Exam AZ-500 topic 4 question 24 discussion

Just tested in Lab environment: 1. In case if rule 100 is deleted manually the access will not work. So the answer is - YES 2. RDP is not blocked because rule 100 is in place and we should consider it as it is. - NO 3. Azure Bastion host is not enabling RDP from the internet. This is the key feature of Bastion - allowing access to VMs which does not have a public IP address. So the answer is - NO

Now... question 2... For me, is "NO" also, because RDP is allowed, that the machine dont have a public IP means you cant access from internet, does not means you cant access. and question 3 ... for me would be "YES" Why? just because a well configured bastion host, will allow you to connect from the internet to the bastion, and then from there, to the machine by using the private IP (as stated on question 2, RDP is allowed, but just internally, so the bastion will solve this)

1.Deleting the security rule that has priority of 100 will revoke the approved JIT access request. The "approved" JIT access request. So RDP access is already granted for 3hours (Time range). So I would answer NO. As the JIT configuration itself is still there in Security center (defender) the rule only has been removed from the NSG.

Unclear questions. First issue, we know that NSG2 is applied, but we don't know anything about it. Does it have default settings or not? Question 1 - Deleting the rule "will revoke the approved access request" (!). What does this mean? Deleting the rule WILL prevent access (= access will no longer work, even though it has been requested and approved). But it will NOT 'revoke the approved access request' as such; JIT logs will still show that the access has been requested and approved. Question 2 - "Remote Desktop access is blocked" ... for whom? It is currently allowed due the JIT request. Question 3 - Bastion - that depends how the Bastion host is exposed. And it would only work as long as JIT request is active. I'd go for YES-NO-YES, but there's too much unknown here.

From the article below //The proper way to remove Security Center's JIT policy is to go the Security Center portal -> Azure Defender -> "Just-in-time VM access" under the Advances protection and remove the policy from the configured VM. Removing the NSG rule alone will not do the trick as JIT has recover option.// https://learn.microsoft.com/en-us/answers/questions/417961/disable-jit-in-security-center So Answer for Q1 - NO I think Q2 asks in general if RDP access is blocked or not. Once JIT expires or if it is not considered, it is indeed blocked, so - YES Q3 Bastion hosts allow you to connect to VMs without public IPs from the internet, however since RDP is blocked in general, the answer - NO

Just a poorly written question with a lot of information missing. Really a garbage work if this is what is actually in the exam.

JIT rule 100 will be deleted automatically after 3 hours

I think the bastion question is YES too. Look at his architecture https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/multilayered-protection-azure-vm

Explanation: 1. In case if rule 100 is deleted manually the access will not work. So the answer is - YES 2. RDP is not blocked because rule 100 is in place and we should consider it as it is. - NO 3. Azure Bastion host is not enabling RDP from the internet. This is the key feature of Bastion - allowing access to VMs which does not have a public IP address. So the answer is - NO

Hi Everyone!! Join ET and get actual and valid study material: https://examstopics.quora.com/ and pass your exam in first attempt. Study Smart Not Hard

1. In case if rule 100 is deleted manually the access will not work. So the answer is - YES 2. RDP is not blocked because rule 100 is in place and we should consider it as it is. - NO 3. Azure Bastion host is not enabling RDP from the internet. This is the key feature of Bastion - allowing access to VMs which does not have a public IP address. So the answer is - NO

Answer is Y Y N

1. No : Editing the NSG will not revoke the approved JIT request though it may affect the access. 2. No: RDP is not blocked as Rule 1001 still exists and it allows any any. Meaning it can allow devices from peered VNETs (not from internet as no public IP). 3. Yes: Azure Bastion can allow access to VMs without public IP if the user has access to Azure Portal.

Y, N, Y The DENY takes over and denies RDP access. RDP access is not blocked because the first rule ALLOWS it. A BASTION HOST will allow you to connect to the VM over the internet by behaving as a JUMP BOX that you can RDP from internally.

you have to consider each of this questions individually , the answer for all 3 will be NO If you have configured a Just-In-Time (JIT) access rule in your Network Security Group (NSG) to allow RDP access to a VM for a specific duration, such as 3 hours, and you approve a user's request for access, the user will continue to have access until the specified duration ends, regardless of whether you remove the rule from the NSG.

Need not worry about NSG2 as a NSG tied to NIC takes precedence over a NSG tied to a subnet. In this case, NSG2 is a distractor in this question.

2nd question is "yes" because of deny for rdp connection. I assume it doesn't matter about priority https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks