ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 5 question 58 discussion

Actual exam question from Microsoft's AZ-104
Question #: 58
Topic #: 5
[All AZ-104 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You delete the BlockAllOther443 inbound security rule.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Moyuihftg at April 30, 2021, 11:50 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
mlantonis
Highly Voted 3 years, 11 months ago
Correct Answer: B - No Allow_131.107.100.50 rule has a higher priority (100) than BlockAllOther441 (200) and it allows inbound traffic over TCP 443 from source 131.107.100.50. App1 (VM1 and VM2) is in a VNet, so this rule applies. Unfortunately, we still cannot access App1, so the issue is somewhere else, maybe the VMs are off, or the firewall is blocking it.
upvoted 84 times
mlantonis
3 years, 11 months ago
It's a tricky question. It might also be YES. The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons: - Load Balancer backend pool VM is unhealthy. - Load Balancer backend pool VM is not listening on the probe port. - Firewall, or a network security group is blocking the port on the Load Balancer backend pool VMs. - Other misconfigurations in Load Balancer. Note: Check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16). Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 33 times
knowakuk
4 months, 1 week ago
Rule 65001 is named Allow Load Balancer, And it has higher priority DenyAll
upvoted 1 times
...
alexandrud
1 year, 4 months ago
This question was in my exam today, and I specifically looked at the "Attach network interface" button and it was grayed out (not enabled like in this screenshot). Creating the Allow inbound from the LB may fix the issue. This was my answer for that question today and I scored 909. Not sure if it was the correct answer though, but here I think it is still NO.
upvoted 5 times
...
alexander_890512
1 year, 10 months ago
Hello guys, the NIC is not attached to any vm, look at the attach options.
upvoted 13 times
pcfixok
1 year, 7 months ago
You're right! So simple!
upvoted 1 times
...
Nighty470
1 year, 7 months ago
'Detach..' being grayed out only means that the VM has only one NIC attached, which cannot be removed for obvious reason. 'Attach..' being active means that the VM is not running.
upvoted 3 times
...
...
Load full discussion...
...
vrm1358
1 month, 2 weeks ago
A is the correct answer. Traffic is allowed from 131.107.100.50 to the backend servers. (rule #100) However, policy #200 drops healthmonitor traffic that would have been permitted by default rule #65001. Monitors fail (if we assume same configuration is applied to both VM's) hence users cannot access the web service. removing BlockAllOther443 rule will fix the issue, because back-end pool members will be marked up and traffic will be sent to them as usual. In other words, service will return to operation.
upvoted 1 times
...
Goofer
2 years ago
Answer should be A (yes) I think. Because deleting rule BlockAllOther443, would cause default rule 65001 to allow the traffic from the loadbalancer reach VM1/VM2
upvoted 3 times
...
kansaj
3 years, 6 months ago
also the destination is for virtual network only so its doesn't matter still wouldn't work
upvoted 2 times
...
...
Moyuihftg
Highly Voted 3 years, 12 months ago
Answer should be A (yes) I think. Because deleting rule BlockAllOther441, would cause default rule 65001 to allow the traffic from the loadbalancer reach VM1/VM2
upvoted 47 times
ScreamingHand
3 years, 10 months ago
An active "Attach network interface" suggests that VM2 is not running.
upvoted 8 times
itgg11
3 years, 2 months ago
I think you are spot on. the VM is off. Answer: B
upvoted 3 times
rupayan87
2 years, 5 months ago
but VM1 may be running. The NSG is tied to subnet
upvoted 2 times
...
...
garmatey
1 year, 12 months ago
omg thank you, ive been looking through the comments of all three of these questions looking for this answer
upvoted 1 times
...
...
Lkk51
3 years, 10 months ago
Question is ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
upvoted 1 times
...
rawrkadia
3 years, 9 months ago
You could be right, its hard to tell (insufficient info). That rule could be blocking health probes as explained in a later discussion in the series. It could also be that its off or something else blocking the connection.
upvoted 1 times
...
cyna58
3 years, 11 months ago
I think B is correct as Allow_131.107.100.50 rule has higher priority
upvoted 3 times
...
Load full discussion...
...
vrm1358
Most Recent 1 month, 2 weeks ago
Selected Answer: A
A is the correct answer. Traffic is allowed from 131.107.100.50 to the backend servers. (rule #100) However, policy #200 drops healthmonitor traffic that would have been permitted by default rule #65001. Monitors fail (if we assume same configuration is applied to both VM's) hence users cannot access the web service. removing BlockAllOther443 rule will fix the issue, because back-end pool members will be marked up and traffic will be sent to them as usual. In other words, service will return to operation.
upvoted 1 times
...
minura
4 months, 1 week ago
Selected Answer: B
Correct Answer: B - No Allow_131.107.100.50 rule has a higher priority (100) than BlockAllOther441 (200). Deleting BlockAllOther441 will NOT make any difference. Issue must be somewhere else.
upvoted 1 times
...
[Removed]
6 months ago
Selected Answer: B
B is correct You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.
upvoted 2 times
...
Pcservices
7 months, 1 week ago
Selected Answer: B
The VM is off so asnwer is B
upvoted 2 times
...
BrkyUlukn
9 months, 1 week ago
Correct Answer: A There is a rule 65001 that allows the LB to access VMs, and the rule 200 blocks it for port 443. Most probably the NSG2 is shared between Vm1 and Vm2. The active button "Attach Network Interface" indicates VM2 is stopped, but nothing is known about VM1 which is supposed to be able to accept connections. Reference: https://fastreroute.com/azure-network-security-groups-explained/
upvoted 2 times
...
adilkhan
9 months, 3 weeks ago
YES is correct and make sense! Based on the provided network security group (NSG) rules for VM2, let's analyze the rules and their priority: Allow_131.107.100.50: Priority 100, allows traffic from 131.107.100.50 on TCP port 443. BlockAllOther443: Priority 200, blocks traffic on TCP port 443 from any source. AllowVnetInbound: Priority 65000, allows traffic from the virtual network. AllowAzureLoadBalancerInbound: Priority 65001, allows traffic from Azure Load Balancer. DenyAllInbound: Priority 65500, denies all inbound traffic. The reason connections from 131.107.100.50 over TCP port 443 are failing is because of the BlockAllOther443 rule with priority 200, which blocks all traffic on port 443 except for the specific allow rule with priority 100. By deleting the BlockAllOther443 rule, you will allow the previously specified allow rule (priority 100) to take effect, thus permitting traffic from 131.107.100.50 on port 443.
upvoted 2 times
...
bobothewiseman
1 year, 1 month ago
Selected Answer: B
No! You need to attached network interface
upvoted 2 times
...
tashakori
1 year, 1 month ago
Yes is correct
upvoted 1 times
...
jhodax
1 year, 1 month ago
Selected Answer: A
Answer A When an Azure Load Balancer get created, it will probe backend to detect if the backend service is healthy or not, the probe packet is sent from source address "AzureLoadBalancer", the IP address of "AzureLoadBalancer" is always 168.63.129.16. https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules/ What is happening here is the LB Health Probe of TCP 443 to VM1 & VM2 are getting blocked by Rule 200 so it thinks both VM1 and VM2 are down. Hence App1 is failing as the LB won't direct any 443 traffic anywhere as it considers all Hosts are down. Make a new rule above 200 or move rule 65001 up to <200, so the Health Probe will start working again, it will find a health host and start to direct 443 traffic from 131.107.100.50 to it. App1 is alive!
upvoted 2 times
...
nchebbi
1 year, 5 months ago
Selected Answer: A
From the exibit we can see that the NSG is applied only to the subnet (it's not applied to none of the network interfaces of VM1 nor VM2). Standard SKU must be used, Basic SKU is typically for testing ONLY, see Ref1 1. the first rule is required for standard LB as they are closed by default in order to allow traffic to flow to the backend pool resources, unless you have NSG on the VM NIC or subnet. (basic SKU is open by default.) Ref1 2. The security rule we remove will allow the LoadBalancer to check the health of theVMs, the LB is marking them as unhealthy, though not sending traffic to them, that's why it's failing.Ref2 Ref1: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-load-balancer-security-baseline Ref2: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
upvoted 2 times
nchebbi
1 year, 5 months ago
From Ref1: " The Standard Load Balancer is designed to be secure by default and part of a private and isolated Virtual Network. It is closed to inbound flows unless opened by network security groups to explicitly permit allowed traffic, and to disallow known malicious IP addresses. Unless a network security group on a subnet or NIC of your virtual machine resource exists behind the Load Balancer, traffic is not allowed to reach this resource." Ref1: "Note: Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is only used for testing since the basic type is open to connections from the internet by default and doesn't require network security groups for operation."
upvoted 1 times
...
...
MOSES3009
1 year, 5 months ago
Selected Answer: A
Flow 131.107.100.50 -> LB -> servers. Deleting the rule will allow second half of the flow. So, it solve the problem.
upvoted 1 times
...
[Removed]
1 year, 5 months ago
Selected Answer: A
allow the LB to health probe
upvoted 2 times
...
JD908
1 year, 7 months ago
Question literally says "You verify that the Load Balancer rules are configured correctly". If its configured correctly than why would you delete one of the rules?
upvoted 1 times
...
hidefo6963
1 year, 7 months ago
Selected Answer: A
There is a rule 65001 that allows the LB to access VMs, and the rule 200 blocks it for port 443. Most probably the NSG2 is shared between Vm1 and Vm2. The active button "Attach Network Interface" indicates VM2 is stopped, but nothing is known about VM1 which is supposed to be able to accept connections.
upvoted 1 times
...
rimvydukas
1 year, 8 months ago
Selected Answer: A
Ok, lets dig in :) Rule with prio 100 allows required traffic from required IP but the App1 still is not working. Why? Because of the rule with prio 200. Why? Because as we can see from the rules - App1 is on 443 port. So most likely health probes are also configured against this port and these health probes are blocked with rule with prio 200. LB thinks that VMs are not active and does not send the traffic to these VMs. When we'll delete this rule, health probes will start to work because of rule with prio 65001 and everything will start to work again:) And one more thing, maybe not so important in this case. "Attach Network Interface" button is active, so VM2 is probably powered off. But we still have VM1 left in any case :)
upvoted 3 times
hidefo6963
1 year, 7 months ago
in a lab starting a VM really makes the "Attach..." button inactive
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago