AZ-300 Exam QuestionsBrowse all questions from this exam
Go to Exam

AZ-300 Exam - Question 41

SIMULATION -

Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.

When you are finished performing all the tasks, click the "˜Next' button.

Note that you cannot return to the lab once you click the "˜Next' button. Scoring occur in the background while you complete the rest of the exam.

Overview -

The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

To start the lab -

You may start the lab by clicking the Next button.

You plan to host several secured websites on Web01.

You need to allow HTTPS over TCP port 443 to Web01 and to prevent HTTP over TCP port 80 to Web01.

What should you do from the Azure portal?

Show Answer
Correct Answer:

See explanation below.

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Step A: Create a network security group

A1. Search for and select the resource group for the VM, choose Add, then search for and select Network security group.

A2. Select Create.

The Create network security group window opens.

A3. Create a network security group

Enter a name for your network security group.

Select or create a resource group, then select a location.

A4. Select Create to create the network security group.

Step B: Create an inbound security rule to allows HTTPS over TCP port 443

B1. Select your new network security group.

B2. Select Inbound security rules, then select Add.

B3. Add inbound rule -

B4. Select Advanced.

From the drop-down menu, select HTTPS.

You can also verify by clicking Custom and selecting TCP port, and 443.

B5. Select Add to create the rule.

Repeat step B2-B5 to deny TCP port 80

B6. Select Inbound security rules, then select Add.

B7. Add inbound rule -

B8. Select Advanced.

Clicking Custom and selecting TCP port, and 80.

B9. Select Deny.

Step C: Associate your network security group with a subnet

Your final step is to associate your network security group with a subnet or a specific network interface.

C1. In the Search resources, services, and docs box at the top of the portal, begin typing Web01. When the Web01 VM appears in the search results, select it.

C2. Under SETTINGS, select Networking. Select Configure the application security groups, select the Security Group you created in Step A, and then select Save, as shown in the following picture:

References:

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

Discussion

11 comments
Sign in to comment
bootyholeman
Jan 28, 2020

All inbound connections are blocked by default in NSG. You only need to add a rule to allow 443

Novix
Mar 3, 2020

Technically you still need the deny. It has no mention of external traffic. So you need to assume that AllowVnetInBound also needs port 80 blocked.

epomatti
Jun 14, 2020

I wouldn't take any chances and would deny HTTP 80 explicitly.

Ekramy_Elnaggar
Dec 31, 2019

1- If VM >> Create NSG with 2 rules and assign to Subnet 2- If Web App >> Configure HTTPS Only : ON

ron_b
May 22, 2020

Good to know both ways

lorimer1
Jan 2, 2020

The nic already has a network security group so should update the rules on that i.e. no need to create a 2nd NSG

Ahmed911
Apr 16, 2020

You don't need to create NSG, just go the VM>Networking>then add "Allow" 443 to the inbound rules. HTTP already not allowed by default, if you found it just delete the rule.

TYT
Apr 24, 2020

This is definitely a VM. Go to VM -> Networking -> Add Inbound Port Rule -> Source: Any, Source Port ranges : *, Destination: Any, Destination Port Range: 443 (https), Action: Allow, Priority: More than 100, Name: anything -> Add. Same with Port 80 for HTTP. Or As Ekramy_Elnaggar suggested, create NSG and do the same thing as above.

nabylion
Jul 12, 2020

first search for web01 and check whether it is an app or a vm, then apply corresponding action plan.

chibadoo
Sep 5, 2020

it is a vm and not app

Rakeshsuryawanshi
Dec 9, 2019

Question is about the Website (AppService) not about a website on Virtual machine. not sure why the explanation show this path

Ekramy_Elnaggar
Dec 13, 2019

it is mentioned "You plan to host several secured websites on Web01" , so Web01 must be a VM not an App service.

2cool2touch
Mar 10, 2020

I am wondering why you shouldn't update existing NSG. It may impact other VMs in the VNET. I was thinking to create a new NSG and replace the current one with the new NSG with appropriate Allow for HTTPS and Deny for HTTP

levm39
Mar 2, 2020

the explanation also shows at the end Application Security Groups, this is wrong!

pattasana
Jun 6, 2020

I think it's not wrong. just another way to do.

franksoul
Jun 14, 2020

I Think we have 2 options: 1. Create Inbound Rules in NSG and allow 443 and deny 80. But all the VM's attached to this NSG will be impacted by this Rule. 2. Create Application Security Group, assign to VM and create same 443 allow and 80 deny rule in NSG with Destination as ASG. SO these rules will apply to only those VM's where ASG is added.

tundervirld
Jul 7, 2020

Agree whit franksoul. We have two options:. 1.-) You can use NSG to filter traffic and add this same rules in other resources, is the best option but has more steps. Step A: Create a network security group Step B: Create an inbound security rule to allows HTTPS over TCP port 443 Step C: Create an inbound security rule to deny TCP port 80 Step D: Associate your network security group with the same subnet to your Service or VM. 2).- The Same thing in 1, but inside the VM in the networking section, you will need to understand what is your scenery in the lab. References: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic