Exam AZ-300 topic 5 question 17 discussion

Actual exam question from Microsoft's AZ-300
Question #: 17
Topic #: 5

SIMULATION -
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.

When you are finished performing all the tasks, click the 'Next' button.
Note that you cannot return to the lab once you click the 'Next' button. Scoring occurs in the background while you complete the rest of the exam.

Overview -
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

To start the lab -
You may start the lab by clicking the Next button.
You need to create a virtual network named VNET1008 that contains three subnets named subnet0, subnet1, and subnet2. The solution must meet the following requirements:
✑ Connections from any of the subnets to the Internet must be blocked
✑ Connections from the Internet to any of the subnets must be blocked
✑ The number of network security groups (NSGs) and NSG rules must be minimized
What should you do from the Azure portal?

Suggested Answer: See solution below.
Step 1: Click Create a resource in the portal.
Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears. Click Virtual network when it appears in the search results.
Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then click Create.
Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create:
Name: VNET1008
Address space: 10.0.0.0/16
Subnet name: subnet0
Resource group: Create new
Subnet address range: 10.0.0.0/24
Subscription and location: Select your subscription and location.
Step 5: In the portal, you can create only one subnet when you create a virtual network. Click Subnets (in the SETTINGS section) on the Create virtual network (classic) pane that appears.
Click +Add on the VNET1008 - Subnets pane that appears.
Step 6: Enter subnet1 for Name on the Add subnet pane. Enter 10.0.1.0/24 for Address range. Click OK.
Step 7: Create the third subnet: Click +Add on the VNET1008 - Subnets pane that appears. Enter subnet2 for Name on the Add subnet pane. Enter 10.0.2.0/24 for Address range. Click OK.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-classic

Comments

Happiman
Highly Voted 5 years, 3 months ago
You need to create a NSG with outbound block using service tag. How can we use service tags to block outbound traffic to the Internet for our virtual machines now? It’s easy. First, you will create the Deny-to-Internet rule: Source: Virtual Network Source Port Range: * Destination: Service Tag Destination Service Tag: Internet Protocol: Any Action: Deny Priority: 4096 Name: Deny-AllInternet
upvoted 26 times
Nikita_1998
4 years, 10 months ago
Correct, tried in the portal. Create Vnet, with 3 subnets, Add outbound rule blocking internet, then attach it (nsg) to the 3 subnets
upvoted 1 times
...
...
mm2
Highly Voted 5 years, 6 months ago
create NSG and block the internet for outgoing connections. The incoming connections always have internet blocked (unless someone will open some ports). If this is a case you need to add incoming rule to block any traffic from internet. Then assign it to subnet/VM
upvoted 16 times
Adrian1405
5 years, 5 months ago
default NSG's security rules blocks internet connection, so i would say that creating the NSG and assigned it to subnet is enough. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
upvoted 4 times
Mathew
5 years, 4 months ago
Connections from any of the subnets to the Internet must be blocked so outbound need to add deny internet
upvoted 4 times
...
praveen97
4 years, 9 months ago
Agree with Adrian. When a VM is created, NSG will get created automatically. If it is not present in the lab, then create the NSG. Default Inbound and Outbound security rules will be added automatically once the NSG is created. These have rules to deny all Inbound traffic (Internet) and deny all outbound traffic.
upvoted 1 times
praveen97
4 years, 9 months ago
small correction. We need to create a new Outbound security rule to Deny outbound Internet traffic. Give lowest priority number.
upvoted 1 times
...
...
...
fabianvera19822
4 years, 5 months ago
Only need to add an outbound rule in the default NSG to deny outbound traffic to the internet. Incoming traffic is denied by default
upvoted 1 times
...
...
AhmedAL
Most Recent 4 years, 7 months ago
what happened to the NSG rules
upvoted 1 times
...
Shon20200923
4 years, 7 months ago
there is a default inbound rule(65500) block the all inbound traffic, no need to add a rule for inbound. and there is a default outbound rule(65500) block all outbound traffic. why not to delete the default rule(65001 ALLOW to internet), it's also match the goal and the minimum rules.
upvoted 1 times
...
KCjoe
4 years, 9 months ago
Once you create NSG and associate subnet, you are done. Subnet <-> Internet is blocked by default, based on default rules. Don't need to create any rules
upvoted 1 times
KCjoe
4 years, 9 months ago
Actually no additional rule for inbound, but you need to add outbound rules as by default subnet allows to go to internet (priority 65001)
upvoted 2 times
tundervirld
4 years, 8 months ago
Yes, I did in lab. It's necessary to create an OutBound rule to block internet traffic.
upvoted 1 times
...
TP447
4 years, 8 months ago
You need the Outbound Rule to have an exception as by default, all Outbound access to the Internet is permitted (rule to block this for */All traffic).
upvoted 2 times
...
...
...
nagendra25may
4 years, 11 months ago
I think deny is already there by default in NSG. we can just allow virtual network IP address range under inbound and outbound rule.
upvoted 1 times
...
nagendra25may
4 years, 11 months ago
When we create a Network Security group. There is already default deny for all incoming request on any port and deny for all outgoing request for all ports. Do we still need to add the rules? I am talking about the default rule with priority 65500 .
upvoted 1 times
...
am20
4 years, 11 months ago
1. Create a NSG. 2. Add Outbound Security Rule (By default InBound internet access is denied - Priority 65500) with Source: Either Any or VirtualNetwork Source port: * Destination: Service Tag Destination service tag: Internet Destination port ranges: * Protocol: Any Action: Deny 3. In NSG Subnet associate each subnet
upvoted 8 times
...
AmarKavita
4 years, 11 months ago
THIS IS INTERESTING...I FEEL the above answer does it if you do not create a public ip for your machines then there is no inbound or outbound traffic allowed... i mean why create NSG when they get blocked by default.
upvoted 2 times
gerardjongh
4 years, 11 months ago
That is not true. For instance when you create a VM without a public IP it will still have access to the internet through a random Azure IP by natting. NSG rules will be necessary.
upvoted 2 times
...
...
TYT
5 years ago
Why not create a NSG with one inbound rule and one outbound rule - Service Tag Internet, ports - 0 to 65535 so there won't be any traffic to and fro from the internet? Then associate this NSG with the subnets.
upvoted 1 times
...
qr
5 years, 2 months ago
Btw, no need to use Ports... Just use Service Tags in the NSG Source and Destination
upvoted 3 times
...
InsomniumBR
5 years, 3 months ago
By default the subnets are isolated from Internet, right? Do we really need a NSG? "The number of network security groups (NSGs) and NSG rules must be minimized"
upvoted 2 times
tundervirld
4 years, 8 months ago
Yes, but not all resources create by default a NSG, so you'll need to create a NSG.
upvoted 1 times
...
...
fda
5 years, 3 months ago
Need to create an NSG and add an outbound rule to block the internet traffic. The NSG default inbound rules block all inbound traffic except from Azure load balancer and VNet traffic. So by default Internet traffic is not allowed. The NSG contains by default a rule that allows Internet traffic. Now add a rule to deny the Internet traffic. Assign the NSG to the subnets.
upvoted 4 times
...
bbbb
5 years, 4 months ago
I've found the NSG rules to be a bit random at times when creating/removing them, but effectively you need to define a deny any inbound and outbound rule. Using the source or destination "Service Tag" option and then selecting "Internet" allows you to specify traffic to be blocked only to/from the internet, otherwise you can end up preventing other traffic (e.g. inter-vnet) from working. Make sure you associate the NSG with the vnet/subnets.
upvoted 3 times
Ijaz
5 years, 3 months ago
so we will need to have 2 inbound and 2 outbound rules (port 80 & 443) with service tag "internet"
upvoted 1 times
PDR
5 years, 3 months ago
it would be 1 inbound and 1 outbound rule to block all ports service tag internet? - we are blocking all traffic to / from internet , not just http and https
upvoted 6 times
ipvaid
4 years, 8 months ago
Nothing needs to be added for inbound as by default access from internet is blocked
upvoted 1 times
...
...
...
...
AnshMan
5 years, 4 months ago
create NSG and block all Inbound traffic any port protocol and destination Internet. https://www.petri.com/blocking-internet-access-azure-vms
upvoted 3 times
...
chris46
5 years, 4 months ago
But how do you define internet, but 80,443 are not Internet. These are just webpages.
upvoted 2 times
atiff
4 years, 9 months ago
by adding a rule to "Deny" all outgoing traffic for "Service Tag" "Internet"
upvoted 1 times
...
...
Krimish
5 years, 7 months ago
create a NSG and add inbound and outbound rule to block internet traffic. In NSG you need to define port 80,443 and protocol TCP. Now associate this NSG to all subnets.
upvoted 7 times
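
The thread's disagreement comes down to how an NSG's default rules are evaluated against one custom rule. The following is an added example, not part of the original page or of any Azure tooling: a small model of priority-ordered NSG evaluation using the Azure default rule names and the Deny-AllInternet rule quoted in the comments. It assumes service tags can be compared as plain labels (real tags resolve to IP ranges) and that the same NSG is associated with subnet0, subnet1 and subnet2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    name: str
    direction: str     # "Inbound" or "Outbound"
    source: str        # service tag label, or "*" for Any
    destination: str   # service tag label, or "*" for Any
    access: str        # "Allow" or "Deny"


# Default rules present in every NSG. They cannot be deleted, only
# overridden by a custom rule with a lower priority number.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Inbound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Inbound", "*", "*", "Deny"),
    Rule(65000, "AllowVnetOutBound", "Outbound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Outbound", "*", "Internet", "Allow"),
    Rule(65500, "DenyAllOutBound", "Outbound", "*", "*", "Deny"),
]

# The one custom rule quoted in the comments (priority 4096, service tag Internet).
DENY_INTERNET = Rule(4096, "Deny-AllInternet", "Outbound", "VirtualNetwork", "Internet", "Deny")


def evaluate(rules, direction, src_tag, dst_tag):
    """Return (access, rule name) of the first rule that matches, in priority order."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if (r.direction == direction
                and r.source in ("*", src_tag)
                and r.destination in ("*", dst_tag)):
            return r.access, r.name
    return "Deny", "no-match"


def subnet_verdicts(rules):
    """Verdicts for the flows the question cares about, for a subnet using this NSG."""
    return {
        "internet->subnet": evaluate(rules, "Inbound", "Internet", "VirtualNetwork"),
        "subnet->internet": evaluate(rules, "Outbound", "VirtualNetwork", "Internet"),
        "subnet->subnet": evaluate(rules, "Outbound", "VirtualNetwork", "VirtualNetwork"),
    }


if __name__ == "__main__":
    for label, rules in (("defaults only", DEFAULT_RULES),
                         ("defaults + Deny-AllInternet", DEFAULT_RULES + [DENY_INTERNET])):
        print(label, subnet_verdicts(rules))
```

With defaults only, outbound Internet traffic matches AllowInternetOutBound (65001) before it can reach DenyAllOutBound (65500); adding the single outbound deny changes only that flow and leaves traffic between the subnets allowed.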