Exam AZ-104 topic 5 question 21 discussion

Actual exam question from Microsoft's AZ-104
Question #: 21
Topic #: 5

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

Each virtual machine uses a static IP address.
You need to create network security groups (NSGs) to meet the following requirements:
✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
✑ Allow all connections between VM1 and VM2.
✑ Allow Remote Desktop connections to VM1.
✑ Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?

  • A. 1
  • B. 3
  • C. 4
  • D. 12
Suggested Answer: C
Each network security group also contains default security rules.
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet).
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

Comments

mlantonis
Highly Voted 2 years, 10 months ago
Correct Answer: A
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many subnets and NICs as you choose. So, you can create 1 NSG and associate it with all 3 Subnets.
- Allow web requests from internet to VM3, VM4, VM5 and VM6: You need to add an inbound rule to allow Internet TCP 80 to VM3, VM4, VM5 and VM6 static IP addresses.
- Allow all connections between VM1 & VM2: You do not need an NSG as communication in the same VNet is allowed by default, without even configuring NSG.
- Allow remote desktop to VM1: You need to add an inbound rule to allow RDP 3389 in VM1's static IP address.
- Prevent all other network traffic to VNET1: You do not need to configure any NSG as there is an explicit deny rule (DenyAllInbound) in every NSG.
upvoted 341 times
djhyfdgjk
3 weeks, 5 days ago
Dude, you have no clue what you are talking about. By adding all rules into a single NSG you allow Web Requests and RDP to all VMs, which is WRONG.
upvoted 1 times
tableton
1 week, 4 days ago
You can create rules only to specific IP addresses
upvoted 1 times
...
...
itgg11
2 years, 1 month ago
A is correct. Initially, I thought 3 NSGs were needed, but I had mixed up rules with NSGs. Only 1 NSG needed
upvoted 9 times
...
Gyanshukla
2 years, 7 months ago
Seriously you are expert :)
upvoted 4 times
...
starseed
2 years, 4 months ago
Guys! Please prefer mlantonis answer
upvoted 13 times
...
...
JohnAvlakiotis
Highly Voted 3 years, 3 months ago
I believe it's wrong. I would go with 1 NSG only. NSGs can associate to multiple subnets. There is no conflict in rules so all can be in 1 NSG. My penny.
upvoted 103 times
djgodzilla
1 year, 2 months ago
You guys seriously think a decent admin would allow such a mess in his network? let's put one NSG for the whole sub while we're at it . if MSFT really put answer A as valid in the exam . Then their sending their certified folks right to the cliff. so much for best practices smh!
upvoted 2 times
NoobieWon
8 months, 2 weeks ago
Can't you have 1000 rules in a single NSG? Each one can reference a Source and a Destination
upvoted 1 times
...
djgodzilla
1 year, 2 months ago
*Subscription
upvoted 1 times
djgodzilla
1 year, 2 months ago
*they're
upvoted 1 times
...
...
MrBlueSky
1 year ago
The knowledge it's testing here is "How many NSGs are needed to accomplish the below?" Not "What is the best practice?" It's gauging your understanding of NSGs
upvoted 3 times
...
...
JohnAvlakiotis
3 years, 3 months ago
Hmm... now that I think of it, the last prereq of deny all other traffic makes it to go for 4.
upvoted 2 times
JohnAvlakiotis
3 years, 3 months ago
Damn!.. I think I will choose 1 NSG, because based on priorities I believe you can answer all the requirements.
upvoted 11 times
canbe20
3 years, 3 months ago
How is it possible with 1 NSG? Web requests for those 4 VMs require 1 NSG and RDP for VM1 requires 1 NSG, so at least 2 are required.
upvoted 1 times
JulienYork
3 years, 3 months ago
They have the STATIC IP, so you will provide the static IPs of the VMs as destinations and create rules per VM on ONE NSG
upvoted 15 times
RoastChicken
2 years, 8 months ago
You attach a single NSG to each subnet.
upvoted 1 times
...
...
...
...
ASIMIS
2 years, 9 months ago
NO NO NO, by default there will be a deny all at the bottom of all the rules. You don't need to create any deny traffic after adding allow statements. By default there is an implicit deny all at the end. So JohnAvlakiotis is correct.
upvoted 3 times
ASIMIS
2 years, 9 months ago
Sorry, I meant to say that your first statement was correct. You only need one NSG with several allow rules.
upvoted 1 times
...
...
...
d0bermannn
2 years, 8 months ago
as one time solution agreed, 1 nsg will work, but in enterprise network rules better to implement: 1 rule =1 service
upvoted 2 times
...
Hafeezzahidi
3 years, 2 months ago
keyword to this question is "Minimum NSG", so you are right
upvoted 6 times
...
...
Dhelailla
Most Recent 4 days, 17 hours ago
Correct answer: 4 As explained in the given link: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules You need 4 NSG because of the needed associations.
upvoted 1 times
...
tashakori
1 week, 1 day ago
1 is correct
upvoted 1 times
...
Libny
2 months, 1 week ago
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
upvoted 1 times
...
Arthur_zw
2 months, 1 week ago
ChatGPT (it was prompted correctly with all requirements and understood the task):
In summary, you would need three NSGs, each associated with its respective subnet:
NSG1 for Subnet1 (VM1 and VM2)
- Allow all traffic between VM1 and VM2
- Allow incoming RDP to VM1
- Deny all other inbound and outbound traffic
NSG2 for Subnet2 (VM3 and VM4)
- Allow incoming web traffic (HTTP/HTTPS) to VM3 and VM4
- Deny all other inbound and outbound traffic
NSG3 for Subnet3 (VM5 and VM6)
- Allow incoming web traffic (HTTP/HTTPS) to VM5 and VM6
- Deny all other inbound and outbound traffic
upvoted 1 times
...
Rayza31
4 months, 4 weeks ago
The fact that the answers provided in the solution section are wrong makes this very difficult to study for.
upvoted 1 times
...
zzreflexzz
11 months ago
on exam 4/29/23
upvoted 1 times
...
Durden871
1 year ago
lol 4?! ET really wants you to get this question wrong. You need 1. I understand people saying 3. The 4th ask applies to all VMs, so why even have a separate policy for it?
upvoted 1 times
...
GBAU
1 year, 1 month ago
Depends on how many NSGs already existed? Assuming ZERO
Answer A (1)
Let's call it NSG1
- Add Rule Priority 100 ANY -> 80/443 to IPs of VM3,4,5,6 Allow
- Add Rule Priority 101 ANY -> 3389 to IP of VM1 Allow
- Default Rule Deny Prevents all other inbound connections
Apply it to all Subnets
Job Done
upvoted 3 times
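The single-NSG rule set described in the comments above (destination-scoped allow rules plus the NSG default inbound rules), modelled as an added example that is not part of the original thread. The VNet range, VM addresses and custom rule names are constructed placeholders because the page's subnet table is missing; the VirtualNetwork tag is simplified to the VNet address space and protocol is not modelled.

```python
import ipaddress

# Constructed placeholders: the question's subnet/IP table is not on the page.
VNET = ipaddress.ip_network("10.0.0.0/16")
VM = {"VM1": "10.0.1.4", "VM2": "10.0.1.5", "VM3": "10.0.2.4",
      "VM4": "10.0.2.5", "VM5": "10.0.3.4", "VM6": "10.0.3.5"}

# Rule tuple: (priority, name, source, destination, ports, action)
# Custom rules follow the thread: web to VM3-VM6, RDP to VM1 only.
CUSTOM = [
    (100, "AllowWebToVM3-6", "*",
     {VM[v] for v in ("VM3", "VM4", "VM5", "VM6")}, {80, 443}, "Allow"),
    (101, "AllowRdpToVM1", "*", {VM["VM1"]}, {3389}, "Allow"),
]
# Default inbound rules present in every NSG.
DEFAULTS = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]


def _matches(spec, ip):
    """Match an address against '*', a service tag, or an explicit IP set."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ipaddress.ip_address(ip) in VNET  # simplification of the tag
    if spec == "AzureLoadBalancer":
        return False  # platform probe source, not modelled in this example
    return ip in spec


def evaluate(src, dst, port, rules=CUSTOM + DEFAULTS):
    """Return (action, rule name): lowest priority number first, first match wins."""
    for _prio, name, rsrc, rdst, ports, action in sorted(rules, key=lambda r: r[0]):
        if _matches(rsrc, src) and _matches(rdst, dst) and (ports == "*" or port in ports):
            return action, name
    return "Deny", "no-match"


if __name__ == "__main__":
    internet = "203.0.113.10"  # documentation-range address standing in for the internet
    for src, dst, port in [(internet, VM["VM3"], 80), (internet, VM["VM1"], 3389),
                           (internet, VM["VM2"], 3389), (VM["VM1"], VM["VM2"], 445),
                           (VM["VM3"], VM["VM1"], 22)]:
        print(f"{src:>13} -> {dst}:{port:<5} {evaluate(src, dst, port)}")
```

The last sample flow shows that AllowVnetInBound also permits traffic between subnets inside the VNet, which is worth checking against how strictly "prevent all other network traffic" is meant to be read.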
...
Mo22
1 year, 1 month ago
Selected Answer: B
One NSG for the web requests from the internet to VM3, VM4, VM5, and VM6. One NSG for the connections between VM1 and VM2. One NSG for the Remote Desktop connections to VM1. By configuring these NSGs, you can allow the required traffic and prevent all other network traffic to VNET1.
upvoted 3 times
MrBlueSky
1 year ago
Wrong. There's nothing stopping you from putting all the rules into a single NSG and then attaching the one NSG to every subnet.
upvoted 2 times
...
...
CloudNov
1 year, 2 months ago
Should be A: 1, tested in Lab
upvoted 2 times
...
darthfodio
1 year, 3 months ago
The correct answer should include more than 1 NSG. MeasureUp practice questions for this exam include a question with this exact scenario but with 7 VMs. I chose 1 NSG as my answer and got the question wrong. The answer was 3 NSGs. Microsoft also throws a hint in the wording of the question that they're expecting more than 1 NSG, by stating "network security groups (NSGs)."
upvoted 1 times
darthfodio
1 year, 3 months ago
Here is the solution explanation by Measure up: You need to create at least three security groups (NSGs). These would include:
- One NSG assigned to Subnet(x) and Subnet(y) to allow connections from the internet and deny any other connections.
- One NSG assigned to Subnet(n) to allow connections between virtual machines (VMs) and deny any other connections.
- One NSG assigned to VM to Deny (or Allow for this scenario) Remote Desktop connections.
You can assign the same NSG to multiple subnets. The recommended method to manage network security through NSGs is to use NSGs assigned at the subnet level whenever possible. NSGs should be assigned directly to VMs only as necessary to handle exceptions.
upvoted 1 times
darthfodio
1 year, 3 months ago
References:
- Create, change, or delete a network security group - https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal
- Create, change, or delete a network interface - https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal
- Network security groups - https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 1 times
...
...
...
spike15_mk
1 year, 3 months ago
Correct Answer is 4 NSGs
Explanation: You can not associate multiple Subnet to 1 NSG (Subnet Level)
1. NSG1-Subnet2 (VM3 and VM4 Allow web request)
2. NSG2-Subnet3 (VM5 and VM6 Allow web request)
3. NSG3-Subnet1 (VM1 and VM2 Prevent all other network traffic to VNET1)
4. NSG4-NICVM1 (Allow Remote Desktop connections to VM1 not VM2 we must set on NIC)
upvoted 1 times
chikorita
1 year, 1 month ago
I wish there was a DOWNVOTE option
upvoted 4 times
...
...
cassucena
1 year, 4 months ago
I would go for 01 NSG but at the simulated test by Microsoft (enterprise Skills) the answer is B, 03 NSGs.
upvoted 3 times
shoutiv
1 year, 4 months ago
Agree, 3 NSGs. There was explanation if I remember correctly:
- First NSG assigned to Subnet 2 and Subnet3 to allow connections from internet and deny other traffic
- Second NSG assigned to Subnet1 to allow connections between Vms (1 and 2) and deny other traffic
- Third NSG assigned to VM1 to allow RDP
upvoted 1 times
...
...
obatunde
1 year, 6 months ago
Selected Answer: A
You only need to create one NSG and you can associate it with all the three subnets
upvoted 1 times
...
EmnCours
1 year, 7 months ago
Selected Answer: A
Correct Answer: A
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other