HOTSPOT -
You are evaluating the security of VM1, VM2, and VM3 in Sub2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggested Answer:
VM1: Yes. NSG2 applies to VM1 and this allows inbound traffic on port 80.
VM2: No. NSG2 and NSG1 apply to VM2. NSG2 allows the inbound traffic on port 80 but NSG1 does not allow it.
VM3: Yes. There are no NSGs applying to VM3 so all ports will be open.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
For anyone who doesn't understand how multiple NSGs work: this explains it perfectly.
Answers are correct
Passed.
Exam duration 100 min + 20.
On the Microsoft site:
https://learn.microsoft.com/en-us/credentials/certifications/azure-security-engineer/?practice-assessment-type=certification
You will have 100 minutes to complete this assessment.
Last Updated 04/30/2024
55 questions (46+9)
contoso, 6 questions
This question in exam (study case)
My answer
Y N Y
New 3 or 4 questions
VM1, SQL1, VNET1, AKS in Google Cloud.
What items are protected by Microsoft Defender & default period scan.
VM1: Yes. NSG2 applies to VM1 and this allows inbound traffic on port 80.
VM2: No. NSG2 and NSG1 apply to VM2. NSG2 allows the inbound traffic on port 80 but NSG1 does not allow it.
VM3: Yes. There are no NSGs applying to VM3 so all ports will be open.
VM1: Yes. NSG2 applies to VM1 and this allows inbound traffic on port 80.
VM2: No. NSG2 and NSG1 apply to VM2. NSG2 allows the inbound traffic on port 80 but NSG1 does not allow it.
VM3: Yes. There are no NSGs applying to VM3 so all ports will be op
Agree on YNN unless MS's example on this page is incorrect for VM4 Inbound where traffic is blocked
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
This is wrong information. If your VM has a public IP and no NSG associated, all traffic from the internet is allowed.
https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem
There is a slight detail about that. Without NSG all internal traffic is allowed. About traffic coming from Internet, you have two cases:
-> If you are using a Basic SKU Public IP, then the IN/OUT public traffic is allowed by default without an NSG on the NIC/Subnet
-> If you are using a standard SKU Public IP, then the IN/OUT public traffic is NOT allowed by default and you need to create an NSG
As the question on that exam seems pretty old and there is no precision about the Public IP SKU (Basic or Standard), we can assume that it is YNY. But assuming the SKU is standard, the answer would be YNN.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Whatever, in September 2025, the basic SKU will disappear. At that time, the answer will be definitively YNN if the exam content is updated & the exam still exists on MS side :)
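The inbound evaluation debated in this thread, as an added sketch that is not part of any comment here and is not Microsoft's code: it models per-NSG priority matching with the built-in default rules, the subnet-then-NIC check where every associated NSG must allow, and the no-NSG case split by public IP SKU. The rule contents of NSG1 and NSG2, the level each is attached to, and the names `Rule`, `nsg_allows`, `inbound_allowed` and `scenario` are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int
    port: Optional[int]   # None = any destination port
    source: str           # one service tag, or "*" for any (simplified matching)
    allow: bool

# Inbound default rules that every NSG contains.
DEFAULT_INBOUND = [
    Rule(65000, None, "VirtualNetwork", True),     # AllowVnetInBound
    Rule(65001, None, "AzureLoadBalancer", True),  # AllowAzureLoadBalancerInBound
    Rule(65500, None, "*", False),                 # DenyAllInBound
]

def nsg_allows(custom_rules, port, source):
    """Lowest priority number wins; the first matching rule decides."""
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.port in (None, port) and r.source in ("*", source):
            return r.allow
    return False

def inbound_allowed(port, source, subnet_nsg=None, nic_nsg=None, public_ip_sku="Basic"):
    """Each NSG argument is a list of custom rules, or None if none is associated."""
    if subnet_nsg is None and nic_nsg is None:
        # No NSG at either level: Internet reachability depends on the public IP SKU.
        return public_ip_sku == "Basic" if source == "Internet" else True
    # Inbound order is subnet NSG, then NIC NSG; every associated NSG must allow.
    return all(nsg_allows(nsg, port, source)
               for nsg in (subnet_nsg, nic_nsg) if nsg is not None)

def scenario(public_ip_sku):
    """(VM1, VM2, VM3) reachability on TCP 80 from the Internet."""
    nsg2 = [Rule(100, 80, "Internet", True)]  # constructed: allows port 80
    nsg1 = []                                 # constructed: no rule for port 80
    return (
        inbound_allowed(80, "Internet", subnet_nsg=nsg2, public_ip_sku=public_ip_sku),
        inbound_allowed(80, "Internet", subnet_nsg=nsg2, nic_nsg=nsg1,
                        public_ip_sku=public_ip_sku),
        inbound_allowed(80, "Internet", public_ip_sku=public_ip_sku),  # no NSG
    )

if __name__ == "__main__":
    for sku in ("Basic", "Standard"):
        print(sku, scenario(sku))
```

On a real deployment, the effective security rules view for a NIC shows the combined subnet and NIC result and is the check to rely on rather than a model like this.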
Answer is correct: YNY
2nd:
The problem is that NSG1 is the last resolved NSG in the NSG order where NSG2 is resolved before which allows the connection through. Then comes NSG1 which has NSG1 and the traffic denies.
3rd:
No NSG == access allowed
VM1 and VM2 are connected to the same NIC and subnet.
You connect to VM1 from internet, yes, I got it.
But why NO, when you connect to VM2 from internet?
The same case but different results. Is there anyone who can write an explanation?
VM1 associated to subnet11 => NIC2
VM2 associated to subnet11 => NIC2
NIC2 inbound rule says 80 / TCP (Source = internet, destination=VirtualNetwork)
Why is it different, where connection requests are coming from internet ?
The problem is that NSG1 is the last resolved NSG in the NSG order where NSG2 is resolved before which allows the connection through. Then comes NSG1 which has NSG1 and the traffic denies.
It's YNN. The default inbound rule does not allow traffic from the Internet; you guys are confusing this with the default outbound rule, which does allow all traffic to the Internet.
You are correct. By default nothing from Internet is allowed if there is no NSG. Tested in lab by disassociating NSG from VM NIC and it stopped connectivity.
There is not before nsg in the condition of question:
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests.