AZ-801 · Question #197
AZ-801 Question #197: Real Exam Question with Answer & Explanation
This question tests understanding of Azure NSG default outbound security rules and how they govern VM-to-Internet connectivity. The key insight is that default NSG rules permit outbound Internet traffic from all associated VMs regardless of their listening ports.
Question
You have an Azure subscription that contains a network security group (NSG) named NSG1 and a virtual network named VNet1. NSG1 contains only default security rules. VNet1 contains the subnets shown in the following table.

| Subnet Name | IP address space |
|---|---|
| Subnet1 | 10.10.0.0/24 |
| Subnet2 | 172.16.0.0/24 |
| Subnet3 | 192.168.10.0/24 |

The subscription contains virtual machines that run Windows Server as shown in the following table.

| VM Name | Connected to | Listening ports | Associated NSG |
|---|---|---|---|
| VM1 | Subnet1 | 3389 | NSG1 |
| VM2 | Subnet2 | 3389 | NSG1 |
| VM3 | Subnet3 | 3389, 8080 | NSG1 |

Which virtual machine can communicate with a host on the Internet on TCP port 80? To answer, select the appropriate options in the answer area.
Explanation
Approach. All three VMs (VM1, VM2, and VM3) can communicate with a host on the Internet on TCP port 80. Azure NSGs include a built-in default outbound rule called 'AllowInternetOutBound' (priority 65001) that permits all outbound traffic from any VM to any Internet destination on any port. Because NSG1 contains only default rules, with no custom rule blocking outbound traffic, this rule applies without restriction to VM1, VM2, and VM3. The 'listening ports' column (3389, 8080) is a deliberate distractor: it describes the inbound ports on which the VMs accept connections, not a restriction on the outbound connections the VMs initiate.
Concept tested. Azure NSG default security rules - specifically the 'AllowInternetOutBound' default outbound rule that permits all associated VMs to initiate outbound TCP/UDP connections to the Internet on any port unless explicitly overridden by a higher-priority custom deny rule.
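The rule evaluation described above can be modelled offline. The following is an added example, not part of the original question or any Azure tooling: it evaluates the three default outbound rules in priority order for one host per subnet. The VM addresses, the Internet host 203.0.113.10, the custom rule DenyHttpOut, and the simplified reading of the Internet service tag as "any address outside VNet1" are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# VNet1 address space, taken from the question's subnet table.
VNET = [ipaddress.ip_network(n) for n in
        ("10.10.0.0/24", "172.16.0.0/24", "192.168.10.0/24")]

def in_tag(ip, tag):
    """Simplified service-tag match (assumption): Internet = outside VNet1."""
    addr = ipaddress.ip_address(ip)
    inside = any(addr in net for net in VNET)
    return {"*": True, "VirtualNetwork": inside, "Internet": not inside}[tag]

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    src: str
    dst: str
    port: str      # "*" or a single destination port as text
    access: str    # "Allow" or "Deny"

# The three default outbound rules; all of them match any protocol.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "*", "Internet", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "*", "*", "*", "Deny"),
]

def evaluate_outbound(rules, src_ip, dst_ip, dst_port):
    """First match wins, lowest priority number first: (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (in_tag(src_ip, r.src) and in_tag(dst_ip, r.dst)
                and r.port in ("*", str(dst_port))):
            return r.access, r.name
    return "Deny", None

# Constructed sample data: one address per subnet, documentation-range target.
VMS = {"VM1": "10.10.0.4", "VM2": "172.16.0.4", "VM3": "192.168.10.4"}
INTERNET_HOST = "203.0.113.10"

def check_all(rules, port=80):
    """Outbound verdict for every VM towards INTERNET_HOST on the given port."""
    return {vm: evaluate_outbound(rules, ip, INTERNET_HOST, port)
            for vm, ip in VMS.items()}

# Hypothetical custom rule: a lower priority number overrides the default allow.
CUSTOM_DENY = Rule("DenyHttpOut", 200, "*", "Internet", "80", "Deny")

if __name__ == "__main__":
    print(check_all(DEFAULT_OUTBOUND))
    print(check_all(DEFAULT_OUTBOUND + [CUSTOM_DENY]))
```

The listening ports never enter the evaluation, because outbound rules match on the destination port of the connection the VM initiates.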