AZ-700 Question #258: Real Exam Question with Answer & Explanation
The correct answer is B: On FW1, create an outbound network rule that allows traffic to the Azure Key Management. The virtual machines in Subnet1 are unable to activate because the Azure Firewall, which intercepts all outbound internet traffic, is blocking the necessary communication.
Question
You have an Azure subscription that contains the following resources:
- A virtual network named Vnet1
- Two subnets named Subnet1 and AzureFirewallSubnet
- A public Azure Firewall named FW1
- A route table named RT1 that is associated to Subnet1
- A route in RT1 that routes 0.0.0.0/0 to FW1

After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machine operating systems were activated. You need to ensure that the virtual machines can be activated. What should you do?
Options
- A. On FW1, create an outbound service tag rule for AzureCloud.
- B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management
- C. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.
- D. Deploy an application security group that allows outbound traffic to 1688.
Explanation
The virtual machines in Subnet1 are unable to activate because the Azure Firewall, which intercepts all outbound internet traffic, is blocking the necessary communication.
Common mistakes.
- A. An outbound service tag rule for AzureCloud is too broad and does not specifically address the port 1688 requirement for KMS activation through the firewall.
- C. While port 1688 is correct for KMS, an NSG on Subnet1 would not be effective because the traffic is already being routed to FW1 by the UDR (0.0.0.0/0), making the firewall the blocking point.
- D. An application security group (ASG) helps group VMs for NSG rules, but it does not directly configure outbound access through an Azure Firewall; ASGs work with NSGs, and the firewall is the primary block.
Concept tested. Azure Firewall outbound rules for Windows activation
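One way to apply the correct answer with Az PowerShell, scoped to Subnet1 and TCP port 1688 only, followed by a connectivity check from a VM. This is an added example, not part of the original question. It assumes FW1 uses classic rules rather than a Firewall Policy; the resource group name, the Subnet1 prefix, the rule and collection names, the priority and the KMS addresses are assumptions or placeholders.

```powershell
# Added example: classic (non-policy) rules on FW1.
# Values marked "assumed" or "placeholder" are not from the page.
$ResourceGroup = 'rg-network'      # assumed resource group name
$Subnet1Prefix = '10.0.1.0/24'     # assumed address prefix of Subnet1
# Placeholders: take the KMS endpoint addresses from Microsoft's current documentation.
$KmsAddresses  = @('<KMS-IP-1>', '<KMS-IP-2>')

$fw = Get-AzFirewall -Name 'FW1' -ResourceGroupName $ResourceGroup

# Keep the rule narrow: one source subnet, one protocol, one destination port.
$kmsRule = New-AzFirewallNetworkRule -Name 'Allow-KMS-1688' `
    -Protocol TCP `
    -SourceAddress $Subnet1Prefix `
    -DestinationAddress $KmsAddresses `
    -DestinationPort 1688

# Priority 200 is an assumed value; pick one that fits the existing collections.
$collection = New-AzFirewallNetworkRuleCollection -Name 'Allow-Windows-Activation' `
    -Priority 200 -Rule $kmsRule -ActionType 'Allow'

$fw.NetworkRuleCollections.Add($collection)
Set-AzFirewall -AzureFirewall $fw

# Separate step, run on a VM in Subnet1 (define $KmsAddresses there as well):
# confirms that TCP 1688 now passes along the 0.0.0.0/0 route through FW1.
$check = Test-NetConnection -ComputerName $KmsAddresses[0] -Port 1688
if (-not $check.TcpTestSucceeded) {
    Write-Warning 'TCP 1688 is still blocked on the path through FW1.'
}
```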