ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-140 All Questions

View all questions & answers for the AZ-140 exam
Go to Exam

Exam AZ-140 topic 4 question 22 discussion

Actual exam question from Microsoft's AZ-140
Question #: 22
Topic #: 4
[All AZ-140 Questions]

You have an on-premises network and an Azure subscription. The subscription contains the following:
✑ A virtual network
✑ An Azure Firewall instance
✑ An Azure Virtual Desktop host pool
The virtual network connects to the on-premises network by using a site-to-site VPN.
You need to ensure that only users from the on-premises network can connect to the Azure Virtual Desktop managed resources in the host pool. The solution must minimize administrative effort.
What should you configure?

  • A. a conditional access policy
  • B. an Azure Firewall rule
  • C. a network security group (NSG) rule
  • D. a user-defined route
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by bugdad at April 29, 2022, 7:15 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
bugdad
Highly Voted 3 years, 3 months ago
I think it should be A... AVD is accesable from anywhere
upvoted 7 times
Alessandro365
1 year, 3 months ago
correct, this is the point!! Answer A is correct
upvoted 1 times
...
...
lukiduc9625
Most Recent 6 months, 2 weeks ago
Selected Answer: A
I think, that from given options only CA policy can work. To use mentioned site-to-site VPN connection it should be configured Private Endpoints for AVD - but there is not such info in question text nor such possibilities in answers
upvoted 1 times
...
hwoccurrence
6 months, 3 weeks ago
Selected Answer: A
Conditional Access is considered the simplest, most centralized way to limit Azure Virtual Desktop logons to “on‐premises only.” By defining your on‐premises public IP range as a Named Location in Entra (Azure AD) and creating a CA policy that requires that IP location, you effectively block connections from outside your on‐prem network. While firewall or NSG rules could also be used, they typically require more manual IP/subnet management (and might not easily differentiate “user traffic” from on‐prem vs. “admin traffic” from the internet). Conditional Access is designed exactly for “only let these users sign in from these networks” with minimal overhead.
upvoted 1 times
...
kam247
9 months, 1 week ago
Correct answer is B. They have a site to site VPN configured, first point. Therefore we need to restrict access via private IP range. Although you can restrict access via public IP using network locations in CA, you cannot do this via a private IP range which would be used since they have a site to site vpn. The only option is to use Azure FW which is already configured.
upvoted 2 times
DC095
5 months, 2 weeks ago
There is no mention of RDP shortpath for managed networks being configured. Traffic bound for Azure Virtual desktop does not traverse a site to site by default.
upvoted 1 times
...
...
jeff1988
9 months, 1 week ago
Selected Answer: A
To ensure that only users from the on-premises network can connect to the Azure Virtual Desktop managed resources in the host pool, while minimizing administrative effort, you should configure A. a conditional access policy. Conditional access policies in Azure Active Directory allow you to enforce access controls based on specific conditions, such as the network location. By setting up a conditional access policy, you can restrict access to the Azure Virtual Desktop resources to only those users who are connecting from the on-premises network.
upvoted 3 times
...
Frankmmendoza
1 year, 1 month ago
Selected Answer: C
Based on the requirement to restrict access to AVD resources to users from the on-premises network over a site-to-site VPN connection, configuring a network security group (NSG) rule is the correct and optimal solution. It effectively meets the security requirement while minimizing administrative effort, aligning with best practices for network security in Azure environments.
upvoted 3 times
...
[Removed]
1 year, 3 months ago
Selected Answer: B
Correct answer it is B as there is already an Azure Firewall available. https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD It could not be a Conditional Access Policy because the location is referring to public IPs not the private ranges you use on-prem. check this for more info: https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition
upvoted 2 times
DC095
5 months, 2 weeks ago
The problem with B is that the additional resources required to send AVD feed subscription traffic over a tunnel (private link services/private endpoint, Private DNS Zone, ect.) are not provisioned in the subscription. So in this scenario, all connections to AVD would hit the public endpoint. A firewall rule won't do anything in this case since the traffic wouldn't flow through it.
upvoted 1 times
...
...
ESAJRR
1 year, 6 months ago
Selected Answer: B
B. an Azure Firewall rule
upvoted 1 times
...
AKov77777
1 year, 9 months ago
Selected Answer: B
B? https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?tabs=azure
upvoted 2 times
...
Judith1969
1 year, 9 months ago
B? Becasue there is a "An Azure Firewall instance" and question states "The solution must minimize administrative effort."
upvoted 1 times
...
Ishraj
2 years ago
Selected Answer: B
It talks about AVD managed resources. It should be B
upvoted 1 times
...
picho707
2 years, 1 month ago
The key piece of information here is "minimize administrative effort". I do think this is easier to do with CA policy as it gives the administrator more control of the VDI environment.
upvoted 1 times
...
Leocan
2 years, 2 months ago
Selected Answer: A
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
upvoted 1 times
...
PXAbstraction
2 years, 7 months ago
Agreed, should be A. You could theoretically attain the same goal with B, but far less effectively and elegantly.
upvoted 3 times
...
Jakobss
2 years, 8 months ago
Selected Answer: A
To ensure that only users from the on-premises network can connect to the Azure Virtual Desktop managed resources in a host pool, you can use Azure Firewall to restrict access to the Azure Virtual Desktop resources. Azure Firewall allows you to control inbound and outbound network traffic to and from your Azure resources, including Azure Virtual Desktop resources.
upvoted 4 times
...
choy1977
2 years, 8 months ago
This must be A.. can't understand why b has been selected!
upvoted 1 times
picho707
2 years, 1 month ago
This can be easily done with a single firewall rule.
upvoted 2 times
hawkens
1 year, 1 month ago
Identify the On-Premises Network IP Range Configure Azure Firewall Network Rules Ensure VPN Connectivity Step 1: Identify the On-Premises Network IP Range Step 2: Configure Azure Firewall Network Rules Navigate to the Azure Firewall instance in the Azure portal Go to the "Rules" tab and select "Network rule collection" Set the priority (lower numbers have higher priority) Choose "Allow" for the action In the rule collection, add a new rule Set the source address range to the CIDR block of your on-premises network Set the destination address range to the IP addresses of the AVD host pool or the virtual network subnet where the AVD resources reside Set the destination port ranges to the appropriate ports used by AVD (e.g., 3389 for RDP) Set the protocol to "Any" or specify the protocol used by AVD Save the rule collection and ensure it is active. Ensure that the site-to-site VPN connection between your on-premises network and the Azure virtual network is properly configured Check that routing is correctly set up
upvoted 1 times
...
...
...
Luc401
3 years ago
Selected Answer: A
Should be A
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel