Question 109 - AZ-104 discussion


Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following resources:

A virtual network that has a subnet named Subnet1

Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1

A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.

NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

Priority: 100

Source: Any

Source port range: *

Destination: *

Destination port range: 3389

Protocol: UDP

Action: Allow

VM1 connects to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

You need to be able to establish Remote Desktop connections from the internet to VM1.

Solution: You modify the custom rule for NSG-VM1 to use the internet as a source and TCP as a protocol.

Does this meet the goal?

A. Yes

B. No

Suggested answer: B

Explanation:

NSGs deny all inbound traffic except from the virtual network or load balancers. For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, and then the rules in a network security group associated to the network interface.

By default, an NSG rule allowing traffic through RDP port 3389 is not created automatically when a VM is created, unless you change the setting during creation. Subnets usually do not have any NSG associated unless you go out of your way to associate one, which this scenario does. When you create that extra NSG, it won't have an RDP rule by default, thus blocking inbound connections.

The request first goes to NSG-Subnet1, and because there is no allow rule for RDP there, the request is blocked by default. Since the subnet NSG (the one with the default rules) is evaluated first, it blocks the inbound RDP connection.
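
The evaluation order described above, as an added example that is not part of the original page: a simplified Python model of the scenario's two NSGs, extended with one constructed contrast case where the same rule sits in both NSGs. The names `Rule`, `first_match`, `inbound`, `rdp_rule` and the rule name `Custom3389` are assumptions, and each traffic source is reduced to a single service tag.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str    # "Any" or one service tag, e.g. "Internet"
    port: str      # "*" or a single port
    protocol: str  # "Any", "TCP" or "UDP"
    action: str    # "Allow" or "Deny"

# Azure's default inbound rules, present in every NSG.
DEFAULTS = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Any", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Any", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "*", "Any", "Deny"),
]

def first_match(rules, source, port, protocol):
    """Lowest priority number wins; DenyAllInBound guarantees a match."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.source in ("Any", source) and r.port in ("*", str(port))
                and r.protocol in ("Any", protocol)):
            return r

def inbound(subnet_nsg, nic_nsg, source, port, protocol):
    """Subnet NSG is evaluated first, then the NIC NSG; both must allow."""
    for label, nsg in (("NSG-Subnet1", subnet_nsg), ("NSG-VM1", nic_nsg)):
        hit = first_match(nsg, source, port, protocol)
        if hit.action == "Deny":
            return False, f"{label}/{hit.name}"
    return True, f"NSG-VM1/{hit.name}"

def rdp_rule(source, protocol):
    # Hypothetical name for the scenario's priority-100 custom rule.
    return Rule(100, "Custom3389", source, "3389", protocol, "Allow")

RDP = ("Internet", 3389, "TCP")  # RDP connection attempt from the internet
scenario = inbound(DEFAULTS, DEFAULTS + [rdp_rule("Any", "UDP")], *RDP)
solution = inbound(DEFAULTS, DEFAULTS + [rdp_rule("Internet", "TCP")], *RDP)
# Constructed contrast: the same TCP rule placed in both NSGs.
both = inbound(DEFAULTS + [rdp_rule("Internet", "TCP")],
               DEFAULTS + [rdp_rule("Internet", "TCP")], *RDP)

if __name__ == "__main__":
    for name, result in (("scenario", scenario), ("solution", solution), ("both", both)):
        print(name, result)
```

The second element of each result names the NSG and rule that decided the outcome, which is the same information to look for when checking effective security rules on a real network interface.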

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdpconnection

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

asked 26/09/2024
chitranjan ranga