Exam AZ-103
Question 254

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following resources:

✑ A virtual network that has a subnet named Subnet1

✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1

✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.

NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

✑ Priority: 100

✑ Source: Any

✑ Source port range: *

✑ Destination: *

✑ Destination port range: 3389

✑ Protocol: UDP

✑ Action: Allow

VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

You need to be able to establish Remote Desktop connections from the internet to VM1.

Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.

Does this meet the goal?

    Correct Answer: A

    To establish a Remote Desktop connection from the internet to VM1, you need an inbound security rule that allows TCP traffic on port 3389. By adding this rule to NSG-Subnet1 and removing NSG-VM1 from the network interface of VM1, you ensure that the traffic is correctly permitted at the subnet level. Since NSG-Subnet1 allows TCP traffic on port 3389, and there's no conflicting NSG associated with the network interface of VM1, the solution meets the goal.
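The evaluation order behind this answer, as an added example that is not part of the original page: a simplified Python model of inbound NSG processing (subnet NSG first, then the NIC NSG, first matching rule in ascending priority order). The `Rule` class, the function names and the priority of the added TCP rule are assumptions, and source matching is reduced to `*` or a single service tag.

```python
# Added example: simplified model of Azure NSG inbound evaluation (not Azure code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    source: str      # "*" (Any) or a service tag such as "VirtualNetwork"
    port: str        # "*" or a single port number as text
    protocol: str    # "*", "TCP" or "UDP"
    allow: bool

# Default inbound rules present in every NSG.
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", "*", "*", True),     # AllowVnetInBound
    Rule(65001, "AzureLoadBalancer", "*", "*", True),  # AllowAzureLoadBalancerInBound
    Rule(65500, "*", "*", "*", False),                 # DenyAllInBound
]

def nsg_allows(custom_rules, source, port, protocol):
    """The first matching rule in ascending priority order decides."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.source in ("*", source) and r.port in ("*", str(port))
                and r.protocol in ("*", protocol)):
            return r.allow
    return False

def inbound_allowed(subnet_nsg, nic_nsg, source, port, protocol):
    """Subnet NSG is checked first, then the NIC NSG; None means no NSG at that level."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and not nsg_allows(nsg, source, port, protocol):
            return False
    return True

UDP_3389 = Rule(100, "*", "3389", "UDP", True)  # NSG-VM1 custom rule from the question
TCP_3389 = Rule(100, "*", "3389", "TCP", True)  # rule added by the solution (priority assumed)

def scenarios():
    rdp = ("Internet", 3389, "TCP")  # RDP connection attempt from the internet
    return {
        "original": inbound_allowed([], [UDP_3389], *rdp),
        "solution": inbound_allowed([TCP_3389], None, *rdp),
        "solution_with_nsg_vm1_still_attached": inbound_allowed([TCP_3389], [UDP_3389], *rdp),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The third scenario shows why the solution also removes NSG-VM1: with only a UDP rule on the NIC-level NSG, its default DenyAllInBound rule would still drop TCP 3389 after the subnet NSG had allowed it.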

Discussion
Navo27 (Option: A)

The answer should be yes because VM NSG is removed

ExamGuy01

The answer is YES because you add an inbound RDP rule on the subnet NSG (processed first).

Bastiaan

It's yes, but please know that traffic flows through both, subnet and interface.

jonnybugaloo (Option: A)

I just tested here, and the answer is yes. I've created a VM, an NSG associated to the subnet, allowing inbound connection from any, to *, port 3389 TCP, and removed the NSG from the VM. The connection was OK from the internet to the VM. When you have an NSG on the subnet, the traffic flows to the VMs connected on this subnet.

exam4rtist (Option: A)

I agree with Navo27: the answer is A because the subnet NSG is now allowing inbound RDP traffic and the VM NSG is out of the way. On a side note: the explanation in the solution is wrong; it misquotes the referenced doc (https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection). The correct quote is: "A rule to permit RDP traffic may not be created automatically when you create your VM."

praveen97

Agree with exam4rtist. The answer is A - YES.

Network Security Group: NSG-VM1 is removed from the network interface of VM1. Also, this NSG is not associated with the subnet. So, this will not execute any inbound rules when a user is connecting to VM1.

Network Security Group: NSG-Subnet1 is associated to Subnet1, and the custom inbound security rule is also added to it to allow RDP (TCP port 3389) connections from the internet. So, while connecting to VM1 through RDP from the internet, only the NSG-Subnet1 inbound security rules will get executed, and so the RDP traffic is allowed to VM1.

megaejay (Option: A)

Answer A. A rule to permit RDP traffic may not be created automatically when you create your VM.

bnair (Option: B)

wrong protocol; doesn't work. Answer is NO

TzzZ

dio le lao mo

hstorm

TCP is indeed the right protocol. Please do not spam!

OsimIndia

In NSG, protocol ... TCP : 3389 is for RDP only...

IanC

The rule added to NSG-Subnet1 is for TCP; the rule on NSG1-VM1 is for UDP, but that is removed, so the answer is A.

Cloudyuga (Option: A)

Given answer is wrong. Correct answer is A (yes). Given solution in question will work.

akamal (Option: A)

it's A

tashakori (Option: A)

Yes is correct

NoobieWon (Option: A)

The 6 default rules in an NSG will block RDP on a VM but allow RDP on a subnet. AllowVNetInBound/AllowVnetOutBound will allow RDP on a subnet. DenyAllInbound/DenyAlloutbound will block RDP on a VM.

Ozguraydin (Option: A)

The answer should be YES.

tezawynn

What's the difference between this and question 66? Seems the same to me.

GayathriRajangam

Question 66 has a different solution. You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.

Lanold (Option: B)

Answer is correct; destination couldn't be "*". Allowed values for destination are: "Any", "IPAddress", "VirtualNetwork" and "Application security group".

jonnybugaloo

Yes, you can. Look at this:

    Name                     : default-allow-rdp
    Id                       : /subscriptions/guid/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNetworkSecurityGroup/securityRules/default-allow-rdp
    Etag                     :
    ProvisioningState        : Succeeded
    Description              :
    Protocol                 : TCP
    SourcePortRange          : *
    DestinationPortRange     : 3389
    SourceAddressPrefix      : *
    DestinationAddressPrefix : *
    Access                   : Allow
    Priority                 : 1000
    Direction                : Inbound

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection (item 2 on troubleshooting using Azure PowerShell)

zakhanz (Option: A)

The answer should be YES. Because NSGVM is removed and NSG subnet rule is allowed with TCP 3389.

CristianN (Option: B)

If VM NSG will be removed, the inbound connections rule will fall on the other NSG that has only the default rules (Inbound connections denied by default)