Exam AZ-700
Question 184

HOTSPOT -

You have an Azure virtual network that contains the subnets shown in the following table.

In NSG1, you create inbound rules as shown in the following table.

NSG2 has only the default rules configured.

You have the Azure virtual machines shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Yes -

    VM3 is in Subnet2. NSG2 applies. The default rule will allow the communication.

    Box 2: No -

    VM1 and VM2 are in Subnet1. NSG1 applies. Only traffic on ports 80 and 443 will be allowed. A connection on port 9090 will be denied.

    Note: Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

    Box 3: No -

    VM1 is in Subnet1. NSG1 applies. Only traffic on ports 80 and 443 will be allowed. A connection on port 9090 will be denied.

    Reference:

    https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
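The note above describes how an NSG evaluates rules: sorted by priority, lowest number first, first match wins, and the three built-in default inbound rules (AllowVNetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sit behind any custom rules. The following is an added example, not code from ExamTopics or Microsoft, that models that evaluation for the three statements in this question. Because the question's tables are not reproduced on the page, the NSG1 rules (allow 80 and 443, then a deny-all from the VirtualNetwork tag at priority 200), the address space, the VM addresses and the subnet assignments are all constructed assumptions; the ports 8080 and 9090 come from the explanation and discussion. Outbound rules and NIC-level NSGs are deliberately left out, since the scenario only attaches NSGs to subnets and the default outbound rule allows VNet traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; defaults use 65000+
    source: str     # CIDR, "*", or a service tag ("VirtualNetwork", "AzureLoadBalancer")
    dest_port: str  # "*", a single port, a range "a-b", or a comma-separated list
    action: str     # "Allow" or "Deny"


# Assumed VNet address space; the "VirtualNetwork" service tag resolves to it.
VNET_ADDRESS_SPACE = ["10.0.0.0/16"]

# The three default inbound rules that every NSG carries (real names and priorities).
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

# Constructed stand-in for the NSG1 table in the question: only 80 and 443 get through,
# everything else sourced from the VNet is denied at priority 200.
NSG1 = [
    Rule("AllowHTTP", 100, "*", "80", "Allow"),
    Rule("AllowHTTPS", 110, "*", "443", "Allow"),
    Rule("DenyVNetInBound", 200, "VirtualNetwork", "*", "Deny"),
]
NSG2 = []  # "only the default rules configured"

# Assumed addresses and subnet-to-NSG association.
VMS = {"VM1": "10.0.1.4", "VM2": "10.0.1.5", "VM3": "10.0.2.4"}
SUBNETS = [("Subnet1", "10.0.1.0/24", NSG1), ("Subnet2", "10.0.2.0/24", NSG2)]


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def _source_matches(spec: str, src: str) -> bool:
    if spec == "*":
        return True
    if spec == "AzureLoadBalancer":
        return src == "AzureLoadBalancer"  # the probe source is a tag, not an address
    if src == "AzureLoadBalancer":
        return False
    ip = ip_address(src)
    if spec == "VirtualNetwork":
        return any(ip in ip_network(cidr) for cidr in VNET_ADDRESS_SPACE)
    return ip in ip_network(spec)


def evaluate_inbound(custom_rules, src: str, dest_port: int):
    """First matching rule wins, lowest priority number first. Returns (action, rule name)."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(rule.source, src) and _port_matches(rule.dest_port, dest_port):
            return rule.action, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def subnet_nsg(ip: str):
    """The NSG associated with the subnet that contains ip."""
    for _name, cidr, nsg in SUBNETS:
        if ip_address(ip) in ip_network(cidr):
            return nsg
    raise ValueError(f"{ip} is not in any known subnet")


def can_connect(src_vm: str, dst_vm: str, port: int) -> bool:
    """Inbound check only: the destination's subnet NSG is consulted even when both
    VMs share the subnet, which is why VM1 -> VM2 is denied below."""
    action, _ = evaluate_inbound(subnet_nsg(VMS[dst_vm]), VMS[src_vm], port)
    return action == "Allow"


if __name__ == "__main__":
    for src, dst, port in [("VM3", "VM1", 8080), ("VM1", "VM2", 9090), ("VM1", "VM3", 9090)]:
        action, rule = evaluate_inbound(subnet_nsg(VMS[dst]), VMS[src], port)
        print(f"{src} -> {dst}:{port}: {action} by {rule} -> {'Yes' if action == 'Allow' else 'No'}")
```

Running it yields No, No, Yes: the priority-200 deny in NSG1 matches before AllowVNetInBound at 65000 for both VM3 -> VM1:8080 and VM1 -> VM2:9090, while NSG2's defaults reach AllowVNetInBound for VM1 -> VM3:9090. Swapping the deny rule's priority to anything above 65000 would never take effect, which is the point of the note about lower numbers being processed first.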

Discussion
Sheriboy

should be N,N, Y 1) Inbound rule on subnet1 will deny 2) Inbound rule on subnet2 will deny 3) No rule on VM3 so it would allow connections

Cristoicach91

correct.

EdinaldoJunior1981

N,N,Y correct

AWSAZ0

N,N,Y Agree, and I tested it in the LAB using ICMP

CharlesS76

3) Incorrect reason: VM3 is on subnet2 which has NSG2 applied. "NSG2 has only the default rules configured." Default rules allow traffic within the vNET, this is why the answer is YES.

charlesr1700

N, inbound rule on subnet one will deny. Y, communication within the same subnet does not go through an NSG, so nothing is blocking. Y, standard rules do not block vNet to vNet communication unless explicit.

davidkerr7

2) is wrong "It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VM's within it."

sapien45

"For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there's one, and then the rules in a network security group associated to the network interface, if there's one." That means NNY. I recommend you pass AZ-900 Microsoft Azure Fundamentals Certification. AZ700 is not for you homie.

Stevy_nash

that was hard = )

WMG

Savage but true..

daemon101

Maybe you are not a modern sapien but a neanderthal due to your behavior. You don't need to mention whether the NSG is bound to the interface. Even if the NSG is bound at subnet level, the hosts under the subnet will be impacted by the NSG rules. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic

Libaax01

VM3, which is part of Subnet 2, cannot connect to port 8080 on VM1, because we have an inbound rule that denies all ports except port 80 and 443. So, the answer is No! VM1 and VM2 are on the same subnet and by default inbound rules within a virtual network are allowed, however we have an NSG rule with a lower priority (200) overriding the default allow rule which is priority 65000. So the answer is NO! VM1 is on Subnet 1 and VM3 is on Subnet 2, and outbound communication by default between subnets in the same virtual network is allowed and the question states NSG2 has only the default rules configured. So the answer is YES! N N Y

GBAU

N,N,Y Lab confirmed: the Virtual Network 200 Deny rule blocks both VM1 to VM2 and VM3 to VM1. Remove that rule and connectivity is restored. Good to know, as I had thought the NSG applied to a SN only worked on the ingress and egress of the SN, but it also can work within the SN itself. Maybe I am remembering back to my AWS networking, or just imagining things. I don't think anyone is disputing VM1->VM3 = Y

Rivaillexd07

I think the best answer is N,N,N the first two are already very clear, about the last one, it is said that the NSG2 has default rules, nothing is said about port 9090 released, so, based on this, access would be denied. Anyone else agree?

Rivaillexd07

I'm sorry guys, I read the question again and the right answer is N, N and Y: communication between subnets is released by default, NSG2 is using default rules.

Apptech

should be NYN 1. Inbound rule on subnet1 will deny 2. By default, virtual machines in the same subnet can communicate based on a default NSG rule allowing intra-subnet traffic. (https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic) 3. VM3 has default rules as the text states. DenyAllInbound is the default for NSG. See here: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

farajcmm

i agree NYN

samir111

It should be N,N, Y

Aydin

NNY 1 and 2: inbound rule denies because of NSG1 assigned to Subnet1, and the default inbound rule is AllowVnet any to any, so VM1 can connect to VM3 by default

hogehogehoge

3) NSG Default inbound rule include DenyAllInBound rule. So this answer is No.

Lazylinux

NNY * Inbound rule on subnet1 will deny * Inbound rule on subnet2 will deny - remember the scope is the whole vNET * No rule on VM3 and default rule allows for vNET communication without restrictions

Billabongs

NNY "If you add a rule to NSG1 that denies all inbound and outbound traffic, VM1 and VM2 won't be able to communicate with each other." https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic

UR

NNY Ref for #2: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic

ABIYGK

1. N: VM3 is trying to access VM1 through port 8080 and port 8080 is not in the allowed port list of NSG1. 2. N: VM1 and VM2 are trying to talk with each other. Even though they are on the same subnet, the NSG1 deny rule will include port 9090. 3. Y: VM1 and VM3 can have a connection; NSG1 will not affect any outbound connection. NSG1 is applied inbound, which means it affects connections that come into Subnet 1 only. The only allowed ports are http (80) and https (443) and the rest is blocked. Any connection going outside of Subnet 1 is allowed. VM1 and VM2 will be affected by NSG1 because they are under Subnet1. NSG2 will not affect anything because only default rules are configured.

ABIYGK

The answer should be N N Y

MrBlueSky

I re-created this in a lab and can confirm that the VMs could not communicate with one another even though they are in the same subnet. As others have discussed and provided the link for... NSGs are still used for intra-subnet communication. Answer is NNY

faeem

I would go with N,N,Y as described,"By default, virtual machines in the same subnet can communicate based on a default NSG rule allowing intra-subnet traffic. If a rule is added to *NSG1 that denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other." With NSG1 having custom rules, intra-communication is defined by the rules.

TJ001

N,N,Y .... NSG1 is incomplete there is no reference to Destination...(assumed it is Subnet1)