
Exam AZ-700 topic 4 question 34 discussion

Actual exam question from Microsoft's AZ-700
Question #: 34
Topic #: 4

HOTSPOT

You have an Azure subscription that contains 10 virtual machines. The virtual machines are assigned private IP addresses. The subscription contains the resources shown in the following table.



You need to configure FWPolicy1 to meet the following requirements:

• Allow incoming connections to the virtual machines from the internet on port 4567.
• Block outbound connections from the virtual machines to an FQDN of *.fabrikam.com.

What should you configure in FWPolicy1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

getafix
1 week, 2 days ago
1. Network Rule - you cannot use DNAT to send the traffic to 10 VMs at the same time. With DNAT the Firewall will use a random port to send the traffic to the VMs and hence the VMs would not be reachable on the port in question.
2. Application rule as that enables us to block the FQDN
upvoted 1 times
ZQasqas
6 months, 4 weeks ago
1. Network Rule - it's a specific port, which means it is Layer 4
2. Application Rule - HTTP/S with FQDNs as targets
Azure Firewall Policy rule sets:
- DNAT rules: DNAT rules allow or deny inbound traffic through one or more firewall public IP addresses. You can use a DNAT rule when you want a public IP address to be translated into a private IP address.
- Network rules: Network rules allow or deny inbound, outbound, and east-west traffic based on the network layer (L3) and transport layer (L4).
- Application rules: Application rules allow or deny outbound and east-west traffic based on the application layer (L7). You can use an application rule when you want to filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.
https://learn.microsoft.com/en-us/azure/firewall/policy-rule-sets#dnat-rules
upvoted 2 times
Avanade2023
1 year ago
I prefer a DNAT rule for the first question. In this case, the VMs have private IPs and don't have any public IP. And inbound traffic from the Internet will use a public IP, so it should be translated to a private IP.
upvoted 2 times
Avanade2023
12 months ago
I like to change the answer for the first question to Network Rule. The reason is "For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards." from https://learn.microsoft.com/en-us/azure/firewall/rule-processing#dnat-rules-and-network-rules
upvoted 2 times
matanzpl
1 year ago
1. Network Rule - it's Internet to CIDR on a specific port
2. Application Rule - HTTP/S with FQDNs as targets
DNAT is more 1:1 and in this case it's 1:many, hence network rule
upvoted 4 times
VeryOldITGuy
1 year, 2 months ago
Shouldn't it be a DNAT since you need to NAT the outside IP to the inside IP?
upvoted 4 times
stormtraining
5 months, 1 week ago
It is DNAT 100%. I am afraid of those saying network rule; how are they doing in the networking tech industry :(
upvoted 3 times
xRiot007
4 days, 4 hours ago
Before being arrogant, maybe you should do a comparison between a DNAT, network and application rule. You might learn new things, like the fact that a DNAT forwards traffic to a specific internal private IP, which in this case is not needed. You might also learn that a network rule can allow internet traffic on any port to one or multiple specific resources or subnets, which is exactly what we need here.
upvoted 1 times
0af6e8e
2 months, 3 weeks ago
DNAT is 1 to 1, not 1 to many... how are you going to translate 1 public IP to 10 private IPs of the VMs?
upvoted 1 times
rilanc24
3 months, 2 weeks ago
Logically you are right, but the question here is whether we can do port-based filtering using DNAT; if the answer is yes, then DNAT is 200% correct
upvoted 1 times
0af6e8e
3 months ago
You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets or intranet traffic between private networks (preview). When you configure DNAT, the NAT rule collection action is set to Dnat. Each rule in the NAT rule collection can then be used to translate your firewall public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see Azure Firewall rule processing logic. https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat
upvoted 1 times
VeryOldITGuy
1 year, 2 months ago
That is what I figure too... otherwise the port would not know to which VM it needs to go. That is what my network firewall background tells me, at least
upvoted 2 times
SJHCI
1 year, 3 months ago
You just need a network rule, no DNAT required.
1 - A network rule: "You can use a network rule when you want to filter traffic based on IP addresses, any ports, and any protocols."
2 - An application rule: "You can use an application rule when you want to filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols."
Link: https://learn.microsoft.com/en-us/azure/firewall/policy-rule-sets#rule-types
upvoted 4 times
Bobip
1 year, 4 months ago
I think for the first one we may just need a "network rule". It's because it needs to allow a specific port; it is not about port mapping, which is what we would need a DNAT rule for.
upvoted 4 times
ServerBrain
1 year, 3 months ago
Correct
upvoted 1 times
jorgesoma
1 year, 5 months ago
Answer is correct
upvoted 2 times
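To make the rule-type distinction argued in this thread concrete, here is an added Bicep example (it is not part of the question, the suggested answer, or Microsoft's documentation) that configures FWPolicy1 the way the majority of the comments propose: a network rule collection allowing inbound TCP/4567 to the VM subnet, and an application rule collection denying outbound HTTP/HTTPS to *.fabrikam.com. The subnet prefix 10.0.1.0/24, the rule collection group name, and the API version are assumptions, because the question's resource table is not reproduced on this page.

```bicep
// Added example, not from the original question. Assumes FWPolicy1 already
// exists in the deployment's resource group and that the 10 VMs live in the
// prefix below (assumed; the question's table is not reproduced here).
param vmSubnetPrefix string = '10.0.1.0/24'

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-09-01' existing = {
  name: 'FWPolicy1'
}

// One rule collection group holding both collections. Azure Firewall evaluates
// DNAT rules first, then network rules, then application rules, so the two
// collections below do not compete with each other.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: fwPolicy
  name: 'FWPolicy1-RuleCollectionGroup' // assumed name
  properties: {
    priority: 200
    ruleCollections: [
      {
        // Requirement 1: inbound TCP/4567 from the internet to every VM.
        // A network rule can target the whole subnet, whereas a DNAT rule maps
        // one firewall public IP:port to exactly one private IP:port.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'Allow-Inbound-4567'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'allow-tcp-4567-to-vms'
            ipProtocols: [
              'TCP'
            ]
            sourceAddresses: [
              '*' // "from the internet" as the requirement states; narrow this where possible
            ]
            destinationAddresses: [
              vmSubnetPrefix
            ]
            destinationPorts: [
              '4567'
            ]
          }
        ]
      }
      {
        // Requirement 2: block outbound HTTP/HTTPS to *.fabrikam.com.
        // FQDN targets are an application-rule (L7) feature.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'Deny-Fabrikam'
        priority: 110 // collection priorities must be unique within a group
        action: {
          type: 'Deny'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'deny-fabrikam-fqdn'
            protocols: [
              {
                protocolType: 'Http'
                port: 80
              }
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            sourceAddresses: [
              vmSubnetPrefix
            ]
            targetFqdns: [
              '*.fabrikam.com'
            ]
          }
        ]
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file fwpolicy-rules.bicep`, where `<rg>` is the resource group that holds FWPolicy1; the policy must be associated with the firewall in front of the VMs for the rules to take effect. Two caveats worth checking in a real deployment: the wildcard source on the network rule matches the requirement as written, but a narrower source range is preferable whenever the clients are known (the same reasoning the rule-processing documentation gives for DNAT); and an application rule only inspects HTTP, HTTPS and MSSQL, so blocking other protocols to *.fabrikam.com would need a network rule with an FQDN destination, which in turn requires DNS proxy to be enabled on the firewall.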
Community vote distribution
A (35%)
C (25%)
B (20%)
Other