Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam AZ-104 topic 5 question 68 discussion

Actual exam question from Microsoft's AZ-104
Question #: 68
Topic #: 5
[All AZ-104 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: A ūüó≥ÔłŹ
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Bursuc03
Highly Voted 2 years, 12 months ago
The rule with priority 200 blocks all inbound trafic. That involves the Azure Load Balancer health probe directed to the VM. That results in VM2 being considered unhealthy and the LB does not route traffic to it (hence the issue). By placing a rule with the priority 150 that allows the AzureLoadBalancer traffic tag, VM2 is discovered as functional/healthy, the LB directs traffic to it => problem solved.
upvoted 160 times
djhyfdgjk
2 months, 2 weeks ago
LB Health Probe can be configured with TCP protocol, which is allowed by NSG
upvoted 1 times
...
nzalex1
2 years, 6 months ago
Thanks, true. The issue here is deeper than it looks and the issue is broken health probes by rule 200, you are right
upvoted 4 times
...
suryamk
1 year, 11 months ago
rule with priority 200 is only blocking 442 inbound connection and not all the traffic.
upvoted 5 times
Durden871
1 year, 2 months ago
Health probes can be port 80 or 443. I'm not overly experienced in this field (hence why I'm using this after using labs and courses), but my presumption here is that we're making the assumption the probe is using port 443. 443 is allowed from the public IP of the client, but it's not going to be the IP of the load balancer. The load balancer will show up as unhealthy and fail if it can't communicate.
upvoted 3 times
...
...
magichappens
2 years, 1 month ago
How would this solve the problem of a NIC that seems to be detached from the VM?
upvoted 5 times
...
...
darsy2001
Highly Voted 2 years, 11 months ago
the "attach network interface" button is available. I have tested this in lab and this button only appears clikable when the vm is stopped. Should this be the problem in the whole series of questions?
upvoted 37 times
mbravo
2 years, 11 months ago
"The effective network security configurations for VM2 are shown" - this doesn't mean that the NSG is attached to the VM. From the show exhibit, it is clear that this NSG is attached to a subnet which renders your comment obsolete.
upvoted 2 times
orion1024
2 years, 8 months ago
why ? if VM is off no traffic is ever going to get there.
upvoted 4 times
boyzz
2 years ago
doesn't mean that the "other" VM (VM1) also has the same attach network interface option enabled as it is off.. the screenshot clearly shows only VM2 and not VM1 and we definitely cannot afford to think VM1 is off too. So the AzLB rule in NSG takes precedence
upvoted 1 times
...
...
s9p3r7
2 years, 11 months ago
how so?! if the VM is powered off that mean the whole NSG rules stuff is misleading, the admin should start the VM before even begin to start NSG rules evaluation
upvoted 7 times
...
...
ukivanlamlpi
1 year, 3 months ago
i don't think a VM can create without network interface
upvoted 1 times
...
...
aikooo
Most Recent 1 month, 1 week ago
I think answer is A
upvoted 1 times
...
RemmyT
1 month, 2 weeks ago
The question appears in several case studies. Suggested possible solutions: NO - You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999. - You modify the priority of the Allow_131.107.100.50 inbound security rule. - You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. - You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999. YES - You delete the BlockAllOther443 inbound security rule. - You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150. In this case traffic from the AzureLoadBalancer is blocked (port 443). There is no cost concept associated with a security rule, only priority. Cost refers to multiple networking routes with different cost (depending on bandwidth, delay, load, ,max MTU). In the context of routing protocols, "metric" or "cost" refers to a value used to determine the best path to a destination within a network.
upvoted 1 times
...
RemmyT
1 month, 2 weeks ago
There is no cost concept associated with a security rule in Azure, only priority. Cost refers to multiple networking routes with different cost (depending on bandwidth, delay, load, ,max MTU). YES: ‚ÄĘ You delete the BlockAllOther443 inbound security rule. ‚ÄĘ You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150. In this case traffic from the AzureLoadBalancer is blocked (port 443).
upvoted 2 times
...
bobothewiseman
1 month, 4 weeks ago
Selected Answer: B
Network interface is not attached. It means the vm is currenltly i stopped state
upvoted 2 times
...
Blueee
2 months, 2 weeks ago
Selected Answer: A
A is correct, as rules at from top down and it will hit the allowed rule (150) and exit, before hitting the deny (200)
upvoted 1 times
...
jhodax
2 months, 2 weeks ago
Selected Answer: A
Answer A When an Azure Load Balancer get created, it will probe backend to detect if the backend service is healthy or not, the probe packet is sent from source address "AzureLoadBalancer", the IP address of "AzureLoadBalancer" is always 168.63.129.16. https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules/ What is happening here is the LB Health Probe of TCP 443 to VM1 & VM2 are getting blocked by Rule 200 so it thinks both VM1 and VM2 are down. Hence App1 is failing as the LB won't direct any 443 traffic anywhere as it considers all Hosts are down. Make a new rule above 200 or move rule 65001 up to <200, so the Health Probe will start working again, it will find a health host and start to direct 443 traffic from 131.107.100.50 to it. App1 is alive!
upvoted 2 times
...
belyo
3 months, 2 weeks ago
Selected Answer: A
funniest part is default rule 65001 AllowAzureLoadBalancerInBound does the same job, however you cannot change the priority or delete it, so it renders it useless... so described proposal should work technically also deleting the rule with 200 priority should also work [this answer come in earlier in question set]
upvoted 1 times
...
amsioso
5 months ago
YES Azure Load Balancer probes: Allow incoming traffic from the source as the AzureLoadBalancer service tag. This rule is created by default for NSGs. You must not override it with a manual Deny rule to ensure smooth operations of your application gateway. https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#inbound-rules
upvoted 1 times
...
nchebbi
6 months ago
Selected Answer: A
From the exibit we can see that the NSG is applied only to the subnet (it's not applied to none of the network interfaces of VM1 nor VM2). 1. the first rule is required for standard LB as they are closed by default in order to allow traffic to flow to the backend pool resources, unless you have NSG on the VM NIC or subnet. (basic SKU is open by default.) See Ref1 Standard SKU should be used, as Basic SKUis tipycally for testing ONLY, see Ref1. 2. The security rule we add is allow the LoadBalancer to check the health of theVMs, the LB is marking them as unhealthy, though not sending traffic to them, that's why it's failing.See Ref2 Ref1: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-load-balancer-security-baseline Ref2: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
upvoted 1 times
nchebbi
6 months ago
From Ref1: " The Standard Load Balancer is designed to be secure by default and part of a private and isolated Virtual Network. It is closed to inbound flows unless opened by network security groups to explicitly permit allowed traffic, and to disallow known malicious IP addresses. Unless a network security group on a subnet or NIC of your virtual machine resource exists behind the Load Balancer, traffic is not allowed to reach this resource." Ref1: "Note: Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is only used for testing since the basic type is open to connections from the internet by default and doesn't require network security groups for operation."
upvoted 1 times
...
...
MOSES3009
6 months, 1 week ago
Selected Answer: A
traffic flow => IP 131.107.100.50 -> LB (whatever IPs) -> Servers IPs. Rule 1 take care on first half of the flow. Rule 2 denied second half of the flow. This is why is required one rule between 1 and 2, as an exception if you want, that will allow second half of the flow = one rule to allow access from LB to server/s.
upvoted 1 times
...
Tayhull2023
8 months, 1 week ago
Okay so the answer of the load balancer needing to be at priority 150 / allow makes sense to me except that the deny is only for 443, couldn't the load balancer just be using 80? This question has me stumped even after reading all the references.
upvoted 2 times
...
Alex1184
9 months ago
It specifies the Load Balancer rules have been created correctly. Part of the set-up of rule 100 would be to specify the Health Probe...so rule 200 cannot be blocking it. I think the answer here must be No, certainly creating a rule that allows all Traffic makes no sense, when Rule 100 appears to do what you need....
upvoted 2 times
...
nomanmalik101
9 months ago
what the hell? every second question has confusion. Why are we not able to get the exact answers even after paying a huge amount?
upvoted 5 times
...
Josete1106
10 months ago
Answer is N!
upvoted 2 times
...
pri32
11 months, 4 weeks ago
Selected Answer: B
Don't able to find any concept of setting up the cost to set the priority. If the statement is re[laced with the priority of 150 then it can be yes but in current scenario it is no.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...