Your company is migrating several sites to Azure. You’re responsible for implementing network security groups and designing effective security rules to control network traffic. You need to ensure that virtual machine networking and Azure services networking are both secure.
The infrastructure team has two network security group security rules for inbound traffic to the back-end web servers. There’s an allow rule with a priority of 200, and a deny rule with a priority of 150.
The IT team wants to apply new and pre-existing Azure service tags for the virtual machine IP addresses.
You’re exploring how to use default rules to apply security to inbound traffic from virtual machines within your virtual network.
Question 1
Which of the security rules defined by the infrastructure team takes precedence?
A. The allow rule takes precedence.
B. The deny rule takes precedence.
C. The rule that was created first takes precedence.
Answer
B. The deny rule takes precedence.
Explanation
The deny rule takes precedence. Rules are processed in priority order, lowest number first, so the deny rule with priority 150 is processed before the allow rule with priority 200.
A and C are incorrect. Rules are processed according to the specified priority.
Question 2
How would you define a default inbound security rule?
A. Allow inbound coming from a virtual machine in another virtual network.
B. Allow traffic from any external source to any of the virtual machines.
C. Allow inbound coming from any virtual machine to any other virtual machine within the virtual network.
Answer
C. Allow inbound coming from any virtual machine to any other virtual machine within the virtual network.
Explanation
By default, inbound security rules allow traffic from any virtual machine to any other virtual machine within the virtual network.
A and B are incorrect. Neither of these rules is a default inbound security rule.
Question 3
What’s a valid service tag for network security group rules?
A. Virtual Network
B. VPN Gateway
C. Database
Answer
A. Virtual Network
Explanation
Correct. Virtual Network is a valid service tag. Service tags represent a group of IP addresses. Other service tags are Internet, SQL, Storage, AzureLoadBalancer, and AzureTrafficManager.
B is incorrect. VPN Gateway isn’t a valid service tag.
C is incorrect. Database isn’t a valid service tag.