HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
NSG1 is configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
I think is : Yes Yes No
I'm assuming that the NSG is applied to Subnet1. Y. Outbound rules have 145 priority for allow storage1 access Y. Inbound rules has default Vnet to Vnet allow so VM2 can access VM1. The deny rule 110 is for Internet traffic coming in. N. We can see the NSG is associated to 1 subnet from the image.
yep seems incomplete. it says it applies to 1 subnet but did not say which subnet.
We can infer from Inbound rule HTTPS_VM1_Deny that is applied on VM 1 - IP 10..3.0.15 means VM1 is in Subnet1
Yes No - since it's saying it's using the HTTPS protocol "HTTPS ports are dedicated network ports that allow internet users to transmit data via a secure connection encrypted using an SSL/TLS certificate. The most common examples are ports 443 and 8443." No
The rule block communication on port 443 from internet to VM1 But communication between internal networks should be allowed
Forget the answer is Y,Y,N Agree with Metafaim
Allow VnetInbound only applies to the VNETS that NSG1 is applied to, NSG1 is only applied to Subnet1 on VNET 1, so only traffic from VNET1 is allowed in. HTTPS_VM1_Deny has no effect on https from VM2 as VM2 is not on the internet. But... DenyAllInbound blocks VM2 because VM is not on VNET1.
I see people saying the question is incomplete but the point of the question is to see if you are paying attention enough to know what you think is missing. Note: NSG1 Applies to Subnet1 only. Yes - VM1 can access the Storage account because there is nothing blocking it the on the virtual network. There is a rule that actually allows outbound access to storage. Yes- VM2 is on the Same VNET there is nothing blocking access to it from VM1 on the Virtual network. The Deny rule for HTTPS_VM1_Deny is for inbound connections from the internet. No- You have a Inbound deny rule for VM1 from the the internet with a destination of the 10.3.0.15 which is in Subnet1. This proves the NSG is associated to Subnet1 and only subnet one because the image shows it is connected to only 1 subnet. VM2 is on Subnet2 which you can determined by its IP address. This means that NSG1 does not apply to VM2.
You explained everything. Thank you.
YNN @nd question asking for conncetion thru HTTPS, Port 443 is blocked, its not just saying can connect to VM1. in that case it will connect since in the same Vnet but not thru internet.
YNN 1. Allowed by outbound rule 2. Blocked by DenyAllInbound, explanation: -Allow VnetInbound will allow all traffic between peered VNETs, it will not allow traffic from all sources on VNETs to reach all destinations on VNETs. --The destination of the rule is VirtualNetwork, so traffic can come into the virtual network, but there is no rule that allows HTTPS traffic from the virtual network into the VM. 3. Only applied to VMs one Subnet.
You're wrong on 2. There's also a policy on AllowVnetOutbound so answer should be YES for box 2.
Also AllowVnetOutbound and AllowVnetInbound both have a higher ranking in priority than the policy you are claiming. The answer to 2 should def be Yes.
Yes Yes No This is correct!
Y,Y,N . Box1 Y: Outbound storage port 443 allowed Box2 Y: Inbound only restricts from source internet so doesn't affect vnet to vnet as per inbound 65000 which is allowed Box3 Probably N: Since it looks incomplete. But exhibit shows associated with 1 subnet and priority inbound 110 is subnet1
I want to become an Azure admin not Azure detective ffs
It is Y Y N. Yes: There are no outbound restrictions preventing this traffic. Yes: Since VM2 is in subnet2, the rule that denies access from the Internet does not apply to internal traffic between subnets. The default allow rules for Virtual Network should permit traffic between VMs in different subnets within the same VNET. No: NSG1 is associated with subnet1 in VNET1, so the security rules apply only to the VMs in subnet1, not to all VMs in VNET1.
Y, N, N Y'all give me heartburn lmfao
NO NO YES
Hello, please when you will pass the exam?
correct answer: YYN NSG is assigned to Subnet 1. 1st box: outbound rule has allow rule for storage 2nd box: Priority 110 does not apply, this rule is for internet (outside) connection Priority 65000 will apply for vnet-vnet which is allowed 3rd box. NSG rule applies to Subnet 1
Yes Yes No
Hi All, I have a question. How VM1 can access storage1 with an outbound rule that block any internet access and there isn't any private endpoint and service endpoint mentioned in the question.
there is an outbound rule named Storage_Access that has higher priority than the Block_Internet rule
1) Yes - Rule `Storage_Access` is allowing access to storage accounts; 2) Yes - Rule `Deny_VM1` is only for Internet Inbound, not for VirtualNetwork, so VM2 can access VM1 via HTTPS; 3) NO - NGS is associated only to Subnet1.
We assume that storage account allow VM1 to connect. Otherwise not what the NSG rule is, VM1 can't connect to storage account!
please find my understanding below: Yes -> VM1 can access storage1 -> because 443 is allowed. Yes -> VM2 can access VM1 by using the HTTPS protocol -> because HTTPS outbound is allowed Yes -> The security rules for NSG1 apply to any virtual machine on VNET1 -> becasue there is no restrictions
NSG is only associated with the subnet, not whole VNET, so the third one is NO
I say its YNN