D. Configure DB1 to allow access from only VNET1.
I would go with D.
How would configuring the NSG that VM1 and VM2 are attached to influence who is allowed to access DB1? You have to configure DB1 in a way that only allows VM1 & VM2; one possible option would be allowing VNET1 to access DB1.
The correct answer is C. Create an application security group.
Explanation:
To ensure that only specific VMs (in this case, VM1 and VM2) can access DB1, you can use application security groups (ASGs) in combination with network security group (NSG) rules. Application Security Groups (ASGs) provide a way to group virtual machines and define network security policies based on those groups.
Once you define an ASG and associate the VMs (VM1 and VM2) with that ASG, you can then configure NSG rules to allow or deny traffic to or from the ASG.
To support the answer:
To ensure that only VM1 and VM2 can access DB1, you can use a combination of Network Security Group (NSG) rules and Application Security Groups (ASGs). Here's how to set it up:
1. Create an Application Security Group:
- Create an ASG named "ASG-DB-Access"
- Associate VM1 and VM2 with this ASG
2. Modify NSG1 to include the following rules:
- Create an inbound security rule that allows traffic:
  - Source: ASG-DB-Access
  - Destination: DB1's IP address
  - Service: SQL (port 1433 for SQL Server)
  - Priority: Set a priority higher than any conflicting deny rules
- Create a deny rule with a lower priority to block all other inbound traffic to DB1
Answer = C
you can use both - service tags and ASG to create security rules, but the correct answer is C: service tag.
not A - because it talks about creating a service tag for NSG1, while the rule needs to be configured on the DB side
B: could work, but the IP is dynamic by default and this method is not recommended
D: it does not follow the least privilege/access principle, allowing the entire vNet
The correct answer is D. Option C suggests creating an application security group (ASG), which is typically used for grouping virtual machines based on application requirements. In this scenario, the main objective is to restrict database access to specific virtual machines (VM1 and VM2). Configuring the firewall settings of the database (DB1) directly to allow access only from the virtual network (VNET1) where VM1 and VM2 reside is a more direct and suitable approach for this specific requirement.
On NSG create a rule
Source IP Address VM1 and VM2 and Service Tag Azure COSMOS DB Allow
Source IP Address Any Service Tag Azure COSMOS DB Deny
Now in the COSMOS DB Configure VNET1 in the VNET section
You can also use ASGs where you add the NIC of both VM1 and VM2 to simplify the 1st NSG rule
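The step list above (ASG-DB-Access plus two NSG rules) and the Cosmos DB rule pair in the comment just above describe the same configuration. The script below is an added example of it as Azure CLI; it is not from this thread and not from Microsoft's documentation. The resource group, region and NIC names are placeholders, DB1 is assumed to be reachable at a private IP on port 1433 as the step list assumes, and the NIC IP configuration is assumed to carry the Azure default name ipconfig1. By default the script only prints the az commands it would run; set AZ=az to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microsoft: the az CLI steps
# behind option C (ASG + NSG rules). Runs as a dry run unless AZ=az is set,
# so the plan can be reviewed before anything is changed.
set -eu

AZ="${AZ:-echo az}"                    # set AZ=az to apply for real
RG="${RG:-rg-db1-demo}"                # assumed resource group (placeholder)
LOCATION="${LOCATION:-westeurope}"     # assumed region (placeholder)
NSG_NAME="${NSG_NAME:-NSG1}"           # NSG named in the question
ASG_NAME="${ASG_NAME:-ASG-DB-Access}"  # ASG name used in the comment above
# Destination of the rules: DB1's private IP (placeholder). A service tag such
# as AzureCosmosDB is also accepted by --destination-address-prefixes, which is
# the variant the Cosmos DB comment describes.
DB1_DEST="${DB1_DEST:-10.0.2.4}"
DB1_PORT="${DB1_PORT:-1433}"           # SQL Server port cited in the comment
VM_NICS="${VM_NICS:-vm1-nic vm2-nic}"  # assumed NIC names of VM1 and VM2
IPCONFIG="${IPCONFIG:-ipconfig1}"      # default ip-config name on an Azure NIC

# Step 1: create the application security group.
create_asg() {
    $AZ network asg create --resource-group "$RG" --name "$ASG_NAME" --location "$LOCATION"
}

# Step 1b: ASG membership is set on each NIC's IP configuration, not on the VM.
attach_vm_nics() {
    for nic in $VM_NICS; do
        $AZ network nic ip-config update --resource-group "$RG" --nic-name "$nic" \
            --name "$IPCONFIG" --application-security-groups "$ASG_NAME"
    done
}

# Step 2: NSG rules. A lower number is evaluated first, so the allow at 100 matches
# ASG members and the deny at 200 catches every other source before the default
# AllowVnetInBound rule (65000) would otherwise admit the rest of VNET1.
# A rule that uses --source-asgs must not also set --source-address-prefixes.
create_nsg_rules() {
    $AZ network nsg rule create --resource-group "$RG" --nsg-name "$NSG_NAME" \
        --name Allow-DB1-From-ASG --priority 100 --direction Inbound --access Allow \
        --protocol Tcp --source-asgs "$ASG_NAME" --source-port-ranges '*' \
        --destination-address-prefixes "$DB1_DEST" --destination-port-ranges "$DB1_PORT"
    $AZ network nsg rule create --resource-group "$RG" --nsg-name "$NSG_NAME" \
        --name Deny-DB1-From-Others --priority 200 --direction Inbound --access Deny \
        --protocol '*' --source-address-prefixes '*' --source-port-ranges '*' \
        --destination-address-prefixes "$DB1_DEST" --destination-port-ranges "$DB1_PORT"
}

# Whole procedure in order: ASG, membership, then the two rules.
configure_db1_access() {
    create_asg
    attach_vm_nics
    create_nsg_rules
}

configure_db1_access
```

Two things to check before applying it: the rules are written as Inbound, which is what the comment specifies, so they only take effect on an NSG associated with the subnet or NIC on DB1's side (for instance a private endpoint subnet); an NSG attached to VM1 and VM2 themselves filters their Outbound traffic, and the same rule pair would then be created with --direction Outbound. Second, the explicit deny must sit at a lower number than Azure's default AllowVnetInBound rule, otherwise other hosts in VNET1 are still admitted.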
Answer: D
Explanation:
Configure DB1 to allow access from only VNET1.
How would configuring the NSG that VM1 and VM2 are attached to influence who is allowed to access DB1? You have to configure DB1 in a way that only allows VM1 & VM2; one possible option would be allowing VNET1 to access DB1.
Literally in the definition of ASG: restrict access to the servers, not the VNet.
https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups
The answer is C. (ONLY ACCESS DB1 FROM VM1 AND VM2 IS THE PREMISE OF THE QUESTION)
A) does not serve that purpose because anyone in VNET1 can access the DB via the SERVICE TAG rule on the NSG.
B) does not serve that purpose because the entire VNET1 would be allowed access to DB1.
D) does not serve that purpose because it is another way of allowing the entire VNET1 access to DB1.
C) is the only option that allows you to group VM1 and VM2 to an ASG. A rule can then be created on the NSG that references the ASG as the source and allows access to DB1 as destination.
D is not correct. The question clearly states to only allow VM1 and VM2 (not the entire VNET). Adding an NSG rule requires you to create two of them, one for each VM as SOURCE and DB1 as DEST. The correct answer is 'C'. You create an ASG that references both VM1 and VM2 and create the NSG rule referencing it as the SOURCE and DB1 as the DEST.