Exam AZ-104 topic 5 question 68 discussion

Actual exam question from Microsoft's AZ-104
Question #: 68
Topic #: 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Comments

Bursuc03
Highly Voted 2 years, 6 months ago
The rule with priority 200 blocks all inbound traffic. That involves the Azure Load Balancer health probe directed to the VM. That results in VM2 being considered unhealthy and the LB does not route traffic to it (hence the issue). By placing a rule with the priority 150 that allows the AzureLoadBalancer traffic tag, VM2 is discovered as functional/healthy, the LB directs traffic to it => problem solved.
upvoted 151 times
lormar72
2 months, 2 weeks ago
But before that, rule 100 is applied and fails; you must explain that. The only reason is that the packet is not arriving at the Load Balancer at all. So adding another rule does not solve the problem.
upvoted 1 times
Batiste2023
3 weeks, 6 days ago
There is one rule that is necessary - and it's not covered by the first rule here. See: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#required-security-rules YES is correct!
upvoted 1 times
alexandrud
6 days, 3 hours ago
I think it is YES. I had it in the exam today and we can exclude that the machine is stopped. In the exam the "Attach network interface" was grayed out (Passed with 909. Thank you everyone btw, especially mlantonis). My answer was YES today.
upvoted 2 times
JayBee65
2 years, 5 months ago
Very good, the first answer that explains the correct reason for the failure
upvoted 10 times
biglebowski
2 years, 5 months ago
The question is about connections "from 131.107.100.50". Why do you try to fix it by adding LB traffic? We don't know the IP of LB. Let's focus on 131.107.100.50 only.
upvoted 5 times
rawrkadia
2 years, 5 months ago
The load balancer is the reason the traffic is being blocked. Read the OP this chain replies to; it explains it about as simply and clearly as possible.
upvoted 3 times
GabeCanada
2 years, 5 months ago
The answer is correct. 1- The fact that VM2 is offline does not mean anything, the question states App1 is hosted on VM1 too so we can't assume both are offline (that's the exact reason a LB is deployed in the first place, so you can shut down one VM and keep services running). 2- The question is displaying the NSG (required if using LB) so we can verify the rules, it will show up the same way if looked at from VM1, so the offline VM is irrelevant. 3- Rule 1 allows 443 from a specific IP, rule 2 denies all including LB. 4- It's suggested by the question a new rule that will allow LB traffic on 443 as well, before the deny, which makes the answer correct. This could be done by moving rule 2 down just below the LB allow any rule.
upvoted 12 times
garmatey
7 months, 2 weeks ago
"Rule 1 allows 443 from an specific IP" Yea, and that specific IP is failing to connect to App1, even though the highest priority rule is supposed to be specifically allowing it. So it seems like the issue is with something else besides the rules since the highest priority rule is specifically allowing a connection that is failing. What am I missing?
upvoted 3 times
rupayan87
1 year ago
Agree, the NSG is attached to the subnet as can be seen in the exhibit, hence either of the VMs is unhealthy for the LB due to rule 200.
upvoted 3 times
nzalex1
2 years, 1 month ago
Thanks, true. The issue here is deeper than it looks and the issue is broken health probes by rule 200, you are right
upvoted 4 times
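The first-match evaluation that Bursuc03's thread describes, as an added example that is not part of the original page: a small Python model of NSG inbound processing. The exhibit is not reproduced on the page, so the two existing rules are constructed from the comments (rule 100 allowing 131.107.100.50 on 443, rule 200 BlockAllOther443 denying every other source on 443); the probe port and the rule names other than BlockAllOther443 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Documented source address of Azure Load Balancer health probes; the
# AzureLoadBalancer service tag resolves to it.
AZURE_LB_PROBE_IP = "168.63.129.16"
SERVICE_TAGS = {"AzureLoadBalancer": [AZURE_LB_PROBE_IP + "/32"]}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str     # CIDR/IP, a service tag, or "*" for any
    dest_port: str  # port number or "*" for any
    action: str     # "Allow" or "Deny"


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])
    return any(ip_address(src_ip) in ip_network(p, strict=False) for p in prefixes)


def evaluate(rules, src_ip: str, dst_port: int):
    """First match in ascending priority wins (lowest number first), as Azure does.
    Two of the default inbound rules are appended (AllowVnetInBound is omitted)."""
    defaults = [
        Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
        Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
    ]
    for r in sorted(list(rules) + defaults, key=lambda r: r.priority):
        if _source_matches(r.source, src_ip) and r.dest_port in ("*", str(dst_port)):
            return r.action, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# Constructed from the commenters' description of the exhibit (names other than
# BlockAllOther443 are assumed): 100 allows the client on 443, 200 denies the rest.
EXHIBIT_RULES = [
    Rule(100, "AllowClient443", "131.107.100.50", "443", "Allow"),
    Rule(200, "BlockAllOther443", "*", "443", "Deny"),
]
# The rule the question proposes: any traffic from AzureLoadBalancer at priority 150.
PROPOSED_RULE = Rule(150, "AllowAzureLoadBalancer", "AzureLoadBalancer", "*", "Allow")


def probe_reaches_vm(rules, probe_port: int = 443) -> bool:
    """True when the health probe on probe_port is admitted, so the VM can be marked healthy."""
    return evaluate(rules, AZURE_LB_PROBE_IP, probe_port)[0] == "Allow"
```

With the two exhibit rules alone, a 443 probe is stopped by BlockAllOther443 before the default AllowAzureLoadBalancerInBound rule is reached; a probe on another port (Tayhull2023's objection below) is admitted by that default rule, which is why the answer hinges on the probe port.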
darsy2001
Highly Voted 2 years, 6 months ago
The "attach network interface" button is available. I have tested this in a lab and this button only appears clickable when the VM is stopped. Should this be the problem in the whole series of questions?
upvoted 35 times
ukivanlamlpi
10 months ago
I don't think a VM can be created without a network interface.
upvoted 1 times
mbravo
2 years, 6 months ago
"The effective network security configurations for VM2 are shown" - this doesn't mean that the NSG is attached to the VM. From the shown exhibit, it is clear that this NSG is attached to a subnet, which renders your comment obsolete.
upvoted 2 times
orion1024
2 years, 2 months ago
Why? If the VM is off, no traffic is ever going to get there.
upvoted 4 times
boyzz
1 year, 7 months ago
Doesn't mean that the "other" VM (VM1) also has the same attach network interface option enabled, as it is off.. The screenshot clearly shows only VM2 and not VM1, and we definitely cannot afford to think VM1 is off too. So the AzLB rule in the NSG takes precedence.
upvoted 1 times
s9p3r7
2 years, 5 months ago
How so?! If the VM is powered off, that means the whole NSG rules stuff is misleading; the admin should start the VM before even beginning the NSG rules evaluation.
upvoted 7 times
nchebbi
Most Recent 3 weeks, 1 day ago
Selected Answer: A
From the exhibit we can see that the NSG is applied only to the subnet (it's not applied to any of the network interfaces of VM1 nor VM2). 1. The first rule is required for standard LB, as they are closed by default, in order to allow traffic to flow to the backend pool resources, unless you have an NSG on the VM NIC or subnet (basic SKU is open by default). See Ref1. Standard SKU should be used, as Basic SKU is typically for testing ONLY, see Ref1. 2. The security rule we add allows the LoadBalancer to check the health of the VMs; the LB is marking them as unhealthy, thus not sending traffic to them, that's why it's failing. See Ref2. Ref1: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-load-balancer-security-baseline Ref2: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
upvoted 1 times
nchebbi
3 weeks, 1 day ago
From Ref1: " The Standard Load Balancer is designed to be secure by default and part of a private and isolated Virtual Network. It is closed to inbound flows unless opened by network security groups to explicitly permit allowed traffic, and to disallow known malicious IP addresses. Unless a network security group on a subnet or NIC of your virtual machine resource exists behind the Load Balancer, traffic is not allowed to reach this resource." Ref1: "Note: Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is only used for testing since the basic type is open to connections from the internet by default and doesn't require network security groups for operation."
upvoted 1 times
MOSES3009
4 weeks ago
Selected Answer: A
Traffic flow => IP 131.107.100.50 -> LB (whatever IPs) -> server IPs. Rule 1 takes care of the first half of the flow. Rule 2 denies the second half of the flow. This is why one rule is required between 1 and 2, as an exception if you want, that will allow the second half of the flow = one rule to allow access from the LB to the server/s.
upvoted 1 times
Tayhull2023
2 months, 4 weeks ago
Okay so the answer of the load balancer needing to be at priority 150 / allow makes sense to me except that the deny is only for 443, couldn't the load balancer just be using 80? This question has me stumped even after reading all the references.
upvoted 2 times
Alex1184
3 months, 3 weeks ago
It specifies the Load Balancer rules have been created correctly. Part of the set-up of rule 100 would be to specify the Health Probe...so rule 200 cannot be blocking it. I think the answer here must be No, certainly creating a rule that allows all Traffic makes no sense, when Rule 100 appears to do what you need....
upvoted 1 times
nomanmalik101
3 months, 3 weeks ago
what the hell? every second question has confusion. Why are we not able to get the exact answers even after paying a huge amount?
upvoted 4 times
Josete1106
4 months, 3 weeks ago
Answer is N!
upvoted 2 times
pri32
6 months, 2 weeks ago
Selected Answer: B
Not able to find any concept of setting up the cost to set the priority. If the statement is replaced with the priority of 150 then it can be yes, but in the current scenario it is no.
upvoted 2 times
lulek
6 months, 2 weeks ago
Fact 1: Traffic arrives at the VMs from the LB with the LB IP address (not the end client IP) (not 131.107.100.50). Fact 2: The LB lives in its own subnet, so in order to communicate with any VM it has to cross subnets => the NSG rules kick in: The first rule is always skipped as the source is never 131.107.100.50, but the IP of the LB. The second rule kicks in and denies the access. So, if we add the suggested rule in between it will work => traffic from the LB IP will be allowed on 443. Answer: A. The VM2 might actually be stopped. The connection should work anyway, because VM1 might be UP (we don't know the actual state of it, so assuming that both VMs are down is an unjustified assumption). The bottom line is that the existing rules block traffic for the LB IP.
upvoted 4 times
Eugene77
7 months ago
Very tricky question that cannot have a correct answer at all. Knowing nothing about the LB, other VMs, subnets and all NSGs used in this configuration, nobody can ensure that the required connection will work.
upvoted 3 times
Goofer
8 months, 2 weeks ago
Selected Answer: B
Answer is no. 'Allows any traffic FROM the AzureLoadBalancer'. Wrong way. You need traffic TO the load balancer. BlockAllOther443 blocks traffic to the load balancer.
upvoted 1 times
djgodzilla
8 months, 2 weeks ago
Selected Answer: B
Guys, wake up. The network interface is detached (see top left options of the page). This is why the VM isn't reachable.
upvoted 7 times
hebbo777
1 month, 2 weeks ago
My friend, this "attach network interface" is to add an additional NIC only; it doesn't mean the NIC is detached!
upvoted 1 times
monroesteffie
7 months, 1 week ago
What is the correct answer, yes or no?
upvoted 1 times
solomwn
5 months, 3 weeks ago
If it is detached, then it is no.
upvoted 1 times
bsaksham
8 months, 2 weeks ago
Azure evaluates network security group (NSG) rules in ascending order by priority value, with lower numbers taking precedence over higher numbers. When a traffic flow matches a rule with a deny action, the traffic is blocked and the NSG evaluation stops. Therefore, the allow rule with a priority of 100 will not be applied if there is a matching deny rule with a higher priority of 200. So NO!!
upvoted 1 times
cillo2000
9 months ago
It has to be B: "You verify that the Load Balancer rules are configured correctly." Why would you need another rule if the rules are verified as correct? Anyway: Adding the rule of priority of 150 just removes the effectiveness of the "BlockAllOther443" rule. There is some other issue causing the problem - maybe the "attach network interface" option being available, as mentioned by others.
upvoted 2 times
ukivanlamlpi
10 months ago
I don't think a VM can be created without a network interface (but I can explain why the add network interface button is enabled); VM2 is associated with VM2-NIC1. I also don't think the NIC public IP can be blank. Another problem is the NSG linked to another network interface, subnet11. All of the above can't be reproduced; the only thing to look at is the inbound port rules, but there is nothing wrong. Such a question I always rate 'B'.
upvoted 1 times
ukivanlamlpi
10 months ago
I don't think a VM can be created without a network interface (but I can't explain why the add network interface button is enabled); VM2 is associated with VM2-NIC1. I also don't think the NIC public IP can be blank. Another problem is the NSG linked to another network interface, subnet11. All of the above can't be reproduced; the only thing to look at is the inbound port rules, but there is nothing wrong. Such a question I always rate 'B'.
upvoted 1 times
zellck
10 months ago
Selected Answer: A
A is the answer. https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance For Load Balancer's health probe to mark up your instance, you must allow this IP address in any Azure network security groups and local firewall policies. By default, every network security group includes the service tag AzureLoadBalancer to permit health probe traffic.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other