Exam AZ-104 topic 5 question 96 discussion

I believe it should be No, Yes, Yes. The NSG2 on the NIC of VM1 blocks the request that passes through NSG1 which is attached on the subnet. There is no priority bypass between NSGs. Traffic is filtered independently between NSGs.

1. NO - VM1 has the NSG1 on Subnet1, which allows traffic over port 1433 between Subnet2 and Subnet1. BUT NSG2 also applied on NIC level for VM1 that blocks the traffic on port 1433. Hence No traffic allowed. Answer is NO. 2. YES - For VM2 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed. 3. YES - For VM3 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.

WRONG No Yes Yes there is no NSG applied on VM2 & VM3

- VM2 can connect to TCP port 1433 services on VM1 = No (VM1 use NSG2, inbound block regardless of priority) - VM1 can connect to TCP port 1433 services on VM2 = Yes (VM2 no NSG. So, all allowed) - VM2 can connect to TCP port 1433 services on VM3 = Yes (VM3 no NSG. So, all allowed)

N,Y,Y IS CORRECT

Solution is NO NO YES . Explanation: NO vm2 traffic is blocked by the rule priority 125 from NSG2 at subnet1 when it reach subnet1 before reaching vm1 NO vm1 traffic is blocked by the default deny all rule from NSG2 at subnet1 YES no NSG present so traffic is allowed by default The key here, whenever you push traffic , it goes throug all the steps, outgoing vm > nic > subnet , incoming subnet > nic > vm

N Y Y NSG rules applied at the VM level take precedence over rules applied at the subnet level. If there are conflicting rules, the VM-level rule will be applied.

No Yes Yes

Always, we need to take too many assumptions here, the windows built-in firewall, already configured. Windows server is already running the services in the port, TCP/1433

as TCP is bi-directional is am wondering is it NO-NO-YES VM2 would never be able to confirm anything to VM1 on that blocked tcp port...

Shouldn't it be NO YES YES? Like the answer is litterally in the question, first Q1 can't be a YES. It has to be NO.

I see a lot of people saying that Q1 should be No, but look at the Priorities. Priority 101 is higher than Priority 125 and will thereby be override by 101, so following that logic, it should be: Yes Yes Yes

1. VM2 to VM1. VM1 is in subnet 1 that has NSG1 associated. This NSG allow inbound TCP 1433. Vm1 has NSG2 associated, which denies traffic from VM2 specifically. Priority doesn’t have anything to do with traffic evaluation because they’re different rules. Then answer No. 2. VM1 to VM2. VM2 is in subnet2 that has no subnet NSG associated, and no VM NSG. VM1 and VM2 are in different subnets in the same VNET, or same address space. Then traffic is allowed. Answer Yes. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview 3. VM2 to VM3. VM2 and VM3 are in the same subnet AND no defined NSGs that deny traffic. Answer Yes. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

N - Y - Y Intra-Subnet traffic It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. By default, virtual machines in the same subnet can communicate based on a default NSG rule allowing intra-subnet traffic. If you add a rule to NSG1 that denies all inbound and outbound traffic, VM1 and VM2 won't be able to communicate with each other. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works In our example, its explicit in the NSG NIC rule that VM2 cannot connect to VM1 in the said port

No, yes, and yes.

so even though they are applied to different VM's the NSG1 has priority? NO

For Inbound traffic, -> Subnet -> NI, NSG rules are evaluated in this sequence. For Outbound traffic, NI-> Subnet -> Vnet , NSG rules are evaluated in this sequence. If there is any explicit deny ( with high priority within that NSG) at any level, traffic will be blocked. So the answer is NYY.