Exam AZ-104 topic 5 question 17 discussion

Actual exam question from Microsoft's AZ-104
Question #: 17
Topic #: 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: A 🗳️
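
The evaluation order this scenario turns on, as an added example that is not part of the original page: for inbound traffic Azure processes the subnet's NSG first and then the network interface's NSG, every associated NSG must allow the flow, and a level with no NSG associated does not filter. The model assumes priority 100 for the rule added to NSG-Subnet1 (the question gives none), matches sources by service-tag name only, and ignores the destination field.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    source: str    # "*" (Any) or a service tag name
    port: str      # "*" or a single port as text
    protocol: str  # "*", "TCP" or "UDP"
    allow: bool

# Azure's default inbound rules, present in every NSG.
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", "*", "*", True),     # AllowVNetInBound
    Rule(65001, "AzureLoadBalancer", "*", "*", True),  # AllowAzureLoadBalancerInBound
    Rule(65500, "*", "*", "*", False),                 # DenyAllInBound
]

# The custom rule from the question, and the rule the solution adds
# (priority 100 for the added rule is an assumption).
UDP_3389 = Rule(100, "*", "3389", "UDP", True)
TCP_3389 = Rule(100, "*", "3389", "TCP", True)

def nsg_allows(rules, source, port, protocol):
    """Lowest priority number wins; rules=None means no NSG is associated."""
    if rules is None:
        return True
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.source in ("*", source) and r.port in ("*", str(port))
                and r.protocol in ("*", protocol)):
            return r.allow
    return False

def inbound_allowed(subnet_nsg, nic_nsg, source, port, protocol):
    """Inbound traffic: subnet NSG first, then NIC NSG; both must allow."""
    return (nsg_allows(subnet_nsg, source, port, protocol)
            and nsg_allows(nic_nsg, source, port, protocol))

def scenarios():
    rdp = ("Internet", 3389, "TCP")
    nsg_vm1 = DEFAULT_INBOUND + [UDP_3389]
    subnet_fixed = DEFAULT_INBOUND + [TCP_3389]
    return {
        "original": inbound_allowed(DEFAULT_INBOUND, nsg_vm1, *rdp),
        "proposed": inbound_allowed(subnet_fixed, None, *rdp),
        "subnet_rule_only": inbound_allowed(subnet_fixed, nsg_vm1, *rdp),
    }

if __name__ == "__main__":
    print(scenarios())
```

The `subnet_rule_only` case keeps NSG-VM1 on the interface: its DenyAllInBound default still drops TCP 3389, which is why the solution's second step matters.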

Comments

ihavespoken
Highly Voted 4 years, 2 months ago
My comments were incorrect, late night study :-). The answer is Yes. The main point I missed was that NSG-Subnet1 is correctly modified with TCP 3389 and NSG-VM1 is removed. In this case you should be able to connect. - "Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1."
upvoted 116 times
Junhui74
3 years, 7 months ago
Reference to https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works, answer is yes.
upvoted 1 times
...
Hibs2016
4 years, 2 months ago
Agreed answer is incorrect. The answer should be Yes.
upvoted 12 times
...
al2
3 years, 10 months ago
Then how come this Q has two correct answers? Both this one here and the one on the next page are correct? I assume if this one is partly correct, then I'll go with NO for this one and YES for the one on the next page which is "more" correct. wdyt?
upvoted 1 times
mlantonis
3 years, 9 months ago
Some question sets might have more than one correct solution, while others might not have a correct solution.
upvoted 6 times
...
RamanAgarwal
3 years, 9 months ago
On the next question the protocol used for the subnet NSG is UDP, which is wrong, hence the answer is No.
upvoted 2 times
[Removed]
3 years, 8 months ago
It works with both TCP and UDP protocols
upvoted 3 times
...
...
...
Omar_Aladdin
3 years, 5 months ago
Does anyone note that this is a UDP-RDP service???
upvoted 8 times
kennynelcon
2 years, 10 months ago
True. The Remote Desktop Gateway Role Service in Windows Server 2008 does not support UDP transport. This rule, remember, was removed.
upvoted 1 times
...
...
...
mlantonis
Highly Voted 3 years, 9 months ago
Correct Answer: A - Yes. By adding the rule to NSG-Subnet1 you are allowing RDP on Subnet level. Then you delete NSG-VM1, so you are able to RDP. Note: A rule to permit RDP traffic may not be created automatically when you create your VM. Reference: https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 95 times
lafegob
2 years, 2 months ago
Yep, agree, we need to remove NSG-VM1 because it already has a rule to allow UDP. And the RDP connection will use TCP but will try to make use of UDP too in order to improve the connection delay.
upvoted 2 times
...
meeko86
2 years, 3 months ago
Answer Yes. Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers, typically over TCP port 3389. It provides network access for a remote user over an encrypted channel. https://www.cisecurity.org/insights/white-papers/security-primer-remote-desktop-protocol#:~:text=Overview,user%20over%20an%20encrypted%20channel.
upvoted 1 times
...
Slimus
1 year, 9 months ago
Agree! There is only one NSG on subnet level remaining.
upvoted 1 times
...
...
58b2872
Most Recent 1 month, 1 week ago
Selected Answer: A
Deleting is correct because... Network Security Groups associated with subnets have priority over those associated with network interfaces.
upvoted 1 times
58b2872
1 month, 1 week ago
and RDP is not working with RDP
upvoted 1 times
...
...
[Removed]
5 months, 1 week ago
Selected Answer: A
It's A
upvoted 2 times
...
Pcservices
5 months, 2 weeks ago
Selected Answer: B
RDP uses TCP, not UDP: Remote Desktop Protocol (RDP) requires inbound TCP connections on port 3389. The current configuration on NSG-VM1 allows UDP on port 3389, which is incorrect. You need to allow TCP on port 3389. NSG at VM and Subnet levels: Removing NSG-VM1 from the network interface of VM1 and only applying rules at the subnet level (NSG-Subnet1) is not necessary. You can allow RDP access through both VM-level and subnet-level NSGs. The correct solution would be to ensure that: The NSG associated with VM1 or the subnet (either NSG-VM1 or NSG-Subnet1) has an inbound security rule that allows TCP traffic on port 3389. Thus, while adding the TCP rule to NSG-Subnet1 is correct, removing NSG-VM1 is not needed, and it alone doesn't meet the goal. Both rules should be properly configured at whichever NSG is applied, with TCP protocol enabled.
upvoted 1 times
Elsayed2030
2 months, 1 week ago
If you read the question, it mentions that the rule was removed
upvoted 1 times
...
...
MSExpertGER
8 months, 3 weeks ago
Selected Answer: A
(YES) is correct. NSG-VM1 is incorrectly configured (RDP runs on TCP, not UDP). We remove NSG-VM1 and instead add a correct rule to NSG-Subnet1. Kaboom. Team work makes the dream work.
upvoted 3 times
...
090200f
9 months ago
Answer is A, just now tested in lab. If we create a rule at subnet level, it will be applicable to the complete subnet in which we have some VMs, right, even though we deleted the rule at VM level. We can still do VM RDP, TCP port 3389.
upvoted 1 times
...
23169fd
9 months ago
It should be no. NSG-Subnet1 has nothing to do with VM1.
upvoted 1 times
...
L3w1s
9 months, 2 weeks ago
Selected Answer: A
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1. - Yes
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. - Yes
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol. - No
upvoted 2 times
...
bobothewiseman
11 months, 1 week ago
Selected Answer: A
Correct Answer: A. Creating this rule will allow RDP connection.
upvoted 2 times
...
vsvaid
1 year ago
Selected Answer: B
Need a rule for RDP with TCP at 3389.
upvoted 1 times
...
Tomix
1 year, 8 months ago
B. No. The proposed solution does not meet the goal. Although the solution adds an inbound security rule to NSG-Subnet1 that allows connections from Any source to the destination port range 3389 using the TCP protocol, it fails to remove NSG-VM1 from the network interface of VM1. To establish Remote Desktop connections from the internet to VM1, you would need to configure the network security groups (NSGs) correctly. NSG-VM1 should have an inbound security rule allowing Remote Desktop Protocol (RDP) traffic (port 3389) using the TCP protocol. Additionally, the NSG-Subnet1 should have an inbound security rule that allows the RDP traffic from the internet to the VM's public IP address. The correct solution would involve modifying NSG-VM1 to allow RDP traffic over TCP and ensuring that NSG-Subnet1 has an inbound security rule allowing RDP traffic from the internet to the VM's public IP address.
upvoted 1 times
...
ivan0590
1 year, 9 months ago
Selected Answer: A
Answer is A. The question clearly states ‘You need to be able to establish Remote Desktop connections from the internet to VM1’. It says nothing about restricting RDP traffic in the subnet. The proposed solution is not the best possible solution, but it would work. You would be able to establish an RDP connection to VM1 and the rest of the VMs in the subnet.
upvoted 3 times
...
Exilic
1 year, 10 months ago
Selected Answer: B
OpenAI "B. No. The solution provided is not correct as it adds an inbound security rule for TCP protocol to NSG-Subnet1 and removes NSG-VM1 from the network interface of VM1. However, the custom inbound security rule in NSG-VM1 is for UDP protocol, not TCP, and removing NSG-VM1 from the network interface of VM1 would also remove the custom inbound security rule that allows Remote Desktop connections. To meet the goal of establishing Remote Desktop connections from the internet to VM1, you should add a custom inbound security rule to NSG-VM1 that allows connections from the internet to the public IP address of VM1 for port 3389 using the TCP protocol. The rule should have a lower priority than the existing custom inbound security rule in NSG-VM1 to ensure that it is evaluated first."
upvoted 2 times
...
morito
1 year, 11 months ago
Selected Answer: A
Answer is Yes, albeit it's a really weird way to solve this. From applying the same NSG to an interface and a Vnet, to allowing RDP into a whole network instead of scoping it to a single server.
upvoted 3 times
...
CyberKelev
2 years ago
Selected Answer: B
No, this does not meet the goal because the NSG-VM1 has a custom inbound security rule that allows connections on UDP protocol to port 3389, which is required for Remote Desktop Protocol (RDP) on Windows. By removing NSG-VM1 from the network interface of VM1, this rule would be deleted, and RDP connections would not be allowed. The correct solution would be to add an inbound security rule to NSG-VM1 that allows connections from the Internet to the * destination for port range 3389 and uses the TCP protocol. This would allow RDP connections to VM1 from the Internet while still maintaining the security of the subnet using NSG-Subnet1.
upvoted 2 times
loner_123
1 year, 12 months ago
"and RDP connections would not be allowed." Who is there to deny the RDP connections? There is no NSG assigned to the VM to do this.
upvoted 3 times
...
...
khaled_razouk
2 years, 1 month ago
Selected Answer: B
No. The custom inbound security rule in NSG-VM1 allows connections from Any source to the destination for port range 3389 using the UDP protocol, which is required for Remote Desktop connections. Removing NSG-VM1 from the network interface of VM1 will remove this security rule and prevent Remote Desktop connections to VM1. To allow Remote Desktop connections from the internet to VM1, you should keep NSG-VM1 associated to the network interface of VM1 and add the necessary inbound security rule to NSG-Subnet1.
upvoted 1 times
GBAU
2 years ago
" You remove NSG-VM1 from the network interface of VM1" All rules in NSG-VM1 are now irrelevant. Answer is A (Yes)
upvoted 2 times
...
...