Exam AZ-500 topic 3 question 33 discussion

Sorry, I have to re-post. Correct answer is this. 1) You can only assign 1 NSG to a subnet, and there is only one subnet in the description. So Box 1 is 1 2) Number of rules in NSG can be any, they are processed in sequence. Rule 1: You can have AppGroup3 as the source and AppGroup4 as destination in one rule then allow traffic. Rule 2: You can have Service Tag "Internet" as a source and AppGroup12 as the destination. then allow traffic. Rule 3: YOu can have source as the subnet range and destination as subnet range then deny all traffic, so only above rules will be allowing traffic. SO Box 2 is 3. You still have 3 default rules that allow traffic from VNET, LoadBalancer and deny all other inbound traffic.

Correct answer is this. 1) You can only assign 1 NSG to a subnet, and there is only one subnet in the description. So Box 1 is 1 2) You can have AppGroup3 as the source and AppGroup4 as destination in one rule then deny traffic. That's one rule. You can have Internet tag as a source and AppGroup12 as the destination. That's rule 2. SO Box 2 is 2 .

This is also an option. NSGs: 2 Network Security Rules: 3 1. NSG1 (Associated with NIC1 and NIC2): Rule 1: Source: Internet Destination: AppGroup12 Action: Allow (Other settings as appropriate for your desired ports/protocols) 2. NSG2 (Associated with the Subnet): Rule 2: Source: AppGroup3 Destination: AppGroup4 Action: Allow (Other settings as appropriate) Rule 3: Source: Any Destination: Any Action: Deny

I think it is 1 and 3. First of all, question is 'how many NSGs and rules should you CREATE', so the default rules are excluded from the count. Minimize number of NSGs: All NICs are in same VNet, so create 1 NSG for the VNet Minimize number of rules: Default allows traffic within the VNet, so to 'allow traffic to VM4 from VM3 only' we need two new rules: 1) allow traffic to VM4 from VM3 2) deny other traffic to VM4 Inbound traffic is denied by default, so for "Allow traffic from the Internet to VM1 and VM2 only" we need only 1 rule: 3) allow traffic to VM1 and VM2 (or AppGroup12) from Internet

I think the given answers are correct. You need 2 NSGs. One for the subnet, one for VM4. Allow traffic to VM4 only from VM3, this means you need to block all other traffics, even those within the VNET. You cannot have this rule in the subnet NSG, because then you will have to add many other rules to allow other intra-vnet traffic. So it is better to add this deny all traffic rule in the VM4's NSG. You need 3 rules: (1) allow internet traffic to AppGroup12, in the subnet NSG. (2) in the VM4 NSG, deny all inbound traffic; (3) allow traffic from VM3.

) You can only assign 1 NSG to a subnet, and there is only one subnet in the description. So Box 1 is 1 2) Number of rules in NSG can be any, they are processed in sequence. Rule 1: You can have AppGroup3 as the source and AppGroup4 as destination in one rule then allow traffic. Rule 2: You can have Service Tag "Internet" as a source and AppGroup12 as the destination. then allow traffic. Rule 3: YOu can have source as the subnet range and destination as subnet range then deny all traffic, so only above rules will be allowing traffic. Box 2 is 3. You still have 3 default rules that allow traffic from VNET, LoadBalancer and deny all other inbound traffic. References: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

NSG: 1 Rules: 3 NSG: You can only assign 1 NSG to a subnet, and there is only one subnet in the description. Rules: - The first rule (inbound) is to allow traffic initiated from the internet to ASG12. All traffic initiated from the internet is blocked by default, so in this case, we need to allow it to VM1 and VM2, which are grouped together in ASG12. - The second rule is to allow traffic initiated from VM3 to VM4. - The third rule would be to deny all the connections as we have a default rule "AllowVNetInBound" which will allow the access between the VMs. Create one similar to the default one but with action "deny".

In my opinion, there is one NSG and 1 Security Rule. You need to implement network security to meet the following requirements: ✑ Allow traffic to VM4 from VM3 only. // By default traffic is enabled within the subnet and all of the VMs are under same subnet. So we don't need to create additional rule. ✑ Allow traffic from the Internet to VM1 and VM2 only. // Service Tag: Source Internet and destination the ASG group. ✑ Minimize the number of NSGs and network security rules. There are default deny rules for inbound and outbound traffic. We could create additional rule to deny traffic within the subnet, but that was not asked, importantly, asked to minimize the rules.

The key word here is 'only'. They are asking you to limit the traffic on those conditions. By default there is a rule that allows all traffic from the VNET, so you must deny it in order to achieve the goal.

THE QUESTION CLEARLY STATES HOW MANY YOU NEED TO CREATE. 1 AND 3 IS THE ANSWER. 1 NSG / 3 Rules 1 NSG attached to the subnet1 ------- 1 Rule for TAG (Internet) as source and ASG12 as dest 1 Rule for VM3 to VM4 1 Rule to DENY all other traffic within Subnet1 as the default deny rules are only there to stop un-stateful traffic from outside the vnet. Without this deny rule all VMs will be able to speak to one another which clearly goes against what the question is asking.

ASG-NSG RULE SETUP EXPLANATION: -ONE NSG ASSIGNED TO THE ONE VNET. -TWO RULES ASSIGNED TO THE ONE NSG AGAINST THE ASGs. >THE FIRST RULE (INBOUND) IS TO ALLOW TRAFFIC INITIATED FROM INTERNET TO ASG12. >ALL TRAFFIC INITATED FROM THE INTERNET IS BLOCKED BY DEFAULT SO IN THIS CASE WE NEED TO ALLOW IT TO VM1 AND VM2 WHICH ARE GROUPED TOGETHER IN ASG12. >THE SECOND RULE IS TO DENY TRAFFIC INTIATED BY ASG12 TO VM 4. >THIS WOULD DENY VM1 AND VM2, AGAIN, GROUPED TOGETHER IN ASG12 TO COMMUNICATE WITH VM4. -THE PREMISE OF THE QUESTION IS TO TEST YOUR ABILITIES IN USING ASGs EFFICIENTLY ONE WAY OR THE OTHER. -NOTE, RULES ARE APPLIED BASED ON PRIORITY AND AN OBJECT THAT DOES MATCH RULE SIMPLY MOVES ON TO THE NEXT RULE. IF NO RULE APPLIES THE OBJECT WILL EVENTUALLY MATCH THE DENY OR ALLOW ALL RULE AT THE BOTTOM OF THE LIST WITH THE LOWEST PRIORITY.

NSGs: 1 Network Security Rules: 3

Answer should be 1 & 2 https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups

1 NSG for the subnet 3 rules (one from ASG3 to ASG4 / one from tag:Internet to ASG12 / one for deny any to any)

The point is “how many rules should you create” not “how many rules should be in NSG”. So to allow traffic to VM4 from VM3 only we need to create an inbound rule from VM4 to allow VM3 traffic. And another rule to allow traffic from internet to the VM1 and VM2. So the answer have to be 1 NSG and 2 rules. Again, it is asking you how many rules you must create, so you do not count the default rule that you did not created.

VM3 and VM4 are in the same subnet so they can communicate by default. However, NSG blcok all incoming traffic from the internet by defualt so we need to create a rule to allow the access from the internet. So we only need one rule i guess..?

1 NSG 3 Rules