Exam AZ-104 topic 6 question 27 discussion

I see people saying the question is incomplete but the point of the question is to see if you are paying attention enough to know what you think is missing. Note: NSG1 Applies to Subnet1 only. Yes - VM1 can access the Storage account because there is nothing blocking it the on the virtual network. There is a rule that actually allows outbound access to storage. Yes- VM2 is on the Same VNET there is nothing blocking access to it from VM1 on the Virtual network. The Deny rule for HTTPS_VM1_Deny is for inbound connections from the internet. No- You have a Inbound deny rule for VM1 from the the internet with a destination of the 10.3.0.15 which is in Subnet1. This proves the NSG is associated to Subnet1 and only subnet one because the image shows it is connected to only 1 subnet. VM2 is on Subnet2 which you can determined by its IP address. This means that NSG1 does not apply to VM2.

I think is : Yes Yes No

Yes No (VMs are on 2 different VNETs that are not peered) No

I'm going to first assume that the NSG is related to one subnet and that is subnet1. Clues that help me conclude that: "Associated with: 1 subnet" and Inbound rule #1 has a destination of VM1 which is in Subnet1. 1 - Y, Outbound rule 1 has a storage destination from VNet of VM1 with Allow 2 - Y, Inbound rule HTTPS_VM1_Deny doesn't apply since VM2 is not on the Internet. AllowVnetInBound rule does apply 3 - N, because of the main clue in the top right "Associated with: 1 subnets". If it applied to any virtual machine on VNet1 than you would see associated with 2 subnets.

WRONG Yes Yes No

I want to become an Azure admin not Azure detective ffs

It is Y Y N. Yes: There are no outbound restrictions preventing this traffic. Yes: Since VM2 is in subnet2, the rule that denies access from the Internet does not apply to internal traffic between subnets. The default allow rules for Virtual Network should permit traffic between VMs in different subnets within the same VNET. No: NSG1 is associated with subnet1 in VNET1, so the security rules apply only to the VMs in subnet1, not to all VMs in VNET1.

Y, N, N Y'all give me heartburn lmfao

NO NO YES

correct answer: YYN NSG is assigned to Subnet 1. 1st box: outbound rule has allow rule for storage 2nd box: Priority 110 does not apply, this rule is for internet (outside) connection Priority 65000 will apply for vnet-vnet which is allowed 3rd box. NSG rule applies to Subnet 1

Yes Yes No

Hi All, I have a question. How VM1 can access storage1 with an outbound rule that block any internet access and there isn't any private endpoint and service endpoint mentioned in the question.

YNN 1. Allowed by outbound rule 2. Blocked by DenyAllInbound, explanation: -Allow VnetInbound will allow all traffic between peered VNETs, it will not allow traffic from all sources on VNETs to reach all destinations on VNETs. --The destination of the rule is VirtualNetwork, so traffic can come into the virtual network, but there is no rule that allows HTTPS traffic from the virtual network into the VM. 3. Only applied to VMs one Subnet.

1) Yes - Rule `Storage_Access` is allowing access to storage accounts; 2) Yes - Rule `Deny_VM1` is only for Internet Inbound, not for VirtualNetwork, so VM2 can access VM1 via HTTPS; 3) NO - NGS is associated only to Subnet1.

We assume that storage account allow VM1 to connect. Otherwise not what the NSG rule is, VM1 can't connect to storage account!

Yes Yes No This is correct!

please find my understanding below: Yes -> VM1 can access storage1 -> because 443 is allowed. Yes -> VM2 can access VM1 by using the HTTPS protocol -> because HTTPS outbound is allowed Yes -> The security rules for NSG1 apply to any virtual machine on VNET1 -> becasue there is no restrictions