Exam AZ-104 topic 5 question 39 discussion

Correct Answer: B You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You have to deny direct RDP or SSH access over the internet through an NSG. Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

Definitely B. A makes no sense

B is correct

B is right

None of these answers make any sense. The subnet is a private IP range. You would have to associate the NSG with each NIC for the rules to affect the public IP address assigned to each NIC on each VM. Also, you'd probably use a Firewall if you weren't retarded.

Cleared the exam on 04/12/2023. This question came up. Make sure to read the comments in the discussion. It's really helpful.

exp: removing Public IPs will prevent the applications access on port 443 to users on the internet which is a requirement. Deny rule is a more appropriate solution

Yes, it's B. Obviously. But these MS answers re: NSGs are seriously leading newer folks into dangerous territory: you DO NOT create Deny rules for specific ports. Instead, DENY everything - and only open what you NEED. Anything else is a disaster waiting to happen - especially in this scenario with machines directly facing the internet... TL/DR: answer B for the test but do the right thing in a real environment

B - but I don't think it's that straightforward. I might be wrong , but I see it more like : adding 2 rules 1. high prio allow RDP from gateway CIDR 2. (above prio -1 )deny RDP from internet.

Correct Answer: B

- You wake up. - VNet1 contains a subnet named Subnet1. - Subnet1 contains three Azure virtual machines. - Each virtual machine has a public IP address. - You drink some coffee. - The virtual machines host several applications that are accessible over port 443 to users on the Internet. - You make a sandwidch. - Your on-premises network has a site-to-site VPN connection to VNet1. - You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network. - You travel to the moon for vacations. - You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. - When you are back you receive a medall. - You figure out how to overcome speed of light. - The solution must ensure that all the applications can still be accessed by the Internet users.

I Luv Honey Because it is B

Correct answer is: Deny direct RDP or SSH access through an NSG. You do need public IPs for the VMs mainly because internet users need to be able to reach the VM via TCP 443. If LB is in place/mentioned, the VM won't necessarily need public IP.

Definitely B. Why would anyone think of A?

B is correct, configure a nsg rule.C can't be because vm need access through internet

I would say B is the correct Answer

Tested - B correct and only place where you can allow source which can connect to RDP.