Exam AZ-104 topic 5 question 132 discussion

Actual exam question from Microsoft's AZ-104
Question #: 132
Topic #: 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.



You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.

Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: A

Comments

yettie79
Highly Voted 1 year, 8 months ago
Answer is 'NO' B, there is a rule in place to allow 131.107.100.50 over TCP port 443 with higher priority of 100. Adding a new rule of priority of 150 will not make any difference.
upvoted 46 times
op22233
10 months, 2 weeks ago
Many thanks for this comment, the VM is off. I agree there is a rule in place; adding a new rule of priority of 150 makes no difference except the VM is powered on.
upvoted 2 times
...
SDiwan
1 year ago
The existing rule with priority 100 has the source IP of the client (131.107.100.50). But App1 is behind a LB, so the source IP should be that of the LB and not the client. So adding 150 priority will overrule the rule with 200 priority which is currently blocking the requests from LB to App1.
upvoted 8 times
...
profesorklaus
1 year, 5 months ago
The rule is added to VM2 which hosts App2
upvoted 1 times
...
...
RandomNickname
Highly Voted 1 year, 8 months ago
Selected Answer: A
Presuming it's the health probe on 443 which is at fault and is required to ensure LB is processing as intended, the given answer is correct. https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview "Azure Load Balancer rules require a health probe to detect the endpoint status. The configuration of the health probe and probe responses determines which backend pool instances receive new connections. Use health probes to detect the failure of an application. Generate a custom response to a health probe. Use the health probe for flow control to manage load or planned downtime. When a health probe fails, the load balancer stops sending new connections to the respective unhealthy instance. Outbound connectivity isn't affected, only inbound."
upvoted 21 times
...
Elsayed2030
Most Recent 2 months, 1 week ago
Selected Answer: B
The VM is switched off (Check the: Attach network interface on top of the pic)
upvoted 2 times
...
Calefare
2 months, 3 weeks ago
Selected Answer: B
yettie: Answer is 'NO' B, there is a rule in place to allow 131.107.100.50 over TCP port 443 with higher priority of 100. Adding a new rule of priority of 150 will not make any difference.
upvoted 1 times
...
KR_Bala
2 months, 3 weeks ago
Selected Answer: B
The solution suggested is already there as a rule with priority 100, and adding the same rule with lower priority (150) won't make a difference. So the answer is B - the solution doesn't meet the goal.
upvoted 2 times
...
d6f865d
3 months ago
Selected Answer: B
443 doesn't matter as it can use rule 65001 and port 80 for its health probe. Since 80 is open and it still doesn't work I am assuming that the reason for the failure is the NIC is not attached.
upvoted 2 times
...
Neftali
3 months, 2 weeks ago
Selected Answer: A
A. Yes. Creating an inbound security rule that allows any traffic from the Azure Load Balancer source with a priority of 150 will enable the connections to App1 from the Load Balancer, which is necessary for routing traffic to VM2. Since the Load Balancer forwards traffic to the VMs, this rule will help ensure that connections over TCP port 443 from the specified IP address can be established successfully.
upvoted 1 times
...
755aa96
4 months ago
Selected Answer: B
There is already a rule in place to allow 131.107.100.50 over TCP port 443 with higher priority of 100
upvoted 1 times
...
Dankho
4 months, 2 weeks ago
Selected Answer: B
the source is not the Load Balancer, the source is 131.107.100.50
upvoted 1 times
...
Dankho
4 months, 2 weeks ago
One rule needs to go from the source or 131.107.100.50 to the front-end IP of the Load Balancer, it cannot stop at the VNET.
upvoted 1 times
...
Dankho
4 months, 2 weeks ago
Selected Answer: A
The traffic gets to the VNet no problem because the destination is VirtualNetwork, but it needs to get to the VMs behind the load balancer and it gets denied by the 200 rule. Placing a 150 priority rule just before that 200 rule that says it will accept any destination from the load balancer effectively says when you hit the load balancer you can go anywhere, which is the application hosted on the VMs.
upvoted 1 times
Dankho
4 months, 2 weeks ago
I take it back, I think it's B. Adding a rule with a priority of 150 that allows traffic from the AzureLoadBalancer won't resolve the issue, because the traffic is not originating from the Load Balancer—it’s coming from the external IP 131.107.100.50.
upvoted 1 times
...
...
[Removed]
4 months, 3 weeks ago
Selected Answer: A
A is correct
upvoted 1 times
...
JuanZ
5 months, 3 weeks ago
Selected Answer: B
A rule with priority 100 that allows this access already exists
upvoted 1 times
...
learnazureportal
8 months, 2 weeks ago
Make sure to choose Answer "NO"; see the details below. To resolve the issue and meet the goal, you would need to either: Remove or modify the inbound security rule with a priority of 100 to allow traffic from 131.107.100.50 over TCP port 443. Create a new inbound security rule with a higher priority (lower number) than 100 that specifically allows traffic from 131.107.100.50 over TCP port 443. Creating an additional rule that allows traffic from the AzureLoadBalancer source would not resolve the issue, as the existing rule with a higher priority (lower number) would still block the traffic from 131.107.100.50.
upvoted 2 times
...
MSExpertGER
8 months, 3 weeks ago
I think the correct answer is "no". The IPv4 is just messing up the question here. What needs to be done is a new inbound rule with source: service tag = Azure Load Balancer on Source port 443, Destination Vnet 443. The Priority of that rule needs to be less than 200 to outrule the deny.
upvoted 1 times
...
L3w1s
9 months, 3 weeks ago
Selected Answer: A
Correct solutions:
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150. -Yes
Solution: You delete the BlockAllOther443 inbound security rule. -Yes
Incorrect solutions:
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. -No (Because of the 'cost' should be 'priority')
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999. -No
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule. - You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. -No
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999. -No
upvoted 4 times
...
moe14
11 months ago
I think the answer should be yes. The first rule makes the VNet accessible from source 131.107.100.50. The NSG as shown is for VM2 (hosting the app) and rule 200 denies any traffic going into the VM. Adding this new rule 150 will make sure that the load balancer can connect to the VM. Therefore 131.107.100.50 will be able to connect to the VNet, to the LB and ultimately the app in VM2. Kindly correct me if I am wrong.
upvoted 1 times
...
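The two readings argued in the comments above can be compared with a small model of NSG evaluation, where rules are processed in ascending priority number and the first match decides. This is an added example, not part of the original discussion: the exhibit is not on the page, so the rule set is reconstructed from what the comments describe, and the BlockAllOther443 definition, the 10.0.0.0/16 range and the rule name AllowLB_150 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Service tag -> prefixes. AzureLoadBalancer is the platform probe address
# 168.63.129.16; the VirtualNetwork range is a constructed value.
TAGS = {"AzureLoadBalancer": ["168.63.129.16/32"],
        "VirtualNetwork": ["10.0.0.0/16"], "*": ["0.0.0.0/0"]}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str      # service tag, "*", or a single IP / CIDR
    port: str        # destination port or "*"
    protocol: str    # "TCP", "UDP" or "*"
    action: str      # "Allow" or "Deny"

    def matches(self, src_ip, port, protocol):
        prefixes = TAGS.get(self.source, [self.source])
        in_source = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(p)
                        for p in prefixes)
        return (in_source and self.port in ("*", str(port))
                and self.protocol in ("*", protocol))

def evaluate(rules, src_ip, port, protocol="TCP"):
    """Return (action, rule name) of the first match in ascending priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, port, protocol):
            return rule.action, rule.name
    return "Deny", "implicit"

# Constructed from the comments; the exhibit itself is not on the page.
BEFORE = [
    Rule(100, "Allow_131.107.100.50", "131.107.100.50", "443", "TCP", "Allow"),
    Rule(200, "BlockAllOther443", "*", "443", "*", "Deny"),  # assumed definition
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]
# The proposed solution; AllowLB_150 is a hypothetical rule name.
AFTER = BEFORE + [Rule(150, "AllowLB_150", "AzureLoadBalancer", "*", "*", "Allow")]

def compare(src_ip, port):
    """Decision for one inbound flow before and after adding the 150 rule."""
    return evaluate(BEFORE, src_ip, port), evaluate(AFTER, src_ip, port)

if __name__ == "__main__":
    for label, ip in [("client", "131.107.100.50"), ("LB probe", "168.63.129.16")]:
        print(label, compare(ip, 443))
```

Under these assumed rules, the client flow matches the priority-100 rule in both rule sets, while a probe from 168.63.129.16 on port 443 moves from the 200 deny to the 150 allow.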