AZ-305 Question #107: Real Exam Question with Answer & Explanation

This question tests knowledge of Azure Bastion and its integration with Azure AD/MFA for secure remote management of virtual machines from the internet without exposing RDP/SSH ports publicly.

Submitted by devops_kid · Mar 6, 2026

Question

Hotspot Question

You have an Azure subscription that contains a virtual network named VNET1 and 10 virtual machines. The virtual machines are connected to VNET1.

You need to design a solution to manage the virtual machines from the internet. The solution must meet the following requirements:

- Incoming connections to the virtual machines must be authenticated by using Azure Multi-Factor Authentication (MFA) before network connectivity is allowed.
- Incoming connections must use TLS and connect to TCP port 443.
- The solution must support RDP and SSH.

What should you include in the solution? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation

Approach. The correct solution requires Azure Bastion as the service and an Azure Active Directory Conditional Access policy with MFA. Azure Bastion provides browser-based RDP and SSH connectivity over TLS on port 443, eliminating the need to expose port 3389 or 22 to the internet. To enforce MFA before network connectivity is established, you configure Azure AD Conditional Access with MFA, which authenticates users through the Azure portal before they can initiate a Bastion session. This combination satisfies all requirements: MFA pre-authentication, TLS on port 443, and support for both RDP and SSH protocols.

Concept tested. Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP/SSH connectivity to virtual machines directly through the Azure portal over TLS (port 443). When combined with Azure AD Conditional Access and MFA, it ensures that users are authenticated with MFA before any network-level connectivity to the VMs is allowed. This replaces the need for jump servers, VPNs, or exposing public IP addresses with open RDP/SSH ports, aligning with Zero Trust network principles.

Reference. https://docs.microsoft.com/en-us/azure/bastion/bastion-overview and https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
