Exam AZ-500
Question 467

HOTSPOT -

You implement the planned changes for ASG1 and ASG2.

In which NSGs can you use ASG1, and the network interfaces of which virtual machines can you assign to ASG2?

Hot Area:

Correct Answer:

Discussion
JL15546

ASG constraint : All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. (Not a regional constraint) 1) NSG2 only 2) VM3 only

JL15546

Source : https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups

thegs1

yep, according to your link you have the correct answer

somenick

Azure is showing only application security groups in the same region as the network interface. If you choose more than one application security group, they must all exist in the same virtual network.

Anarchira

Correct, https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups "All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in"

Malikusmanrasheed

But how is that relevant to the question? "In which NSGs can you use ASG1": could be used in any NSG, I think. "The network interfaces of which virtual machines can you assign to ASG2": ASG2 is empty to start with, so any VM NIC as long as it's the first one. I think all VMs in the list.

dpaz

I think second option should be VM3 only because ASG2 is in Central US and only VM3 is in Central US region. ASGs and the Network Interfaces should be in the same region.

wooyourdaddy

I agree with your assessment. Streamlines with the other questions for this particular case study.

ManiMessner

1) NSG2 only 2) VM3 only Tested in lab; even if the documentation does not mention that, I could associate an ASG only to VM's NIC in the same region (tried with command line too); The same goes for NSG, I could select the ASG in security rule editor when they were in the same region

Itboss

most of you are forgetting that NICs, NSGs and VNETs are regional, you need to take this into consideration too 1) NSG2 and NSG4 only 2) VM3 only

majstor86

NSGs: NSG2 and NSG4 only VMs: VM3 only

Elpintintun

Hi Bro, NSG2 and NSG4 are not in the same VNet. Please elaborate. Best.

hfk2020

NSG2 AND NSG4: ASG should be in the same region, tested in lab. NIC should be in the same region, so it's VM3 only, tested in lab.

hfk2020

Showing only application security groups in the same region as the network interface. If you choose more than one application security group, they must all exist in the same virtual network.

Strive_for_greatness_kc

I have implemented the whole infrastructure of this use case. So for this question: 1. NSG2 and NSG4 can be added to ASG1. My explanation: ASG1 contains VM1 (by the way, when an ASG is empty it can contain only VMs in the same region); VM1 is in VNET1 in West US, and only NSGs in the same region as the VNET can be associated to subnets in the VNET, so here only NSG2 and NSG4 can be associated to subnets in VNET1; due to that, ASG1 can only be used in NSG2 and NSG4. 2. VM3 only. When an ASG is empty it can only contain VMs in the same region, so here only VMs in Central US can be added. Then when you add a VM, the next VM should be in the same VNet as the first VM added. I encourage you to deploy it on Azure to better understand.

Strive_for_greatness_kc

So to summarize here, for 1: ASGs can only be used with NSGs which can be applied to the VNET which contains the VMs of the ASG.

Feraso

1) NSG2 and NSG4 2) VM3 only --> Explanation: ASG2 located in Central US In Central US we have NSG3 NSG3 is associated to VM3 Thus, the answer is VM3 only.

Feraso

Correction for 1, the answer should be NSG2 only since ASG1 is already assigned to the Virtual Network that's connected to VM1 and on the same network we have VM2 which has NSG2 associated to it. ASG constraint: All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. Answer: 1) NSG2 only 2) VM3 only

datz

For 1 I will stick with NSG2 and NSG4 only, as the question says in which NSG can you use ASG1, not you can add : ) Cheers

_punky_

1: NSG2 only All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in 2: All of them Why? You can associate multiple ASG to single VM and ASG is not regional bounded/constrained. Only thing is when you associate ASG to a VM which is for example in VNet1234 the ASG can only stay in that particular vnet. Where the VNet is regional bounded. So the point in this 2nd question is with which VMs can you associate the free available ASG2. So you can pick one VNet where.

_punky_

or VM to associate the ASG2 with

nonamejames23

I agree confidently with 1: NSG2 only. I want to agree with 2: All VM's. Following the logic of your explanation. One thing I thought that might constrain VM assignment is: "If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network." I'm not smart enough to tell, but is there anything in the question that suggests the ASG's will be used as a source and destination in a security rule? https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups

heatfan900

IN ORDER FOR AN NSG TO BE ASSOCIATED TO A VNET THEY MUST BE IN THE SAME REGION. SAME RG IS NOT A REQUIREMENT. SAME GOES FOR AN NSG/ASG RELATIONSHIP. IN ORDER FOR AN NSG TO USE AN ASG AS PART OF A RULE THEY BOTH MUST BELONG TO THE SAME REGION. AGAIN, THE SAME RG IS NOT REQUIRED.

ESAJRR

NSGs: NSG2 and NSG4 only VMs: VM3 only

naokos

8/27/2023 45 questions, 1 yes/no(3 questions) ,1 case study(5 questions). No lab. Only 2/45 new questions. Passed in 778.

Disparate

Easy: Location Box 1: 2-4 Box 2: 3 only

Muaamar_Alsayyad

1- NSG2 only 2- VM3 only

Jimmy500

Please take these notes and wish me the best in the exam, as I wish all of you! When we associate network security groups with subnets and network interface cards (NICs), the VNets and NICs that we associate the NSG to should be in the same region and subscription as the network security groups. When we create inbound and outbound rules and we want to use an ASG there as destination or source, we can only use ASGs that are in the same region and subscription as the network security groups. Application security groups have the following constraints: There are limits to the number of application security groups you can have in a subscription, and other limits related to application security groups. For details, see Azure limits.

Jimmy500

All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You can't add network interfaces from different virtual networks to the same application security group. If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network.

Jimmy500

An example would be if AsgLogic had network interfaces from VNet1 and AsgDb had network interfaces from VNet2. In this case, it would be impossible to assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network. There is one more note that is also not in the documentation, but this should be: if you want to add an ASG to a VM, they should also be in the same subscription and region. For box 1 the answer will be NSG-2, NSG-4. For box 2 the answer will be VM3 only.
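The constraints quoted in the comments above, modelled as a pre-deployment check. This is an added example, not code from any commenter or from Microsoft. AsgWeb, AsgLogic, AsgDb, VNet1 and VNet2 come from the quoted documentation; the NIC names and regions are constructed. The region check reflects what commenters report from lab tests, not the quoted documentation, so it can be switched off.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Nic:
    name: str
    vnet: str
    region: str

@dataclass
class Asg:
    name: str
    region: str
    nics: list = field(default_factory=list)

    @property
    def vnet(self):
        # The first NIC assigned pins the ASG to that NIC's virtual network.
        return self.nics[0].vnet if self.nics else None

def assign(asg, nic, enforce_region=True):
    """Add nic to asg, or raise ValueError naming the violated constraint."""
    # Assumption: same-region rule as reported by commenters on this page.
    if enforce_region and nic.region != asg.region:
        raise ValueError(f"{nic.name}: region {nic.region} != {asg.name} region {asg.region}")
    if asg.vnet is not None and nic.vnet != asg.vnet:
        raise ValueError(f"{nic.name}: {asg.name} is pinned to {asg.vnet}, NIC is in {nic.vnet}")
    asg.nics.append(nic)

def rule_allowed(src, dst):
    """A rule using ASGs as source and destination needs all NICs in one VNet."""
    return len({n.vnet for n in src.nics + dst.nics}) <= 1

def demo():
    # Constructed inventory: three ASGs in westus, one NIC each to start.
    web, logic, db = (Asg(n, "westus") for n in ("AsgWeb", "AsgLogic", "AsgDb"))
    assign(web, Nic("web-nic1", "VNet1", "westus"))
    assign(logic, Nic("logic-nic1", "VNet1", "westus"))
    assign(db, Nic("db-nic1", "VNet2", "westus"))
    errors = []
    for nic in (Nic("web-nic2", "VNet2", "westus"), Nic("web-nic3", "VNet1", "centralus")):
        try:
            assign(web, nic)
        except ValueError as exc:
            errors.append(str(exc))
    return errors, rule_allowed(logic, db), rule_allowed(web, logic)

if __name__ == "__main__":
    print(demo())
```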

wardy1983

ASG constraint : All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. (Not a regional constraint) 1) NSG2 only 2) VM3 only

TheProfessor

Planned Changes: Associate the network interface of VM1 to ASG1. VM1 is associated with VNET1, and associated with NSG2. Hence, Box 1: NSG2 only (because ASG1 must be associated with ONLY 1 VNET). For the second box, according to MS: All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. So, if the first ASG (which is ASG1) is associated with VNET1, then ASG2 also must be associated with VNET1 only. In that case, Box 2: VM1 and VM2. Based on the above: Box 1: NSG2 only. Box 2: VM1 and VM2.

TheProfessor

MS Link: https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups Look at: Application security groups have the following constraints:

TheProfessor

Correction to the Box2: VM3 Only. Both ASG and VM are from the same Central US location.