Exam AZ-800 topic 2 question 9 discussion

"You need to ensure that you can use Windows Admin Center from the Azure portal" - The portal use 443 port. No VPN required, the use is trough Portal, not RDP access. Answer, D.

Answer is Correct

I might be missing something here. I don't see anything about managing this VM1 and the Admin Center FROM the Windows 11 PC, we are just assuming that. With the Admin Center extension installed on VM1 in Azure, we could just use Bastion to connect to the VM, and run it on the Azure VM1 server with out ever hitting a public IP. Answer to me is A, but seems like a really badly written question.

Azure Bastion provides secure and seamless RDP and SSH connectivity to Azure VMs directly in the Azure portal, without requiring a public IP address on the VM. It allows you to manage VMs securely without exposing them to potential internet-based threats. This aligns with the scenario described in the question.

VPN Connection: Setting up a Virtual Private Network (VPN) between your on-premises network and the Azure virtual network allows your on-premises computer to securely access resources within the Azure virtual network, including VM1. This is essential because VM1 has only a private IP address and is not directly accessible from the public internet. https://www.youtube.com/watch?v=GH-i6sOtyAo

B: To use Windows Admin Center from the Azure portal to manage VM1, which has only a private IP address, you should configure a VPN connection to the virtual network that contains VM1. This option allows secure access to the private network where VM1 is located, enabling you to manage the VM using Windows Admin Center through the Azure portal. The other options are less suitable for this scenario: - Azure Bastion is primarily used for RDP and SSH connections, not specifically for Windows Admin Center. - A private endpoint is typically used for connecting to Azure PaaS services, not for managing VM. - An NSG rule allowing inbound traffic on port 443 alone would not provide the necessary connectivity from your on-premises network to the Azure virtual network.

manage VM1 from the Azure portal using the Windows Admin Center, you need to ensure secure and accessible connectivity to the VM that has a private IP address. Among the provided options, the most suitable configuration is: A. an Azure Bastion host on the virtual network that contains VM1. Azure Bastion provides secure RDP and SSH connectivity to your virtual machines directly through the Azure portal. This eliminates the need for a public IP address, thereby ensuring security while allowing you to manage VM1 through the Windows Admin Center. Setting up an Azure Bastion host will enable you to access VM1 securely from the Azure portal, maintaining the principles of least privilege and secure management practices

B. a VPN connection to the virtual network that contains VM1.

Answer is A

no public ip so B is the correct answer. Private Endpoints allows you to access resources from Azure

If your target Azure VMs don't have public IPs, and you want to manage these VMs from a Windows Admin Center gateway deployed in your on-premises network, you need to configure your on-premises network to have connectivity to the VNet on which the target VMs are connected. There are 3 ways you can do this: ExpressRoute, Site-to-Site VPN, or Point-to-Site VPN. https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-azure-vms#connecting-to-vms-without-a-public-ip

Answer is C. The key word here is private IP address. C. Private endpoints allow you to access Azure services (such as VM1) over a private IP address within the virtual network. By configuring a private endpoint for VM1, you can securely manage it using Windows Admin Center from the Azure portal.

I agree with B. https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm

Better, scenario is the Bastion in security, however if we look at cost, without a doubt the NSG releasing port 443.

The ON-PREM Windows 11 client is connecting to the Azure Portal which in turn then allows the admin to manage the Azure VM (VM1) via its extension. That connection happens inbound to the VM via PORT 443, therefore, you must allow inbound traffic for PORT 443 on the NSG attached to the VM or the subnet that is hosting it. The others make no sense here. You DO NOT need a VPN connection to manage an Azure resource via the Azure Portal. Nor should need to go to the trouble of putting one together to manage an Azure VM via the WAC tool. Its an HTTP tool. That is the whole point of using WAC.

valid 27.11.23

None of these are correct. A. an Azure Bastion host on the virtual network that contains VM1. - No WAC involved. B. a VPN connection to the virtual network that contains VM1. - That will allow you to install WAC on the W11 device and manage the server, but that is not the question here. C. a private endpoint on the virtual network that contains VM1. - Again no WAC involved. D. a network security group (NSG) rule that allows inbound traffic on port 443. - This is the closest and yet not correct as per documentation at https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm#installing-in-a-vm Based on the above, I would mark D as the answer.