Exam AZ-305 topic 1 question 29 discussion

1. Answer is Azure Bastion. https://docs.microsoft.com/en-us/azure/bastion/bastion-overview It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. While JIT access allows access via RDP or SSH, incoming connections is not TLS tcp 443 (but RDP or SSH when the inbound port is temporarily authorized) https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-avm%2Cjit-request-asc 2. Second is correct https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows Enforce Conditional Access policies You can enforce Conditional Access policies, such as multifactor authentication or user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, you must select the Azure Windows VM Sign-In app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or require MFA as a control for granting access.

1. Azure Bastion 2. Conditional Access Policy that has the cloud apps assignment set to Microsoft Azure management Azure bastion client access is authorized and authenticated when trying to log into the Azure portal. You can enable MFA on the Azure portal access by using the Conditional access policy for Microsoft Azure Management. We use this currently at work, it works very well! Azure bastion proxies the web portal requests via https to the servers running in the VNET.

Bastion and Azure Windows VM sign-in

WRONG 1. Azure Bastion 2. Conditional Access Policy that has the cloud apps assignment set to Microsoft Azure management

WRONG!!! AI: To manage the virtual machines on VNET1 and meet your requirements: 1) To provide access to virtual machines on VNET1, use: Azure Bastion Azure Bastion allows secure connections to your VMs via the Azure portal using RDP and SSH, without directly exposing your VMs to the internet. It uses TLS and can authenticate via Azure MFA. Why the other options aren't suitable: Just-in-time (JIT) VM access: While JIT reduces the attack surface by opening ports only when necessary, it doesn't directly manage RDP/SSH connections and MFA. Azure Web Application Firewall (WAF) in Azure Front Door: This is aimed at protecting web applications, not RDP/SSH management connections.

• To provide access to virtual machines on VNET1: Azure Bastion • To enforce Azure MFA: A Conditional Access policy that has the Cloud apps assignment set to Azure Windows VM Sign-In

To provide access to virtual machines on VNET1, use: Azure Bastion Azure Bastion provides secure and seamless RDP and SSH connectivity to virtual machines directly in the Azure portal over TLS (TCP port 443), ensuring secure access without exposing the VMs to the public internet. To enforce Azure MFA, use: A Conditional Access policy that has the Cloud apps assignment set to Azure Windows VM Sign-In A Conditional Access policy ensures that users must authenticate with MFA before accessing the virtual machines, enhancing security by requiring multi-factor authentication for access.

Final Answer: 1. Azure Bastion 2. Conditional Access Policy that has the cloud apps assignment set to Microsoft Azure management

#1 is bastion https://www.youtube.com/watch?v=DHiZbIks9i0

I previously gave two reasons to rule out Azure Bastion as an answer. One more additional reason to rule it out: Reason 3: We need to design a solution to manage the virtual machines from the internet. Azure Bastion enable VM access on private IP address range NOT on Public IP range i.e. not on internet.

I would rule out "Azure Bastion" for following reasons. 1) Question text does not indicate the existence of Azure Bastion subnet in VNET1. Without Azure Bastion subnet in virtual network Bastion host cannot be deployed in virtual network. 2) Answer area also does not mention anything about "Create Azure Bastion subnet and host. So for above reasons I will go with JIT VM

Answer is Azure Bastion and Conditional Access Policy with "Cloud apps assignment set to Windows VM signin":

For the answer is: Azure Bastion & Conditional access policy microsoft azure management

1. Answer is Azure Bastion. You can reach Bastion via https. 2. Answer is Conditional Access Policy that has the Cloud apps assignment set to Microsoft Azure Management, that's enforces the MFA for the Bastion services. Even it's not mentioned that the VM's are only Windows VM's. Maybe there are also Linux VM's.

For those who are doubting the second answer. If you look at this link, the azure bastion is not mentioned among the services. Hence it will not trigger the MFA authentication. You need to go with Windows VM Sign-in https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#microsoft-azure-management

Answer is Azure Bastion The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting: 22 - SSH 3389 - RDP 5985 - WinRM 5986 - WinRM

Azure Bastion: Azure Bastion is a managed PaaS service that allows secure and seamless RDP and SSH access to your virtual machines directly from the Azure portal without the need for a public IP address on the VMs. It uses TLS encryption (HTTPS) on port 443 for secure access.