Exam AZ-104 topic 5 question 106 discussion

Correct Answer B. 443 Using Bastion your RDP/SSH session is over TLS on port 443. https://learn.microsoft.com/en-us/azure/bastion/bastion-overview If you say port 22 then what about windows VM as it is not mentioned that the VM is windows or Linux? You will have to allow port 443 in NSG.

Correct answer A....As Bastion connects to VM via port 22/3389..Azure portal connects to Bastion via port 443..as the question is to inbound rule for vm from Bastion...Correct answer is PORT 22...option A

Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. Your RDP/SSH session is over TLS on port 443. This enables the traffic to traverse firewalls more securely. Bastion supports TLS 1.2. Older TLS versions aren't supported.

If I saw this problem test without first seeing it here I'd probably pick 389. Thank you ExamTopics, hopefully my work reimburses me for the monthly $ :)

Azure Bastion uses an HTML5 based web client that is automatically streamed to local device. RDP/SSH session is over TLS on port 443.

Correct Answer - A We connect to Azure bastion over port 443 and then bastion connects to the VM over either 22 or 3389 depending on the OS of the system. Question is asking about connectivity from bastion to VM which will be 22 (as 3389 is not part of the options).

B is correct

Inbound traffic from Bastion to VM shall be 22 for SSH (Linux) and 3389 for RDP (Windows). Reference: https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#ports:~:text=By%20default%2C%20the%20inbound%20ports%20used%20to%20connect%20are%203389%20for%20RDP%20and%2022%20for%20SSH. There is also an option to connect to Windows via SSH (port 22) Reference: https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-ssh-windows#:~:text=Inbound%20port%3A%20SSH%20(22)%20or 443 is wrong because that is the public facing port (Internet into Bastion). Question is asking about Bastion into VMs Therefore A is correct.

With Azure Bastion, you can connect to your virtual machines on your local or virtual peer network via TSL, port 443 directly from the Azure portal or a native client. https://azure.microsoft.com/de-de/products/azure-bastion

Port 443: Used for HTTPS connections. This is the port used by Azure Bastion to connect to the Azure portal and then to your VMs.

Answer is A. Bastion use either port 22 (SSH) or 3389 (RDP) to connect the VM.

Should be A. 22 since there is no 3389. https://learn.microsoft.com/nl-nl/azure/bastion/bastion-overview#:~:text=configure%20your%20NSGs%20to%20allow%20RDP/SSH%20only%20from%20Azure%20Bastion

chatgpt: To configure NSG1 to allow inbound access to the virtual machines via Azure Bastion, you should enable the necessary ports. Let’s break it down: Azure Bastion Ports: Azure Bastion provides secure RDP and SSH connectivity to your virtual machines. The following ports are relevant for Azure Bastion: Port 443: Required for HTTPS traffic to Azure Bastion. Port 3389/22: Not required to be opened on the AzureBastionSubnet. Azure Bastion doesn’t use these ports directly. Ingress Traffic Rules for NSG1: Create an inbound security rule in NSG1 to allow traffic from Azure Bastion to the virtual machines. Specifically, enable port 443 for inbound traffic from the Azure Bastion control plane. Summary: Configure an inbound rule in NSG1 with the following details: Source: Azure Bastion control plane (using the GatewayManager service tag). Destination port: 443 (for HTTPS traffic).

B is correct

To allow inbound access to the virtual machines via Azure Bastion, you should configure the inbound security rule for port 443. Azure Bastion uses SSL (HTTPS) to connect to your virtual machines through a web browser, which operates over port 443. So, the correct answer is: B. 443

Answer - B: the question mentioned "allow INBOUND access" Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet. Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other target VM subnets for port 3389 and 22. If answer was related to Egress Traffic, both A and C would be correct. https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg

https://learn.microsoft.com/nl-nl/azure/bastion/bastion-overview see drawing