
AZ-700 Question #332: Real Exam Question with Answer & Explanation

The correct answer is D: an outbound rule that blocks traffic to a service tag.

Submitted by amina.ke · Apr 18, 2026

Question

You have an Azure subscription that contains a virtual machine named VM1 and a network security group (NSG) named NSG1. NSG1 has the default rules configured. VM1 runs Windows Server 2022 and contains a single NIC named NIC1. NIC1 is associated with NSG1. You need to prevent access to the Azure Instance Metadata Service (IMDS) REST API on VM1. The solution must minimize administrative effort. What should you add to NSG1?

Options

  • A. an outbound rule that blocks traffic to an IP address.
  • B. an inbound rule that blocks traffic to an IP address.
  • C. an inbound and outbound rule that blocks traffic to an application security group.
  • D. an outbound rule that blocks traffic to a service tag.

Explanation

The Azure Instance Metadata Service (IMDS) is reachable at the link-local address 169.254.169.254. To block a VM from reaching it, you need an outbound NSG rule (IMDS traffic originates from the VM). Using a service tag (rather than a hard-coded IP address) minimizes administrative effort because service tags are managed by Microsoft and automatically kept up to date. An inbound rule would not help since the VM initiates the connection to IMDS, not the other way around. An application security group is unnecessary here and adds complexity.
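
One way to check a deployed NSG for the rule described above, as an added example that is not part of the original page: the script walks the custom rules in priority order and reports the first outbound rule that names the IMDS service tag. It assumes the tag name AzurePlatformIMDS, JSON in the shape of `az network nsg show` output, and that only rules naming the tag explicitly decide IMDS traffic; the sample rules are constructed.

```python
IMDS_TAG = "AzurePlatformIMDS"  # service tag name (assumption: not given on the page)
IMDS_PORT = 80  # IMDS is plain HTTP on 169.254.169.254


def values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule property."""
    merged = list(rule.get(plural) or [])
    if rule.get(single):
        merged.append(rule[single])
    return merged


def covers_port(spec, port):
    """True if a port spec such as '*', '80' or '0-1024' includes port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def imds_decision(nsg):
    """Return (access, rule name) of the first outbound rule that names the
    IMDS service tag and covers TCP/80, or (None, None) if no rule does."""
    # Lower priority number is evaluated first; the first match decides.
    for r in sorted(nsg.get("securityRules", []), key=lambda r: r["priority"]):
        if r["direction"].lower() != "outbound":
            continue  # IMDS requests leave the VM, so inbound rules never apply
        dests = values(r, "destinationAddressPrefix", "destinationAddressPrefixes")
        ports = values(r, "destinationPortRange", "destinationPortRanges")
        if (IMDS_TAG.lower() in (d.lower() for d in dests)
                and r["protocol"].lower() in ("*", "tcp")
                and any(covers_port(p, IMDS_PORT) for p in ports)):
            return r["access"], r["name"]
    return None, None


# Constructed sample in the shape of `az network nsg show` output.
NSG1 = {"name": "NSG1", "securityRules": [
    {"name": "DenyInboundToIp", "priority": 100, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "destinationPortRange": "*",
     "destinationAddressPrefix": "169.254.169.254"},
    {"name": "DenyImdsOutbound", "priority": 200, "direction": "Outbound",
     "access": "Deny", "protocol": "*", "destinationPortRange": "*",
     "destinationAddressPrefix": IMDS_TAG},
]}

if __name__ == "__main__":
    print(imds_decision(NSG1))
```

A result of `("Allow", ...)` means a lower-numbered allow rule shadows the deny, and `(None, None)` means no outbound rule targets the tag at all.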
