Exam AZ-500
Question 473

HOTSPOT -

You are evaluating the security of the network communication between the virtual machines in Sub2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes. All traffic is allowed out to the Internet so you can ping the public IP.

NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.

Box 2: Yes. VM3 is on Subnet12. There is no NSG attached to Subnet12 so the traffic will be allowed by default.

Box 3: No (because VM5 is in a separate VNet).

Note: Sub2 contains the virtual machines shown in the following table.

Discussion
nihao381

1 -- No, as traffic would be sourced from internet since it is destined to the public IP address of VM2. 2 -- Yes, as VM3 has no NSGs interfering and traffic is contained within the same vnet. 3 -- No, as VM5 is in a separate vnet and there is no mention of any peering going on.

jimmyjose

Answer is No, Yes, No. Please note that "Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic." Here is the link for reference: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview It means you need to use some other means to prevent traffic from reaching the public IP of VM2. NSGs will only come into action once the public-to-private IP address translation has taken place.
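The evaluation order described in the documentation quoted above can be modelled in a few lines. This is an added example, not part of any commenter's post and not Azure code; the rule sets are constructed for illustration and are not the tables from the exam question, and the names `Rule`, `nsg_allows` and `inbound_allowed` are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    source: str     # service tag: "Internet", "VirtualNetwork" or "*"
    protocol: str   # "Tcp", "Icmp" or "*"
    port: str       # destination port, or "*"
    allow: bool

# Default inbound rules that Azure adds to every NSG. The load balancer
# probe rule (priority 65001) is left out because no flow here uses it.
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", "*", "*", True),   # AllowVnetInBound
    Rule(65500, "*", "*", "*", False),               # DenyAllInBound
]

def nsg_allows(custom_rules, source, protocol, port):
    """Lowest priority number is evaluated first; the first match decides."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.source in ("*", source) and r.protocol in ("*", protocol)
                and r.port in ("*", port)):
            return r.allow
    return False

def inbound_allowed(subnet_nsg, nic_nsg, source, protocol, port="*"):
    """Inbound order: subnet NSG, then NIC NSG; both must allow.
    None means no NSG is associated at that level, so nothing filters there."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and not nsg_allows(nsg, source, protocol, port):
            return False
    return True

# Constructed rule sets (not the exam's tables).
SUBNET_NSG = [Rule(100, "Internet", "Tcp", "80", True)]  # HTTP from Internet only
NIC_NSG = []                                             # default rules only

def demo():
    return {
        # Ping to a public IP: matched after translation, source seen as Internet.
        "icmp_to_public_ip": inbound_allowed(SUBNET_NSG, NIC_NSG, "Internet", "Icmp"),
        # HTTP passes the subnet NSG but the NIC NSG has no allow rule for it.
        "http_to_public_ip": inbound_allowed(SUBNET_NSG, NIC_NSG, "Internet", "Tcp", "80"),
        # Same-VNet ping to a private IP, target with no NSG at either level.
        "icmp_same_vnet_no_nsg": inbound_allowed(None, None, "VirtualNetwork", "Icmp"),
        # Same-VNet ping through both NSGs: AllowVnetInBound matches in each.
        "icmp_same_vnet_with_nsgs": inbound_allowed(SUBNET_NSG, NIC_NSG, "VirtualNetwork", "Icmp"),
    }

if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow}: {'allowed' if allowed else 'denied'}")
```

The second flow is the case that is easy to miss when auditing: an allow rule on the subnet NSG is not enough if the NIC NSG falls through to DenyAllInBound.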

benito_nepomuceno

1. [No] because VM1 is trying to reach VM2 with VM2's PUBLIC IP address which should be blocked by NSG1. 2. [Yes] because VM1 and VM3 are in the same VNET and you can reach each other with the private IP address. 3. [Yes] VM5 has NSG4 which allows internet traffic. VM1 can reach VM5 through internet using the public IP.

NoMeHo

3. It states private IP, not public IP. Plus, VM5 is on a different network. 3 is No IMO.

Pinto

Good observation. The question does not tell anything about peering and routing between the 2 VNets. So, No for sure for the 3rd box.

longtech

The ping to the private IP address of VM5 is No, because VM5 does not have an application security group; it is only true if VM5 configures that.

ChinkSantana

Question asked for the private IP, and not the public IP, of VM5.

waqas

Option 3 can never be True/Yes, it must be No, because they are talking about the private IP, not the public one, and secondly VM1 and VM5 are in different VNets and also have no peering between them.

zellck

Gotten this in May 2023 exam.

majstor86

NO YES NO

Ivan80

In exam 1/28/24

Muaamar_Alsayyad

Answer is NO-YES-NO

RemmyT

Passed. Exam duration 100 min + 20. On the Microsoft site: https://learn.microsoft.com/en-us/credentials/certifications/azure-security-engineer/?practice-assessment-type=certification "You will have 100 minutes to complete this assessment." Last Updated 04/30/2024. 55 questions (46+9), contoso, 6 questions. This question in exam (study case). My answer: Y N Y. New 3 or 4 questions: VM1, SQL1, VNET1, AKS in Google Cloud. What items are protected by Microsoft Defender & default period scan.

wardy1983

Explanation: 1 -- No, as traffic would be sourced from internet since it is destined to the public IP address of VM2. 2 -- Yes, as VM3 has no NSGs interfering and traffic is contained within the same vnet. 3 -- No, as VM5 is in a separate vnet and there is no mention of any peering going on.

saturation97

This is like a sick Microsoft mind bending puzzle.

billo79152718

No, Yes, No - Is correct. I have really looked it through.

lahl

In exam Oct. 31st

saira23

In Exam 20/07/2024

Feraso

Answer is N N N. Box 1: No. All traffic is allowed out to the Internet as per the outbound rule. However, the inbound rules on NSG1 do not have a rule to allow traffic from the Internet, and NSG2 is set to allow traffic from the Internet on port TCP 80 only; hence, ping will be denied. Box 2: No. VM3 is on Subnet12 (same VNet). However, there is no NSG attached to Subnet12 so the traffic will be blocked. All network traffic is blocked through a subnet and network interface if they don't have a network security group associated to them. From <https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic>. However, kindly note that if it was the opposite, a ping from VM3 to VM1, then the outbound traffic from VM3 will be allowed as the default rule for the outbound traffic is to allow any. Box 3: No (because VM5 is in a separate VNet).

TheProfessor

Ans is N, Y, N. For 1st question, NSG2 only allows traffic from Internet on Port 80.

Nick66

Associate a public IP address to a virtual machine | Microsoft Learn. Public IP addresses are associated to network interfaces attached to a VM. Allow network traffic to the VM: Before you can connect to the public IP address from the internet, ensure that you have the necessary ports open in any network security group that you might have associated to the network interface, the subnet of the network interface, or both. Though security groups filter traffic to the private IP address of the network interface, once inbound internet traffic arrives at the public IP address, Azure translates the public address to the private IP address, so if a network security group prevents the traffic flow, the communication with the public IP address fails.

Diallo18

In Exam 10/18/2022. One case study(6 ques), no lab.

MayZin

Answer is correct. 1. NSG 2 is assigned to Subnet 11, so the first answer is Yes. NSG 1 is assigned to NIC 2. In this case, 2 NSGs are assigned to the subnet and the NIC of VM 2. If you apply any rule on the NIC or the subnet, this rule will take effect on the VM.