Question 432

HOTSPOT -

You have a virtual network named VNET1 that contains the subnets shown in the following table:

You have Azure virtual machines that have the network configurations shown in the following table:

For NSG1, you create the inbound security rule shown in the following table:

For NSG2, you create the inbound security rule shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Yes -

    The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2, where VM2 and VM3 are located) to 10.10.1.0/24 (or Subnet1, where VM1 is located), while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the NSG1 rule has a higher priority (or lower value) than the NSG2 rule.

    Box 2: Yes -

    No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.

    Box 3: Yes -

    No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are thus applied.

    Reference:

    https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Discussion
JohnAvlakiotis

I believe it should be No, Yes, Yes. The NSG2 on the NIC of VM1 blocks the request that passes through NSG1, which is attached to the subnet. There is no priority bypass between NSGs. Traffic is filtered independently between NSGs.

rusll

I agree, mixing the rules would create a problem: in case we have two rules with the same priority, how would we decide ...

Patesso

For inbound traffic, the NSG rules attached to the network take priority.

rcdumps

The NSG2 blocks INBOUND requests, not OUTBOUND, hence VM2 can reach VM1.

JamesDC

Oh dear!... Do you understand that VM2 and VM1 are on different subnets and both NSGs are applicable to subnet1 resources... so there's no concept of an outbound rule here. Agree with John: NSG1 is on the subnet and NSG2 is on the NIC, so even if VM2 can enter subnet1, NSG2 will block it on the way to VM1.

Batiste2023

What you're saying is that for traffic between different subnets within a VNET, inbound rules block outbound connections - is there any source to document this? For now I am not convinced and would go for YYY...

tita_tovenaar

thought so too but it is wrong. Look at the destination addresses. Basically you can imagine that NSG1 covers subnet 1 and NSG2 covers VM1 specifically. Tricky question, but answer is No. VM3 could RDP into VM1, if that makes it more clear.

klexams

NSG2 is on VM1, so it blocks inbound to VM1.

Bhuw

Think you're correct https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic

Indy429

This is wrong. "A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities aren't processed. Azure default security rules are given the highest number with the lowest priority to ensure that custom rules are always processed first." So it should be Yes - Yes - Yes. Source: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

bhadrisn

@Indy, NSG1 is at subnet level and NSG2 is at VM level, so when the traffic flows, the NSG1 subnet is evaluated first and then, if passed, NSG2 at VM level is evaluated. Here, the number priority doesn't come into the picture. So the correct answer is No, Yes, Yes.

bhadrisn

typo NSG2 (remove subnet) at VM level

Indy429

You are right, I misread. Thank you

aaa112

1. NO - VM1 has NSG1 on Subnet1, which allows traffic over port 1433 between Subnet2 and Subnet1. BUT NSG2 is also applied at NIC level for VM1 and blocks the traffic on port 1433. Hence no traffic is allowed. Answer is NO. 2. YES - For VM2 there are no NSGs applied at either subnet or NIC level, hence all traffic is allowed. 3. YES - For VM3 there are no NSGs applied at either subnet or NIC level, hence all traffic is allowed.

RogerDingo

Thanks for confirming. I came to the same conclusion as you.

monus

Yes, the NSG at subnet as well as at VM level has to be open in order to allow traffic.

MrJR

Your answer is correct. NYY. Just a small correction. For traffic from VM1 two network security groups apply but both have the default rule AllowVnetOutbound so the outbound traffic to VM2 is allowed. For VM2 no network security group applies so the inbound traffic is allowed as well.

subramani2018

But by default TCP 3389 is blocked in the NSG for VM3, right?

lebeyic620

From the internet, not the VNet.

pcfixok

N N Y Here's what I'm thinking about the 2nd one: Network Security Groups have default rules that you can't remove: DenyAllOutBound and DenyAllInBound. "You can't remove the default rules, but you can override them by creating rules with higher priorities." https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#denyallinbound While the rules of NSG1 and NSG2 don't explicitly block traffic from VM1 to VM2, they do not allow it either. They would still have the default deny all rules at the bottom that can't be removed. Correct me if I'm wrong.

kl8585

For second one: VM2 has no NSG - so all the traffic inbound and outbound is allowed inside the VNET; VM1 inbound traffic is restricted by NSG1 and NSG2. Outbound rules are not specified, so I assume there are the default ones that ALLOW all traffic. So for 2nd answer should be YES. Ref. for default rules: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

adilkhan

N,Y,Y IS CORRECT

ashtonez

Solution is NO NO YES. Explanation: NO, VM2 traffic is blocked by the rule with priority 125 from NSG2 at subnet1 when it reaches subnet1, before reaching VM1. NO, VM1 traffic is blocked by the default deny-all rule from NSG2 at subnet1. YES, no NSG is present, so traffic is allowed by default. The key here: whenever you push traffic, it goes through all the steps, outgoing VM > NIC > subnet, incoming subnet > NIC > VM.

ashtonez

Also let me add that no NSG takes precedence over another NSG; you just need to go through all the NSGs at every resource (subnet, VM or whatever).

bobothewiseman

N Y Y NSG rules applied at the VM level take precedence over rules applied at the subnet level. If there are conflicting rules, the VM-level rule will be applied.

tashakori

No Yes Yes

TSKARAN

As always, we need to make too many assumptions here: the Windows built-in firewall is already configured, and Windows Server is already running the service on the port, TCP/1433.

belyo

As TCP is bi-directional, I am wondering if it is NO-NO-YES. VM2 would never be able to confirm anything to VM1 on that blocked TCP port...

Indy429

Shouldn't it be NO YES YES? The answer is literally in the question; Q1 can't be a YES. It has to be NO.

Indy429

I see a lot of people saying that Q1 should be No, but look at the priorities. Priority 101 is higher than priority 125 and 125 will thereby be overridden by 101, so following that logic, it should be: Yes Yes Yes.

bobothewiseman

Because we are right and you are wrong. It should be NYY. NSG1 and NSG2 are different sets of rules, so priority is not a question in this scenario.

josola

1. VM2 to VM1. VM1 is in subnet 1, which has NSG1 associated. This NSG allows inbound TCP 1433. VM1 has NSG2 associated, which denies traffic from VM2 specifically. Priority doesn't have anything to do with traffic evaluation because they're different rules. Then the answer is No.

2. VM1 to VM2. VM2 is in subnet2, which has no subnet NSG associated, and no VM NSG. VM1 and VM2 are in different subnets in the same VNET, or same address space. Then traffic is allowed. Answer Yes. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

3. VM2 to VM3. VM2 and VM3 are in the same subnet AND there are no defined NSGs that deny traffic. Answer Yes. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

ziggy1117

N - Y - Y. Intra-Subnet traffic: "It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. By default, virtual machines in the same subnet can communicate based on a default NSG rule allowing intra-subnet traffic. If you add a rule to NSG1 that denies all inbound and outbound traffic, VM1 and VM2 won't be able to communicate with each other." https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works In our example, it's explicit in the NSG NIC rule that VM2 cannot connect to VM1 on the said port.

Ahkhan

No, yes, and yes.

DWILK

So even though they are applied to different VMs, NSG1 has priority? NO.

sumaju

For inbound traffic, NSG rules are evaluated in this sequence: Subnet -> NI. For outbound traffic, NSG rules are evaluated in this sequence: NI -> Subnet -> VNet. If there is any explicit deny (with high priority within that NSG) at any level, traffic will be blocked. So the answer is NYY.

sardonique

Reason why box 1 is NO: VM1 is hosting SQL; on VM1's NIC there is NSG2; NSG2 is blocking incoming requests on port 1433 from subnet 2. Now both VM2 and VM3 happen to be connected to subnet2, so neither VM2 nor VM3 will be able to reach the SQL server on VM1, even if traffic is allowed at the subnet level. Think about the flow: the requests are coming from VM2 and VM3 on subnet2; they will reach subnet1 because both subnets belong to the same vNet; the requests are allowed by NSG1 to reach VM1, and right there they will be blocked at the NIC level by NSG2.
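As an added illustration that is not part of the original thread, the following Python model implements the evaluation order that sumaju's and sardonique's comments describe and that Microsoft's linked documentation states: within one NSG the matching rule with the lowest number wins and processing stops, but there is no priority across NSGs; for inbound traffic the subnet NSG and then the NIC NSG are each consulted, and every NSG on the path must allow. The rule values and the addresses of VM1 and VM2 come from the thread; VNET1's address space, VM3's address and the ports used for the second and third flows are assumptions.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

VNET = ip_network("10.10.0.0/16")  # assumed VNET1 address space (not stated in the question)

@dataclass
class Rule:
    priority: int
    access: str    # "Allow" or "Deny"
    src: str       # CIDR, or the service tags "VirtualNetwork", "Internet", "*"
    dst: str
    port: int = 0  # 0 matches any port
def _addr_match(spec, ip):
    if spec == "*": return True
    if spec == "VirtualNetwork": return ip in VNET
    if spec == "Internet": return ip not in VNET
    return ip in ip_network(spec)
# Azure's non-removable default rules (AllowAzureLoadBalancerInBound omitted for brevity)
DEFAULT_IN = [Rule(65000, "Allow", "VirtualNetwork", "VirtualNetwork"), Rule(65500, "Deny", "*", "*")]
DEFAULT_OUT = [Rule(65000, "Allow", "VirtualNetwork", "VirtualNetwork"),
               Rule(65001, "Allow", "*", "Internet"), Rule(65500, "Deny", "*", "*")]

def nsg_allows(rules, defaults, src, dst, port):
    """Inside one NSG the matching rule with the lowest number wins and processing stops."""
    for r in sorted(rules + defaults, key=lambda r: r.priority):
        if _addr_match(r.src, src) and _addr_match(r.dst, dst) and r.port in (0, port):
            return r.access == "Allow"
    return False  # not reached: DenyAll* matches everything

def tcp_allowed(src_vm, dst_vm, port, vms, subnet_nsg, nic_nsg):
    """vms: name -> (ip, subnet); an NSG is (inbound_rules, outbound_rules). Sender: NIC NSG then
    subnet NSG (outbound rules); receiver: subnet NSG then NIC NSG (inbound rules). All must allow."""
    src_ip, src_sub = ip_address(vms[src_vm][0]), vms[src_vm][1]
    dst_ip, dst_sub = ip_address(vms[dst_vm][0]), vms[dst_vm][1]
    path = [(nic_nsg.get(src_vm), 1), (subnet_nsg.get(src_sub), 1),   # 1 = outbound rule set
            (subnet_nsg.get(dst_sub), 0), (nic_nsg.get(dst_vm), 0)]   # 0 = inbound rule set
    for nsg, side in path:
        if nsg and not nsg_allows(nsg[side], DEFAULT_OUT if side else DEFAULT_IN, src_ip, dst_ip, port):
            return False  # a hop with no NSG (None) filters nothing
    return True

# Scenario as the thread states it; VM3's address and the ports of flows 2 and 3 are assumed.
VMS = {"VM1": ("10.10.1.5", "Subnet1"), "VM2": ("10.10.2.5", "Subnet2"), "VM3": ("10.10.2.6", "Subnet2")}
NSG1 = ([Rule(101, "Allow", "10.10.2.0/24", "10.10.1.0/24", 1433)], [])  # associated to Subnet1
NSG2 = ([Rule(125, "Deny", "10.10.2.5", "10.10.1.5", 1433)], [])         # associated to VM1's NIC
SUBNET_NSG, NIC_NSG = {"Subnet1": NSG1}, {"VM1": NSG2}
def three_flows():
    """VM2->VM1:1433, VM1->VM2:1433, VM2->VM3:3389 -> (False, True, True)"""
    return tuple(tcp_allowed(s, d, p, VMS, SUBNET_NSG, NIC_NSG)
                 for s, d, p in (("VM2", "VM1", 1433), ("VM1", "VM2", 1433), ("VM2", "VM3", 3389)))
```

Because NSG2's deny rule names 10.10.2.5 as its only source, the model also shows VM3 reaching VM1 on 1433, which is why the exact source field of the NIC-level rule decides the first box.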