AZ-800 Exam - Question 77


You have an Azure virtual machine named VM1 that has a private IP address only.

You configure the Windows Admin Center extension on VM1.

You have an on-premises computer that runs Windows 11. You use the computer for server management.

You need to ensure that you can use Windows Admin Center from the Azure portal to manage VM1.

What should you configure?

Correct Answer: B

To manage VM1, which has a private IP address, from an on-premises computer using Windows Admin Center through the Azure portal, there needs to be a secure communication channel between the on-premises network and the Azure virtual network where VM1 resides. Configuring a VPN connection to the virtual network that contains VM1 will provide the necessary connectivity, allowing the on-premises computer to securely access the virtual machine using its private IP address.

Discussion

hchafloque
Dec 27, 2022

"You need to ensure that you can use Windows Admin Center from the Azure portal" - The portal uses port 443. No VPN required; the use is through the portal, not RDP access. Answer: D.

edykss
Sep 13, 2022

Answer is Correct

stormyR (Option: D)
May 30, 2023

• A. an Azure Bastion host on the virtual network that contains VM1. - Not the recommended procedure nor product for long term management.
• B. a VPN connection to the virtual network that contains VM1. - most costly and secure approach
• C. a private endpoint on the virtual network that contains VM1. - not recommended
• D. a network security group (NSG) rule that allows inbound traffic on port 443 - most agreeable

sa66ath (Option: A)
Mar 11, 2023

Question refers to using Azure portal, so Bastion is required.

nublit
Sep 12, 2024

Correct. The Windows 11 machine is a distraction.

Mahaendhiran
Jan 10, 2023

The question is to "use Windows Admin Center from the Azure portal". To use it from the Azure portal you need Azure Bastion. No direct access to the VM is required here, so the answer would be A.

BJack
Feb 3, 2023

I agree... https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm

BJack
Feb 3, 2023

Sorry, I've had a nightmare here. Firstly I responded to the wrong comment and secondly the info I supplied is incorrect. I just set this up, attempting to connect to a private IP address without a VPN in place and it didn't work. When attempting to connect, the connection attempt came from my local browser, not the portal. So long story short, I'm going with D.

BJack
Feb 3, 2023

B not D!!!! What's wrong with me???

syu31svc (Option: D)
Mar 21, 2023

https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm
Outbound internet access or an outbound port rule allowing HTTPS traffic to the WindowsAdminCenter and AzureActiveDirectory service tag
Answer is D

Burkidur
Dec 22, 2023

It says "outbound" (from VM), and the answer (D) says "inbound" (to VM).

Mladen_66 (Option: B)
Jun 15, 2024

If your target Azure VMs don't have public IPs, and you want to manage these VMs from a Windows Admin Center gateway deployed in your on-premises network, you need to configure your on-premises network to have connectivity to the VNet on which the target VMs are connected. There are 3 ways you can do this: ExpressRoute, Site-to-Site VPN, or Point-to-Site VPN. https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-azure-vms#connecting-to-vms-without-a-public-ip

[Removed]
Nov 1, 2022

Answer B seems to be correct, https://charbelnemnom.com/manage-windows-server-in-the-azure-portal-with-windows-admin-center/

jecawi9630 (Option: B)
Dec 11, 2022

Has to be VPN. B is correct answer.

Portman
Jan 21, 2023

Based on this: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm Correct answer is B

RickySmith (Option: D)
Sep 24, 2023

None of these are correct.
A. an Azure Bastion host on the virtual network that contains VM1. - No WAC involved.
B. a VPN connection to the virtual network that contains VM1. - That will allow you to install WAC on the W11 device and manage the server, but that is not the question here.
C. a private endpoint on the virtual network that contains VM1. - Again no WAC involved.
D. a network security group (NSG) rule that allows inbound traffic on port 443. - This is the closest and yet not correct as per documentation at https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm#installing-in-a-vm
Based on the above, I would mark D as the answer.

SantaClaws
Dec 3, 2023

WAC is not on port 443 by default. Also, the VM only has a private IP, so your workstation has no access without a VPN. So D is for sure wrong. The answer is B because there needs to be a VPN connection between the on-prem server and Azure VM for you to access it at all. The best way of doing it is using an S2S VPN specifically if possible. https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm#management-pc-requirements

Bolo92
Nov 27, 2023

valid 27.11.23

hchafloque
Dec 27, 2022

Similar to next question, 10th.

sa66ath
Feb 23, 2023

Option B is partially correct, as a VPN connection to the virtual network that contains VM1 can enable you to connect to VM1 using its private IP address. This would allow you to access VM1 and manage it using Windows Admin Center from your on-premises computer running Windows 11. However, the question specifically asks for a solution that enables the use of Windows Admin Center from the Azure portal to manage VM1. A VPN connection to the virtual network does not enable this functionality as it only provides a secure connection between your on-premises computer and the virtual network. To enable the use of Windows Admin Center from the Azure portal, you need to use a private endpoint. This creates a private IP address within the virtual network that can be used to access Windows Admin Center securely over the Azure backbone network. This provides a more secure and scalable solution for managing VM1 from the Azure portal.

fran199 (Option: D)
May 15, 2023

D... Answer is Correct

windowsmodulesinstallerworker (Option: B)
Sep 23, 2023

The management PC or other system that you use to connect to the Azure portal has the following requirements:
- The Microsoft Edge or Google Chrome web browser
- Access to the virtual network that's connected to the VM (this is more secure than using a public IP address to connect). There are many ways to connect to a virtual network, including by using a VPN gateway.

dolphan904
Dec 13, 2023

The ON-PREM Windows 11 client is connecting to the Azure Portal which in turn then allows the admin to manage the Azure VM (VM1) via its extension. That connection happens inbound to the VM via PORT 443, therefore, you must allow inbound traffic for PORT 443 on the NSG attached to the VM or the subnet that is hosting it. The others make no sense here. You DO NOT need a VPN connection to manage an Azure resource via the Azure Portal. Nor should you need to go to the trouble of putting one together to manage an Azure VM via the WAC tool. It's an HTTP tool. That is the whole point of using WAC.

boapaulo
Dec 14, 2023

The better scenario in terms of security is Bastion; however, if we look at cost, it is without a doubt the NSG releasing port 443.

Kuikz (Option: B)
Apr 1, 2024

I agree with B. https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm

Duks (Option: D)
Mar 15, 2023

I would go with D. https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm

PXAbstraction (Option: B)
Aug 10, 2023

In my mind, this has to be B. You're connecting from on-prem to a server in Azure that only has a private IP address. Without a tunnel, the NSG isn't going to work as you're connecting to a private address in a different network.

[Removed]
Sep 7, 2023

It's B. S2S Connection.

[Removed]
Jun 1, 2024

Answer is C. The key word here is private IP address. C. Private endpoints allow you to access Azure services (such as VM1) over a private IP address within the virtual network. By configuring a private endpoint for VM1, you can securely manage it using Windows Admin Center from the Azure portal.

NicolaF
Sep 14, 2024

No public IP, so B is the correct answer. Private endpoints allow you to access resources from Azure.

Ksk08
Oct 22, 2024

Answer is A

Ksk08
Nov 12, 2024

B. a VPN connection to the virtual network that contains VM1.

wazza47 (Option: A)
Dec 17, 2024

To manage VM1 from the Azure portal using the Windows Admin Center, you need to ensure secure and accessible connectivity to the VM that has a private IP address. Among the provided options, the most suitable configuration is: A. an Azure Bastion host on the virtual network that contains VM1. Azure Bastion provides secure RDP and SSH connectivity to your virtual machines directly through the Azure portal. This eliminates the need for a public IP address, thereby ensuring security while allowing you to manage VM1 through the Windows Admin Center. Setting up an Azure Bastion host will enable you to access VM1 securely from the Azure portal, maintaining the principles of least privilege and secure management practices.

NoMedi (Option: B)
Jan 25, 2025

B: To use Windows Admin Center from the Azure portal to manage VM1, which has only a private IP address, you should configure a VPN connection to the virtual network that contains VM1. This option allows secure access to the private network where VM1 is located, enabling you to manage the VM using Windows Admin Center through the Azure portal. The other options are less suitable for this scenario:
- Azure Bastion is primarily used for RDP and SSH connections, not specifically for Windows Admin Center.
- A private endpoint is typically used for connecting to Azure PaaS services, not for managing VM.
- An NSG rule allowing inbound traffic on port 443 alone would not provide the necessary connectivity from your on-premises network to the Azure virtual network.

ltkiller (Option: B)
Feb 4, 2025

VPN Connection: Setting up a Virtual Private Network (VPN) between your on-premises network and the Azure virtual network allows your on-premises computer to securely access resources within the Azure virtual network, including VM1. This is essential because VM1 has only a private IP address and is not directly accessible from the public internet. https://www.youtube.com/watch?v=GH-i6sOtyAo

Opoveda (Option: A)
Mar 12, 2025

Azure Bastion provides secure and seamless RDP and SSH connectivity to Azure VMs directly in the Azure portal, without requiring a public IP address on the VM. It allows you to manage VMs securely without exposing them to potential internet-based threats. This aligns with the scenario described in the question.

Opoveda
Mar 19, 2025

No... I think it is B. Azure Bastion is SSH & RDP, but this question is about Windows Admin Center.

Tayhull2023 (Option: A)
Apr 17, 2025

I might be missing something here. I don't see anything about managing this VM1 and the Admin Center FROM the Windows 11 PC, we are just assuming that. With the Admin Center extension installed on VM1 in Azure, we could just use Bastion to connect to the VM, and run it on the Azure VM1 server without ever hitting a public IP. Answer to me is A, but seems like a really badly written question.