Exam AZ-700
Question 256

HOTSPOT -

You need to restrict traffic from VMScaleSet1 to VMScaleSet2. The solution must meet the virtual networking requirements.

What is the minimum number of custom NSG rules and NSG assignments required? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Box 1: Two custom rules -

With the NSG attached to VMScaleSet2, you would need to create a custom rule blocking all traffic from VMScaleSet1. Then you would need to create another custom rule, with a higher priority (a lower priority number) than the first rule, that allows traffic on port 443.

The default rules in the NSG will allow all other traffic to VMScaleSet2.

Box 2: One NSG -

The minimum requirement is one NSG. You could attach the NSG to VMScaleSet1 and restrict outbound traffic, or you could attach the NSG to VMScaleSet2 and restrict inbound traffic. Either way you would need two custom NSG rules.
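To check the ordering the answer key relies on, here is a small added example (not from the exam page or from Microsoft): a Python model of NSG inbound evaluation, where rules are checked from the lowest priority number upward, the first match decides, and the default rules sit at 65000 and above. The labels in place of IP ranges and the extra VMScaleSet3 are constructed for the demonstration.

```python
# Added example: minimal model of Azure NSG inbound rule evaluation.
# Rules are evaluated lowest priority number first; the first match wins.
# Addresses are simplified to labels; "VirtualNetwork" matches any VNet member.
from dataclasses import dataclass

# Constructed sample: VMScaleSet3 is not in the question, added to show default behaviour
VNET_MEMBERS = {"VMScaleSet1", "VMScaleSet2", "VMScaleSet3"}


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number = evaluated first (Azure semantics)
    access: str     # "Allow" or "Deny"
    source: str     # label, "VirtualNetwork" service tag, or "*"
    dest: str
    protocol: str   # "Tcp" or "*"
    port: str       # "443" or "*"


def _addr_ok(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "VirtualNetwork":
        return addr in VNET_MEMBERS
    return pattern == addr


def _matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (_addr_ok(rule.source, src) and _addr_ok(rule.dest, dst)
            and rule.protocol in ("*", proto) and rule.port in ("*", str(port)))


# Azure's default inbound rules: cannot be deleted, always evaluated last
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*", "*"),  # AllowVnetInBound
    Rule(65500, "Deny", "*", "*", "*", "*"),                              # DenyAllInBound
]


def evaluate(custom_rules: list, src: str, dst: str, proto: str, port: int) -> str:
    """Return 'Allow' or 'Deny' for one inbound flow; first matching rule wins."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src, dst, proto, port):
            return rule.access
    return "Deny"  # unreachable in practice because DenyAllInBound matches everything


# The two custom rules from the answer, attached inbound on VMScaleSet2:
# the allow rule must carry the lower (i.e. higher-precedence) priority number.
ANSWER_RULES = [
    Rule(100, "Allow", "VMScaleSet1", "VMScaleSet2", "Tcp", "443"),
    Rule(200, "Deny", "VMScaleSet1", "VMScaleSet2", "*", "*"),
]
```

Swapping the two priority numbers makes the deny rule match first and blocks port 443 as well, which is the ordering mistake the answer key warns about.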

Discussion
derrrp

2 Rules 1 Assignment Reminds me of an old video I once saw on the internet...

jeffangel28

Right, validated!

sapien45

I saw a variant of that movie: 3 rHoles 1 Assignment. I just saw a few minutes though

MariusKas

I tested your movie in lab - got all Yesses

mrgreat

To restrict traffic from VMScaleSet1 to VMScaleSet2 on TCP port 443, we need to create a custom NSG rule to allow traffic on port 443 and apply it to both VMScaleSet1 and VMScaleSet2. We also need to create a custom NSG rule to deny all traffic and apply it to VMScaleSet1. So the minimum number of custom NSG rules and NSG assignments required would be:
2 custom NSG rules: 1 to allow traffic on TCP port 443 and 1 to deny all traffic
2 NSG assignments: 1 for VMScaleSet1 and 1 for VMScaleSet2
Therefore, the answer is: minimum number of custom NSG rules = 2, minimum number of NSG assignments = 2.
Note: we could potentially use an existing NSG that is already assigned to the virtual machines and add the necessary rules to it. In that case, the minimum number of NSG assignments would be 1.

MrBlueSky

You could just apply the NSG to the subnet that both VMSS are in. Min number of rules = 2, min number of assignments = 1.

BenH

Correct

marcelina50

My 2 cents on this: 1 custom rule and 1 assignment. Custom rule: allow traffic from VMSS1 to VMSS2 on port 443. Assignment: NSG assigned to the subnet, since they reside inside the same subnet. Now the caveat... With each NSG we have a standard rule to ALLOW inbound VNet communications. If you DENY that traffic, you don't need to create another custom rule to deny the traffic within the subnet. Am I wrong? Please

Webesciaki

Why not 1:1? 1 assignment, to just VMSS2, as "Network Security Groups can be applied directly to a scale set, by adding a reference to the network interface configuration section of the scale set virtual machine properties." 1 rule: block TCP/443 with a source of subnet1 and deny. The rest of the VNet's CIDRs would be allowed by default. Out of the scope of this question I guess, but you could assign an ASG to VMSS1 and use that as the source in that single blocking rule assigned directly to VMSS2.

Webesciaki

My bad, I misread the requirements. 1:2, that is 1 assignment and 2 rules: 1st allow TCP/443, 2nd block subnet1 as source.