Exam AZ-500 topic 3 question 55 discussion

Actual exam question from Microsoft's AZ-500
Question #: 55
Topic #: 3

HOTSPOT -
You have the Azure virtual networks shown in the following table.

You have the Azure virtual machines shown in the following table.

The firewalls on all the virtual machines allow ping traffic.
NSG1 is configured as shown in the following exhibit.

Inbound security rules -


Outbound security rules -

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Yes -
VM1 and VM3 are on peered VNets. The firewall rules with a source of ASG1 and ASG2 allow 'any' traffic on 'any' protocol so pings are allowed between VM1 and VM3.

Box 2: No -
VM2 and VM4 are on separate VNets and the VNets are not peered. Therefore, the pings would have to go over the Internet. VM4 does have a public IP and the firewall allows pings. However, for VM2 to be able to ping VM4, VM2 would also need a public IP address. In Azure, pings don't go out through the default gateway as they would in a physical network. For an Azure VM to ping external IPs, the VM must have a public IP address assigned to it.

Box 3: Yes -
VM3 has a public IP address and the firewall allows traffic on port 3389.
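
The reasoning in the suggested answer (first check for a network path, then evaluate the NSG rules in priority order) can be modelled as below. This is an added example, not part of the original question or the site's answer. The tables and the NSG exhibit are not reproduced on this page, so the VNet names, ASG memberships, rule names and priority 110 are constructed assumptions; only the facts noted in the comment come from the page.

```python
from dataclasses import dataclass

# Constructed model: the question's tables and NSG exhibit are not on this
# page. Only these come from the answer text and comments: VM1/VM3 peered,
# VM2/VM4 not peered, VM3 and VM4 have public IPs, VM2 has none, port 3389
# is allowed, rule 130 allows and rule 160 denies. The rest is assumed.
VMS = {
    "VM1": {"vnet": "VNET1", "asgs": {"ASG1"}, "public_ip": False},
    "VM2": {"vnet": "VNET2", "asgs": {"ASG2"}, "public_ip": False},
    "VM3": {"vnet": "VNET3", "asgs": set(), "public_ip": True},
    "VM4": {"vnet": "VNET4", "asgs": set(), "public_ip": True},
}
PEERINGS = {frozenset({"VNET1", "VNET3"})}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    sources: tuple   # ASG names; empty tuple means "Any"
    protocol: str    # "Any", "TCP" or "ICMP"
    port: object     # "Any" or a port number
    allow: bool

NSG1_INBOUND = [  # deliberately unsorted; names and priority 110 are made up
    Rule(160, "Deny_All", (), "Any", "Any", False),
    Rule(130, "Allow_ASGs", ("ASG1", "ASG2"), "Any", "Any", True),
    Rule(110, "Allow_RDP", (), "TCP", 3389, True),
]

def nsg_allows(rules, source_asgs, protocol, port):
    """Lowest priority number is evaluated first; the first match decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.sources and not source_asgs.intersection(r.sources):
            continue
        if r.protocol in ("Any", protocol) and r.port in ("Any", port):
            return r.allow, r.name
    return False, "implicit-deny"

def can_reach(src, dst, protocol, port=None):
    """Step 1: is there a network path? Step 2: does NSG1 allow the flow?"""
    d, s = VMS[dst], VMS.get(src)   # src "Internet" is not in VMS
    private = s is not None and (
        s["vnet"] == d["vnet"] or frozenset({s["vnet"], d["vnet"]}) in PEERINGS)
    if not private:
        # Per the suggested answer: both ends need a public IP off-VNet.
        if not d["public_ip"] or (s is not None and not s["public_ip"]):
            return False, "no-route"
    return nsg_allows(NSG1_INBOUND, s["asgs"] if private else set(), protocol, port)
```

Because the ASG allow rule has a lower priority number than the deny-all rule, it matches first for VM1 to VM3, so the later deny never applies to that flow.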

Comments

gcpbrig01
Highly Voted 4 years, 1 month ago
Suggested answers are correct. VMs, if not in a peered network, need a public IP address to communicate with each other, backed up by firewall rules that allow access.
upvoted 40 times
rgullini
4 years ago
Agree with your comments and the answers.
upvoted 2 times
...
Cyberbug2021
4 years ago
Peered yes but what about rule 160 - any any deny
upvoted 1 times
BalderkVeit
3 years, 11 months ago
Nothing.
Box 1 - peering available, rule 130 will allow, so it's yes.
Box 2 - no peering between VNets, so it's no.
Box 3 - RDP is allowed, and it has a public IP, so it's yes.
upvoted 29 times
...
...
makimaki
2 years, 7 months ago
I think the box 2 should be yes. VM4 needs not to send packets as a source. Just replying to packets from VM2 will do. In this case, VM4 can reply without the VM2 public IP address.
upvoted 2 times
pentium75
9 months ago
The VNets are not peered and we don't know if the machines have public IPs at all.
upvoted 1 times
...
...
...
AMMANANA
Highly Voted 3 years, 11 months ago
Answer is YES, YES, YES
1) Since Rule1 allows all traffic from the source of ASG1 and demovm1 is part of ASG1, ICMP traffic would be allowed.
2) Since Rule3 allows all traffic from the source of ASG4 and demovm4 is part of ASG4, ICMP traffic would be allowed.
3) Since demovm3 has a public IP address and the Allow_RDP rule is in place, you can go ahead and connect to the machine from the Internet via Remote Desktop.
upvoted 12 times
CJ32
3 years, 3 months ago
VM2 and VM4 are not peered, therefore the traffic would have to go over the internet. VM2 doesn't have a public IP, so the traffic ends there.
upvoted 8 times
...
nicksu
3 years, 11 months ago
There is no peering between VNET2 & VNET4. The VM4 does have the PIP, but the ICMP from Internet is not allowed
upvoted 8 times
...
...
[Removed]
Most Recent 9 months, 1 week ago
Is this question valid? 1. Can we associate an NSG with multiple VMs from different regions? 2. Can we even associate a single NSG with multiple VMs from separate VNets?
upvoted 2 times
...
bxlin
11 months, 2 weeks ago
First of all, VM1 and VM4 are in East US, VM2 and VM3 are in West US. It is not possible to attach NSG1 to all the VMs at the same time. VM and NSG must be in the same region.
upvoted 2 times
bxlin
11 months, 2 weeks ago
therefore, this question makes no sense.
upvoted 2 times
...
...
flafernan
1 year, 5 months ago
In Azure, pings go out through the default gateway, I just tested it. So the answer is: Y-Y-Y
upvoted 1 times
cris_exam
1 year, 3 months ago
What are you talking about, man? A link to sustain what you said would be nice. Until then, my Az Network experience and tests show that pings are just the same as any other network traffic/commands that flow, that is: if allowed OR if there is a network route path to be able to flow. The default gateway, if perhaps that is what you are trying to say here, could be referring to the External SDN Load Balancers that are set up for outbound/inbound Internet communication with any given VM and other resource, but it would not be called default gateway, OR perhaps it could be a NAT GW configured instead of an LB. Here's a link for reading if anyone is interested; on the left side there are several other concepts explained about how internet inbound/outbound work when having and not having a public IP attached. It's a nice read. https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access
BTW, the given answers are correct: Y N Y
upvoted 2 times
...
...
foobar1985
1 year, 7 months ago
in exam 11/09/2023
upvoted 4 times
...
majstor86
2 years, 2 months ago
YES NO YES
upvoted 4 times
...
mung
2 years, 5 months ago
I though ASG is for only web app not the regular network traffic. I think when you send an ICMP, it shouldn't have any business with ASG.. So N N Y?
upvoted 1 times
mung
2 years, 5 months ago
Nevermind i was wrong
upvoted 1 times
...
mung
2 years, 5 months ago
*thought
upvoted 1 times
...
...
CK9797
2 years, 5 months ago
Passed exam 04/11/22
40 Questions
1 Case Study = 6 Questions
1 Lab = 10 Tasks - You need to be comfortable navigating in Azure
Total 56 Questions
Some new questions, most are from this site. Big thank you to Exam Topics and everyone for their comments. Rule of thumb, go with the most votes.
upvoted 4 times
...
acexyz
2 years, 10 months ago
# IN EXAM - 30/6/2022
upvoted 5 times
...
WMG
3 years ago
You cannot ping outside of Azure without a public IP address. ICMP works on layer 3. When you don't associate a public IP address with a VM, when it initiates an outbound connection to the Internet, it does a SNAT with a pseudorandom VIP. Since ICMP doesn't have a port, it gets dropped by the platform.
upvoted 3 times
...
Eltooth
3 years, 1 month ago
Yes, No, Yes
upvoted 6 times
...
azcourse
3 years, 6 months ago
answer is .y.y.y Since Rule3 allows all traffic from the source of ASG4 and demovm4 is part of ASG4, ICMP traffic would be allowed
upvoted 2 times
...
SecurityAnalyst
3 years, 8 months ago
# IN EXAM - 31/8/2021
upvoted 5 times
...
rsharma007
3 years, 8 months ago
1. First check whether Layer 3 or routing exists between source and destination.
2. Check whether NSG policy allows the flow.
As per NSG, RDP from any source is allowed inbound and everything else is denied (other allows are from ASGs, which are private). VNET to VNET is allowed. VM1 and VM3 are on peered VNETs. Routing exists and hence they will use their private IPs, which are allowed. VM2 and VM4 are not peered and hence will be denied.
upvoted 3 times
...
Sandomj55
3 years, 9 months ago
In Exam 8/4/2021
upvoted 2 times
...
hydrillo
3 years, 10 months ago
Tricky question. It says that all VMs allow ping traffic. Nothing is mentioned about RDP. So one should assume that RDP is blocked.
upvoted 2 times
j410aksl
3 years, 7 months ago
Port 3389 is the RDP port.
upvoted 2 times
ITTesters
2 years ago
On the NSG it is, but the case mentions that ICMP is open on the VM firewall, but does not mention 3389/RDP is open/enabled on the VMs.
upvoted 1 times
...
...
...