HOTSPOT -
You create NSG10 and NSG11 to meet the network security requirements.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
Box 1: No - NSG10, which is attached to VM1's subnet, blocks RDP (port TCP 3389) to 'Any', which means the port is blocked to all destinations.
Box 2: Yes - NSG10 blocks ICMP from VNet4 (source 10.10.0.0/16) but it is not blocked from VM2's subnet (VNet1/Subnet2).
Box 3: No - NSG11 blocks RDP (port TCP 3389) destined for 'VirtualNetwork'. VirtualNetwork is a service tag and means the address space of the virtual network (VNet1) which in this case is 10.1.0.0/16. Therefore, RDP traffic from subnet2 to anywhere else in VNet1 is blocked.
I think the response should be YES, YES, NO
1) VM1 can establish an RDP session to VM as the filtering is set to inbound, even if the rule would have matched (it would have required outbound)
2) As stated already, this is for VNet4, so no problem, the traffic will be granted
3) The traffic will be dropped by NSG11 set as outbound and from the subnet 10.1.0.0/16 to the VNet, so it matches and is dropped.
3 - Outbound means from inside of the subnet to outside, so in my opinion the NSG allows the RDP connection. If the rule were associated with the inbound direction, then traffic should be blocked.
So, correct should be YYY
Yes, Yes, No is correct. Make sure you double-check each of the NSG rules, so it's clear!
1. From VM1 to inbound RDP VM2, there are no NSGs blocking this. There is only a custom inbound NSG for VM1, and a custom outbound NSG for VM2, neither of which will block our connection.
2. VM2 outbound NSG has no rules blocking ping (ICMP). Next review the inbound NSG for VM1. There is a priority rule 1000, inbound ICMP deny, but the source is pointing to VNET4 (tricky!)
3. Blocked. VM2 NSG has an outbound deny for 3389 RDP.
Y N Y
1: Yes, the RDP block is set to inbound on subnet 1, so from VM1 (outbound) to VM2 works
2: Yes: subnet 1 has ICMP blocked from VirtualNetwork as tag destination, but the source is the subnet-4 range. So VM2 (subnet 2) can still perform RDP
3: Yes. The source IP range of the NSG does not match subnet2, this renders the custom rule useless
Some basics:
1. NSG on NIC always takes precedence over NSG on Subnet.
2. Default setting for NSG is DenyAllInbound. There is one rule for all NSG linked to NIC which says RDP from Internet is allowed, which indicates that default setting for Inbound is active.
What does it mean? It means that VM1 cannot establish RDP to VM2 which NSG2 only allows RDP from Internet.
Q1: No
For outbound traffic default setting is Allow All. NSG10 (VNET1/Subnet2) denies ICMP only to Vnet4.
Q2: YES
NSG 11 on Vnet1/Subnet2 does not allow outbound for Virtual Network
Also Default for NSG of Vm3 (NIC) is DenyAllInbound.
Q3: NO
So, in my opinion NYN is correct.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Careful with point 2. Yes, you have the DenyAllInbound, but you also have AllowVNetInBound with better priority. With the default rules, all inbound traffic from the VNet is allowed.
Answer is correct, it will be NYN.
No - Traffic will be dropped by NSG10. Subnet NSG will take precedence over VM interface NSG.
Yes - ICMP is allowed.
No - Traffic will be dropped by NSG11.
Check these two NSG tables
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
so the answer is NNN
What about the NSGs connected to the NICs? There is only 1 rule (inbound), which is to allow RDP from Internet. Won't these block any VM/subnet RDP connections allowed via the subnet NSG?
'The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the internet'
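How one NSG picks a rule for the ICMP case discussed above (statement 2), as an added example that is not part of the original page or of any comment. It models only the inbound check of NSG10 on Subnet1: rules are tried in ascending priority number, the first match decides, and Azure's default inbound rules sit behind the custom ones. The rule name, the VM addresses and the reduction of the VirtualNetwork tag to 10.1.0.0/16 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the VirtualNetwork tag is reduced to VNet1's address space
# (10.1.0.0/16, from the page); peered and on-premises ranges are ignored.
TAGS = {"VirtualNetwork": ["10.1.0.0/16"], "Any": ["0.0.0.0/0"]}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    protocol: str      # "TCP", "ICMP" or "*"
    source: str        # CIDR or a key of TAGS
    destination: str   # CIDR or a key of TAGS
    port: str          # e.g. "3389", or "*"
    action: str        # "Allow" or "Deny"

# Azure's built-in inbound rules (AllowAzureLoadBalancerInBound omitted).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "Any", "Any", "*", "Deny"),
]

# Custom inbound rule of NSG10 as the discussion describes it: deny ICMP,
# source 10.10.0.0/16 (VNet4), priority 1000. The rule name is constructed.
NSG10_INBOUND = [
    Rule(1000, "DenyIcmpFromVNet4", "ICMP", "10.10.0.0/16", "VirtualNetwork", "*", "Deny"),
]

# Constructed addresses: the page does not give the VMs' IPs.
VM1 = "10.1.1.4"         # in VNet1/Subnet1, behind NSG10
VM2 = "10.1.2.4"         # in VNet1/Subnet2
VNET4_HOST = "10.10.0.4"  # some host in VNet4

def _in_prefix(addr, spec):
    """True if addr falls inside the CIDR or service tag named by spec."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in TAGS.get(spec, [spec]))

def evaluate(custom_rules, protocol, src, dst, port="*"):
    """Return (action, rule name) of the first matching rule, lowest priority number first."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and r.port in ("*", port)
                and _in_prefix(src, r.source) and _in_prefix(dst, r.destination)):
            return r.action, r.name
    return "Deny", "no match"

if __name__ == "__main__":
    print(evaluate(NSG10_INBOUND, "ICMP", VM2, VM1))
    print(evaluate(NSG10_INBOUND, "ICMP", VNET4_HOST, VM1))
```

The deny rule only fires when the packet's source falls inside 10.10.0.0/16; a ping from Subnet2 skips it and is matched by the default AllowVnetInBound rule before DenyAllInBound is reached.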