Exam AZ-104 topic 5 question 90 discussion

Actual exam question from Microsoft's AZ-104
Question #: 90
Topic #: 5

HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table:

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
✑ Priority: 100
✑ Name: Rule1
✑ Port: 3389
✑ Protocol: TCP
✑ Source: Any
✑ Destination: Any
✑ Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Comments

fedztedz
Highly Voted 4 years, 2 months ago
Answer is correct. No, Yes, Yes.
No: VM1 has default rules which deny any port open for inbound rules.
Yes: VM2 has custom rule allowing RDP port.
Yes: VM1 and VM2 are in the same VNet. By default, communication is allowed.
upvoted 203 times
alsmk2
6 months, 3 weeks ago
I disagree with this. RDP traffic to VM2 has to get through NSG1, which denies RDP by default. The fact that the NIC has NSG2 and an allow rule for 3389 doesn't matter because the traffic has already been dropped by NSG1.
upvoted 2 times
alsmk2
6 months, 3 weeks ago
And now I agree with it lol - didn't see that NSG1 is only associated to subnet1, so out of the picture.
upvoted 6 times
...
...
Ougesh
4 years ago
Since VM2 is in subnet1 and NSG1 is applied to subnet1, which should deny inbound connections from the Internet, I guess you cannot connect to VM2 from the Internet? Is that correct, please?
upvoted 4 times
jimmyli
3 years, 8 months ago
@Ougesh, I was bothered by this as well, but then I noticed that VM1 is in Subnet1, and VM2 is in Subnet2 from the table. So VM2 is NOT in subnet1; accordingly, RDP to VM2 is fine (as only NSG2 is applied to the NIC of VM2).
upvoted 4 times
...
...
Irgond07
3 years, 8 months ago
Answer should be No, Yes, No.
No: VM1 has default rules which deny any port open for inbound rules.
Yes: VM2 has custom rule allowing RDP port.
No: VM1 and VM2 are in the same VNet but associated with different NSGs.
upvoted 8 times
Mozbius_
3 years ago
Last is YES. NSGs allow INBOUND & OUTBOUND traffic within the same VNet by default [in & out rules 65000]. Any INBOUND INTERNET connection (aka coming from the internet) is denied by default [inbound rule 65500]. Any OUTBOUND INTERNET connection (aka going out to the internet) is allowed by default [outbound rule 65001]. NSG2 has the added rule that it allows any inbound RDP connection [rule 100]. Therefore NSG1 allows VM1 to go OUT INSIDE the VNet1 using all ports & protocols. NSG2 allows all VNet1-originating traffic on all ports & protocols by default. The added rule 100 is explicitly opening RDP larger by allowing RDP from the internet.
upvoted 9 times
...
Abubaker3030
2 years, 9 months ago
Last is yes, because NSG2 is attached to the NIC of VM2, not the VNET. NSG2 has a rule to allow inbound traffic for RDP
upvoted 1 times
...
...
d0bermn
3 years, 8 months ago
you are right, but for vm1->vm2 not bcoz vms are in the same vnet, but bcoz vm1->vm2 connect allowed in nsg2, assigned to vm2 nic (as in 2nd q)
upvoted 10 times
...
...
mlantonis
Highly Voted 3 years, 9 months ago
Correct Answer:
Box 1: No. NSG1 has default rules, which deny any port open for inbound rules.
Box 2: Yes. NSG2 has custom Rule1, allowing RDP port 3389 with TCP.
Box 3: Yes. VM1 and VM2 are in the same VNet. By default, communication is allowed.
upvoted 157 times
RougePotatoe
2 years ago
Box3 is questionable. The question asked specifically on if VM1 can RDP into VM2. The VMs are on azure. The only ways I can think of that will allow you to RDP into the other server are through RDP or bastion which will require the use of RDP on the first server. Nested RDP is not supported. "Only one level of nested Remote Desktop connection is supported. Establishing a Remote Desktop connection from inside a nested Remote Desktop connection isn't supported." https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/run-remote-desktop-connection-session
upvoted 3 times
RougePotatoe
2 years ago
In theory, if you ignore the fact that you probably RDP'd into VM1, you could RDP into VM2. Unless someone can come up with a way that would allow you to connect to VM1 that doesn't use Bastion or RDP, I'm going to say you can't RDP into VM2 because nested RDP is not supported.
upvoted 2 times
RougePotatoe
2 years ago
Well, I just tested in Azure with RDP (downloaded file), then from VM1 tried RDC (Remote Desktop Connection app) into VM2 over public IP, and it worked, so you can RDP then RDC into another VM. Both use port 3389.
upvoted 6 times
...
...
...
...
[Removed]
Most Recent 5 months ago
CORRECT..
upvoted 3 times
...
[Removed]
5 months, 1 week ago
CORRECT
upvoted 1 times
...
[Removed]
5 months, 1 week ago
CORRECT
upvoted 1 times
...
ashtonez
10 months, 3 weeks ago
For me it is, as explained below:
NO: VM1 is affected by NSG1 at subnet level. Since the NSG has no rules, the implicit deny all by default at the end applies here, so basically any traffic regarding subnet1 is blocked by NSG1.
YES: VM2 is affected by NSG2 at NIC level. NSG2 allows dstport 3389, so yes.
NO: VM1 is affected by NSG1 at subnet level. NSG1 has no rules, so the implicit deny all by default at the end applies here, and no traffic can flow at subnet level. You need to go from VM1, through subnet1, in order to arrive at the other subnet, subnet2, and finally VM2, so NO.
For people stating that inside-VNet traffic is allowed by default: it is true, but that changes whenever you begin pushing an NSG, which by default blocks everything at the end, and you need to include some rules to allow specific traffic.
REF: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times
...
Amir1909
11 months, 2 weeks ago
No Yes No
upvoted 1 times
...
dani21
11 months, 2 weeks ago
Got this question on 20/03/24
upvoted 2 times
...
tashakori
11 months, 3 weeks ago
Given answer is correct
upvoted 1 times
...
LovelyGroovey
1 year ago
Chat GPT said, "Yes, you can connect to VM1 by using Remote Desktop from the Internet. This is because VM1 uses a public IP address and allows inbound Remote Desktop connections. Additionally, the network security group (NSG) associated with the subnet of VM1 allows incoming traffic on TCP port 3389, which is the port used by Remote Desktop Protocol (RDP). However, please note that while this setup allows RDP connections, it’s crucial to secure such connections due to potential security risks. Always ensure you’re following best practices for security." Is this answer wrong? ChatGPT says 1st one is YES
upvoted 1 times
...
vsvaid
1 year ago
No, No, Yes For second question, nsg2 is associated with NIC not subnet. The request will be blocked by subnet. For incoming traffic, the request is first processed by subnet and then by NIC
upvoted 4 times
MSBITSM
1 year ago
NSGs can be associated with subnets or individual virtual machine instances within those subnets. When an NSG is associated with a subnet, the ACL rules apply to all virtual machine instances of that subnet. Additionally, NSGs can be directly associated with a specific virtual machine for more granular traffic control.
upvoted 2 times
...
...
PhoenixAscending
1 year, 1 month ago
This was on my exam. The suggested answer to the question is correct.
upvoted 1 times
...
rnd3131
1 year, 1 month ago
Default Inbound Security Rules:
AllowVNetInBound:
Priority: 65000
Allows all inbound traffic from resources in the same Virtual Network (VNet).
Source: VirtualNetwork
Destination: VirtualNetwork
Source and Destination Port Ranges: Any
Protocol: Any
Action: Allow
upvoted 1 times
...
bodjy
1 year, 1 month ago
I tested today with a score of 870. Most of the questions came from ET questions. Be careful of wrong answers from the site, and try to understand the solution; do not suppose the most voted answer is the correct answer.
upvoted 1 times
...
josola
1 year, 3 months ago
There are 2 NSGs. NSG1 is applied to subnet 1. NSG2 is applied to VM2. For a host in subnet 1 to accept traffic from the Internet, both the subnet NSG and the NIC NSG should allow traffic.
- VM1 is in subnet 1 and it doesn't have a NIC-associated NSG, so subnet NSG1 applies, which denies inbound Internet traffic by default. Answer No.
- VM2 is in subnet 2, which doesn't have an associated subnet NSG and has NSG2 applied to the VM. NSG2 allows RDP traffic from anywhere, so RDP connection is possible. Answer Yes.
- Same policy as before (Source=Any), then VM1 can RDP to VM2. Answer Yes.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 2 times
...
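The evaluation order the thread argues about (priority-ordered rules, default rules 65000/65001/65500, subnet NSG plus NIC NSG) can be checked with a small model. This is an added example, not part of the original question or any comment; it assumes the topology stated in the comments (VM1 in Subnet1, VM2 in Subnet2, since the table itself is missing from the page) and treats service tags as plain labels.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    src: str      # "Any" or a service tag such as "Internet" / "VirtualNetwork"
    dst: str
    port: object  # int, or "Any"
    action: str   # "Allow" or "Deny"

# Azure's built-in default rules, present in every NSG.
DEFAULT_IN = [
    Rule(65000, "AllowVNetInBound", "VirtualNetwork", "VirtualNetwork", "Any", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "Any", "Any", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "Any", "Any", "Deny"),
]
DEFAULT_OUT = [
    Rule(65000, "AllowVnetOutBound", "VirtualNetwork", "VirtualNetwork", "Any", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Any", "Internet", "Any", "Allow"),
    Rule(65500, "DenyAllOutBound", "Any", "Any", "Any", "Deny"),
]
NSG1_IN, NSG1_OUT = DEFAULT_IN, DEFAULT_OUT            # NSG1: default rules only
NSG2_IN = [Rule(100, "Rule1", "Any", "Any", 3389, "Allow")] + DEFAULT_IN

def decide(rules, src, dst, port):
    """Return the first matching rule; lowest priority number is evaluated first."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.src in ("Any", src) and r.dst in ("Any", dst) and r.port in ("Any", port):
            return r

def passes(nsgs, src, dst, port):
    """Every associated NSG on the path must allow; None = no NSG at that level."""
    return all(decide(n, src, dst, port).action == "Allow" for n in nsgs if n)

def rdp_from_internet(subnet_nsg, nic_nsg):
    # Inbound order: subnet NSG first, then NIC NSG.
    return passes([subnet_nsg, nic_nsg], "Internet", "VirtualNetwork", 3389)

def rdp_vm1_to_vm2():
    # Outbound from VM1 (NIC: none, subnet: NSG1), then inbound to VM2 (subnet: none, NIC: NSG2).
    return (passes([None, NSG1_OUT], "VirtualNetwork", "VirtualNetwork", 3389)
            and passes([None, NSG2_IN], "VirtualNetwork", "VirtualNetwork", 3389))

if __name__ == "__main__":
    print("Internet -> VM1:", rdp_from_internet(NSG1_IN, None))
    print("Internet -> VM2:", rdp_from_internet(None, NSG2_IN))
    print("VM1 -> VM2:     ", rdp_vm1_to_vm2())
    print("VM2 if NSG1 were on its subnet:", rdp_from_internet(NSG1_IN, NSG2_IN))
```

The last call models the case raised in the thread where a default-only subnet NSG sits in front of VM2: the NIC-level allow rule never gets a say, because the subnet NSG has already denied the traffic.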