You have an Azure subscription that contains the following resources:

(@hevesywilber)

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following resources:

✑ A virtual network that has a subnet named Subnet1

✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1

✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.

NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

✑ Priority: 100

✑ Source: Any

✑ Source port range: *

✑ Destination: *

✑ Destination port range: 3389

✑ Protocol: UDP

✑ Action: Allow

VM1 connects to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

You need to be able to establish Remote Desktop connections from the internet to VM1.

Solution: You modify the custom rule for NSG-VM1 to use the internet as a source and TCP as a protocol.

Does this meet the goal?

  • A . Yes
  • B . No


Suggested Answer: B

Explanation:

NSGs deny all inbound traffic except from virtual network or load balancers. For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, and then the rules in a network security group associated to the network interface.

By default, an NSG rule to allow traffic through RDP port 3389 is not created automatically during the creation of a VM, unless you change the setting during creation. Subnets usually do not have any NSG associated unless you go out of your way to do so, which this scenario does. When you create that extra NSG, it won't have an RDP rule by default, thus blocking inbound connections.

The request first goes to NSG-Subnet1, and as there is no allow rule for RDP, it is blocked by default. Since the subnet NSG (the one with the default rules) is evaluated first, it blocks the inbound RDP connection.

References:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

   
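The evaluation order described in the explanation can be checked with a small model. This is an added example, not part of the original post: it simulates inbound NSG processing (subnet NSG first, then NIC NSG, lowest priority number wins) for the scenario's two NSGs. The rule name `Custom100` is hypothetical, and sources are matched as plain tag strings, which is a simplification. The third case goes beyond the question's proposed solution and is included only for contrast.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str      # "Any" or a service tag (simplified to string equality)
    protocol: str    # "TCP", "UDP" or "*"
    port: str        # destination port, or "*"
    action: str      # "Allow" or "Deny"

# Azure's default inbound rules, present in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Any", "*", "*", "Deny"),
]

def first_match(nsg, source, protocol, port):
    """Return the matching rule with the lowest priority number."""
    for rule in sorted(nsg, key=lambda r: r.priority):
        if (rule.source in ("Any", source)
                and rule.protocol in ("*", protocol)
                and rule.port in ("*", port)):
            return rule
    raise ValueError("no matching rule")  # unreachable while DenyAllInBound exists

def inbound(subnet_nsg, nic_nsg, source, protocol, port):
    """Subnet NSG is evaluated first; the NIC NSG only sees what it allowed."""
    for label, nsg in (("NSG-Subnet1", subnet_nsg), ("NSG-VM1", nic_nsg)):
        rule = first_match(nsg, source, protocol, port)
        if rule.action == "Deny":
            return False, f"{label}/{rule.name}"
    return True, f"NSG-VM1/{rule.name}"

RDP = ("Internet", "TCP", "3389")  # constructed packet: RDP from the internet
original = Rule("Custom100", 100, "Any", "UDP", "3389", "Allow")       # hypothetical name
proposed = Rule("Custom100", 100, "Internet", "TCP", "3389", "Allow")  # hypothetical name

def scenarios():
    return {
        "as given": inbound(DEFAULT_INBOUND, DEFAULT_INBOUND + [original], *RDP),
        "proposed solution": inbound(DEFAULT_INBOUND, DEFAULT_INBOUND + [proposed], *RDP),
        # Contrast case (not one of the page's solutions): rule on both NSGs.
        "rule on both NSGs": inbound(DEFAULT_INBOUND + [proposed],
                                     DEFAULT_INBOUND + [proposed], *RDP),
    }

if __name__ == "__main__":
    for name, (allowed, decided_by) in scenarios().items():
        print(f"{name:18} allowed={allowed!s:5} decided by {decided_by}")
```

In the first two cases the deciding rule is `DenyAllInBound` on NSG-Subnet1, so the packet never reaches NSG-VM1, which matches the suggested answer B.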