Exam AZ-900 topic 1 question 259 discussion

A Network Security Group (NSG) is sufficient to allow the connection to the virtual machine on port 80 (HTTP) from the Internet. Public IP is part of network configuration. We should mainly focus on the functionality of the Network security groups. For sure, you can allow the connection to the VM through port 80 using NSG. Tutorial from Microsoft that demonstrates the same case (with public IP) and NSG used (no firewall!): https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

Shouldn't this be "No", you need to make sure there is a public IP first.

There is even an error in the description of the answer it says you can attach a NSG to a virtual network which we know it is not the case

Yes, NSG is a sufficient solution.

A is the answer. A network security group (NSG) is a feature in Azure that allows you to control inbound and outbound network traffic to and from Azure resources. By modifying a NSG and configuring it to allow incoming traffic over HTTP (TCP port 80), you can ensure that a virtual machine named VM1 is accessible from the Internet over HTTP. You can do this by creating a new Inbound security rule in the NSG that is associated with the virtual network interface of the VM1, specifying the source as "Internet" and destination as the IP address of the VM1. This solution meets the goal because by allowing incoming traffic over HTTP, you ensure that VM1 is accessible from the Internet using HTTP protocol.

A makes sense

Yes as the NSG allows you to specify the port 80

https://docs.microsoft.com/en-us/azure/azure-vmware/enable-public-internet-access

Answer should be NO. https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic Enable public internet for Azure VMware Solution workloads https://docs.microsoft.com/en-us/azure/azure-vmware/enable-public-internet-access

You can attach a network security group to a virtual network and/or individual subnets within the virtual network. No. You can't attach a NSG to a Vnet, but only to subnets within the Vnets or NIC. Please update the answer as its misleading.

It Should be No, as NGS is to filter traffic in-between the Azure VM & Firewall is for traffic from/to internet.

NSG or firewall can do this. Since, NSD is present from the options . I chose NSG.

The statement is very vague... but generally yes, modifying NSG in order to allow that traffic would be correct

why not modifying ASG instead ? "Your Azure environment contains multiple Azure virtual machines." NSG : Rules are applied to all resources in the associated subnet. ASG : Rules are applied to all ASGs in the same virtual network. Application security groups Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. To learn more, see Application security groups.

Not Enough, U need to make sure there are an allow rule on the FIREWALL

Correct answer

The answer is correct. https://docs.microsoft.com/en-us/learn/modules/secure-and-isolate-with-nsg-and-service-endpoints/3-exercise-network-security-groups