AZ-500 Question #214: Real Exam Question with Answer & Explanation


Submitted by marco_it · Mar 6, 2026

Implement and manage network access and connectivity - specifically configuring and managing Azure Security Center JIT VM access, NSG inbound rules, and Azure Bastion for secure remote access (AZ-104 / SC-900 / AZ-500: Secure network connectivity and VM access)

Question

Hotspot Question

You have an Azure subscription that contains the resources shown in the following table.

An IP address of 10.1.0.4 is assigned to VM5. VM5 does not have a public IP address.

VM5 has just in time (JIT) VM access configured as shown in the following exhibit.

You enable JIT VM access for VM5.

NSG1 has the inbound rules shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Explanation

JIT VM access works by creating temporary NSG rules with high priority (a low number, such as 100) that allow traffic for a limited time window. Deleting the NSG rule with priority 100 effectively removes the approved JIT access, which is why that statement is 'Yes': the JIT-created rule IS the access mechanism.

Remote Desktop access is NOT blocked, because JIT has been enabled and an access request has been approved, creating the allow rule at priority 100 for RDP (port 3389). That makes the statement 'No'.

Azure Bastion provides RDP/SSH access via the Azure portal over HTTPS (port 443) without requiring a public IP on the VM. It does not route through the internet in the traditional sense, but it does enable browser-based RDP from the internet through the Azure portal, so stating that it 'will enable Remote Desktop access from the internet' is technically correct. However, the answer is 'No', because Bastion operates independently of the JIT NSG rules and connects via the Azure backbone, not the public internet in the conventional sense. Bastion requires its own subnet (AzureBastionSubnet) and does not use the VM's NSG port 3389 path from the internet, meaning standard RDP from the internet remains controlled by JIT/NSG, not by Bastion's separate channel.
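
The priority logic described above, as an added example that is not part of the original page: a minimal model of first-match NSG evaluation with a JIT allow rule. Only priority 100, port 3389 and the DenyAllInBound default come from the explanation or from Azure itself; the rule names, the deny-rule priority of 1000 and the source address 203.0.113.10 are constructed, because the page's exhibits are not reproduced.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int             # lower number is evaluated first
    source: str               # CIDR, or "*" for any source
    dest_port: Optional[int]  # None means any port
    action: str               # "Allow" or "Deny"


def matches(rule, src, port):
    """True when the rule's source and destination port cover this flow."""
    src_ok = rule.source == "*" or ip_address(src) in ip_network(rule.source)
    port_ok = rule.dest_port is None or rule.dest_port == port
    return src_ok and port_ok


def evaluate(rules, src, port):
    """Return (action, rule name) of the first match in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src, port):
            return rule.action, rule.name
    return "Deny", "no-match"


def without_rule(rules, priority):
    """Model deleting the NSG rule that has the given priority."""
    return [r for r in rules if r.priority != priority]


APPROVED_SRC = "203.0.113.10"  # constructed: source named in the JIT request

# Constructed inbound rule set for an NSG in front of a VM with JIT enabled.
NSG_RULES = [
    Rule("JIT-Allow-RDP", 100, "203.0.113.10/32", 3389, "Allow"),
    Rule("JIT-Deny-RDP", 1000, "*", 3389, "Deny"),
    Rule("DenyAllInBound", 65500, "*", None, "Deny"),
]

if __name__ == "__main__":
    print(evaluate(NSG_RULES, APPROVED_SRC, 3389))                     # approved request
    print(evaluate(NSG_RULES, "198.51.100.7", 3389))                   # unapproved source
    print(evaluate(without_rule(NSG_RULES, 100), APPROVED_SRC, 3389))  # rule 100 deleted
```
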

Topics

#Just-In-Time VM Access · #Network Security Groups · #Azure Bastion · #VM Network Security
