Exam AZ-900 topic 1 question 242 discussion

A network security group (NSG) will block all network traffic by default >> A network security group does not encrypt network traffic. It works in a similar way to a firewall in that it is used to block or allow traffic based on source/destination IP address, source/destination ports and protocol Applications security group can be specified as part of network security group (NSG) rules >> In a NSG you can have up to 1000 NSG rules. In max 100 of this 1000 NSG rules you can specify an Application Security Group as a source or destination Network security groups (NSGs) always include inbound security rules and outbound security rules >> A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. Answer: No Yes Yes

Q1.NO. By default, all inbound traffic is blocked and all outbound traffic is allowed. So the answer is NO since not all traffic is blocked.

The first question does not specify if it's inbound or outbound traffic. In only blocks all inbound traffic by default, so I think it's a no

q1 is No full answer is NYY

keyword: by default!!! its NYY

Answer is YYY Network Security Group (NSG) in Azure will block all network traffic by default. When you create a new NSG, there are no inbound or outbound security rules defined. This means that all inbound and outbound traffic to/from resources associated with the NSG is blocked. To allow traffic to flow, you need to create inbound and/or outbound security rules explicitly in the NSG. These rules define the type of traffic (such as TCP or UDP), the source and destination IP addresses and ports, and the action (allow or deny). It's important to note that NSGs are applied to subnets or network interfaces, not individual virtual machines. This means that all virtual machines associated with a subnet or network interface will be subject to the same NSG rules. Also, keep in mind that NSGs are stateful, which means that if you create an inbound security rule to allow traffic, the return traffic will be allowed automatically. You don't need to create a separate outbound security rule to allow the return traffic.

Answer is YYY NSG does block all traffic by default

Take my test tomorrow. If i get this question, I'm going to go with NO: By default, a Network Security Group (NSG) in Azure does not block all network traffic. It allows all inbound and outbound traffic until rules are added explicitly to block or allow traffic. When a new NSG is created, it has no rules, and therefore no traffic is blocked. It's up to the user to add rules to the NSG to allow or deny traffic.

NYY is the answer. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#application-security-groups Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses.

seems the answer is correct https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

YYY Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet. For more details : https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works