Exam AZ-104 topic 5 question 83 discussion

Actual exam question from Microsoft's AZ-104
Question #: 83
Topic #: 5

HOTSPOT -
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)

NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.

You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege.
How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://www.thomasmaurer.ch/2019/09/how-to-enable-ping-icmp-echo-on-an-azure-vm/

Comments

Chosen Answer:
speed2fast
Highly Voted 2 years, 11 months ago
Answer is wrong. We need to undo the DENY_PING rule with the principle of least privilege. Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 418 times
Fananico
2 years, 10 months ago
I tested it; your answer is correct.
upvoted 10 times
michaelmorar
2 years, 4 months ago
Agree, allowing ANY/ANY is the very antithesis of the principle of least privilege.
upvoted 9 times
theOldOne
2 years, 11 months ago
What about inbound? Keep the rest the same.
upvoted 2 times
dc2k79
1 year, 10 months ago
It's stateful: if an outbound connection is allowed, the response traffic is automatically allowed.
upvoted 5 times
nsknexus478
2 years, 11 months ago
Both VMs are in the same VNet, so inbound is allowed by default within the network.
upvoted 11 times
awssecuritynewbie
1 year, 11 months ago
That is exactly what I wanted to say! It is kept the same!
upvoted 1 times
SilverFox22
2 years, 11 months ago
The inbound/outbound threw me a bit as well. "rules in inbound direction affect traffic that is being initiated from external sources, such as the Internet or another VM, to a virtual machine. Outbound security rules affect traffic sent from a VM." The ICMP traffic is being sent from VM1, so outbound.
upvoted 10 times
nsknexus478
2 years, 11 months ago
I was thinking the same. The given answer threw least privilege out of the window.
upvoted 5 times
Quantigo
Highly Voted 2 years, 11 months ago
Correct answer: Direction: Outbound, Source 10.1.0.10 (VM1), Destination: 10.1.0.11 (VM2), Priority: 110. The given solution is not correct.
upvoted 41 times
theOldOne
2 years, 11 months ago
What about inbound? Keep the rest the same.
upvoted 4 times
yolap31172
2 years, 7 months ago
Since VM1 and VM2 are in the same subnet, the NSG would apply both inbound and outbound rules to the traffic. Your inbound rule could let the ICMP request reach VM2, but the existing outbound rule would prevent it from leaving VM1 in the first place. Having an outbound rule with priority 110 overrides the existing Deny rule.
upvoted 23 times
naveedpk00
6 months, 1 week ago
Thanks, you are a legend.
upvoted 1 times
FlaShhh
7 months, 1 week ago
Well explained.
upvoted 1 times
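A small model of the rule evaluation the replies above describe, added here as an illustration (it is not code from ExamTopics, Microsoft or any commenter). The exhibit is not on the page, so the starting rule set, the DENY_PING priority of 111 mentioned in the thread, the two Azure default VNet rules and the VNet range 10.1.0.0/16 are assumptions; it shows why an Outbound allow at priority 110 scoped to 10.1.0.10 -> 10.1.0.11 is sufficient, why no inbound rule is needed, and why the reverse direction and other hosts stay blocked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.1.0.0/16")  # assumed VNet address space (not given on the page)

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Icmp", "Tcp", "Udp" or "*"
    source: str       # IP, CIDR or the service tag "VirtualNetwork"
    destination: str

def _matches(prefix, addr):
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip_address(addr) in VNET
    return ip_address(addr) in ip_network(prefix, strict=False)

def evaluate(rules, direction, protocol, src, dst):
    """First match in ascending priority order wins; no match means deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == direction and r.protocol in ("*", protocol) \
                and _matches(r.source, src) and _matches(r.destination, dst):
            return r.access, r.name
    return "Deny", "<no match>"

def ping_allowed(rules, src, dst):
    """NSGs are stateful: only the echo request is evaluated (outbound from src,
    then inbound to dst, because NSG1 sits on the subnet both VMs share); the
    echo reply rides on the tracked flow and needs no rule of its own."""
    return all(evaluate(rules, d, "Icmp", src, dst)[0] == "Allow"
               for d in ("Outbound", "Inbound"))

# Constructed starting state of NSG1 (the exhibit is not on the page): the DENY_PING
# rule at priority 111 the thread refers to, plus two of Azure's default rules.
NSG1 = [
    Rule("DENY_PING", 111, "Outbound", "Deny", "Icmp", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
]
# The least-privilege rule the discussion converges on: one source, one destination, ICMP only.
FIX = Rule("Allow_VM1_ping_VM2", 110, "Outbound", "Allow", "Icmp", "10.1.0.10", "10.1.0.11")

if __name__ == "__main__":
    for rules, label in ((NSG1, "before"), (NSG1 + [FIX], "after")):
        print(label, "VM1->VM2:", ping_allowed(rules, "10.1.0.10", "10.1.0.11"),
              "VM2->VM1:", ping_allowed(rules, "10.1.0.11", "10.1.0.10"))
```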
tashakori
Most Recent 6 months ago
Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 2 times
LovelyGroovey
6 months, 3 weeks ago
Inbound is correct. ChatGPT said, "The direction is set to “Inbound” because the rule is being applied to traffic that is coming into the network security group (NSG) from VM1 to VM2. In the context of Azure Network Security Groups, “Inbound” refers to traffic that is entering the NSG from another source, while “Outbound” refers to traffic that is leaving the NSG to go to another destination. In this case, since VM1 is initiating the ping to VM2, the traffic is entering the NSG from VM1 (hence, “Inbound”) and going to VM2. This is why the direction of the rule is set to “Inbound”. Remember, the direction of the rule is always from the perspective of the network security group. It’s about where the traffic is coming from and where it’s going to, relative to the NSG."
upvoted 1 times
rnd3131
8 months ago
Direction is outbound because the source prefix is VirtualNetwork.
upvoted 1 times
Josete1106
1 year, 1 month ago
This is correct! Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 4 times
Jzx
1 year, 5 months ago
Ping doesn't work if you mention only one direction, i.e. a VM1-->VM2 ping contains an ICMP echo request VM1---->VM2 and an ICMP echo response VM2----> VM1, so it's bidirectional. The given answer makes more sense...
upvoted 2 times
tech07
1 year, 2 months ago
NSG rules are stateful.
upvoted 3 times
Andrew04
1 year, 6 months ago
I've tested on my tenant: Outbound rule, Source 10.0.0.10 (VM1), Dest 10.0.0.11 (VM2), Priority 110, Protocol ICMP. It works!
upvoted 4 times
vbohr899
1 year, 6 months ago
Cleared the exam today, 26 Feb. This question was in the exam.
upvoted 8 times
Zeppoonstream
1 year, 8 months ago
Why are source and destination not 10.1.0.10; 10.1.0.11? Don't you need the rule to be vice versa?
upvoted 2 times
Zeppoonstream
1 year, 8 months ago
Edit: OK, got it. It's about the handshake. Only one connection is needed. You don't need to ensure that an inbound rule exists, because the traffic is already allowed by the outbound rule.
upvoted 2 times
Archie1206
1 year, 10 months ago
Ping needs to be two-way, so the source and destination should both be 10.1.0.10/10.1.0.11, and direction outbound.
upvoted 1 times
klexams
1 year, 10 months ago
To override the existing rule DENY_PING: Inbound 10.1.0.10 10.1.0.11 110
upvoted 2 times
klexams
1 year, 11 months ago
Inbound/outbound is allowed within the VNet, BUT rule 111 stops the outbound. So we need a higher-priority rule to allow this outbound traffic for VM1 to ping VM2, with the principle of least privilege in mind. Answer is: Outbound 10.1.0.10 10.1.0.11 110
upvoted 8 times
pkkalra
2 years ago
As speed2fast said. Direction: Outbound, Source 10.1.0.10 (VM1), Destination: 10.1.0.11 (VM2), Priority: 110. Please note that the rule won't block the outbound response from VM2. NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without obstruction. NSGs will not end active TCP connections either.
upvoted 3 times
ZacAz104
2 years ago
Can't believe they got this wrong; sounds stupid. You have to mention source IP, destination, lower priority. Direction: Outbound, Source 10.1.0.10 (VM1), Destination: 10.1.0.11 (VM2), Priority: 110
upvoted 1 times
EmnCours
2 years ago
Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 1 times
F117A_Stealth
2 years ago
Correct answer: Direction: Outbound Source 10.1.0.10 (VM1) Destination: 10.1.0.11 (VM2) Priority: 110
upvoted 2 times