Exam AZ-900 All QuestionsBrowse all questions from this exam
Go to Exam
Question 262

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.

Solution: You modify an Azure firewall.

Does this meet the goal?

    Correct Answer: B

    To ensure that a virtual machine named VM1 is accessible from the Internet over HTTP, you should modify the network security group (NSG) associated with VM1 to allow inbound traffic on port 80 (HTTP). Azure Firewall is primarily used for providing protection for non-HTTP/S protocols and offers outbound network-level protection. Therefore, modifying an Azure Firewall alone does not meet the goal of making VM1 accessible over HTTP from the Internet. The correct approach would include setting up an NSG with the proper inbound rule for HTTP traffic.

Discussion
foreverlearnerOption: A

You can either modify a firewall or modify a NSG. For basic allow/deny traffic, NSG is enough. But the same can be achieved with Firewall as well. "The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks." https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

lehoang15tuoi

Your logic is not clear. To put it simply, both Firewall and NSG can be used to block traffic. Think of them like 2 gates on the same walkway. You open one and close one, can you pass through both? The NSG default rule is blocking all inbound traffic, so if you don’t do anything with it, it doesn’t matter what you do with the firewall.

Mozbius_

EXACTLY my chain of thought. But then again... They didn't specify that a NSG has been set up (NSG's are not set by default when you create a vm...) so the only thing that could prevent a vm from communicating on port 80 is the firewall...

Chris0105

You are right. see as well question #133, so it must be firewall or NSG. I actually thought it was just NSG - seems I am wrong.

thebadfella

Guys, forget about the question for a moment and look at your on-prem infra, you need to whitelist in FW first for any legitmate inbound access. So answer is "YES"

PhilB1000Option: B

https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-difference-between-network-security-groups-nsgs-and-azure-firewall What is the difference between Application Gateway WAF and Azure Firewall? The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

hercuOption: B

I think that the following quote resolves all doubts as it sounds clear enough. “The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.” References: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq Comment: Azure firewall is not intended for inbound HTTP/S protection. This means that only the variant with "You modify a network security group (NSG)." in the other similar question is correct. Hope it helps :)

Mozbius_

I would agree with you hercu but then Microsoft also says the following (can't be clearer than that) : Can be filtered by Azure Firewall : * HTTP(S) traffic from on-premises/internet to Azure (inbound) * HTTP(S) traffic from Azure to on-premises/internet (outbound) * Non-HTTP(S) traffic, inbound/outbound https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

BengalTigersOption: B

B. No. Modifying an Azure firewall alone will not ensure that a virtual machine named VM1 is accessible from the Internet over HTTP. Instead, you need to configure the network security group (NSG) associated with the VM1's network interface to allow inbound traffic on port 80 (HTTP) from the Internet. Additionally, you may also need to configure any applicable Azure load balancer, DNS, or public IP settings to ensure proper connectivity.

jokerbaseOption: B

Follow this article: https://adamtheautomator.com/azure-firewall/ We can choose Azure Firewall or NSG. It's also working together. We also can create a VM without NSG. Almost the example they created the VM with NSG because it's free. Azure Firewall is not free. That's all.

MarcalOption: B

No, modifying an Azure firewall would not meet the goal of ensuring that a virtual machine named VM1 is accessible from the Internet over HTTP. To achieve this goal, you would need to configure the network security group (NSG) associated with VM1 to allow inbound traffic on port 80 (HTTP).

MS_Learner

Got Feb 10, 2022, this question came in a way where they list 4 options, so I choose Azure firewall.

stefano1856Option: B

In Microsoft Learning Path is stated : Azure Firewall provides Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP) https://docs.microsoft.com/en-us/learn/modules/secure-network-connectivity-azure/7-combine-services-complete-solution#:~:text=Azure%20Firewall%20provides,and%20FTP

Tas006Option: A

Answer is A. This question came out on the 05.03.2021

AlsariOption: B

Modifying an Azure firewall alone does not meet the goal. To ensure that VM1 is accessible from the Internet over HTTP, you should modify the Network Security Group (NSG) associated with VM1 to allow inbound traffic on port 80 (HTTP). Additionally, you need to ensure that the VM has a public IP address and that any necessary routing or load balancing configurations are correctly set.

zellckOption: A

A is the answer.

mikamozgOption: B

Firewall, WAF and NSG Application rules aren't applied for inbound connections. So if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF). Or alternatively you can tweak NSG because by default everything is closed on NSG once it is created and assigned to vnet, subnet or vnic. Below is tutorial how to setup firewall and vnet, but if you go through you will see that all conversation is about outbound trafic not inbound may be because Azure Firewall application rules aren't applied for inbound connections. So we left with WAF or NSG. https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal

mikamozg

in addition if you go through the deploy guide you will see that making changes to firewall is not enough you always need to do additional things like create default route in ip tables or create default route in VM in order to direct traffic to firewall. so answering to test question making changes on Firewall is not enough.

mikamozg

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or a VM network interface. You place these filters, which control both inbound and outbound traffic, on a network security group attached to the resource that receives the traffic.

mikamozg

everytime you search for the correct answer or solution NSG comes up: https://docs.microsoft.com/en-us/answers/questions/182838/need-to-enable-ports-80-and-443-along-with-inbound.html

manfredwOption: A

correct

Eka22Option: A

hey guys...in my opinion the answer is correct it should be YES. In simple words , NSGs allow authentic ends to communicate and doesn't care about the data exchange, on the other hand, Azure Firewall does the same thing as NSG but, it also checks the data transfer. So the best suitable here to use is Azure Firewall.

KavitwOption: A

correct answer

CARIOCA

This question is very divided in the feedback after all what would be the answer and which justified it?

rob_724Option: B

while modifying azure firewall 'can' help -- firewall is not a default service and it is not assumed that it has been already enabled.