HOTSPOT - You are evaluating the security of VM1, VM2, and VM3 in Sub2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Suggested Answer:
VM1: Yes. NSG2 applies to VM1 and this allows inbound traffic on port 80.
VM2: No. NSG2 and NSG1 apply to VM2. NSG2 allows the inbound traffic on port 80 but NSG1 does not allow it.
VM3: Yes. There are no NSGs applying to VM3 so all ports will be open.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
For anyone who doesn't understand how multiple NSGs work: this explains it perfectly.
Answers are correct
Passed.
Exam duration 100 min + 20.
On the Microsoft site:
https://learn.microsoft.com/en-us/credentials/certifications/azure-security-engineer/?practice-assessment-type=certification
You will have 100 minutes to complete this assessment.
Last Updated 04/30/2024
55 questions (46+9)
contoso, 6 questions
This question in exam (study case)
My answer
Y N Y
New 3 or 4 questions
VM1, SQL1, VNET1, AKS in Google Cloud.
What items are protected by Microsoft Defender & default period scan.
VM1: Yes. NSG2 applies to VM1 and this allows inbound traffic on port 80.
VM2: No. NSG2 and NSG1 apply to VM2. NSG2 allows the inbound traffic on port 80 but NSG1 does not allow it.
VM3: Yes. There are no NSGs applying to VM3 so all ports will be open.
VM1: Yes. NSG2 applies to VM1 and this allows inbound traffic on port 80.
VM2: No. NSG2 and NSG1 apply to VM2. NSG2 allows the inbound traffic on port 80 but NSG1 does not allow it.
VM3: Yes. There are no NSGs applying to VM3 so all ports will be op
Agree on YNN unless MS's example on this page is incorrect for VM4 Inbound where traffic is blocked
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
This is wrong information. If your VM has a public IP and no NSG associated, all traffic from the internet is allowed.
https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem
There is a slight detail about that. Without an NSG, all internal traffic is allowed. For traffic coming from the Internet, you have two cases:
-> If you are using a Basic SKU Public IP, then the IN/OUT public traffic is allowed by default without an NSG on the NIC/Subnet
-> If you are using a standard SKU Public IP, then the IN/OUT public traffic is NOT allowed by default and you need to create an NSG
As the question on that exam seems pretty old and there is no precision about the Public IP SKU (Basic or Standard), we can assume that it is YNY. But assuming the SKU is Standard, the answer would be YNN.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Whatever, in September 2025, the Basic SKU will disappear. At that time, the answer will definitively be YNN if the exam content is updated and the exam still exists on the MS side :)
Answer is correct: YNY
2nd:
The problem is that NSG1 is the last resolved NSG in the NSG order where NSG2 is resolved before which allows the connection through. Then comes NSG1 which has NSG1 and the traffic denies.
3rd:
No NSG == access allowed
Are we sure about ans 3 ?
No NSG means all traffic is blocked.
Please check for VM 4 - https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic
VM1 and VM2 are connected to the same NIC and subnet.
You connect to VM1 from the internet, yes, I got it.
But why No when you connect to VM2 from the internet?
The same case but different results. Is there anyone who can write an explanation?
VM1 associated to subnet11 => NIC2
VM2 associated to subnet11 => NIC2
NIC2 inbound rule says 80 / TCP (Source = internet, destination=VirtualNetwork)
Why is it different, when the connection requests are coming from the internet?
The problem is that NSG1 is the last resolved NSG in the NSG order where NSG2 is resolved before which allows the connection through. Then comes NSG1 which has NSG1 and the traffic denies.
It's YNN. The default inbound rule does not allow traffic from the Internet. You guys are confusing this with the default outbound rule, which does allow all traffic to the Internet.
You are correct. By default nothing from the Internet is allowed if there is no NSG. Tested in a lab by disassociating the NSG from the VM NIC, and it stopped connectivity.
There is not before nsg in the condition of question:
All virtual machines have public IP addresses and the Web Server (IIS) role installed. The firewalls for each virtual machine allow ping requests and web requests.
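The two points argued in the thread above (a subnet NSG and a NIC NSG must both allow inbound traffic, and the no-NSG case depends on the public IP SKU), modeled as an added example that is not part of the original discussion or of any Microsoft tooling. The rule sets `allows_http` and `defaults_only` are constructed stand-ins, since the exhibit's actual NSG1/NSG2 rules are not on the page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int         # lower number is evaluated first
    source: str           # "Internet", "VirtualNetwork" or "*"
    port: Optional[int]   # None matches any port
    allow: bool

# Default inbound rules present in every NSG (the load balancer rule,
# priority 65001, is left out because it never matches Internet sources).
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", None, True),   # AllowVnetInBound
    Rule(65500, "*", None, False),               # DenyAllInBound
]

def nsg_allows(rules, source, port):
    """The first matching rule in priority order decides the outcome."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.source in ("*", source) and r.port in (None, port):
            return r.allow
    return False

def inbound_allowed(subnet_nsg, nic_nsg, source, port, public_ip_sku="Basic"):
    """subnet_nsg / nic_nsg are rule lists, or None when no NSG is associated."""
    if subnet_nsg is None and nic_nsg is None:
        # No NSG at all: intra-VNet traffic is unfiltered; Internet traffic
        # reaches a Basic SKU public IP but not a Standard SKU one.
        return source != "Internet" or public_ip_sku == "Basic"
    # Inbound is processed by the subnet NSG first, then the NIC NSG.
    # Every associated NSG has to allow the packet.
    return all(nsg_allows(n, source, port)
               for n in (subnet_nsg, nic_nsg) if n is not None)

def scenarios():
    # Constructed rule sets, not the exam exhibit's real rules.
    allows_http = [Rule(100, "Internet", 80, True)]
    defaults_only = []   # NSG with no custom rule for port 80
    return {
        "one NSG allowing 80": inbound_allowed(allows_http, None, "Internet", 80),
        "second NSG lacks allow": inbound_allowed(allows_http, defaults_only, "Internet", 80),
        "no NSG, Basic SKU": inbound_allowed(None, None, "Internet", 80, "Basic"),
        "no NSG, Standard SKU": inbound_allowed(None, None, "Internet", 80, "Standard"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```
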