HOTSPOT - In which NSGs can you use ASG1 and to which virtual machine network interfaces can you associate ASG1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Yep, so
NSGs (only in the same region*, West US): NSG1, NSG2 & NSG5 only
*Tested in a lab:
-ASG in Australia SE
-NSG in Australia SE => New inbound rule, source ASG, ASG listed in the drop down box
-NSG in SE Asia => New inbound rule, source ASG, NO ASGs listed in the drop down box to select from
VM (only in the same vNet**): VM2 only
** already assigned to VM1 so limited to VNet1
https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups
"All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in."
Tested
NSG1, NSG2, and NSG5 only: ASG and NSG must be in the same region
VM2 only: network interfaces attached to an ASG must be in the same vNet.
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
NSG1 & NSG2
VM2 Only
NSG5 also is out of the question:
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
ref: https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
Correct. ASG1 is applied on VM1. VM1’s interface is the first network interface assigned to ASG1, thus all subsequent network interfaces assigned to ASG1 must exist in VNet1. NSG2 exists in VNet1.
I set up this lab scenario. When I go to NSG5 and create an inbound rule, I am able to change the destination to application security group and ASG1 is visible as an option to select. When I try in NSG3 and NSG4, the Destination application security groups drop down is greyed out and says 'No application security groups found'.
When I go to Network under Settings on VM5, the ASG1 application security group is visible as an option to choose. However, when I click save, the operation fails indicating that the ASG is already attached to another device in a separate subnet.
I was successfully able to add VM2 to the ASG, but ASG1 was not even visible to VM3 and VM4.
The question seems to want to drive home the point that NSGs and ASGs need to be in the same region if you intend to use the ASG in an NSG rule, while VM NICs added to an ASG need to be in the same VNET.
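The lab walked through in the comment above, scripted with the Az PowerShell module so it can be repeated outside the portal. This is an added example, not code from the thread or from Microsoft's documentation; the resource group, NIC and NSG names and the region are assumptions chosen to match the question's scenario (ASG1 and VNet1/VNet4 in West US, VM1 and VM2 in VNet1, VM5 in a different VNet in the same region).

```powershell
# Added example (not from the ExamTopics thread or the Azure docs). Resource group,
# NIC names and region are assumptions; adjust them to your own lab.
$rg     = 'RG-ASG-Lab'   # assumed resource group holding the whole lab
$region = 'westus'       # region of VNet1, VNet4, NSG1/NSG2/NSG5 and ASG1

# 1. An ASG is a regional resource: only NSGs in the same region can reference it.
$asg1 = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'ASG1' -Location $region

# 2. Attach VM1's NIC first. The first NIC pins ASG1 to VNet1 for every later NIC.
$vm1Nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'VM1-nic'   # assumed NIC name
$vm1Nic.IpConfigurations[0].ApplicationSecurityGroups = @($asg1)
$vm1Nic | Set-AzNetworkInterface | Out-Null

# 3. VM2 (also in VNet1) is accepted; VM5 (same region, different VNet) is refused,
#    which is the failure the portal reports on Save in the comment above.
foreach ($nicName in 'VM2-nic', 'VM5-nic') {                               # assumed NIC names
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $nic.IpConfigurations[0].ApplicationSecurityGroups = @($asg1)
    try {
        $nic | Set-AzNetworkInterface -ErrorAction Stop | Out-Null
        Write-Host "$nicName added to ASG1"
    } catch {
        Write-Host "$nicName rejected: $($_.Exception.Message)"
    }
}

# 4. Any NSG in the same region can use ASG1 as a rule source (or destination), even
#    when the NSG is associated with a different VNet, as NSG5 in VNet4 is here.
foreach ($nsgName in 'NSG1', 'NSG2', 'NSG5') {
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-from-ASG1' `
        -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceApplicationSecurityGroupId $asg1.Id -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 443 | Out-Null
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
    Write-Host "rule referencing ASG1 added to $nsgName"
}
```

Run the same Add-AzNetworkSecurityRuleConfig / Set-AzNetworkSecurityGroup pair against NSG3 or NSG4 to confirm the regional restriction the comment observed in the portal. Note that step 2 matters: whichever NIC is attached first decides the VNet every later NIC must live in, so the order in which you build the lab changes which VMs ASG1 will accept.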
I initially had only NSG1 & NSG2, but came across these 2 websites:
https://medium.com/awesome-azure/azure-application-security-group-asg-1e5e2e5321c3
https://petri.com/understanding-application-security-groups-in-the-azure-portal/
Which both state:
Source and Destination in the new rule blade allow you to select any application security group in the same region.
So while there may be no practical use case for using ASG1 in NSG5 in this case, the ASG can be selected by any NSG in the same region.
The only caveat being:
If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network.
So I would agree that NSG1, NSG2 and NSG5 can use ASG1. And only VM2 can be added to ASG1 due to the NICs needing to be in the same VNET.
- All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
- If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if AsgLogic contained network interfaces from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.
So, you can apply the ASG to all NSG within the same region :
=> "NSG1, NSG2, and NSG5 only"
But, as VM1 NIC is already in the ASG, you cannot add another NIC from a different VNet:
=> "VM2 only"
I believe the answers are:
NSGs = NSG1, NSG2 and NSG5 only.
My reasoning for this is that an ASG can be used in NSG rules for any NSG within the same region.
Virtual Machines = VM2 only
The ASG can only be attached to NICs within the same virtual network.
I have tested this in my lab.
NSG1 and NSG2: As per "All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group."
Box 1: NSG 1 and NSG 2
Box 2: VM2, VM1 only
This has been tested on the LAB.
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups#allow-database-businesslogic
Box 1: NSG 1 and NSG 2
Box 2: VM2
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups#allow-database-businesslogic
box1: only VNets 1 and 4 are in West US, so only NSGs in this region can re-use the existing ASG1
result: NSG1, NSG2 and NSG5
box2: "All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group."
source: https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups
result: VM2 only (was already assigned to VM1, which is in VNet1)