nerdexam
Microsoft

AZ-400 · Question #121

SIMULATION You need to prepare a network security group (NSG) named az400-9940427-nsg1 to host an Azure DevOps pipeline agent. The solution must allow only the required outbound port for Azure DevOps

The correct answer configures an outbound security rule on the NSG to allow TCP port 8080, which is the default port Azure DevOps Server uses for communication. By adding only this specific outbound allow rule and relying on Azure NSG's default 'Deny All' rules for inbound and ou

Submitted by rania.sa· Mar 6, 2026Implement and Manage Continuous Integration / Configure Secure Access to Pipeline Resources - specifically understanding required network ports and NSG configuration to enable Azure DevOps self-hosted pipeline agents to communicate securely within Azure infrastructure.

Question

SIMULATION You need to prepare a network security group (NSG) named az400-9940427-nsg1 to host an Azure DevOps pipeline agent. The solution must allow only the required outbound port for Azure DevOps and deny all other inbound and outbound access to the Internet. To complete this task, sign in to the Microsoft Azure portal. Answer: 1. Open Microsoft Azure Portal and Log into your Azure account. 2. Select network security group (NSG) named az400-9940427-nsg1 3. Select Settings, Outbound security rules, and click Add 4. Click Advanced 5. Change the following settings: Destination Port range: 8080 Protocol. TCP Action: Allow Note: By default, Azure DevOps Server uses TCP Port 8080. References: https://robertsmit.wordpress.com/2017/09/11/step-by-step-azure-network-security-groups-nsg- security-center-azure-nsg-network/ https://docs.microsoft.com/en-us/azure/devops/server/architecture/required-ports?view=azure- devops

Explanation

The correct answer configures an outbound security rule on the NSG to allow TCP port 8080, which is the default port Azure DevOps Server uses for communication. By adding only this specific outbound allow rule and relying on Azure NSG's default 'Deny All' rules for inbound and outbound internet traffic (priority 65500 DenyAllInBound and 65001 DenyAllOutBound after default rules), the solution satisfies the requirement of allowing only the required Azure DevOps port while blocking all other internet access. The steps correctly navigate to Outbound security rules rather than inbound, since the pipeline agent needs to reach out to Azure DevOps services, not receive incoming connections.

Topics

#Network Security Groups (NSG)#Azure DevOps Pipeline Agent#Outbound Security Rules#Azure Networking

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice