Exam AZ-104 topic 5 question 38 discussion

Actual exam question from Microsoft's AZ-104
Question #: 38
Topic #: 5

HOTSPOT
You have an Azure subscription that contains the Azure virtual machines shown in the following table.

You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.

You run Azure Network Watcher as shown in the following exhibit.

You run Network Watcher again as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No
NSG1 limits traffic to VM2, not traffic to VM1.

Box 2: Yes
The destination is VM2.

Box 3: No
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
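The rule-evaluation logic this answer relies on, as an added Python example that is not from ExamTopics, Microsoft or any commenter: inbound rules are checked in ascending priority, the first match decides, and Azure's default rules (AllowVnetInBound at 65000, DenyAllInBound at 65500) sit behind the custom ones, so a TCP-only rule never matches ICMP. The two NSG1 rules are an assumed reconstruction from the discussion (the exhibit tables are images), and the AllowAzureLoadBalancerInBound default is omitted.

```python
# Minimal model of Azure NSG inbound evaluation (added example, not Azure's code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    protocol: str     # "Tcp", "Udp", "Icmp" or "*" (any)
    source: str       # CIDR, "*" or the "VirtualNetwork" service tag
    destination: str
    dest_port: str    # e.g. "8080" or "*"
    access: str       # "Allow" or "Deny"

def _net_match(spec, addr, vnet):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":   # service tag: every subnet of the VNet
        return any(ip_address(addr) in ip_network(n) for n in vnet)
    return ip_address(addr) in ip_network(spec)

def _port_match(spec, port):
    return spec == "*" or (port is not None and str(port) == spec)

# Azure default inbound rules (AllowAzureLoadBalancerInBound 65001 omitted).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]

def evaluate_inbound(rules, proto, src, dst, port, vnet):
    """Return (access, rule name) of the first rule that matches, lowest priority first."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", proto):      # a Tcp rule is skipped for Icmp
            continue
        if (_net_match(r.source, src, vnet) and _net_match(r.destination, dst, vnet)
                and _port_match(r.dest_port, port)):
            return r.access, r.name
    return "Deny", "implicit"

VNET = ["172.16.1.0/24", "172.16.2.0/24"]        # Subnet1 (VM1), Subnet2 (VM2)
NSG1 = [  # ASSUMED reconstruction of rules 100 and 101 from the comments
    Rule(100, "AllowVm1Tcp", "Tcp", "172.16.1.0/24", "172.16.2.0/24", "*", "Allow"),
    Rule(101, "DenyTcp", "Tcp", "*", "172.16.2.0/24", "*", "Deny"),
]

if __name__ == "__main__":
    print(evaluate_inbound(NSG1, "Tcp", "172.16.1.4", "172.16.2.4", 8080, VNET))
    print(evaluate_inbound(NSG1, "Icmp", "172.16.1.4", "172.16.2.4", None, VNET))
```

With these rules, TCP 8080 from VM1 is allowed by rule 100 and ICMP falls through to AllowVnetInBound, so a successful ping by itself neither proves nor disproves that NSG1 is attached to VM2.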

Comments

mlantonis
Highly Voted 2 years, 10 months ago
Correct Answer:
Box 1: No. NSG1 limits the traffic flowing into 172.16.2.0/24 (Subnet2), which hosts VM2.
Box 2: Yes. Since Network Watcher shows that traffic from VM1 to VM2 is not reaching the TCP port, NSG1 is applied to VM2. We can be sure that it is not applied to VM1.
Box 3: Yes. In Network Watcher, you can see that the next hop is the destination VM2. This means they are part of the same virtual network.
upvoted 204 times
matt_dns
2 years, 2 months ago
I agree Box 2 is Yes, but not because of anything Network Watcher is showing; Network Watcher contradicts the NSG. Rather, I read this as another cruel question that simply means the NSG would affect routing for VM2 were it applied; it clearly hasn't been applied here (unless there's a subnet NSG we know nothing about, which we have to assume there isn't).
upvoted 6 times
_punky_
2 years, 2 months ago
Ans: NNY. Box 2: Yes, NSG1 should be applied to VM2 to allow correct communication as it is in exhibit 2. But there is a problem: VM1 cannot connect to VM2. In the last image we can see that VM1 is reachable from VM2. Therefore the conclusion is that NSG1 hasn't been applied yet.
upvoted 16 times
NalChi
2 years, 1 month ago
I agree with his opinion. NSG1 only allows TCP traffic, but the ICMP communication succeeded: it means NSG1 is not applied to VM2.
upvoted 8 times
GenjamBhai
1 year, 9 months ago
YYY. NSG is limiting/blocking VM1 traffic to VM2. VM1 traffic cannot reach VM2, so NSG inbound rules are applied on VM2. VMs in a VNet can communicate by default, i.e. ICMP is working.
upvoted 3 times
Penguinyo
2 years, 2 months ago
Box 2 - what if port 8080 on VM2 was not open on any service?
upvoted 7 times
dave160222
1 year, 10 months ago
We can't say for sure if VM2 is listening on TCP port 8080. But if you ignore rule 100 and pretend you did not see it, then you can still answer the question. VM1 can ping VM2, and rule 101 would block ICMP from VM1 to VM2. So the NSG is not applied (and it does not matter what TCP ports VM2 is listening on).
upvoted 2 times
Guest
1 year, 4 months ago
No, rule 101 only applies to TCP traffic; it would not block ICMP traffic.
upvoted 5 times
ValB
3 months ago
Rule 101 is for TCP, not ICMP. TCP and ICMP are different protocols. So rule 101 does not apply to ICMP. However, my question is the following: does the NSG block ICMP when there is nothing about ICMP in the shown table? Should we understand that when these rules were added, the default rule at the end (with 65k priority) that blocks everything is still there? Because if it is, then it should have blocked the ICMP, which would mean that this NSG is not applied to VM2.
upvoted 1 times
ValB
3 months ago
Sorry, correction: actually ICMP is allowed by default within a VNET.
upvoted 1 times
Dunkelheit
1 year, 5 months ago
Box 1: Agree. Box 2: No - the TCP rule is an inbound rule which states that traffic is allowed to VM2 if it comes from VM1. It has higher priority than the TCP Deny rule. So if the rule applied to VM2, the traffic via port 8080 should succeed, IF there is something on VM2 using port 8080.
upvoted 29 times
deepeshukla
1 year, 1 month ago
Agree with this. It should be NNY
upvoted 12 times
Andersonalm
Highly Voted 3 years, 3 months ago
N - Y - Y
upvoted 43 times
JayBee65
2 years, 9 months ago
Please explain why you say this.
upvoted 2 times
signalincode
2 years, 7 months ago
This answer is wrong.
upvoted 3 times
signalincode
2 years, 7 months ago
The 2nd question asks if the NSG is applied to VM2. The NSG allows all TCP traffic from the VM1 subnet to the VM2 subnet, yet the TCP connectivity test on port 8080 shows unreachable from VM1. The image also shows ICMP traffic reaching and returning from VM2 to VM1. Therefore, the NSG is not applied to VM2.
upvoted 11 times
Ali1982
2 years, 1 month ago
ICMP is not TCP/UDP.
upvoted 4 times
FatFatSam
Most Recent 2 weeks, 2 days ago
The tricky bit of this question is that it used the connection troubleshoot tool to test the connection from VM1 to VM2 on port 8080, but it didn't say that there is an application running on VM2 that listens on port 8080. I have tested this in a lab. If you do not have an application running on port 8080 on VM2, the connection will always be refused.
Box 1: N. As a lot of people already answered, there is nothing limiting traffic flow to 172.16.1.0/24.
Box 2: No. Whether you have rules 100 and 101 added to the NSG of the VM2 NIC or not is not the main point. The main point is that you need an application on VM2 to respond to requests on port 80.
Box 3: Yes.
upvoted 1 times
hebbo777
5 months ago
Both rules are for TCP. Ans: N,N,Y
1. The rule is for inbound; the traffic is outgoing from VM1, so it doesn't matter, and it succeeded in going out.
2. If NSG1 were applied to VM2, then rule 100 should apply and allow traffic from VM1 to VM2 for TCP 808.
3. Yes, since both are in the same VNet they can communicate by default, and the next hop for ICMP shows VM2.
upvoted 3 times
emanresu
5 months, 3 weeks ago
My guess: N - not applying to VM1. Y - applying to VM2. Y - Internet Control Message Protocol (ICMP) is a protocol that devices "within a network" use to communicate problems with data transmission.
upvoted 3 times
conip
6 months, 2 weeks ago
3rd option - NO. It's VNet peering, so the next-hop type in Diagnostic tests is "VirtualNetworkPeering", but the hop-by-hop details show the next hop for VM1 as the actual IP address of VM2, just as for a directly connected network. Tested in a lab.
upvoted 2 times
GoldenDisciple2
7 months, 2 weeks ago
1. No - Inbound rules apply to their destination, which is VM2 (172.16.2.0/24). NSG1 is not actively limiting VM1's traffic, only what is allowed to the destination, which is VM2. 2. Yes - same explanation. 3. Yes - the Network Watcher configuration shows a next hop of 172.16.2.4, which is the IP of VM2, so they must be in the same VNet.
upvoted 2 times
Josete1106
8 months, 1 week ago
N Y Y is correct!
upvoted 3 times
garmatey
11 months, 1 week ago
OK, so based on this comment section I will be purely guessing on this question...
upvoted 24 times
GoldenDisciple2
7 months, 2 weeks ago
LMAO hilarious.
upvoted 1 times
ericZX
11 months, 3 weeks ago
My thinking: NSG1 is working at the subnet level. Box 1: No, NSG1 is not limiting Subnet1's or VM1's traffic. Box 2: Yes, VM2's IP is in 172.16.2.0/24 (Subnet2). Regarding the unreachable TCP test, I am assuming there is another NIC-level NSG on VM2 (blocking TCP traffic).
upvoted 2 times
Goofer
12 months ago
N N Y. As per the first Network Watcher test, the TCP connection from VM1 to VM2 did not succeed. NSG1 specifically allows the VM1 subnet to connect to the VM2 subnet on TCP. As per the second Network Watcher test, ICMP is working, but NSG1 blocks ICMP. So NSG1 was NOT applied to VM2 or its subnet.
1) NSG1, if applied to VM1 or its subnet, will limit VM1 traffic. It will allow TCP traffic only to the VM2 subnet; the rest is denied (ICMP also).
2) NSG1 was not applied to VM2: as per the second Network Watcher test, the ICMP connection from VM1 to VM2 did succeed.
3) The next hop is the VM2 IP, which implies they are part of the same VNet.
upvoted 8 times
Hillah
5 months, 2 weeks ago
Well explained
upvoted 1 times
quocdunginfo2
9 months ago
I agree that "Box 2 should be No" because ICMP from VM1 to VM2 succeeded.
upvoted 1 times
Mnguyen0503
6 months, 3 weeks ago
As far as we know, there's a chance that VM2 is not set up to listen on port 8080; that's a non-well-known port anyway. ICMP is a different story. So 2 can be Y.
upvoted 2 times
TinyRunner
7 months, 3 weeks ago
Your assumption is based on an outbound rule, when the problem states that it is an inbound rule.
upvoted 1 times
liza1234
1 year ago
Box 1: Yes. NSG1 limits the traffic to only TCP; that's why the Network Watcher status is UNREACHABLE. ICMP is not TCP traffic. It is also not UDP. Thus, the protocol should be set to ANY. ANY basically means allowing ALL traffic. Box 2: Yes. Box 3: Yes.
upvoted 1 times
liza1234
1 year ago
Correct answer: Y-Y-Y. Box 1: Yes. NSG1 limits the traffic to only TCP; that's why the Network Watcher status is UNREACHABLE. ICMP is not TCP traffic. It is also not UDP. Thus, the protocol should be set to ANY. ANY basically means allowing ALL traffic. Box 2: Yes. Box 3: Yes.
upvoted 1 times
msingh20
1 year, 1 month ago
No - NSG1 only limits traffic to Subnet 2 (which VM2 is on). No - if it did apply, the connection would succeed, as the rule allows the subnet of VM1 to reach the subnet of VM2. No - Network Watcher confirms this. No
upvoted 1 times
GBAU
1 year, 1 month ago
Here is my take:
Box 1: No. Neither of the inbound rules in the NSG limits traffic to the 172.16.1.0/24 subnet where VM1 lives.
Box 2: No*. Actually there is not enough information to know either way. Both tests are from subnet 172.16.1.0/24 to 172.16.2.0/24. Nothing in NSG1 blocks traffic between the two subnets (given the Allow has a higher priority than the Deny and they are both scoped to the same ports/protocol), which is also the same result as if they were in the same VNet with no NSG applied to anything anyway. *I would say No, though, because the rule is defined for the subnet, not the IP of the VM, which implies it's designed to apply at the subnet level. It is grasping at straws, but that's all we have. There is no other way to answer this question.
Box 3: Yes. I don't think anyone disagrees on this.
upvoted 4 times
JDWaters
1 year, 1 month ago
Box 1: interesting wording. Note that it doesn't say NSG1 limits traffic "to" VM1 or "from" VM1. It just says "NSG1 limits VM1 traffic". I gotta go with YES on this one, but I question whether the folks that came up with this question were more interested in playing word games than in testing our knowledge of Azure. Box 2: Yes. Box 3: Yes, I gotta agree with mlantonis. In Network Watcher you can see that the next hop from VM1 is VM2, so...
upvoted 2 times
klexams
1 year, 5 months ago
N. The NSG is inbound and the destination is VM2/Subnet2. So it doesn't apply to VM1, but does it limit the traffic? No, because the NSG does not apply anywhere. N. VM1 should reach VM2 if the NSG applies. Y. The next hop being reachable is the proof.
upvoted 8 times