Exam AZ-700 topic 4 question 17 discussion

2 ASGs e 3 assignments, aswer is correct. "All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in." https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups the ASG needs to be associated with the network card of the VMs, so there are 3 associations

2 ASG and 2 ASG assignments The question is looking for minimum. VNET 1: Create 1 ASG for SQL. Create outbound deny rule and assign to SQL1 Nic VNET2: Create 1 ASG for IIS. Create inbound deny rule and assign to Web3 Nic

Correct answer: - 2 AGSs - an application security group can be assigned at the level of the VNet. We have 2 VNets, so 2 ASGs. https://www.cayosoft.com/azure-security-best-practices/azure-application-security-group/ - 3 assignments - we have 3 IIS resources, so we need to assign 3 NICs to the ASGs, so we need to block each of them from reaching SQL with a deny NSG rule per ASG

One ASG ( all SQL VM) per vnet. in each Web VM's NSG (3 IIS Nic) you need to assign that ASG.

1 ASG and 2 assignments. Explanation: Vnet 1 does not need ASG because there's only 1 SQL server, so there's no point in creating ASG. Vnet 2 has 2 SQL servers that need to be added to 1 ASG. So, 2 assignments (1 for each SQL server), and 1 ASG.

https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups#:~:text=You%20can%27t%20add%20network%20interfaces%20from%20different%20virtual%20networks%20to%20the%20same%20application%20security%20group.

2 ASGs and 6 Assignments ASGs are per Resource Group and not per VNET. So, one for each app type (iis & sql) There are 6 VMs. Each NIC needs to be told what ASG it's part of. Then one NSG applied to both VNETs with one rule. Src-SQL-ASG ; Dst-IIS-ASG ; Deny

2 ASG / 3 assignments: 1x ASG for vnet1/sql 1x ASG for vnet2/sql now assignments: 1) 1st sql server in vnet1 2) 1st sql server in vnet 2 3) 2nd sql server in vnet 2 then subnet level NSGs with inbound rule (source SQL application group -> dst any > deny)

2 & 3 key word is "minimize administrative effort", and remember goal is to block sql. so work only with outbound rule applied to SQL server, when building the rule will'have the tcp-80, doesn't matter which destination (use any), for sure IIS server are in. in this case 2 ASG (1 each vnet) for sql are required and 3 ssignment (1 each sql server nic).

NSG and ASG can be used in different vnet. Tested.

it's only required : from SQL Server 2019 to IIS. what about these 3 ASG assignments: (Source=Vnet1/Sub1/SQL, Destination=Vnet1/Sub1/IIS, Access=Deny) (Source=Vnet2/Sub1/SQL, Destination=Vnet2/Sub1/IIS, Access=Deny) (Source=Vnet2/Sub2/SQL, Destination=Vnet2/Sub1/IIS, Access=Deny)

No of ASGs [ANS 4 ] - So there are 2 VNETs, 2 types of applications in both VNET one of type IIS and one of type SQL. The best practice is to use ASG assignment for both app types... which means 2 ASGs per VNET = 4 ASGs required. Note ASG cannot reference multiple VNETs 2)No of associations [Ans 6] ? - The assignment is at subnet level, so we could do add either an outbound rule for SQL server subnet or an inbound rule at IIS server subnet or both .. Assume we are adding only one rule (either inbound or outbound) and the question asks minimum no of assignments - In VNET 1 add an outbound rule for Subnet 1 to deny traffic from SQL ASG to IIS ASG - In VNET 2 add an inbound rule for Subnet 1 to deny traffic from SQL ASG to IIS ASG so 1 NSG rule per VNET is sufficient to introduce the control.. To meet this solution the ASG needs to associated to all the VMs in all VNET ... so total 6 associations is needed (if by 'association' it means attaching ASG to VM NIC)

I think you must create one ASG for all IIS NIC's and one NSG on al SQL server NICs In the NSG Block all outgoing traffic to IIS ASG. (You need only to block traffic from SQL Server 2019 to IIS) 1 ASG (for all IIS NICS) 1 NSG (for all SQL NICs) It's not a pretty solution, but with the least administrative effort

2 ASGs How to make the IIS side (receiving side) an application group, How to make the SQL side (sending side) an application group There are two, and both methods create one application group for each VNET, so there are two application groups. 2 Assignments In VNET1, the IIS side is set as an application group, and transmission to the IIS application group can be suppressed in the transmission traffic of Subnet1 or NIC of SQL1. In VNET2, the SQL side is set as an application group, and reception to the IIS application group should be suppressed in the reception traffic of Subnet1 or NIC of Web3.

Confuse answer, the correct answer is to have 2 ASG and 3 associations per VNET, in this case, there are 2 VNETs. Total 4 ASG and 6 associations, one association per VM

answer is correct

By network security group assigement, they mean how many Microsoft SQL servers assigned within an Application secuirty grroup