correct Answer: B
upvoted 1 times
Jey117
1 year, 9 months ago
Selected Answer: B
- You wake up. - VNet1 contains a subnet named Subnet1. - Subnet1 contains three Azure virtual machines. - Each virtual machine has a public IP address. - You drink some coffee. - The virtual machines host several applications that are accessible over port 443 to users on the Internet. - You make a sandwich. - Your on-premises network has a site-to-site VPN connection to VNet1. - You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network. - You travel to the moon for vacations. - You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. - When you are back you receive a medal. - You figure out how to overcome the speed of light. - The solution must ensure that all the applications can still be accessed by the Internet users.
upvoted 8 times
Lazylinux
1 year, 9 months ago
Selected Answer: B
I Luv Honey Because it is B
upvoted 3 times
cloudera
1 year, 9 months ago
Selected Answer: B
Correct answer is: Deny direct RDP or SSH access through an NSG. You do need public IPs for the VMs mainly because internet users need to be able to reach the VM via TCP 443. If LB is in place/mentioned, the VM won't necessarily need public IP.
upvoted 3 times
patoalcorta
2 years, 9 months ago
Definitely B. Why would anyone think of A?
upvoted 4 times
raulgar
3 years ago
B is correct, configure an NSG rule. C can't be because the VMs need access through the internet.
upvoted 2 times
tux_alket
3 years ago
I would say B is the correct Answer
upvoted 3 times
allray15
3 years ago
Tested - B is correct and the only place where you can allow the source that can connect via RDP.
upvoted 2 times
mg
3 years ago
Answer is correct. Create a deny rule in the NSG connected to Subnet1.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other