AZ-500 Question #50: Real Exam Question with Answer & Explanation

Question

Hotspot Question You have an Azure subscription named Sub1. You create a virtual network that contains one subnet. On the subnet, you provision the virtual machines shown in the following table. Currently, you have not provisioned any network security groups (NSGs). You need to implement network security to meet the following requirements: - Allow traffic to VM4 from VM3 only. - Allow traffic from the Internet to VM1 and VM2 only. - Minimize the number of NSGs and network security rules. How many NSGs and network security rules should you create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer:

Explanation

The optimal solution requires 2 NSGs: one applied to the subnet containing VM3 and VM4 (or just VM4's NIC) and one applied to the subnet or NICs for VM1 and VM2 to allow inbound Internet traffic. With 2 NSGs you need 3 rules total: (1) an inbound rule on the VM4 NSG allowing traffic from VM3 only, (2) an inbound rule on the VM1/VM2 NSG allowing traffic from the Internet, and (3) a deny rule to block other traffic - though Azure's default deny rules may reduce the need for explicit deny rules, making 3 custom rules sufficient to meet all requirements while minimizing rule count. By strategically placing NSGs at the subnet or NIC level and leveraging default deny behavior, you achieve all security requirements with the minimum number of NSGs and rules.

No community discussion yet for this question.