Exam AZ-104 topic 5 question 21 discussion

Correct Answer: A NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many subnets and NICs as you choose. So, you can create 1 NSG and associate it with all 3 Subnets. - Allow web requests from internet to VM3, VM4, VM5 and VM 6: You need to add an inbound rule to allow Internet TCP 80 to VM3, VM4, VM5 and VM6 static IP addresses. - Allow all connections between VM1 & VM2: You do not need an NSG as communication in the same VNet is allowed by default, without even configuring NSG. - Allow remote desktop to VM1: You need to add an inbound rule to allow RDP 3389 in VM1’s static IP address . - Prevent all other network traffic to VNET1: You do not need to configure any NSG as the there is explicit deny rule (DenyAllInbound) in every NSG.

I believe it's wrong. I would go with 1 NSG only. NSGs can associate to multiple subnets. There is no conflict in rules so all can be in 1 NSG. My penny.

NSGs can associate to multiple subnets. There is no conflict in rules so all can be in 1 NSG

it´s A

You can have 1 NSG overseeing the rules for all subnets, as log as they are in the same vNET "You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose." https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

Correct answer: 4 As explained in the given link: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules You need 4 NSG because of the needed associations.

1 is correct

You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

ChatGPT (it was prompted correctly with all requirements and understood the task) In summary, you would need three NSGs, each associated with its respective subnet: NSG1 for Subnet1 (VM1 and VM2) Allow all traffic between VM1 and VM2 Allow incoming RDP to VM1 Deny all other inbound and outbound traffic NSG2 for Subnet2 (VM3 and VM4) Allow incoming web traffic (HTTP/HTTPS) to VM3 and VM4 Deny all other inbound and outbound traffic NSG3 for Subnet3 (VM5 and VM6) Allow incoming web traffic (HTTP/HTTPS) to VM5 and VM6 Deny all other inbound and outbound traffic

The fact that the answers provided in the solution section are wrong makes this very difficult to study for.

on exam 4/29/23

lol 4?! ET really wants you to get this question wrong. You need 1. I understand people saying 3. The 4th ask applies to all VMs, so why even have a separate policy for it?

Depends on how many NSGs already existed? Assuming ZERO Answer A (1) Lets call it NSG1 -Add Rule Priority 100 ANY-> 80/443 to IPs of VM3,4,5,6 Allow -Add Rule Priority 101 ANY-> 3389 to IP of VM1 Allow -Default Rule Deny Prevents all other inbound connections Apply it to all Subnets Job Done

One NSG for the web requests from the internet to VM3, VM4, VM5, and VM6. One NSG for the connections between VM1 and VM2. One NSG for the Remote Desktop connections to VM1. By configuring these NSGs, you can allow the required traffic and prevent all other network traffic to VNET1.

Should be A: 1, tested in Lab

The correct answer should include more than 1 NSG. MeasureUp practice questions for this exam include a question with this exact scenario but with 7 VMs. I chose 1 NSG as my answer and got the question wrong. The answer was 3 NSGs. Microsoft also throws a hint in the wording of the question that their expecting more than 1 NSG, by stating "network security groups (NSGs)."

Correct Answer is 4 NSGs Explanation: You can not associate multiple Subnet to 1 NSG (Subnet Level) 1. NSG1-Subnet2 (VM3 and VM4 Allow web request) 2. NSG2-Subnet3 (VM5 and VM6 Allow web request) 3. NSG3-Subnet1 (VM1 and VM2 Prevent all other network traffic to VNET1) 4.NSG4-NICVM1 (Allow Remote Desktop connections to VM1 not VM2 we must set on NIC)