ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 5 question 68 discussion

Actual exam question from Microsoft's AZ-104
Question #: 68
Topic #: 5
[All AZ-104 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Moyuihftg at May 2, 2021, 1:26 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Bursuc03
Highly Voted 4 years ago
The rule with priority 200 blocks all inbound trafic. That involves the Azure Load Balancer health probe directed to the VM. That results in VM2 being considered unhealthy and the LB does not route traffic to it (hence the issue). By placing a rule with the priority 150 that allows the AzureLoadBalancer traffic tag, VM2 is discovered as functional/healthy, the LB directs traffic to it => problem solved.
upvoted 169 times
djhyfdgjk
1 year, 3 months ago
LB Health Probe can be configured with TCP protocol, which is allowed by NSG
upvoted 1 times
...
nzalex1
3 years, 8 months ago
Thanks, true. The issue here is deeper than it looks and the issue is broken health probes by rule 200, you are right
upvoted 4 times
...
suryamk
3 years ago
rule with priority 200 is only blocking 442 inbound connection and not all the traffic.
upvoted 5 times
Durden871
2 years, 3 months ago
Health probes can be port 80 or 443. I'm not overly experienced in this field (hence why I'm using this after using labs and courses), but my presumption here is that we're making the assumption the probe is using port 443. 443 is allowed from the public IP of the client, but it's not going to be the IP of the load balancer. The load balancer will show up as unhealthy and fail if it can't communicate.
upvoted 3 times
...
...
magichappens
3 years, 2 months ago
How would this solve the problem of a NIC that seems to be detached from the VM?
upvoted 8 times
...
Load full discussion...
...
darsy2001
Highly Voted 4 years ago
the "attach network interface" button is available. I have tested this in lab and this button only appears clikable when the vm is stopped. Should this be the problem in the whole series of questions?
upvoted 40 times
mbravo
4 years ago
"The effective network security configurations for VM2 are shown" - this doesn't mean that the NSG is attached to the VM. From the show exhibit, it is clear that this NSG is attached to a subnet which renders your comment obsolete.
upvoted 2 times
orion1024
3 years, 9 months ago
why ? if VM is off no traffic is ever going to get there.
upvoted 4 times
boyzz
3 years, 1 month ago
doesn't mean that the "other" VM (VM1) also has the same attach network interface option enabled as it is off.. the screenshot clearly shows only VM2 and not VM1 and we definitely cannot afford to think VM1 is off too. So the AzLB rule in NSG takes precedence
upvoted 1 times
...
...
s9p3r7
4 years ago
how so?! if the VM is powered off that mean the whole NSG rules stuff is misleading, the admin should start the VM before even begin to start NSG rules evaluation
upvoted 7 times
...
...
ukivanlamlpi
2 years, 4 months ago
i don't think a VM can create without network interface
upvoted 1 times
...
...
Nathan12345
Most Recent 4 months ago
Selected Answer: B
The cost of 150 is irrelevant.
upvoted 1 times
...
[Removed]
7 months, 4 weeks ago
Selected Answer: B
B is correct You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a PRIORITY of 150.
upvoted 2 times
...
Dankho
8 months, 1 week ago
Selected Answer: B
There is no stinking cost in Azure
upvoted 1 times
...
87dffd4
11 months, 1 week ago
Selected Answer: B
Suggested solution reads "....and has a cost of 150". There is no concept of cost, only concept of priority. Therefore the correct answer is 'No'.
upvoted 2 times
...
VICEROY
11 months, 3 weeks ago
Selected Answer: A
add a higher priority for loadbalancer
upvoted 1 times
...
CharlesS76
1 year ago
Selected Answer: B
NIC is not attached to the VM, answer is B!
upvoted 1 times
...
aikooo
1 year, 2 months ago
I think answer is A
upvoted 1 times
...
