Exam AZ-500
Question 252

HOTSPOT -

You have an Azure subscription that contains the resources shown in the following table.

An IP address of 10.1.0.4 is assigned to VM5. VM5 does not have a public IP address.

VM5 has just in time (JIT) VM access configured as shown in the following exhibit.

You enable JIT VM access for VM5.

NSG1 has the inbound rules shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Discussion
nexel

Just tested in a lab environment:
1. If rule 100 is deleted manually, the access will not work. So the answer is YES.
2. RDP is not blocked because rule 100 is in place and we should consider it as it is. NO.
3. An Azure Bastion host does not enable RDP from the internet. This is the key feature of Bastion: allowing access to VMs which do not have a public IP address. So the answer is NO.

licna

Re 3: "No Public IP required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don't need a public IP on your virtual machine." https://docs.microsoft.com/en-us/azure/bastion/bastion-overview I understand it as Bastion allowing RDP to the VM from the portal (i.e. also from the internet).

kazaki

Rule 100 will be deleted as mentioned, which means 2 will be blocked.

JakeCallham

These questions are to be answered individually, not in relation to or dependency on the others.

chikorita

Why are we all ignoring the fact that we have NSG2 attached to the subnet of the VM, whose rules are not confirmed? Considering the default rules, access must be blocked. So it's YYN.

rudyydmitrij

For #1, the access will not work, for sure. But it will not revoke the approved JIT request.

lt9898

Agree, and I tested this in a lab just in case MS implemented some smarts for consistency. Deleting the rule with priority 100 does not change the "active" status of the JIT access listed on this page: https://portal.azure.com/#view/Microsoft_Azure_Security_R3/JitNetworkAccessBlade/section/configured Technically it's a reasonable workaround for closing previously opened JIT connectivity, since Azure doesn't provide a feature to revoke an approved request, but the request itself is not revoked or reversed.

Jimmy500

Finally, I found one person who read the question carefully. Here it talks about an approved JIT request; the approved JIT request will stay for 3 hours, and then a user who tries will not be able to activate it.

CASGTI

Now... question 2: for me, it is "NO" also, because RDP is allowed. That the machine doesn't have a public IP means you can't access it from the internet; it does not mean you can't access it. And question 3: for me it would be "YES". Why? Just because a well-configured Bastion host will allow you to connect from the internet to the Bastion, and then from there to the machine by using the private IP (as stated on question 2, RDP is allowed, but just internally, so the Bastion will solve this).

Frosticus

JIT does not work with bastion: https://charbelnemnom.com/how-to-configure-just-in-time-vm-access-for-azure-firewall-in-azure-security-center/#Azure_Bastion_and_Jut-In-Time_VM_access

licna

See the update on the article linked: "Updated – 29/11/2021 – Azure Bastion is now supported with Just-In-Time VM access as confirmed by Microsoft in the multilayered protection for Azure virtual machine access. The Bastion private IP range (AzureBastionSubnet) will have to be entered either when Just-In-Time (JIT) is set up, or when the JIT request is created in Microsoft Defender for Cloud."

heatfan900

Y, N, Y. The DENY takes over and denies RDP access. RDP access is not blocked because the first rule ALLOWS it. A Bastion host will allow you to connect to the VM over the internet by behaving as a jump box that you can RDP from internally.

heatfan900

A further note: when looking at the JIT access config you can clearly see that the access is granted on demand for a period of three hours only. Therefore, both rules will expire after that time. The rule with the higher priority wins out, so access is allowed. Technically, no one would ever configure two rules that directly conflict with each other, and this is only done for the sake of this question. That being said, besides the JIT rule which is set against the NSG (the reason why you need an NSG to set up JIT in the first place), RDP access is allowed directly as well, but since there is no public IP, a Bastion host will need to be available for RDP access to the server from the internet.

Catlyn

1. No: editing the NSG will not revoke the approved JIT request, though it may affect the access.
2. No: RDP is not blocked, as rule 1001 still exists and it allows any/any, meaning it can allow devices from peered VNETs (not from the internet, as there is no public IP).
3. Yes: Azure Bastion can allow access to VMs without a public IP if the user has access to the Azure portal.

wardy1983

Explanation:
1. If rule 100 is deleted manually, the access will not work. So the answer is YES.
2. RDP is not blocked because rule 100 is in place and we should consider it as it is. NO.
3. An Azure Bastion host does not enable RDP from the internet. This is the key feature of Bastion: allowing access to VMs which do not have a public IP address. So the answer is NO.

Mnguyen0503

You clearly haven't tried Azure Bastion. It IS the Microsoft-recommended method to allow administrators access to VM RDP and SSH services without having to link the VM with a public IP. So 3 is yes.

TheProfessor

Answer is Y Y N

Ario

You have to consider each of these questions individually; the answer for all 3 will be NO. If you have configured a Just-In-Time (JIT) access rule in your Network Security Group (NSG) to allow RDP access to a VM for a specific duration, such as 3 hours, and you approve a user's request for access, the user will continue to have access until the specified duration ends, regardless of whether you remove the rule from the NSG.

majstor86

YES YES NO

Muaamar_Alsayyad

Given answer is correct, YES, YES, NO.
1. If we remove the rule, no more access, since Deny will remain.
2. JIT access only works with a public IP; the VM has only a private IP.
3. Bastion needs port 443 open.

Muaamar_Alsayyad

Answer is YES, NO, NO, sorry. JIT can work without a public IP: https://learn.microsoft.com/en-us/answers/questions/701986/can-i-use-just-in-time-access-without-public-ip.html

Nava702

From the article below: "The proper way to remove Security Center's JIT policy is to go to the Security Center portal -> Azure Defender -> "Just-in-time VM access" under Advanced protection and remove the policy from the configured VM. Removing the NSG rule alone will not do the trick as JIT has a recover option." https://learn.microsoft.com/en-us/answers/questions/417961/disable-jit-in-security-center So the answer for Q1 is NO. I think Q2 asks in general whether RDP access is blocked or not. Once JIT expires, or if it is not considered, it is indeed blocked, so YES. Q3: Bastion hosts allow you to connect to VMs without public IPs from the internet; however, since RDP is blocked in general, the answer is NO.

epomatti

Just a poorly written question with a lot of information missing. Really garbage work if this is what is actually in the exam.

_ajay

JIT rule 100 will be deleted automatically after 3 hours.

xxavimr

I think the Bastion question is YES too. Look at this architecture: https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/multilayered-protection-azure-vm

xxavimr

And Azure Bastion does not need 443 open, and it still uses port 3389 to connect to the VM.

Mnguyen0503

This is correct. Once authenticated, Bastion will give administrators access to RDP and SSH directly from the Internet. The only downside is that it is an admin-only tool, and not recommended for regular users.

Pupu86

Need not worry about NSG2, as an NSG tied to a NIC takes precedence over an NSG tied to a subnet. In this case, NSG2 is a distractor in this question.

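The thread keeps reasoning about priority, the JIT-written rule 100 and the subnet NSG by hand. The simulation below is an added example (not a poster's code or Microsoft's) of the documented evaluation model: within one NSG the lowest-numbered matching rule decides, and for inbound traffic the subnet NSG is evaluated before the NIC NSG, with both having to allow the flow. The question's exhibits are not on this page, so the NSG1 rule set (the 200 deny and the 1001 allow-all) and the default-rules-only NSG2 are constructed, and the JIT rule's source is simplified to "*".

```python
"""Simulate Azure NSG inbound evaluation for VM5 (NIC NSG1, subnet NSG2).

Model: rules in an NSG are evaluated in ascending priority order, first match
wins; inbound traffic must be allowed by the subnet NSG and then the NIC NSG.
The custom rules below are CONSTRUCTED to mirror the discussion, not the exam exhibit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number = evaluated first
    access: str     # "Allow" or "Deny"
    source: str     # "*" or a service tag such as "Internet" / "VirtualNetwork"
    dest_port: str  # "*" or a single port, e.g. "3389"


# Default inbound rules present in every NSG; they cannot be removed.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "VirtualNetwork", "*"),     # AllowVnetInBound
    Rule(65001, "Allow", "AzureLoadBalancer", "*"),  # AllowAzureLoadBalancerInBound
    Rule(65500, "Deny", "*", "*"),                   # DenyAllInBound
]

JIT_RULE = Rule(100, "Allow", "*", "3389")  # written by JIT when a request is approved (source simplified)
NSG1_CUSTOM = [JIT_RULE, Rule(200, "Deny", "*", "3389"), Rule(1001, "Allow", "*", "*")]  # constructed
NSG2_CUSTOM = []  # constructed: subnet NSG carrying only the default rules


def evaluate(custom_rules, source_tag, dest_port):
    """Return the access of the first matching rule in priority order."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.source in ("*", source_tag) and rule.dest_port in ("*", dest_port):
            return rule.access
    return "Deny"  # unreachable because DenyAllInBound matches everything


def effective_inbound(subnet_rules, nic_rules, source_tag, dest_port):
    """Inbound: subnet NSG first, then NIC NSG; a Deny at either layer wins."""
    for rules in (subnet_rules, nic_rules):
        if evaluate(rules, source_tag, dest_port) == "Deny":
            return "Deny"
    return "Allow"


def rdp_from(source_tag, jit_rule_present=True):
    """Effective verdict for RDP (3389) to VM5 with or without the JIT rule 100."""
    nic_rules = NSG1_CUSTOM if jit_rule_present else [r for r in NSG1_CUSTOM if r != JIT_RULE]
    return effective_inbound(NSG2_CUSTOM, nic_rules, source_tag, "3389")


if __name__ == "__main__":
    for src in ("Internet", "VirtualNetwork"):
        for present in (True, False):
            print(f"RDP from {src:14s} rule 100 present={present!s:5s} -> {rdp_from(src, present)}")
```

With rule 100 present, RDP from inside the virtual network (for example a Bastion subnet) is allowed, but deleting rule 100 lets the 200 deny take effect; traffic tagged Internet never passes the subnet NSG's DenyAllInBound, whatever NSG1 says.
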
mssii

The 2nd question is "yes" because of the deny for the RDP connection. I assume it doesn't matter about priority. https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks