Answers: No, Yes, Yes
In this question, we analyze Network Security Groups (NSGs) and their effect on connectivity between virtual machines (VMs) within a virtual network (VNet). Azure NSGs contain inbound and outbound security rules that are processed in priority order (from lowest number to highest), and the first matching rule determines the outcome. NSGs can be applied at both subnet and network interface (NIC) levels.
When an NSG is associated at both levels, both must allow the traffic — if either blocks it, the traffic is denied (Microsoft Azure documentation: “Network security groups – Azure Virtual Network”).
Given Configuration Summary

Subnets

| Name    | Subnet       | NSG  |
|---------|--------------|------|
| Subnet1 | 10.10.1.0/24 | NSG1 |
| Subnet2 | 10.10.2.0/24 | None |

VMs

| VM  | Subnet  | IP        | NSG  |
|-----|---------|-----------|------|
| VM1 | Subnet1 | 10.10.1.5 | NSG2 |
| VM2 | Subnet2 | 10.10.2.5 | None |
| VM3 | Subnet2 | 10.10.2.6 | None |
NSG Rules

NSG1 (applied at Subnet1):

| Priority | Source       | Destination  | Port     | Action |
|----------|--------------|--------------|----------|--------|
| 101      | 10.10.2.0/24 | 10.10.1.0/24 | TCP/1433 | Allow  |

NSG2 (applied at VM1 NIC):

| Priority | Source    | Destination | Port     | Action |
|----------|-----------|-------------|----------|--------|
| 125      | 10.10.2.5 | 10.10.1.5   | TCP/1433 | Block  |
Traffic Analysis
VM2 → VM1 (TCP 1433)
NSG1 (Subnet1) allows traffic from 10.10.2.0/24 to 10.10.1.0/24 on TCP/1433.
NSG2 (VM1 NIC) explicitly blocks traffic from 10.10.2.5 (VM2) to 10.10.1.5 on TCP/1433.
✅ Subnet-level allows, but NIC-level denies → Effective result: Denied
Answer: ❌ No
VM1 → VM2 (TCP 1433)
Outbound from VM1 → no outbound deny rule.
Inbound on VM2 → no NSG (thus allowed).
✅ No restriction applies → Traffic allowed
Answer: ✅ Yes
VM2 → VM3 (TCP 1433)
Both VMs are on Subnet2, which has no NSG applied.
No rule blocks communication within the subnet.
✅ All traffic allowed by default.
Answer: ✅ Yes
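As an added illustration (not part of the original answer), the following Python model applies the priority-ordered, first-match rule evaluation and the both-levels-must-allow combination to the three flows analysed above. It assumes a VNet address space of 10.10.0.0/16 for the AllowVnet default rules, which the page does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

VNET = "10.10.0.0/16"  # assumed VNet address space (not stated on the page)

@dataclass
class Rule:
    priority: int
    direction: str         # "Inbound" or "Outbound"
    src: str               # CIDR or host address
    dst: str
    port: Optional[int]    # destination TCP port; None = any port
    action: str            # "Allow" or "Deny" (the page writes "Block")

    def matches(self, direction, src_ip, dst_ip, port):
        return (self.direction == direction
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.port in (None, port))

# Azure default rules: AllowVnet{In,Out}Bound (65000), DenyAll{In,Out}Bound (65500).
DIRS = ("Inbound", "Outbound")
DEFAULTS = ([Rule(65000, d, VNET, VNET, None, "Allow") for d in DIRS]
            + [Rule(65500, d, "0.0.0.0/0", "0.0.0.0/0", None, "Deny") for d in DIRS])

def evaluate(nsg, direction, src_ip, dst_ip, port):
    """Lowest priority number first; the first matching rule decides. None = no NSG."""
    if nsg is None:
        return True
    for rule in sorted(nsg + DEFAULTS, key=lambda r: r.priority):
        if rule.matches(direction, src_ip, dst_ip, port):
            return rule.action == "Allow"
    return False  # not reached: a DenyAll default always matches

NSG1 = [Rule(101, "Inbound", "10.10.2.0/24", "10.10.1.0/24", 1433, "Allow")]
NSG2 = [Rule(125, "Inbound", "10.10.2.5", "10.10.1.5", 1433, "Deny")]
# VM -> (IP, subnet NSG, NIC NSG), as given on the page.
VMS = {"VM1": ("10.10.1.5", NSG1, NSG2),
       "VM2": ("10.10.2.5", None, None),
       "VM3": ("10.10.2.6", None, None)}

def can_connect(src_vm, dst_vm, port):
    """Outbound is checked NIC then subnet, inbound subnet then NIC; every NSG must allow."""
    src_ip, src_subnet, src_nic = VMS[src_vm]
    dst_ip, dst_subnet, dst_nic = VMS[dst_vm]
    checks = [("Outbound", src_nic), ("Outbound", src_subnet),
              ("Inbound", dst_subnet), ("Inbound", dst_nic)]
    return all(evaluate(nsg, d, src_ip, dst_ip, port) for d, nsg in checks)
```

Return traffic is not modelled because NSGs are stateful: once the connection is allowed, the reply is allowed without a separate rule.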
Final Verified Answers (as per Microsoft Azure Documentation):

| Statement                                          | Answer |
|----------------------------------------------------|--------|
| VM2 can connect to TCP port 1433 services on VM1   | ❌ No  |
| VM1 can connect to TCP port 1433 services on VM2   | ✅ Yes |
| VM2 can connect to TCP port 1433 services on VM3   | ✅ Yes |
Supporting Extract from Microsoft Azure Documentation:
“When multiple network security groups are associated, the network interface and subnet rules are combined using a deny-by-default model. For inbound traffic to be allowed, it must be permitted by both the subnet-level and network interface-level NSGs.”
“By default, virtual network traffic within the same subnet or between subnets in the same virtual network is allowed.”
(Source: Microsoft Learn — Azure Virtual Network NSG Concepts)