AZ-700 Question #229: Real Exam Question with Answer & Explanation

Question

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a subnet named Subnet1. You deploy an instance of Azure Application Gateway v2 named AppGw1 to Subnet1. You create a network security group (NSG) named NSG1 and link NSG1 to Subnet1. You need to ensure that AppGw1 will only load balance traffic that originates from VNet1. The solution must minimize the impact on the functionality of AppGw1. What should you add to NSG1?

Options

• Aan outbound rule that has a priority of 4096 and blocks all internet traffic
• Ban inbound rule that has a priority of 4096 and blocks all internet traffic
• Can inbound rule that has a priority of 100 and blocks all internet traffic
• Dan outbound rule that has a priority 100 and blocks all internet traffic

Explanation

To restrict Azure Application Gateway v2 to only load balance traffic originating from VNet1, an inbound NSG rule with a low priority (high number) should be added to block all internet traffic.

Common mistakes.

• A. An outbound rule would control traffic leaving the Application Gateway, not traffic entering it from the internet.
• C. An inbound rule with priority 100 is a high priority (low number) and could inadvertently block essential Application Gateway management or health probe traffic, impacting its functionality.
• D. An outbound rule would control traffic leaving the Application Gateway, which is not the requirement for restricting inbound traffic origination.

Concept tested. Application Gateway VNet-only traffic restriction via NSG

Reference. https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-nsg-waf-policy

No community discussion yet for this question.