Secure Networking for Microsoft Azure Security Technologies
This page covers the Secure Networking domain of the Microsoft Azure Security Technologies certification. Master Cybersecurity offers 81 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
HOTSPOT - You implement the planned changes for ASG1 and ASG2. In which NSGs can you use ASG1, and the network interfaces of which virtual machines can you assign to ASG2? Hot Area:
Question 2
HOTSPOT - You are evaluating the security of the network communication between the virtual machines in Sub2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Explanation
Box 1: Yes. All traffic is allowed out to the Internet so you can ping the public IP. NSG1, NSG2, NSG3, and NSG4 have the outbound security rules shown in the following table.
Box 2: Yes. VM3 is on Subnet12. There is no NSG attached to Subnet12 so the traffic will be allowed by default.
Box 3: No (because VM5 is in a separate VNet). Note: Sub2 contains the virtual machines shown in the following table.
Question 3
HOTSPOT - You are evaluating the effect of the application security groups on the network communication between the virtual machines in Sub2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Explanation
Box 1: No. VM4 is in Subnet13 which has NSG3 attached to it. VM1 is in ASG1. NSG3 would only allow ICMP pings from ASG2 but not ASG1. Only TCP traffic is allowed from ASG1. NSG3 has the inbound security rules shown in the following table.
Box 2: Yes. VM2 is in ASG2. Any protocol is allowed from ASG2 so ICMP ping would be allowed.
Box 3: VM1 is in ASG1. TCP traffic is allowed from ASG1 so VM1 could connect to the web server as connections to the web server would be on ports TCP 80 or TCP 443.
Question 4
You need to meet the technical requirements for VNetwork1. What should you do first?
- A. Create a new subnet on VNetwork1.
- B. Remove the NSGs from Subnet11 and Subnet13.
- C. Associate an NSG to Subnet12.
- D. Configure DDoS protection for VNetwork1.
Explanation
The correct answer is: A. Create a new subnet on VNetwork1.
Creating a new subnet on VNetwork1 is the first step toward deploying Azure Firewall because the firewall has a non-negotiable subnet requirement: it must live in a subnet that is named exactly AzureFirewallSubnet, with a CIDR of /26 or larger, and that subnet must exist before you can place the firewall resource. Without this subnet, the firewall deployment refuses to start, regardless of any other VNet configuration. Removing NSGs from existing subnets, associating an NSG with another subnet, or enabling DDoS protection are downstream concerns that may or may not be relevant, but none of them addresses the prerequisite that a dedicated subnet exist for the firewall first. Creating the subnet is the gating action that unblocks the rest of the configuration sequence.
Question 5
HOTSPOT - You are evaluating the security of VM1, VM2, and VM3 in Sub2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Explanation
VM1: Yes. NSG2 applies to VM1 and this allows inbound traffic on port 80.
VM2: No. NSG2 and NSG1 apply to VM2. NSG2 allows the inbound traffic on port 80 but NSG1 does not allow it.
VM3: Yes. There are no NSGs applying to VM3 so all ports will be open.
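The evaluation logic behind the explanations for Questions 3 and 5, as an added Python example that is not part of the original page: within one NSG the matching rule with the lowest priority number decides, and inbound traffic must be allowed by every NSG that applies to the VM. The rule tables are not reproduced on this page, so the rule sets, priorities and the `Rule` model below are constructed to match the explanations, and Azure's default rules are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    source: str     # an ASG name, or "*" for any source
    protocol: str   # "Tcp", "Icmp" or "*"
    ports: tuple    # destination ports; empty tuple means any port
    allow: bool

def nsg_allows(rules, src_asgs, protocol, port=None):
    """First matching rule in priority order decides; no match is a deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.source != "*" and r.source not in src_asgs:
            continue
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if r.ports and port not in r.ports:
            continue
        return r.allow
    return False

def inbound_allowed(subnet_nsg, nic_nsg, src_asgs, protocol, port=None):
    """A level set to None has no NSG associated and does not filter."""
    return all(nsg_allows(n, src_asgs, protocol, port)
               for n in (subnet_nsg, nic_nsg) if n is not None)

# Constructed rule sets (assumptions), consistent with the explanations above.
NSG3 = [
    Rule(100, "ASG1", "Tcp", (), True),    # only TCP is allowed from ASG1
    Rule(110, "ASG2", "*", (), True),      # any protocol is allowed from ASG2
    Rule(4000, "*", "*", (), False),       # explicit deny for everything else
]
ALLOWS_80 = [Rule(100, "*", "Tcp", (80,), True)]   # stands in for NSG2
BLOCKS_80 = [Rule(4000, "*", "*", (), False)]      # stands in for NSG1

def question3():
    # VM1 (ASG1) ping, VM2 (ASG2) ping, VM1 (ASG1) to the web server on TCP 80
    return (inbound_allowed(NSG3, None, {"ASG1"}, "Icmp"),
            inbound_allowed(NSG3, None, {"ASG2"}, "Icmp"),
            inbound_allowed(NSG3, None, {"ASG1"}, "Tcp", 80))

def question5():
    # VM1: one NSG allowing 80; VM2: two NSGs, one blocks; VM3: no NSG at all
    return (inbound_allowed(None, ALLOWS_80, set(), "Tcp", 80),
            inbound_allowed(BLOCKS_80, ALLOWS_80, set(), "Tcp", 80),
            inbound_allowed(None, None, set(), "Tcp", 80))
```

Which of the two NSGs on VM2 sits at the subnet and which at the network interface does not change the result, because both must allow the flow.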