
AZ-700 Exam - Question 235


Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following resources:

✑ A virtual network named Vnet1

✑ A subnet named Subnet1 in Vnet1

✑ A virtual machine named VM1 that connects to Subnet1

✑ Three storage accounts named storage1, storage2, and storage3

You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.

Solution: You create a network security group (NSG) and associate the NSG to Subnet1.

Does this meet the goal?

Correct Answer: B

Simply creating a network security group (NSG) and associating it to Subnet1 does not meet the goal. To ensure VM1 can access only storage1 while being prevented from accessing storage2 and storage3, you need to configure specific rules within the NSG. The NSG must explicitly allow outbound traffic to storage1 and deny outbound traffic to the other two storage accounts. Therefore, additional configuration beyond just creating and associating an NSG is required to meet the stated goal.

Discussion

17 comments
derrrp
Jan 19, 2024

Assuming the NSG does not magically know what you're trying to do, we can assume the answer is no.

tartarus23 (Option: B)
Jan 11, 2024

B. No. I do not think it meets the goal, since the NSG was not specific on what account or access it allowed or denied.

hogemax (Option: B)
Jan 30, 2024

B. No. This just creates a network security group and associates it to Subnet1. Further configuration is required.

BenH (Option: A)
Dec 2, 2023

I think this will meet the goal.

jeffangel28
Feb 10, 2024

explain how pls

Diazan
Nov 28, 2024

An NSG by itself (with only default rules configured) won't work at all.

omgMerrick (Option: B)
Aug 17, 2024

B. No. This solution does not fully meet the goal. Although creating a network security group (NSG) and associating it to Subnet1 is a step in the right direction for securing network traffic, simply associating an NSG to a subnet does not restrict outbound traffic from VM1 to the storage accounts. To ensure that VM1 can access storage1 and is prevented from accessing any other storage accounts, you need to apply a specific set of rules to the NSG. One way to achieve this is by configuring the NSG to allow outbound traffic only to storage1 and deny outbound traffic to all other storage accounts. So, to fully meet the goal, you need to create an NSG, associate it to Subnet1, and then configure appropriate rules in the NSG to allow traffic from VM1 to storage1 and block traffic to all other storage accounts.

Swetareddy
Jan 7, 2024

It happens only through service endpoint policies, using which you can restrict access to only one storage account.

jeffangel28 (Option: B)
Feb 10, 2024

Correct! Creating and associating the NSG is not all that is necessary!

Jamesat (Option: B)
Feb 18, 2024

An NSG would do nothing without Rules. Also, if the Storage Accounts are public, then you would need to set a Service Endpoint and then block it. This would affect all the storage accounts. Without clarity this is clearly a NO.

azeem0077 (Option: B)
Feb 26, 2024

Just adding an NSG won't make any change. So the answer is B. In case the question also said that outbound and inbound rules are there in the NSG, then the answer may have been A.

GohanF2
May 13, 2024

The solution is too vague, so the answer is NO.

rac_sp
Jan 14, 2024

The information provided in the question is extremely abstract.

Alessandro365 (Option: B)
Mar 23, 2024

No is correct

BlackZeros (Option: B)
Mar 27, 2024

The default NSG will allow the traffic to still go out.

Prutser2 (Option: B)
Apr 13, 2024

It doesn't stipulate what is in the NSG, so assuming it is empty, it will not do anything.

AzureJobsTillRetire (Option: A)
Jun 30, 2024

Hey guys, I think the answer might be A, yes. I had this question in my exam in a group of three YES/NO questions. I passed the exam with a score of 900, which is not very high but enough. I thought that there would be one YES in the three questions, and if that is true, this one is the only one that could be YES. We can either assume the NSG is not configured well and give it a NO, or assume the NSG is configured as it should be and give it a YES.

Aunehwet79
Jul 9, 2024

That's a pretty good score bro

wooyourdaddy
Oct 4, 2024

All of these 3 questions would be a no. The simplest solution to this problem would be to implement a service endpoint for storage on the subnet that VM1 is on and then use a service endpoint policy to limit it to the storage1 resource only. Source: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview

xRiot007
Apr 21, 2025

"I thought that there would be one Yes in the three questions, and if that is true" - it is not, here is why: "Some question sets might have more than one correct solution, while others might not have a correct solution."

unclegrandfather
Dec 29, 2023

Appeared on exam Jun/28/22

TJ001
Jul 21, 2024

NSG won't help... we can define rules to deny/allow access to the Storage service or a regional storage service by using service tags... but in this case the VM should access only one storage account... so NSG won't help here... Answer: No

TJ001
Jul 21, 2024

Creating service endpoint policy is a good idea
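
The service endpoint policy approach that several comments above point to, written out as Azure CLI commands. This is an added example, not part of the original thread. Vnet1, Subnet1 and storage1 come from the question; the resource group, location, subscription ID and policy names are placeholder assumptions, and storage1 is assumed to live in that resource group.

```shell
#!/usr/bin/env bash
# Added example: limit Subnet1's Microsoft.Storage service endpoint to storage1.
# RG, LOCATION, SUB_ID and POLICY are assumed placeholders, not values from the page.
set -eu

RG="${RG:-rg-placeholder}"
LOCATION="${LOCATION:-eastus}"
SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"
POLICY="${POLICY:-sep-storage1-only}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# Build the ARM resource ID of a storage account in $RG.
storage_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUB_ID" "$RG" "$1"
}

# Print the command in dry-run mode, otherwise run it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

restrict_subnet_to_storage1() {
  # 1. Create the (empty) service endpoint policy.
  run az network service-endpoint policy create \
    --resource-group "$RG" --name "$POLICY" --location "$LOCATION"

  # 2. Add one definition that lists storage1 only. storage2 and storage3 are
  #    not listed, so traffic to them over the endpoint is rejected.
  run az network service-endpoint policy-definition create \
    --resource-group "$RG" --policy-name "$POLICY" --name allow-storage1 \
    --service Microsoft.Storage --service-resources "$(storage_id storage1)"

  # 3. Enable the Microsoft.Storage endpoint on Subnet1 and attach the policy.
  run az network vnet subnet update \
    --resource-group "$RG" --vnet-name Vnet1 --name Subnet1 \
    --service-endpoints Microsoft.Storage --service-endpoint-policy "$POLICY"
}

restrict_subnet_to_storage1
```

With the default `DRY_RUN=1` the script only prints the three commands for review; set `DRY_RUN=0` in an authenticated `az` session to apply them.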