HOTSPOT - You implement the planned changes for ASG1 and ASG2. In which NSGs can you use ASG1, and the network interfaces of which virtual machines can you assign to ASG2? Hot Area:
ASG constraint : All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. (Not a regional constraint)
1) NSG2 only
2) VM3 only
But how is that relevant to the question?
In which NSGs can you use ASG1
Could be used in any NSG, I think
The network interfaces of which virtual machines can you assign to ASG2
ASG2 is empty to start with. So any VM NIC, as long as it's the first one.
I think all VMs in the list
Correct, https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups
"All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in"
Azure is showing only application security groups in the same region as the network interface. If you choose more than one application security group, they must all exist in the same virtual network.
I think second option should be VM3 only because ASG2 is in Central US and only VM3 is in Central US region.
ASGs and the Network Interfaces should be in the same region.
1 - NSG2 and NSG4 - Both are in the same region, so they can be assigned to ASG1
2 - VM3 only - REMEMBER!!!! We are talking about ASG2, which is created in CentralUS! The only VM in the same region is VM3 only
I am adding "REMEMBER!!!" in capital letters because it happened to me that I was confusing ASG1 location with the answer for question 2 which is ASG2 location
Please take these notes and wish me the best in the exam, as I wish all of you!
When we associate network security groups with subnets and network interface cards (NICs), the VNets and NICs that we associate the NSG to should be in the same region and subscription as the network security groups.
When we create inbound and outbound rules and we want to use an ASG there as destination or source, we can only use ASGs that are in the same region and subscription as the network security groups.
Application security groups have the following constraints:
There are limits to the number of application security groups you can have in a subscription, and other limits related to application security groups. For details, see Azure limits.
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You can't add network interfaces from different virtual networks to the same application security group.
If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network.
An example would be if AsgLogic had network interfaces from VNet1 and AsgDb had network interfaces from VNet2. In this case, it would be impossible to assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.
There is one more note that is also not in the documentation: if you want to add an ASG to a VM, they should be in the same subscription and region as well.
For box 1, the answer will be NSG-2, NSG-4
For box 2, the answer will be VM3 only
I have implemented the whole infrastructure of this use case. So for this question
1. NSG2 and NSG4 can be added to ASG1. My explanation :
ASG1 contains VM1 (by the way, when an ASG is empty it can contain only VMs in the same region); VM1 is in VNET1 in West US, and only NSGs in the same region as the VNET can be associated to subnets in the VNET, so here only NSG2 and NSG4 can be associated to subnets in VNET1. Due to that, ASG1 can only be used in NSG2 and NSG4.
2. VM3 only
When an ASG is empty it can only contain VMs in the same region, so here only VMs in Central US can be added. Then when you add a VM, the next VM should be in the same VNet as the first VM added. I encourage you to deploy it on Azure to better understand.
1) NSG2 only
2) VM3 only
Tested in lab; even if the documentation does not mention that, I could associate an ASG only to a VM's NIC in the same region (tried with command line too). The same goes for NSG: I could select the ASG in the security rule editor when they were in the same region.
ASG constraint : All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. (Not a regional constraint)
1) NSG2 only
2) VM3 only
Showing only application security groups in the same region as the network interface. If you choose more than one application security group, they must all exist in the same virtual network.
1) NSG2 and NSG4
2) VM3 only --> Explanation: ASG2 located in Central US
In Central US we have NSG3
NSG3 is associated to VM3
Thus, the answer is VM3 only.
Correction for 1, the answer should be NSG2 only since ASG1 is already assigned to the Virtual Network that's connected to VM1 and on the same network we have VM2 which has NSG2 associated to it.
ASG constraint: All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.
Answer:
1) NSG2 only
2) VM3 only
1: NSG2 only
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in
2: All of them
Why?
You can associate multiple ASGs to a single VM, and an ASG is not regionally bound/constrained. The only thing is, when you associate an ASG to a VM which is, for example, in VNet1234, the ASG can only stay in that particular VNet, whereas the VNet is regionally bound.
So the point in this 2nd question is with which VMs can you associate the free available ASG2. So you can pick one VNet where.
I agree confidently with 1: NSG2 only.
I want to agree with 2: All VMs. Following the logic of your explanation.
One thing I thought that might constrain VM assignment is: "If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network."
I'm not smart enough to tell, but is there anything in the question that suggests the ASGs will be used as a source and destination in a security rule?
https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups
Planned Changes:
Associate the network interface of VM1 to ASG1.
VM1 is associated with VNET1, and associated with NSG2. Hence, Box 1: NSG2 Only (because ASG1 must be associated with ONLY 1 VNET).
For the second box, according to MS: All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.
So, if the first ASG (which is ASG1) is associated with VNET1, then ASG2 also must be associated with VNET1 only. In that case, Box 2: VM1 and VM2
Based on the above:
Box1: NSG2 Only
Box 2: VM1 and VM2
MS Link: https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups
Look at: Application security groups have the following constraints:
IN ORDER FOR AN NSG TO BE ASSOCIATED TO A VNET THEY MUST BE IN THE SAME REGION. SAME RG IS NOT A REQUIREMENT.
SAME GOES FOR AN NSG/ASG RELATIONSHIP. IN ORDER FOR AN NSG TO USE AN ASG AS PART OF A RULE THEY BOTH MUST BELONG TO THE SAME REGION. AGAIN, THE SAME RG IS NOT REQUIRED.
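Added example (not part of any comment above, and not Microsoft's code): a small Python model of the two virtual-network constraints quoted in this thread from the documentation, namely that the first NIC pins an ASG to its VNet and that a rule using ASGs as both source and destination needs them in the same VNet. The NIC names and the helper functions are hypothetical, the scenario is constructed, and the region and subscription behaviour that commenters report from their labs is deliberately not modelled.

```python
# Illustrative model only; nothing here calls Azure.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asg:
    name: str
    vnet: Optional[str] = None       # unset until the first NIC is assigned
    nics: list = field(default_factory=list)


def assign_nic(asg, nic, nic_vnet):
    """Return None on success or a violation string. The first NIC pins the VNet."""
    if asg.vnet is None:
        asg.vnet = nic_vnet
    elif nic_vnet != asg.vnet:
        return f"{nic} ({nic_vnet}) rejected: {asg.name} is pinned to {asg.vnet}"
    asg.nics.append(nic)
    return None


def check_rule(source, destination):
    """A rule with ASGs as both source and destination needs one shared VNet."""
    if source.vnet and destination.vnet and source.vnet != destination.vnet:
        return (f"rule {source.name} -> {destination.name} rejected: "
                f"{source.vnet} != {destination.vnet}")
    return None


def run_plan():
    """Constructed scenario using the ASG and VNet names from the docs excerpt."""
    web, logic, db = Asg("AsgWeb"), Asg("AsgLogic"), Asg("AsgDb")
    results = [
        assign_nic(web, "nic-a", "VNet1"),    # empty ASG: first NIC sets the VNet
        assign_nic(web, "nic-b", "VNet1"),    # same VNet as the first NIC
        assign_nic(web, "nic-c", "VNet2"),    # different VNet: violation
        assign_nic(logic, "nic-d", "VNet1"),
        assign_nic(db, "nic-e", "VNet2"),
        check_rule(logic, db),                # VNet1 vs VNet2: violation
        check_rule(web, logic),               # both in VNet1
    ]
    return web, results


if __name__ == "__main__":
    for outcome in run_plan()[1]:
        print(outcome or "ok")
```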