Exam AZ-700 topic 3 question 37 discussion

Actual exam question from Microsoft's AZ-700
Question #: 37
Topic #: 3

HOTSPOT

You have an Azure subscription that contains the resource groups shown in the following table.



You have the virtual networks shown in the following table.



Vnet1 contains two virtual machines named VM1 and VM2. Vnet2 contains two virtual machines named VM3 and VM4.

You have the network security groups (NSGs) shown in the following table that include only default rules.



You have the Azure load balancers shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

NoeHdzMll
Highly Voted 2 years, 2 months ago
1. NO. A backend pool can only contain resources from one virtual network. VM2 (VNet1) VM3 (VNet2) 2. YES. Using the frontend IP address. 3. NO. The default NSGs are blocking any ingress internet traffic
upvoted 26 times
SaadKhamis
1 year, 10 months ago
3. Tested in the lab and confirmed answer to be NO. A rule for port 80 must be added to the NSG to be able to reach VM1 using port 80.
upvoted 9 times
...
JohnnyChimpo
1 year, 10 months ago
3 is YES - Default NSG rules all have an AllowAzureLoadBalancerInbound rule
upvoted 8 times
occupatissimo
1 year, 9 months ago
that's for LB probes, not for client traffic
upvoted 5 times
...
...
TJ001
2 years, 1 month ago
I agree with this answer NO,YES,NO
upvoted 2 times
TJ001
2 years, 1 month ago
I have to correct ...3. YES because it is public load balancer and default NSG allows inbound from load balancer...
upvoted 8 times
...
...
Madball
2 years, 1 month ago
Completely agree with this.
upvoted 2 times
...
...
Lazylinux
Highly Voted 1 year, 6 months ago
No YES YES for sure.. all seem to agree on 1 and 2 but not 3.. here is why 3 is YES - as per some others' comments, all incoming traffic from Public Load Balancer is allowed via service tags, which are logical collections of IP addresses from Azure, think logic!! It is an Azure trusted service, why would they BLOCK it!! Read further here https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 6 times
magnem66
1 year, 6 months ago
Here's the reason they block it by default. https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview The relevant section is "Secure by default" 3 is NO.
upvoted 5 times
...
...
cannoe
Most Recent 1 week, 1 day ago
3. is Yes - the request is not directly coming from the client, it is from the Load Balancer and by default has the AllowAzureLoadBalancerInbound (used for health probe, DNS, DHCP)
upvoted 1 times
...
sotec
1 year, 3 months ago
What NSG is linked to VM1? Is the VM1 in the subnet1 or subnet2? The NSG is working in subnet1 or subnet2?
upvoted 3 times
...
_Cris
1 year, 5 months ago
appears on exam, 19 Sept 2023
upvoted 4 times
...
occupatissimo
1 year, 10 months ago
3. always start learning from overview: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview Standard -> Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups. Basic -> open to the internet by default. In this case SKU is missing ....
upvoted 1 times
occupatissimo
1 year, 10 months ago
however basic is never for production so .... 3 is N
upvoted 2 times
Tasli6
1 year, 8 months ago
Yes, but there is a rule allowing port 80 on the LB1, therefore it's open.
upvoted 2 times
...
...
azure_dori
1 year, 6 months ago
You're absolutely right. The third question is NO. I deduce that the LB SKU is Standard, because for Basic the backend pool can only be a scale/availability set.
upvoted 3 times
...
...
sierra1784
1 year, 10 months ago
3. NO - When you create NSGs to filter traffic coming through an Azure Load Balancer, the source port and address range applied are from the originating computer, not the load balancer frontend.
upvoted 2 times
...
flurgen248
1 year, 10 months ago
1. No - It's in another VNET and would need another backend pool. 2. Yes - It's in the same VNET, so default rules allow it. 3. No - Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations So the NSG would still block internet traffic, because the Source IP isn't from the load balancer.
upvoted 2 times
...
hal01
1 year, 11 months ago
NO, YES, NO. NO, VM2 is not in VNET 2, so it's another network and cannot be added to the backend pool. YES, because they can use the public IP address. NO, because the network security groups (NSGs) include only default rules.
upvoted 2 times
...
_fvt
1 year, 11 months ago
N - VM2 is not in the same VNet and cannot be added to the backend pool. Y - VM4 is in the same VNet as Lb2 so it can access its frontend IP and therefore access VM3 through it. Y - VM1 is in Lb1 backend pool. Lb1 is a public LB and the rule specifies port 80. NSGs should not be an issue there because it's specified that they have default rules only. These default rules allow inbound load balancer traffic; VNet to VNet traffic (inbound and outbound); and outbound internet access. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 1 times
_fvt
1 year, 11 months ago
After further reading, the 3rd should be "No": Azure Load Balancer is not an App Gateway / a Reverse Proxy and doesn't replace the client IP address. https://stackoverflow.com/questions/59541796/how-to-restrict-direct-access-from-internet-to-azure-public-loadbalancer-backend "for example, client1 send a request to backend via LB front IP, it will generate a flow source client1, source port, protocol, destination LB IP, destination port. When hitting the load balancer, with Inbound NAT rules, it will change to source client1, source port, protocol, destination VM IP, dest port but the source IP for incoming traffic does not change, the NSG rule still is evaluated with the same source IP in the inbound rules. with LB or not, it will work the same for a client for NSG rules."
upvoted 5 times
...
...
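Added example, not part of any comment above and not Microsoft's code: a small model of the default inbound NSG rules and of the behaviour quoted from the NSG overview and the Stack Overflow answer, where the NSG evaluates the originating client's source address rather than the load balancer's. The Vnet1 prefix, the client and backend addresses and the `AllowHttpInbound` rule are constructed for illustration, and the AzureLoadBalancer tag is reduced to the platform probe address 168.63.129.16.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the question's tables are not reproduced on this page.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.1.0.0/16"],          # assumed Vnet1 address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # health-probe source address
    "*": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str      # service tag or CIDR prefix
    dest_port: str   # "*" or a single port number
    action: str      # "Allow" or "Deny"

DEFAULT_INBOUND = [
    Rule(65000, "AllowVNetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInbound", "*", "*", "Deny"),
]

def _source_matches(rule, src_ip):
    prefixes = SERVICE_TAGS.get(rule.source, [rule.source])
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def evaluate_inbound(rules, src_ip, dest_port):
    """Return (action, rule name) of the first match, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(rule, src_ip) and rule.dest_port in ("*", str(dest_port)):
            return rule.action, rule.name
    return "Deny", "no matching rule"

def flow_after_load_balancer(client_ip, backend_ip, backend_port):
    """The load balancer rewrites only the destination; the source stays the client."""
    return {"src": client_ip, "dst": backend_ip, "port": backend_port}

if __name__ == "__main__":
    flow = flow_after_load_balancer("203.0.113.7", "10.1.0.4", 80)
    # Internet client through the public frontend, default rules only
    print(evaluate_inbound(DEFAULT_INBOUND, flow["src"], flow["port"]))
    # Health probe from the platform address
    print(evaluate_inbound(DEFAULT_INBOUND, "168.63.129.16", 80))
    # Same client flow after an explicit port 80 allow rule is added
    allow_http = Rule(100, "AllowHttpInbound", "*", "80", "Allow")
    print(evaluate_inbound(DEFAULT_INBOUND + [allow_http], flow["src"], flow["port"]))
```
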
alkorkin
2 years, 1 month ago
3. Will be YES just in case we have Basic LB. Standard requires an NSG in order to explicitly open access from the Internet
upvoted 2 times
...
DeepMoon
2 years, 2 months ago
1. No - Lb2 is an ILB in US West. VM2 is in East US. ILB cannot use cross region load balancing. https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-basic-upgrade-guidance#basic-load-balancer-sku-vs-standard-load-balancer-sku 2. Yes - VM3 is connected to Lb2 and backend port 1433 3. Yes - Port 80 is opened on Lb1.
upvoted 3 times
DeepMoon
2 years, 2 months ago
Box 1 : can be Yes depending on the load balancer SKU being basic or standard. That is currently not given. So you cannot definitively answer this question.
upvoted 1 times
tester2023
2 years, 1 month ago
The issue isn't SKU-related. The issue with adding the VM is that it is on a different vNet than the LB, which isn't allowed.
upvoted 1 times
...
...
TJ001
2 years, 1 month ago
3- port is defined in LB1 but not in the default NSG attached
upvoted 1 times
TJ001
2 years, 1 month ago
my bad ... did not notice that the load balancer is a public one, so 3. YES
upvoted 2 times
magnem66
1 year, 6 months ago
You were right the first time. Port 80 needs to be open on the NSG. So 3 is NO.
upvoted 2 times
...
...
...
...