AZ-303 Exam - Question 33

Question

HOTSPOT -You have an Azure subscription that contains a resource group named RG1. You have a group named Group1 that is assigned the Contributor role for RG1. You need to enhance security for the virtual machines in RG1 to meet the following requirements:✑ Prevent Group1 from assigning external IP addresses to the virtual machines. ✑ Ensure that Group1 can establish a Remote Desktop connection to the virtual machines through a shared external IP address. What should you use to meet each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:.

Examice · Accepted Answer

Box 1: Azure Policy -There is a built-in policy in the Azure Policy service that allows you to block public IPs on all NICs of a VM. Note: Azure Policy is a powerful tool in your Azure toolbox. It allows you to enforce specific governance principals you want to see implemented in your environment. Some key examples of what Azure Policy allows you to do is:Automatically tag resources -✑ Block VMs from having a public IP✑ Enforce specific regions✑ Enforce VM sizeBox 2: Azure Bastion -Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the AzurePortal. Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your Virtual Network (VNet) using SSL without any exposure through public IP addresses. Incorrect Answers:Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet. Reference:https://blog. nillsf. com/index. php/2019/11/02/using-azure-policy-to-deny-public-ips-on-specific-vnets/ https://azure. microsoft. com/en-us/services/azure-bastion/.

Chuck_Strut · Answer

the second box in my exam was load balancer not bastion

sanketh123 · Answer

Does bastion provide an external IP address?

syu31svc · Answer

Answer is correct

Policy to prevent assignment and Bastion for RDP

Rens19991 · Answer

Load balancer or Azure WAF for Box 2

chris009 · Answer

Wrong answer. should be Azure policy and WAF

poplovic · Answer

Bastion is the correct answer for (2). The shared external IP address is the public IP address of Bastion.

resq4u · Answer

The answer is correct.
For second part, Bastion is the correct answer as although the VMs don't require public IPs but Bastion server does require a public IP to which clients can connect.

sreejit4u2003 · Answer

Answer is Correct

goTEXANS · Answer

https://docs.microsoft.com/en-us/azure/bastion/vnet-peering
Azure Bastion works with the following types of peering:

Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.

quantumray · Answer

Question appeared On AZ-303 exam on 08/12/2021 - 49 questions, 4Q - Fabrikan case study

Suwani · Answer

Answer is correct

AZ-303 Exam - Question 33

Discussion