Exam AZ-700 topic 4 question 18 discussion

should be N,N, Y 1) Inbound rule on subnet1 will deny 2) Inbound rule on subnet2 will deny 3) No rule on VM3 so it would allow connections

N, inbound rule on subnet one will deny Y, Communication within the same subnet does not go through an NSG, so nothing blocking Y, Standard rules do not block vNet to vNet communication unless explicit.

NNY VM3 can connect to VM1 on port 8080? ❌ No 2. VM1 and VM2 can connect on port 9090? ❌ No 3. VM1 can connect to VM3 on port 9090? ✅ Yes

NNY 1 and 2 Inbound rule deny because of NSG 1 assigned to Subnet 1 and Default Inbould Rule is allowVnet any to any so, Vm1 can connect to Vm3 by default

3) NSG Default inbound rule include DenyAllInBound rule. So this answer is No.

N,N,Y Lab confirmed: Virtual Network 200 * Deny rule blocks both: -VM1 to VM2 -VM3 to VM1 Remove that rule and connectivity is restored Good to know, as I had thought the NSG applied to a SN only worked on the ingress and egress of the SN, but it also can work within the SN itself. Maybe I am remembering back to my AWS networking, or just imagining things. I don't think anyone is disputing VM1->VM3 = Y

NNY * Inbound rule on subnet1 will deny * Inbound rule on subnet2 will deny - remember the scope is the whole vNET * No rule on VM3 and default rule allows for vNET communication without restrictions

NNY "If you add a rule to NSG1 that denies all inbound and outbound traffic, VM1 and VM2 won't be able to communicate with each other." https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic

NNY Ref for #2: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic

I think the best answer is N,N,N the first two are already very clear, about the last one, it is said that the NSG2 has default rules, nothing is said about port 9090 released, so, based on this, access would be denied. Anyone else agree?

1. N — VM3 is trying to access VM1 through port 8080 and port 8080 not in allowed port list of NSG1 2. N — VM1 and VM2 tryin to talk with each other. Even though the are on the same subnet the NSG1 deny rule will include port 9090 3. Y — VM1 and VM3 can have connection NSG1 will not affect any outbound connection. NSG 1 is applied inbound and which means it affect connections that comes Subnet 1 only. The only allowed port is http (80) and https (443) and the rest is blocked. Any connection going out side of Subnet 1 is allowed. VM1 and VM2 will be affected by NSG1 because they are under Subnet1. NG2 will not affect anything because only default rules are configured.

The answer should be N N Y

I re-created this in a lab and can confirm that the VMs could not communicate with one another even though they are in the same subnet. As others have discussed and provided the link for... NSGs are still used for intra-subnet communication. Answer is NNY

I would go with N,N,Y as described,"By default, virtual machines in the same subnet can communicate based on a default NSG rule allowing intra-subnet traffic. If a rule is added to *NSG1 that denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other." With NSG1 having custom rules, intra-communication is defined by the rules.

should be NYN 1. Inbound rule on subnet1 will deny 2.By default, virtual machines in the same subnet can communicate based on a default NSG rule allowing intra-subnet traffic. (https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic) 3. VM3 has default rule as the text states. DenyAllInbound is the default vor NSG. See here: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

VM3, which is part of Subnet 2, can not connect to port 8080 on VM1, because we have inbound rule that denies all ports accept port 80 and 443. so, the answer is No! VM1 and VM2 are on the same subnet and by default inbound rules within a virtual network are allowed, however we NSG with a lower priority(200) over riding the default allowed rule which is priority 65000. So the Answer is NO! VM1 is on Subnet 1 and VM3 is on Subnet 2, and outbound communication by default between subnets in the same virtual network is allowed and the question states NSG2 has only the default rules configured. so the answer is YES! N N Y

It should be N,N, Y