Learn which Azure Function app’s outbound traffic is controlled by the network security group NSG1 based on the app’s hosting plan and virtual network integration.
Table of Contents
Question
You have an Azure subscription. The subscription contains a virtual network named VNet1 that contains the subnets shown in the following table.
| Name | Associated network security goup (NSG) |
|---|---|
| Subnet1 | NSG1 |
| Subnet2 | NSG1 |
| Subnet3 | NSG1 |
| Subnet4 | NSG1 |
The subscription contains the function apps shown in the following table.
| Name | Description |
|---|---|
| App1 | Uses the Azure Functions Premuim plan and has virtual network integration with VNet1/Subnet1 |
| App2 | Uses an App Service plan in the Basic pricing tier and has virtual network integration with VNet1/Subnet2 |
| App3 | Uses an App Service plan in the Premium pricing tier and has virtual network integration with VNet1/Subnet3 |
| App4 | Uses an App Service plan in the issolated pricing tier and is deployed to VNet1/Subnet4 |
The outbound traffic of which app is controlled by using NSG1?
A. App4 only
B. App3 and App4 only
C. App2, App3, and App4 only
D. App1, App2, App3, and App4
Answer
A. App4 only
Explanation
Network security groups (NSGs) control inbound and outbound traffic for Azure resources deployed in a virtual network. However, the applicability of NSGs to Azure Function apps depends on their hosting plan and virtual network integration setup.
- App1 uses the Azure Functions Premium plan. When using the Premium plan, the function app runs in a dedicated environment and can be integrated with a virtual network. However, in this case, NSG1 does not control App1’s outbound traffic because Azure Functions Premium has direct outbound connectivity and bypasses NSGs.
- App2 uses the Basic App Service plan. Basic plans do not support full virtual network integration. Instead, they use a feature called VNet Integration which routes outbound traffic through an Azure Virtual Network. However, this outbound traffic is not subject to NSG rules.
- App3 uses the Premium App Service plan. Like the Basic plan, the Premium plan uses VNet Integration for outbound traffic, which is not controlled by NSGs.
- App4 uses the Isolated App Service plan and is deployed directly into VNet1/Subnet4. In the Isolated tier, the function app runs in a dedicated Azure App Service Environment (ASE) which allows full virtual network integration. In this case, since the app is deployed directly into the virtual network, its outbound traffic is controlled by the associated NSG, which is NSG1.
Therefore, only App4’s outbound traffic is controlled by using NSG1.
Microsoft AZ-500 certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the Microsoft AZ-500 exam and earn Microsoft AZ-500 certification.