ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 3 question 46 discussion

Actual exam question from Microsoft's AZ-500
Question #: 46
Topic #: 3
[All AZ-500 Questions]

HOTSPOT -
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzNetworkSecurityRuleConfig and receive the output shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: able to connect to East US 2
The StorageEA2Allow has DestinationAddressPrefix {Storage/EastUS2}

Box 2: allowed -
TCP Port 21 controls the FTP session. Contoso_FTP has SourceAddressPrefix {1.2.3.4/32} and DestinationAddressPrefix {10.0.0.5/32}
Note:
The Get-AzureRmNetworkSecurityRuleConfig cmdlet gets a network security rule configuration for an Azure network security group.
Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
by JohnCrawford at Oct. 21, 2019, 8:12 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
JohnCrawford
Highly Voted 4 years, 9 months ago
The second part of your answer is incorrect. The FTP traffic is coming from 1.2.3.4/32 and going to 10.0.0.10/32. The NSG rule for port 21 allows traffic from 1.2.3.4 to 10.0.0.5 NOT 10.0.0.10. 10.0.0.5/32 equates to a single IP address. 10.0.0.5. There is no rule allowing FTP traffic to 10.0.0.10.
upvoted 164 times
rgullini
3 years, 3 months ago
This is correct. But I also thing is typo. Nevertheless, if it is not a typo the answer for second point is "dropped"
upvoted 11 times
...
GraceCyborg
3 years, 5 months ago
i believe its a typo..
upvoted 7 times
...
...
gboyega
Highly Voted 4 years, 1 month ago
should be 1. ABLE TO CONNECT TO EAST US2 2. DROPPED (because the cidr notation is a /32 which means only one IP, which is different from the IP in the rule. so the packet would be dropped.
upvoted 46 times
...
rvln7
Most Recent 4 weeks ago
FTP connections from 1.2.3.4 to 10.0.0.10/32 are dropped. The rule allows FTP from 1.2.3.4/32 to 10.0.0.5/32, not 10.0.0.10/32. So the connection to 10.0.0.10/32 doesn’t match this rule and will be implicitly denied unless another rule allows it.
upvoted 1 times
...
wardy1983
9 months, 1 week ago
Box 1: able to connect to East US 2 The StorageEA2Allow has DestinationAddressPrefix Storage/EastUS2 Box 2: DROPPED because the cidr notation is a /32 which means only one IP, which is different from the IP in the rule. so the packet would be dropped.
upvoted 2 times
Hot_156
5 months, 3 weeks ago
Direction for the BOX 1 is Outbound. There is not an Inbound rule for the storage account.
upvoted 1 times
...
...
ESAJRR
10 months, 1 week ago
1. ABLE TO CONNECT TO EAST US2 2. DROPPED
upvoted 3 times
...
heatfan900
11 months, 1 week ago
east US2 as specified in STORAGE NSG rule Denied since the FTP NSG rule clearly states connections are only allowed to 10.0.0.5/32. That is a single host address.
upvoted 2 times
...
majstor86
1 year, 5 months ago
Box 1: able to connect to East US 2 Box 2: dropped
upvoted 8 times
...
ligu
1 year, 5 months ago
1 - Able to connect to east US2 because priority is 104 2 - dropped because 10.10.0.10/32 is not allow
upvoted 3 times
...
junkm
1 year, 7 months ago
- storage allowed to East US2 - rule sequence is before storage deny rule - FTP is dropped, policy allows traffic to 10.0.0.5 not 10.0.0.10
upvoted 2 times
...
F117A_Stealth
1 year, 8 months ago
1 - is correct. the direction is indeed outbound FROM the subnet TO the Azure storage (hence outbound from the perspective of a NSG attached to the subnet in question). 2. is incorrect, look at the CIDR (/32) is diff. SIMPLE!
upvoted 2 times
...
bacana
1 year, 10 months ago
Both are wrong. 1 - Direction is outbound and not inbound. 2 dropped because IP address
upvoted 1 times
koreshio
1 year, 9 months ago
1 - is correct. the direction is indeed outbound FROM the subnet TO the Azure storage (hence outbound from the perspective of a NSG attached to the subnet in question).
upvoted 2 times
...
...
MoFami
2 years, 1 month ago
In Exam 01/07/2022
upvoted 2 times
...
Alessandro365
2 years, 1 month ago
I think it has a typo, if you look at the explanation of the answers it says the "DestinationAddressPrefix" is 10.0.0.5/32. In this case, the answer to the second question is "Allow". If the IP is really "10.0.0.10/32" as it is in the question, then the answer would be "Dropped".
upvoted 1 times
Alessandro365
2 years, 1 month ago
Answer: 1 - ABLE TO CONNECT TO EAST US2 2 - ALLOW (if IP 10.0.0.5/32) or DROPPED (if IP 10.0.0.10/32)
upvoted 2 times
...
...
RiteshAg
2 years, 6 months ago
Forget about IP range, the priority of denying will overtake the 3rd rule. Therefore, the traffic will be dropped for the 2nd point.
upvoted 9 times
arseyam
1 year, 9 months ago
Denying is targeting storage accounts not FTP
upvoted 1 times
...
...
omw2wealth
2 years, 8 months ago
Super easy, its freestyle question
upvoted 2 times
...
SecurityAnalyst
2 years, 11 months ago
# IN EXAM - 31/8/2021
upvoted 3 times
...
Socgen1
2 years, 11 months ago
In exam on 31/08/2021 - answer is correct
upvoted 4 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel