Exam AZ-104 topic 5 question 57 discussion

Actual exam question from Microsoft's AZ-104
Question #: 57
Topic #: 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B 🗳️

Comments

IHensch
Highly Voted 3 years, 9 months ago
"Attach network interface" Button is enabled! That means, VM is Stopped and deallocated!
upvoted 96 times
alexandrud
1 year, 2 months ago
This Question was in my exam today and I specifically looked at the "Attach network interface" button and it was grayed out (not enabled like in this screenshot). The answer is NO for the question. Adding the inbound rule will change nothing.
upvoted 8 times
...
nNeo
3 years, 8 months ago
Very good observation !!!
upvoted 11 times
...
suryamk
2 years, 8 months ago
even public IP is not visible in network interface!!
upvoted 2 times
...
sztiki
2 years, 9 months ago
Reading all the other options in this case, probably that's the answer. Pretty annoying though...
upvoted 3 times
...
...
mlantonis
Highly Voted 3 years, 9 months ago
Correct Answer: B - No

You want to establish a successful connection from 131.107.100.50 over TCP port 43, and the solution suggests to create a deny inbound rule with low priority. It doesn’t make any sense.

Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.

AllowAzureLoadBalancerInBound: The AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16 where the Azure health probe originates. Actual traffic does not travel through here, and if you don’t use Azure Load Balancing, this rule can be overridden.
upvoted 61 times
mlantonis
3 years, 9 months ago
The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.
- Firewall, or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.

Note: Check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).

Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 13 times
...
mlantonis
3 years, 9 months ago
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules
http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
upvoted 9 times
...
...
[Removed]
Most Recent 4 months, 3 weeks ago
Selected Answer: B
B is correct. You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.
upvoted 1 times
...
tashakori
11 months, 2 weeks ago
No is right
upvoted 1 times
...
1828b9d
1 year ago
This question was in exam 01/03/2024
upvoted 2 times
...
jhodax
1 year ago
Selected Answer: B
Answer B (No)

When an Azure Load Balancer gets created, it will probe the backend to detect if the backend service is healthy or not. The probe packet is sent from source address "AzureLoadBalancer"; the IP address of "AzureLoadBalancer" is always 168.63.129.16.
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules/

What is happening here is the LB Health Probe of TCP 443 to VM1 & VM2 is getting blocked by Rule 200, so it thinks both VM1 and VM2 are down. Hence App1 is failing, as the LB won't direct any 443 traffic anywhere because it considers all hosts are down.

Make a new rule above 200 or move rule 65001 up to <200, so the Health Probe will start working again; it will find a healthy host and start to direct 443 traffic from 131.107.100.50 to it. App1 is alive!
upvoted 5 times
...
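The priority evaluation the comments above argue about, as an added example that is not part of the original thread: a small first-match NSG evaluator run against a constructed rule set. The exhibit is not reproduced on the page, so rule 100, the rule names, the VirtualNetwork range and the assumption that the health probe uses TCP 443 are all hypothetical; rule 200, rule 65001 and the priority-150 allow rule follow what the commenters describe.

```python
import ipaddress
from typing import NamedTuple

# AzureLoadBalancer value is the one given in the thread; VirtualNetwork range is assumed.
TAGS = {"AzureLoadBalancer": "168.63.129.16/32", "VirtualNetwork": "10.0.0.0/16", "*": "0.0.0.0/0"}

class Rule(NamedTuple):
    priority: int
    name: str
    source: str   # single IP, CIDR, or a key in TAGS
    port: str     # destination port or "*"
    action: str   # "Allow" or "Deny"

# Constructed rule set (the exhibit is missing from the page). Rule names are made up.
BASE = [
    Rule(100, "Allow_131.107.100.50", "131.107.100.50", "443", "Allow"),
    Rule(200, "BlockAllOther443", "*", "443", "Deny"),
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

def evaluate(rules, src_ip, dst_port):
    """Return (action, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        net = ipaddress.ip_network(TAGS.get(r.source, r.source))
        if ipaddress.ip_address(src_ip) in net and r.port in ("*", str(dst_port)):
            return r.action, r.name
    return "Deny", "implicit"

def report(rules):
    """Verdicts for the client flow and the load balancer health probe on TCP 443."""
    return {"client": evaluate(rules, "131.107.100.50", 443),
            "probe": evaluate(rules, "168.63.129.16", 443)}

# The solution from the question: a deny for the client at the very bottom of the list.
proposed = BASE + [Rule(64999, "DenyClient", "131.107.100.50", "*", "Deny")]
# The alternative quoted in the thread: allow AzureLoadBalancer at priority 150.
probe_fix = BASE + [Rule(150, "AllowLBProbe", "AzureLoadBalancer", "*", "Allow")]

if __name__ == "__main__":
    for label, rules in (("as-is", BASE), ("proposed", proposed), ("probe fix", probe_fix)):
        print(label, report(rules))
```

With this rule set the 64999 deny is never reached, so both verdicts are identical to the as-is case, while the priority-150 allow is the only change that flips the probe verdict.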
dimsok
2 years, 1 month ago
a cost of 64999???????
upvoted 2 times
...
[Removed]
2 years, 1 month ago
Was on my 2nd test
upvoted 1 times
...
[Removed]
2 years, 1 month ago
Here 1/5/23
upvoted 1 times
...
Liriano
2 years, 4 months ago
In exam today, go with highly voted
upvoted 1 times
...
klexams
2 years, 4 months ago
Selected Answer: B
this is to ensure connections to App1 can be established successfully from 131.107.100.50 over TCP port 443, not denying.
upvoted 1 times
...
libran
2 years, 6 months ago
Selected Answer: B
B is the Answer..!
upvoted 1 times
...
EmnCours
2 years, 6 months ago
Selected Answer: B
Correct Answer: B
upvoted 1 times
...
minix
2 years, 8 months ago
came in today's exam 25/6/2022
upvoted 4 times
...
EleChie
2 years, 8 months ago
Correct answer: B

After considering the issue a bit more I've realized that the AllowAzureLoadBalancerInBound security rule only applies to the traffic originated by the Load Balancer - health probes, etc. So rule 200 is blocking the LB Probe traffic, which in turn lets the LB know that VM2 (or pool members) is alive/working, and hence deleting this rule will solve the issue.
upvoted 1 times
...
szabi777
2 years, 11 months ago
The VM is turned off as the Attach network interface option is available. The solution is to turn on the VM. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm#add-a-network-interface-to-an-existing-vm
upvoted 4 times
...
AbhiYad
3 years, 2 months ago
There is no Public IP for VM2 to establish connection from external computer. As rule already allows inbound connection, need to create Public IP for VM2 to facilitate connections.
upvoted 2 times
...