Exam AZ-900 topic 1 question 262 discussion

You can either modify a firewall or modify a NSG. For basic allow/deny traffic, NSG is enough. But the same can be achieved with Firewall as well. "The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks." https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-difference-between-network-security-groups-nsgs-and-azure-firewall What is the difference between Application Gateway WAF and Azure Firewall? The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Azure Firewall is a network-based security service that filters traffic between networks. Simply modifying Azure Firewall does not allow HTTP (Port 80) access to a virtual machine. Instead, a Network Security Group (NSG) must be configured to allow inbound HTTP traffic. Alternatively, a Load Balancer with a NAT rule can be used if multiple VMs are involved. ❌ Modifying Azure Firewall alone does NOT meet the goal! 👉 Correct Answer: B. No ✅ 💡 Steps to allow HTTP access to VM1: Modify the NSG rule: Allow inbound traffic on Port 80 (HTTP). Ensure VM1 has a public IP address. If using a Load Balancer, configure a NAT rule for HTTP access. 🔹 Quick Tip: NSG controls access to individual VMs, while Azure Firewall manages network-level security. 🚀

Modifying an Azure Firewall alone will not necessarily make VM1 accessible over HTTP from the internet. To allow HTTP (port 80) access, you typically need to modify the Network Security Group (NSG) attached to VM1

Key words here in the question are "multiple Azure virtual machines" and "a VM1". So, NSG needs to be modified not Firewall.

B is the answer. If you use firewall then it would be applied to all the other VMs as well, not just to VM1.

B is the correct answer because you wood need NSG for this purpose. While you could configure Azure Firewall to allow HTTP (port 80) traffic, this rule would apply to any resource within the network, not just VM1. Remember that the question mentions multiple VMs.

Modifying an Azure firewall alone will not ensure that VM1 is accessible from the Internet over HTTP. While an Azure firewall can control and filter network traffic, you also need to configure other components to allow HTTP access. Here are the steps you should take: Network Security Group (NSG): Ensure that there is an NSG associated with the subnet or network interface of VM1. Add an inbound security rule to allow HTTP traffic (port 80). Public IP Address: Ensure that VM1 has a public IP address assigned to it. VM’s Firewall Settings: Ensure that the Windows Firewall on VM1 allows inbound HTTP traffic. These steps, combined with any necessary Azure firewall rules, will ensure that VM1 is accessible over HTTP from the Internet. If you need more detailed instructions on any of these steps, feel free to ask!

can modify in firewall

Modifying an Azure firewall alone does not meet the goal. To ensure that VM1 is accessible from the Internet over HTTP, you should modify the Network Security Group (NSG) associated with VM1 to allow inbound traffic on port 80 (HTTP). Additionally, you need to ensure that the VM has a public IP address and that any necessary routing or load balancing configurations are correctly set.

No, modifying an Azure firewall would not meet the goal of ensuring that a virtual machine named VM1 is accessible from the Internet over HTTP. To achieve this goal, you would need to configure the network security group (NSG) associated with VM1 to allow inbound traffic on port 80 (HTTP).

B. No. Modifying an Azure firewall alone will not ensure that a virtual machine named VM1 is accessible from the Internet over HTTP. Instead, you need to configure the network security group (NSG) associated with the VM1's network interface to allow inbound traffic on port 80 (HTTP) from the Internet. Additionally, you may also need to configure any applicable Azure load balancer, DNS, or public IP settings to ensure proper connectivity.

A is the answer.

Follow this article: https://adamtheautomator.com/azure-firewall/ We can choose Azure Firewall or NSG. It's also working together. We also can create a VM without NSG. Almost the example they created the VM with NSG because it's free. Azure Firewall is not free. That's all.

Got Feb 10, 2022, this question came in a way where they list 4 options, so I choose Azure firewall.

Firewall, WAF and NSG Application rules aren't applied for inbound connections. So if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF). Or alternatively you can tweak NSG because by default everything is closed on NSG once it is created and assigned to vnet, subnet or vnic. Below is tutorial how to setup firewall and vnet, but if you go through you will see that all conversation is about outbound trafic not inbound may be because Azure Firewall application rules aren't applied for inbound connections. So we left with WAF or NSG. https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal

correct