
Exam AZ-500 topic 3 question 46 discussion

Actual exam question from Microsoft's AZ-500
Question #: 46
Topic #: 3

HOTSPOT -
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzNetworkSecurityRuleConfig and receive the output shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: able to connect to East US 2
The StorageEA2Allow has DestinationAddressPrefix {Storage/EastUS2}

Box 2: allowed -
TCP Port 21 controls the FTP session. Contoso_FTP has SourceAddressPrefix {1.2.3.4/32} and DestinationAddressPrefix {10.0.0.5/32}
Note:
The Get-AzureRmNetworkSecurityRuleConfig cmdlet gets a network security rule configuration for an Azure network security group.
Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
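
How an NSG resolves the two cases debated on this page, as an added example (not part of the exam material or any Microsoft code): rules of the matching direction are tried in ascending priority and the first match decides. The Contoso_FTP priority, the storage deny rule's name and priority, the "*" fields, and the storage IP and tag sets are constructed assumptions; only the default rule needed here is modelled.

```python
import ipaddress
from collections import namedtuple

# Field names follow the properties quoted on the page; dst_port is one port or "*".
Rule = namedtuple("Rule", "name priority direction access protocol src dst dst_port")

# Constructed rule set. From the page: rule names Contoso_FTP and StorageEA2Allow,
# the /32 prefixes, port 21, priority 104 and the tag spelling "Storage/EastUS2".
# Placeholders: Contoso_FTP priority, the deny rule's name and priority, all "*".
RULES = [
    Rule("Contoso_FTP", 100, "Inbound", "Allow", "Tcp", "1.2.3.4/32", "10.0.0.5/32", "21"),
    Rule("StorageEA2Allow", 104, "Outbound", "Allow", "*", "*", "Storage/EastUS2", "*"),
    Rule("StorageDeny_PLACEHOLDER", 105, "Outbound", "Deny", "*", "*", "Storage", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),  # Azure default
]

def prefix_matches(prefix, ip, tags):
    """CIDR prefixes match by containment; any other string is treated as a service tag."""
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)
    except ValueError:
        return prefix in tags  # tags: service tags the caller says this IP belongs to

def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port, src_tags=(), dst_tags=()):
    """Return (access, rule name) for the first matching rule in priority order."""
    candidates = sorted((r for r in rules if r.direction == direction),
                        key=lambda r: r.priority)
    for r in candidates:
        if (r.protocol in ("*", protocol)
                and r.dst_port in ("*", str(dst_port))
                and prefix_matches(r.src, src_ip, src_tags)
                and prefix_matches(r.dst, dst_ip, dst_tags)):
            return r.access, r.name
    return None  # no modelled rule matched (the other Azure defaults are not modelled)

if __name__ == "__main__":
    # A /32 destination matches exactly one address, so .10 falls through to the default deny.
    for dst in ("10.0.0.5", "10.0.0.10"):
        print("FTP 1.2.3.4 ->", dst, evaluate(RULES, "Inbound", "Tcp", "1.2.3.4", dst, 21))
    # Constructed storage endpoint (documentation range) tagged per region.
    for region in ("EastUS2", "WestUS"):
        tags = {"Storage", "Storage/" + region}
        print("Storage", region, evaluate(RULES, "Outbound", "Tcp", "10.0.0.5",
                                          "203.0.113.10", 443, dst_tags=tags))
```
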

Comments

JohnCrawford
Highly Voted 4 years, 6 months ago
The second part of your answer is incorrect. The FTP traffic is coming from 1.2.3.4/32 and going to 10.0.0.10/32. The NSG rule for port 21 allows traffic from 1.2.3.4 to 10.0.0.5, NOT 10.0.0.10. 10.0.0.5/32 equates to a single IP address, 10.0.0.5. There is no rule allowing FTP traffic to 10.0.0.10.
upvoted 164 times
rgullini
3 years ago
This is correct. But I also think it is a typo. Nevertheless, if it is not a typo, the answer for the second point is "dropped".
upvoted 11 times
...
GraceCyborg
3 years, 2 months ago
I believe it's a typo.
upvoted 7 times
...
...
gboyega
Highly Voted 3 years, 10 months ago
Should be: 1. ABLE TO CONNECT TO EAST US2 2. DROPPED (because the CIDR notation is a /32, which means only one IP, which is different from the IP in the rule, so the packet would be dropped).
upvoted 45 times
...
wardy1983
Most Recent 6 months, 1 week ago
Box 1: able to connect to East US 2. The StorageEA2Allow has DestinationAddressPrefix Storage/EastUS2. Box 2: DROPPED, because the CIDR notation is a /32, which means only one IP, which is different from the IP in the rule, so the packet would be dropped.
upvoted 2 times
Hot_156
2 months, 3 weeks ago
Direction for the BOX 1 is Outbound. There is not an Inbound rule for the storage account.
upvoted 1 times
...
...
ESAJRR
7 months, 2 weeks ago
1. ABLE TO CONNECT TO EAST US2 2. DROPPED
upvoted 3 times
...
heatfan900
8 months, 1 week ago
East US2, as specified in the STORAGE NSG rule. Denied, since the FTP NSG rule clearly states connections are only allowed to 10.0.0.5/32. That is a single host address.
upvoted 2 times
...
majstor86
1 year, 2 months ago
Box 1: able to connect to East US 2 Box 2: dropped
upvoted 8 times
...
ligu
1 year, 2 months ago
1 - Able to connect to East US2 because priority is 104. 2 - Dropped because 10.10.0.10/32 is not allowed.
upvoted 3 times
...
junkm
1 year, 4 months ago
- storage allowed to East US2
- rule sequence is before storage deny rule
- FTP is dropped, policy allows traffic to 10.0.0.5 not 10.0.0.10
upvoted 2 times
...
F117A_Stealth
1 year, 6 months ago
1 - is correct. The direction is indeed outbound FROM the subnet TO the Azure storage (hence outbound from the perspective of an NSG attached to the subnet in question). 2 - is incorrect: look at the CIDR (/32), it is different. SIMPLE!
upvoted 2 times
...
bacana
1 year, 8 months ago
Both are wrong. 1 - Direction is outbound and not inbound. 2 - Dropped because of the IP address.
upvoted 1 times
koreshio
1 year, 6 months ago
1 - is correct. The direction is indeed outbound FROM the subnet TO the Azure storage (hence outbound from the perspective of an NSG attached to the subnet in question).
upvoted 2 times
...
...
MoFami
1 year, 10 months ago
In Exam 01/07/2022
upvoted 2 times
...
Alessandro365
1 year, 10 months ago
I think it has a typo. If you look at the explanation of the answers, it says the "DestinationAddressPrefix" is 10.0.0.5/32. In this case, the answer to the second question is "Allow". If the IP is really "10.0.0.10/32" as it is in the question, then the answer would be "Dropped".
upvoted 1 times
Alessandro365
1 year, 10 months ago
Answer: 1 - ABLE TO CONNECT TO EAST US2 2 - ALLOW (if IP 10.0.0.5/32) or DROPPED (if IP 10.0.0.10/32)
upvoted 2 times
...
...
RiteshAg
2 years, 3 months ago
Forget about IP range, the priority of denying will overtake the 3rd rule. Therefore, the traffic will be dropped for the 2nd point.
upvoted 9 times
arseyam
1 year, 6 months ago
Denying is targeting storage accounts not FTP
upvoted 1 times
...
...
omw2wealth
2 years, 5 months ago
Super easy, it's a freestyle question.
upvoted 2 times
...
SecurityAnalyst
2 years, 8 months ago
# IN EXAM - 31/8/2021
upvoted 3 times
...
Socgen1
2 years, 8 months ago
In exam on 31/08/2021 - answer is correct
upvoted 4 times
...
aftab7500
2 years, 8 months ago
Second answer is Dropped: Reason is there is only 1 address in IP address range: 10.0.0.5-10.0.0.5.
upvoted 3 times
...