RemmyT
1 year, 2 months ago
The question appears in several case studies. Suggested possible solutions: NO - You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999. - You modify the priority of the Allow_131.107.100.50 inbound security rule. - You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. - You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999. YES - You delete the BlockAllOther443 inbound security rule. - You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150. In this case traffic from the AzureLoadBalancer is blocked (port 443). There is no cost concept associated with a security rule, only priority. Cost refers to multiple networking routes with different cost (depending on bandwidth, delay, load, ,max MTU). In the context of routing protocols, "metric" or "cost" refers to a value used to determine the best path to a destination within a network.
upvoted 13 times
...
RemmyT
1 year, 2 months ago
There is no cost concept associated with a security rule in Azure, only priority. Cost refers to multiple networking routes with different cost (depending on bandwidth, delay, load, ,max MTU). YES: • You delete the BlockAllOther443 inbound security rule. • You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150. In this case traffic from the AzureLoadBalancer is blocked (port 443).
upvoted 4 times
...
bobothewiseman
1 year, 3 months ago
Selected Answer: B
Network interface is not attached. It means the vm is currenltly i stopped state
upvoted 2 times
...
Blueee
1 year, 3 months ago
Selected Answer: A
A is correct, as rules at from top down and it will hit the allowed rule (150) and exit, before hitting the deny (200)
upvoted 1 times
...
jhodax
1 year, 3 months ago
Selected Answer: A
Answer A When an Azure Load Balancer get created, it will probe backend to detect if the backend service is healthy or not, the probe packet is sent from source address "AzureLoadBalancer", the IP address of "AzureLoadBalancer" is always 168.63.129.16. https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules/ What is happening here is the LB Health Probe of TCP 443 to VM1 & VM2 are getting blocked by Rule 200 so it thinks both VM1 and VM2 are down. Hence App1 is failing as the LB won't direct any 443 traffic anywhere as it considers all Hosts are down. Make a new rule above 200 or move rule 65001 up to <200, so the Health Probe will start working again, it will find a health host and start to direct 443 traffic from 131.107.100.50 to it. App1 is alive!
upvoted 3 times
...
belyo
1 year, 4 months ago
Selected Answer: A
funniest part is default rule 65001 AllowAzureLoadBalancerInBound does the same job, however you cannot change the priority or delete it, so it renders it useless... so described proposal should work technically also deleting the rule with 200 priority should also work [this answer come in earlier in question set]
upvoted 1 times
...
amsioso
1 year, 6 months ago
YES Azure Load Balancer probes: Allow incoming traffic from the source as the AzureLoadBalancer service tag. This rule is created by default for NSGs. You must not override it with a manual Deny rule to ensure smooth operations of your application gateway. https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#inbound-rules
upvoted 1 times
...
nchebbi
1 year, 7 months ago
Selected Answer: A
From the exibit we can see that the NSG is applied only to the subnet (it's not applied to none of the network interfaces of VM1 nor VM2). 1. the first rule is required for standard LB as they are closed by default in order to allow traffic to flow to the backend pool resources, unless you have NSG on the VM NIC or subnet. (basic SKU is open by default.) See Ref1 Standard SKU should be used, as Basic SKUis tipycally for testing ONLY, see Ref1. 2. The security rule we add is allow the LoadBalancer to check the health of theVMs, the LB is marking them as unhealthy, though not sending traffic to them, that's why it's failing.See Ref2 Ref1: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-load-balancer-security-baseline Ref2: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
upvoted 1 times
nchebbi
1 year, 7 months ago
From Ref1: " The Standard Load Balancer is designed to be secure by default and part of a private and isolated Virtual Network. It is closed to inbound flows unless opened by network security groups to explicitly permit allowed traffic, and to disallow known malicious IP addresses. Unless a network security group on a subnet or NIC of your virtual machine resource exists behind the Load Balancer, traffic is not allowed to reach this resource." Ref1: "Note: Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is only used for testing since the basic type is open to connections from the internet by default and doesn't require network security groups for operation."
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel