Exam AZ-104 topic 5 question 38 discussion

Correct Answer: Box 1: No NSG1 limits the traffic that is flowing into 172.16.2.0/24 (Subnet2), which host VM2. Box 2: Yes Since Network Watcher is showing that traffic from VM1 to VM2 is not reaching on the TCP port, that means that NSG1 is applied to VM2. We can understand for sure, that it is not applied to VM1. Box 3: Yes In Network Watcher, you can see that the next hop is the destination VM2. This means that they are part of the same virtual network.

N - Y - Y

WRONG No Yes Yes ...................

Technically we don't know the network topology. It can be two VNETs with /23 CIDR peered to each other. That's why 3. is N (maybe Y, but we don't know actually)

6/13/24 on exam

N Y Y is correct

Final Answer : NYY

The tricky bit of this question is that it used the connection troubleshoot tool to test connection from VM1 to VM2 on 8080 port, but it didn't say that there is an application running on VM2 that will listen on port 8080. I have tested in a lab. If you do not have an application running on port 8080 in VM2, the connection will always be refused. Box 1: N. As a lot of people already answered there is nothing limiting traffic flow to 172.16.1.0/24 Box 2: No. Whether you have rules 100 and 101 added to the NSG of VM2 NIC or not. It is not the main point. The main point is you need an application in VM2 to response to request from point 80 Box 3 Yes

both rules are for TCP Ans: N,N,Y 1. rule is for inbound the traffic is outgoing from VM1 - so doesn't matter and it was succeeded to go 2. if NSG1 applied to VM2; then rule 100 should applied and allow traffic from VM1-VM2 for TCP 808 3. Yes, since both in same VNET they can communicate by default and next hop for ICMP showing VM2

My guess N - not applying to VM1 Y - Applying to VM2 Y - Internet Control Message Protocol (ICMP) is a protocol that devices "within a network" use to communicate problems with data transmission.

3rd option - NO its vnet peering so next-hop type in Diagnostic tests is = "VirtualNetworkPerring" but Hopy by hop details shows next hop for VM1 actual IP address of VM2 likewise its directly connected network tested in LAB

1. No - Inbound rules apply to it's destination which is VM2 (172.16.2.0/24). NSG1 is not actively limiting VM1's traffic only what's is allowed to the destination which is VM2. 2. Yes - Same explanation. 3. Yes - Network Watcher configuration shows a next hop of 172.16.2.4 which is the IP of VM2 so they must be in the same VNet.

N Y Y is correct!

ok so based on this comment section I will be purely guessing on this question...

my thinking: NSG1 is working on subnet level. Box1: No, NSG1 is not limiting Subnet1 or VM1's traffic Box2: Yes, VM2's IP is in 172.16.2.0/24 (Subnet2). Regarding the unreachable TCP test, I am assuming there is another Nic level NSG on VM2 (blocking TCP traffic)

N N Y As per first Network Watcher test, TCP connection from VM1 to VM2 did not succeed. NSG1 specifically allows VM1 subnet to connect to VM2 subnet on TCP. As per second Network Watcher test is working but NSG1 blocks ICMP So NSG1 was NOT applied to VM2 or its subnet. 1) NSG1 if applied to VM1 or its subnet will limit VM1 traffic. It will allow TCP traffic only to VM2 subnet, rest is denied.(ICMP also) 2) NSG1 was not applied to VM2 as per second Network Watcher test, ICMP connection from VM1 to VM2 did succeed. 3) Next hop is VM2 IP which implies they are part of the same vnet.

box1: Yes NSG1 limits the traffic to only TCP that's why network watcher status is UNREACHABLE. ICMP is not a TCP traffic. It is also not UDP. Thus, protocol should be set to ANY. ANY basically means allowing ALL traffic. box2: Yes box3: Yes