AZ-103 Exam - Question 102

Question

HOTSPOT -You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:✑ Subnet 10. 0. 0. 0/24✑ Availability set: AVSet✑ Network security group (NSG): NonePrivate IP address: 10. 0. 0. 4 (dynamic)✑ Public IP address: 40. 90. 219. 6 (dynamic)You deploy a standard, Internet-facing load balancer named slb1. You need to configure slb1 to allow connectivity to VM1. Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:.

Examice · Accepted Answer

.

FrancisFerreira · Answer

Most people here seem to forget that Standard SKU Public IPs cannot have Dynamic assignments.

If the Public IP on VM1 is set to Dynamic, that means it is a Public IP with Basic SKU (Public IPs with Standard SKU have Static assignments by default, that cannot be changed).

We cannot associate Basic SKUs IPs with Standard SKUs LBs... So, top-box must be "Removing public IP address from VM1".

Now, Standard LBs are secure by default (like Standard IPs), so we won't be able to connect to then without explicitly allowing such connections via NSG... So, bottom-box must be "Create and configure NSG".

phongvu · Answer

I believe the answer for 1 should be "Removing public IP address from VM1" and 2 should be "Create and configure NSG".

Exam103 · Answer

I think it ir right:

Secure by default
Standard Load Balancer is built on the zero trust network security model at its core. Standard Load Balancer secure by default and is part of your virtual network. The virtual network is a private and isolated network. This means Standard Load Balancers and Standard Public IP addresses are closed to inbound flows unless opened by Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource. To learn more about NSGs and how to apply them for your scenario, see Network Security Groups. Basic Load Balancer is open to the internet by default.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

mojo13 · Answer

I would remove the public IP in VM1 for sure and assign a static private IP to VM1 as well.

gsbence · Answer

Tested this:
Dynamic Public IP only can be Basic, so it must be removed first before the VM can be added to the backend pool.
If you don't assign an NSG to the VM the inbound connections to the LB would be rejected.

First box: Remove the public IP...
Second box: Create and configure an NSG

chan4u · Answer

Tried and correct answer is :

1) Remove Public IP address (In this case since the IP is dynamic and since it is dynamic it is of Basic category). A Standard load balancer cannot have Basic Public IP Address. Private IP can be Static or dynamic.

2) Create and configure NSG.

Nhan · Answer

Yes, The given answer is correct

Ravihonnagiri · Answer

Public IP SKUs and Load Balancer SKUs must match. For Standard Load Balancer , use VMs with Standard IP addresses in the backend pool.

Also, you cannot reach standard lb as nothing is allowed. So NSG creation is mandatory

Reference:https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal#create-backend-servers

Box1: Remove public IP
Box2: create and configure NSG

Sheru · Answer

One cannot create a backend slb pool if the VM to be associated has a Public IP. So 1st in the sequence is to remove the public IP.
Secondly, you need to create and configure the NSG with the right rules to allow inbound access to the Azure VM.

samco · Answer

Top Box:  remove the public IP from VM1
Bottom Box: Create and assign an NSG to VM

Cloudyuga · Answer

Correct answer is 
Box 1 - Removing public IP address from VM1
Box 2 - create a new network security group (NSG)
Private Ip is - dynamic or static it doesn't matter still u can add the VM if above two are there. i have check it in my environment

Ta_C · Answer

the first answer ought to be [ changing the IP address from dynamic to static ]

awsc · Answer

Tested this today
-Remove the public address from VM1
-Create and configure an NSG

KenZx · Answer

So many people being tricked by this question. VM1 has public Ip address and sku basic and private Ip address (dynamic). So internet facing Load balancer sku "standard" requires backend pool which has private ip address type static
=> Answer 1: change dynamic to static
 Asnwer 2: create and configure NSG

ExamPrep · Answer

Top Box - Create and assign an NSG to VM1
Bottom Box - Change the private IP address of VM1 to static

Top Box - https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-basic-internal-portal

"Create virtual machines....
…...In the Networking tab make sure the following are selected:
….
Public IP > select Create new, and in the Create public IP address window, ....
To create a new network security group (NSG), a type of firewall, under Network Security Group, select Advanced. 
In the Configure network security group field...."

Bottom Box:

https://www.ecanarys.com/Blogs/ArticleID/222/Microsoft-Azure-Implementing-Internet-Facing-Load-Balancers-using-Azure-Resource-Manager

"2 Windows server 2012 R2 Standard_A1 size VMs in the same VNET and corresponding subnet. Make sure both these VMs are in the Same Availability Set. They should have static private IPs and public IPs. (Public IPs are required to RDP into the machine to configure IIS)"

kaviraj · Answer

According to this: https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal the only thing I can see that is created is NSG which at the end.  Standard LB is closed by default in terms of security.  That link shows 3 vms created in 3 different zones all with public IPs.  Given answer looks correct, to me atleast.

ariahi · Answer

Why would you need a public IP if you have a load balancer in front of the VM?
Just send traffic to the private IP.

Shades · Answer

To add a backend pool to standard LB , you must have VMs that have static IP , otherwise you get this error: You can only attach virtual machines in your region that have a standard SKU public IP configuration or no public IP configuration. All IP configurations must be on the same virtual network. and for allowing communication for Standard LB: Standard Load Balancer is secure by default.  This means Network Security Groups (NSGs) are used to explicitly permit and whitelist allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource. Please configure an NSG to ensure communication if needed.

TahaMubarak · Answer

I was thinking about removing the public IP address then said what is the issue if you leave the public IP to the VM as long as the LB will use another public IP and will use the VM private IP

Saman2020 · Answer

Private IP and NSG are required for a Standard LB.

niceeu · Answer

"Basic SKU Load Balancers use Basic SKU IP Addresses, which aren't compatible with Standard SKU Load Balancers as they require Standard SKU IP Addresses"
The IP Addresses are Dynamically assigned, therefore making them, "Basic SKU." 
Ans1: remove Public IP
Ans2: Create & configure NSG
https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard

Mdshah · Answer

i doubt if this is right

dorian_grecu · Answer

Standard-tier load balancers use standard-tier public IP addresses, which are by default closed to inbound traffic. When using a standard-tier load balancer, traffic must be whitelisted using NSGs. In contrast with basic-tier load balancers, traffic should be whitelisted using NSGs, but will also flow if NSGs are not used.

Rizan · Answer

The answer would be 
1st - Removing public IP address from VM1 
2nd  Create and configure NSG.

jonnybugaloo · Answer

Just tested here. You should first remove the Public IP from the VM1, and then, create a NSG to VM1
First Box says: Before you create a backend pool. Here, you can only add VM 1 if the VM has a Static Public IP (Standard), that is not the case, or removing the public IP from this VM. You can enter on public IP configuration associated to VM, and dissociate it from the VM.
Second box says Before you can connect to VM1 - Here you should have an NSG associated to VM1. So, based on the options, is create and configure a NSG.

kate00 · Answer

I tested the first scenario. 
When I tried to add VM with no nsg and dynamic public ip on the back pool, no VM was available which can be added on. On the top, "You can only attach virtual machines in westus that have a standard SKU public IP configuration or no public IP configuration. All IP configurations must be on the same virtual network." was shown. 
Firstly, I attached NSG on the NIC of VM and still no VM was available on the backpool. 
Secondly, I disassociated the dynamic public ip from the VM and I can see the vm list which I can add on the backpool.

AzExam2020 · Answer

The answer given is correct, the VM is in Availability Set.

bnair · Answer

"You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines must have a standard SKU public IP or no public IP."

masa1313 · Answer

Remove the public address from VM1
Create and configure an NSG

Thi · Answer

Given answer correct

AZ-103 Exam - Question 102

Discussion