Exam AZ-104 topic 5 question 19 discussion

Actual exam question from Microsoft's AZ-104
Question #: 19
Topic #: 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
  • A virtual network that has a subnet named Subnet1
  • Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
  • A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
  • Priority: 100
  • Source: Any
  • Source port range: *
  • Destination: *
  • Destination port range: 3389
  • Protocol: UDP
  • Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: A

Comments

fedztedz
Highly Voted 4 years, 2 months ago
Answer is correct. YES. To enable RDP, you need to add an "Allow" rule for port 3389 on the TCP protocol. This matches the given suggested solution. For the existing custom rule, priority doesn't matter if it is 100 or not. As "Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic." So Azure checks the first rule, it finds that it has UDP. Then it will check the second rule, it will find allow TCP on port 3389. So it will allow. Since the protocols are different, those are totally different rules. Please read the page https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 78 times
jam7272
3 years, 11 months ago
Exactly this! The rule is evaluated, if the rule is not matched it moves on to the next rule. So in this case the UDP rule is effectively ignored because the traffic is TCP. The TCP rule then permits the traffic.
upvoted 1 times
...
lcdr_scl
3 years, 9 months ago
Agree!! Yes and tested
upvoted 4 times
...
Kopy
3 years, 6 months ago
Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
upvoted 1 times
Kopy
3 years, 6 months ago
but what the guy is saying is valid as they are both different rules (protocols)
upvoted 3 times
...
...
boozy
3 years, 10 months ago
Agree! YES! Because RDP TCP is allowed at subnet and on VM level NSGs. "You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol."
upvoted 3 times
...
...
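How the rule evaluation discussed in this thread plays out, as an added example that is not part of the original discussion: a small Python model of inbound NSG processing (first match by priority, subnet NSG then NIC NSG, both must allow). The priority 200 for the new TCP rule and the tag-based flow tuple are assumptions; the question does not give a priority for the added rule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    source: str       # "Any" or a service tag such as "Internet"
    destination: str  # "Any" or a service tag such as "VirtualNetwork"
    port: str         # "*" or a single port number
    protocol: str     # "Any", "TCP" or "UDP"
    action: str       # "Allow" or "Deny"

# Default inbound rules that every NSG carries.
DEFAULTS = [
    Rule(65000, "VirtualNetwork", "VirtualNetwork", "*", "Any", "Allow"),
    Rule(65001, "AzureLoadBalancer", "Any", "*", "Any", "Allow"),
    Rule(65500, "Any", "Any", "*", "Any", "Deny"),
]

def matches(rule, flow):
    src, dst, port, proto = flow
    return (rule.source in ("Any", src) and rule.destination in ("Any", dst)
            and rule.port in ("*", str(port)) and rule.protocol in ("Any", proto))

def evaluate(custom_rules, flow):
    """Return the first rule that matches, lowest priority number first."""
    for rule in sorted(custom_rules + DEFAULTS, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule  # processing stops at the first match

def inbound_allowed(subnet_nsg, nic_nsg, flow):
    # Inbound traffic is checked by the subnet NSG, then the NIC NSG; both must allow.
    return all(evaluate(nsg, flow).action == "Allow" for nsg in (subnet_nsg, nic_nsg))

# The question's existing rule on NSG-VM1, and the proposed rule (priority 200 is assumed).
UDP_3389 = Rule(100, "Any", "Any", "3389", "UDP", "Allow")
TCP_3389 = Rule(200, "Internet", "VirtualNetwork", "3389", "TCP", "Allow")
# Constructed flow: RDP over TCP from the internet. NSGs see VM1's private address,
# which lies inside the VirtualNetwork tag.
RDP = ("Internet", "VirtualNetwork", 3389, "TCP")

def scenario():
    before = inbound_allowed([], [UDP_3389], RDP)                   # original state
    after = inbound_allowed([TCP_3389], [UDP_3389, TCP_3389], RDP)  # proposed solution
    subnet_only = inbound_allowed([TCP_3389], [UDP_3389], RDP)      # constructed variant
    return before, after, subnet_only

if __name__ == "__main__":
    print(scenario())
```

The UDP rule at priority 100 never matches the TCP flow, so evaluation falls through to the TCP rule; in the constructed subnet-only variant the NIC NSG still ends at the default deny.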
mlantonis
Highly Voted 3 years, 9 months ago
Correct Answer: A - Yes. RDP TCP is allowed at Subnet and on VM level NSGs. The default port for RDP is TCP port 3389. To enable RDP, you need to add an "Allow" rule for port 3389 on the TCP protocol. Reference: https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 49 times
Arash123
11 months, 2 weeks ago
But the NSG rule for NSG-Subnet1 has UDP allowed, you said both are TCP. That is wrong and RDP won't work.
upvoted 2 times
...
...
Nathan12345
Most Recent 1 week, 5 days ago
Selected Answer: B
Vnet is for internal, RDP connection required for external (internet) to connect to the system
upvoted 1 times
...
Karl_Anthony_Towns
4 months, 1 week ago
Selected Answer: A
To the largest extent possible I tend to go for A. Surprised someone opted answer B.
upvoted 1 times
...
[Removed]
5 months, 1 week ago
Selected Answer: A
A is correct
upvoted 1 times
...
Surs
5 months, 2 weeks ago
Highest priority is 100. The solution does not mention this is removed, only a new inbound rule is added at NIC level, which will have a lower prio. So answer is NO
upvoted 1 times
...
d7fb451
6 months, 1 week ago
The current version of RDP will only run over TCP/IP. https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol
upvoted 2 times
...
Josh219
6 months, 3 weeks ago
A: YES is correct
upvoted 1 times
...
L3w1s
9 months, 2 weeks ago
Selected Answer: A
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1 - Yes.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. - Yes
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol. - No
upvoted 3 times
...
JackGelder
9 months, 2 weeks ago
Depends on priority for the newly added rule in NSG-VM1. If priority is lower than 100 it'll be ok, otherwise, connection won't be established
upvoted 1 times
...
bobothewiseman
11 months, 1 week ago
Selected Answer: A
Correct Answer: A. This rule will also allow connecting to Remote Desktop from the internet.
upvoted 2 times
...
Arash123
11 months, 2 weeks ago
Selected Answer: B
RDP will not work. I tested this scenario and previous ones. Here only TCP matters. If you use UDP on any NSG, that stops RDP.
upvoted 1 times
...
[Removed]
1 year, 2 months ago
Selected Answer: A
I tested in my lab and the correct answer is A. Not sure how others are getting B. I followed the same instructions as detailed in the question.
upvoted 2 times
...
[Removed]
1 year, 2 months ago
Selected Answer: B
I don't believe A is correct and don't understand what exactly you guys have tested? If VM1 has a public IP address, the incoming traffic from the internet would first hit the NSG associated with the network interface (NSG-VM1). If there's no matching rule in NSG-VM1, the default behavior is to deny the traffic. The traffic won't reach the NSG associated with the subnet (NSG-Subnet1) because the default rules of NSG-VM1 would prevent it from doing so. Therefore, you would first have to remove NSG-VM1 in order for NSG-Subnet1 to be evaluated.
upvoted 4 times
[Removed]
1 year, 2 months ago
I was wrong here.
upvoted 1 times
...
...
DBFront
1 year, 3 months ago
Selected Answer: A
A - Yes. Allowed TCP 3389 over both NSGs
upvoted 2 times
...
HALLYdre
1 year, 8 months ago
The answer should be NO. The destination of the NSG rule is the VNet, but the VNet IP range has no direct connection to the internet. The user on the internet will be trying to connect to the public IP on the NIC and not the VNet IP range; the rule does not cover connection to the public IP, hence traffic will be denied by default rule.
upvoted 2 times
...
isijama
1 year, 8 months ago
Selected Answer: A
"To allow port x to the virtual machine, both NSG1 and NSG2 must have a rule that allows port x from the internet." Or, in this scenario the port would be 3389, so the answer is YES.
upvoted 2 times
isijama
1 year, 8 months ago
reference: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times
...
...