Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam AZ-104 topic 5 question 83 discussion

Actual exam question from Microsoft's AZ-104
Question #: 83
Topic #: 5
[All AZ-104 Questions]

HOTSPOT -
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)

NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.

You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege.
How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Reference:
https://www.thomasmaurer.ch/2019/09/how-to-enable-ping-icmp-echo-on-an-azure-vm/

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
speed2fast
Highly Voted 2 years, 2 months ago
Answer is wrong. We need to undo the DENY_PING rule with the principle of least privilege. Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 360 times
techrat
1 year, 8 months ago
I can confirm it's speed2fast is correct. it's on my exam yesterday, I passed with score 923 and got 100% correct on all of the network related questions.
upvoted 18 times
...
Fananico
2 years, 1 month ago
I test it your answer is current
upvoted 8 times
...
Takloy
1 year, 12 months ago
This is what I had in mind. I thought I'm going nuts when I saw the answer. Admin should change it.
upvoted 30 times
...
mdwSysOps
9 months, 2 weeks ago
this is the correct answer
upvoted 2 times
...
...
Quantigo
Highly Voted 2 years, 2 months ago
Correct answer: Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110 the given solution is not correct.
upvoted 37 times
theOldOne
2 years, 2 months ago
What about inbound? Keep the rest the same.
upvoted 2 times
yolap31172
1 year, 10 months ago
Since VM1 and VM2 are in the same subnet, NSG would apply both inbound and outbound rules to traffic. Your inbound rule could let the ICMP request reach VM2, but existing outbound rule would prevent it from going out of VM1 in the first place. Having an outbound rule with priority 110 overrides the existing Deny rule.
upvoted 15 times
...
...
...
Josete1106
Most Recent 4 months, 2 weeks ago
This is correct! Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 3 times
...
Jzx
8 months ago
Ping doest work if you mention only one direction.. ie VM1-->VM2 ping contains icmp echo request VM1---->VM2 & ICMP echo response VM2----> VM1 so its biderectional.. the given answer makes more sense...
upvoted 2 times
tech07
5 months, 1 week ago
NSG rules are stateful
upvoted 3 times
...
...
Andrew04
8 months, 3 weeks ago
I've tested on my tenant: Outbound rule Source 10.0.0.10 (VM1) Dest 10.0.0.11 (VM2) Priority 110 Protocol ICMP it works!
upvoted 3 times
...
vbohr899
9 months, 1 week ago
Cleared Exam today 26 Feb, This question was there in exam.
upvoted 8 times
...
Zeppoonstream
11 months, 1 week ago
Why is source and destination not 10.1.0.10; 10.1.0.11 ? Dont you need the rule to be vice versa?
upvoted 2 times
Zeppoonstream
10 months, 3 weeks ago
Edit: Ok got it. Its about the handshake. Only one connection is needed. You dont need to ensure that a inbound rule exists, because the traffic is already allowed by the outbound rule.
upvoted 2 times
...
...
Archie1206
1 year, 1 month ago
ping need to be two way, so the source and destination should both be 10.1.0.10/10.1.0.11. and direction outbound
upvoted 1 times
...
klexams
1 year, 1 month ago
to override the existing rule DENY_PING: Inbound 10.1.0.10 10.1.0.11 110
upvoted 2 times
...
klexams
1 year, 1 month ago
inbound/outbound is allowed within VNET, BUT rule 111 stop the outbound. So we need a higher priority rule to allow this outbound for VM1 ping to VM2. And with principle of least privilege in mind. Answer is: Outbound 10.1.0.10 10.1.0.11 110
upvoted 6 times
...
pkkalra
1 year, 2 months ago
as speed2fast said. Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110 Please note that the rule won't block outbound response from VM2. NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without obstruction. NSGs will not end active TCP connections either.
upvoted 3 times
...
ZacAz104
1 year, 2 months ago
cant believe they got this wrong sounds stupid you have to mention source ip destination less priority Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 1 times
...
EmnCours
1 year, 3 months ago
Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 1 times
...
F117A_Stealth
1 year, 3 months ago
Correct answer: Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 2 times
...
gg905
1 year, 6 months ago
If you do Priority 111, will it overwrite the existing deny rule?
upvoted 1 times
...
Dobby25
1 year, 8 months ago
Received this on my exam today 19/03/2022
upvoted 3 times
...
ajayasa
1 year, 8 months ago
this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...