ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 5 question 83 discussion

Actual exam question from Microsoft's AZ-104
Question #: 83
Topic #: 5
[All AZ-104 Questions]

HOTSPOT -
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)

NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.

You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege.
How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
by speed2fast at Sept. 28, 2021, 8:29 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
speed2fast
Highly Voted 3 years, 9 months ago
Answer is wrong. We need to undo the DENY_PING rule with the principle of least privilege. Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 442 times
Fananico
3 years, 8 months ago
I test it your answer is current
upvoted 10 times
...
michaelmorar
3 years, 2 months ago
Agree, allowing ANY/ANY is the very antithesis of the principle of least privilege.
upvoted 10 times
...
theOldOne
3 years, 9 months ago
What about inbound? Keep the rest the same.
upvoted 2 times
SilverFox22
3 years, 9 months ago
The inbound/outbound threw me a bit as well. "rules in inbound direction affect traffic that is being initiated from external sources, such as the Internet or another VM, to a virtual machine. Outbound security rules affect traffic sent from a VM." The ICMP traffic is being sent from VM1, so outbound.
upvoted 13 times
...
dc2k79
2 years, 8 months ago
its stateful, if allowed an outbound connection, the response traffic is automatically allowed.
upvoted 6 times
...
nsknexus478
3 years, 9 months ago
Both the VMs are from the same Vnet. So inbound is allow by default within the n/w.
upvoted 12 times
awssecuritynewbie
2 years, 9 months ago
that is exactly what i wanted to say! it is kept the same!
upvoted 3 times
...
...
...
nsknexus478
3 years, 9 months ago
I was thinking the same. The given answer threw the least privilege out of window.
upvoted 7 times
...
Load full discussion...
...
Quantigo
Highly Voted 3 years, 9 months ago
Correct answer: Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110 the given solution is not correct.
upvoted 44 times
theOldOne
3 years, 9 months ago
What about inbound? Keep the rest the same.
upvoted 4 times
yolap31172
3 years, 5 months ago
Since VM1 and VM2 are in the same subnet, NSG would apply both inbound and outbound rules to traffic. Your inbound rule could let the ICMP request reach VM2, but existing outbound rule would prevent it from going out of VM1 in the first place. Having an outbound rule with priority 110 overrides the existing Deny rule.
upvoted 26 times
naveedpk00
1 year, 4 months ago
thanks you are a legend.
upvoted 2 times
...
FlaShhh
1 year, 5 months ago
well explained
upvoted 1 times
...
...
...
...
marek_jazz
Most Recent 1 month, 3 weeks ago
this clarified things for me: "Azure by default allows inbound ICMP from VirtualNetwork if no deny rule is set — and in this case, there's no inbound ICMP deny, so inbound to VM2 will succeed once outbound is allowed."
upvoted 1 times
...
Thomas12345678
2 months ago
Its not defined where the NSG1 is applied.
upvoted 1 times
...
tashakori
1 year, 3 months ago
Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 3 times
...
LovelyGroovey
1 year, 4 months ago
Inbound is correct. ChatGPT said, "The direction is set to “Inbound” because the rule is being applied to traffic that is coming into the network security group (NSG) from VM1 to VM2. In the context of Azure Network Security Groups, “Inbound” refers to traffic that is entering the NSG from another source, while “Outbound” refers to traffic that is leaving the NSG to go to another destination. In this case, since VM1 is initiating the ping to VM2, the traffic is entering the NSG from VM1 (hence, “Inbound”) and going to VM2. This is why the direction of the rule is set to “Inbound”. Remember, the direction of the rule is always from the perspective of the network security group. It’s about where the traffic is coming from and where it’s going to, relative to the NSG."
upvoted 1 times
2d153f5
7 months, 1 week ago
I think ChatGPT is kidding you. ;)
upvoted 1 times
...
...
rnd3131
1 year, 5 months ago
direction is outbound because sourceprefix is virtualnetwork
upvoted 1 times
...
Josete1106
1 year, 11 months ago
This is correct! Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 4 times
...
Jzx
2 years, 3 months ago
Ping doest work if you mention only one direction.. ie VM1-->VM2 ping contains icmp echo request VM1---->VM2 & ICMP echo response VM2----> VM1 so its biderectional.. the given answer makes more sense...
upvoted 2 times
tech07
2 years ago
NSG rules are stateful
upvoted 3 times
...
...
Andrew04
2 years, 3 months ago
I've tested on my tenant: Outbound rule Source 10.0.0.10 (VM1) Dest 10.0.0.11 (VM2) Priority 110 Protocol ICMP it works!
upvoted 4 times
...
vbohr899
2 years, 4 months ago
Cleared Exam today 26 Feb, This question was there in exam.
upvoted 8 times
...
Zeppoonstream
2 years, 6 months ago
Why is source and destination not 10.1.0.10; 10.1.0.11 ? Dont you need the rule to be vice versa?
upvoted 2 times
Zeppoonstream
2 years, 5 months ago
Edit: Ok got it. Its about the handshake. Only one connection is needed. You dont need to ensure that a inbound rule exists, because the traffic is already allowed by the outbound rule.
upvoted 2 times
...
...
Archie1206
2 years, 8 months ago
ping need to be two way, so the source and destination should both be 10.1.0.10/10.1.0.11. and direction outbound
upvoted 1 times
...
klexams
2 years, 8 months ago
to override the existing rule DENY_PING: Inbound 10.1.0.10 10.1.0.11 110
upvoted 2 times
...
klexams
2 years, 8 months ago
inbound/outbound is allowed within VNET, BUT rule 111 stop the outbound. So we need a higher priority rule to allow this outbound for VM1 ping to VM2. And with principle of least privilege in mind. Answer is: Outbound 10.1.0.10 10.1.0.11 110
upvoted 9 times
...
pkkalra
2 years, 10 months ago
as speed2fast said. Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110 Please note that the rule won't block outbound response from VM2. NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without obstruction. NSGs will not end active TCP connections either.
upvoted 3 times
...
ZacAz104
2 years, 10 months ago
cant believe they got this wrong sounds stupid you have to mention source ip destination less priority Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel