Review Mode Set 3- Question 15: AZ-104 – Implement and Manage Virtual Networking
-
I need to understand this question better. The TCP port 443 traffic between TD1 and TD2 is being denied when using Network Watcher. https://portal.tutorialsdojo.com/courses/az-104-microsoft-azure-administrator-practice-exams/lessons/practice-exams-review-mode-15/quizzes/review-mode-set-3-az-104-azure-administrator/
The solution does not provide adequate information for me to understand why the traffic is denied:
“The statement that says: Traffic to TD1 is restricted by TDNSG1 is incorrect. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Since priority 300 inbound security rule allows all TCP traffic from 10.0.1.0/24 to 10.0.2.0/24, the processing stops. As a result, any rules that exist with lower priorities (priority 310) are not processed. This means that TDNSG1 does not limit traffic to TD1. One of the reasons port 443 was unreachable from TD1 to TD2 is that TD1 is not configured to listen to port 443.”
-
Hello morgadob,
Thanks for reaching out to us.
It’s important to pay close attention to explicit details in the scenario. For example, the statement “TD2 allows ICMP in its inbound Windows firewall” is clearly mentioned, which helps explain why ICMP traffic succeeds. In contrast, there is no mention of port 443 being allowed or selected as one of the inbound ports in the scenario. Even if the NSG permits traffic, the Windows firewall or the application itself must also be configured to accept connections on that port.
If all configurations are correct and TDNSG1 is associated with TD2, TCP traffic should be allowed as per rule 300. The key takeaway is that NSG rules alone don’t guarantee connectivity; they simply permit it. The actual success of a connection also depends on the destination VM being ready to accept it.
This information was clearly stated in the given explanation: “One of the reasons port 443 was unreachable from TD1 to TD2 is that TD1 is not configured to listen to port 443.”
Hope this clears things up! Let us know if you need further assistance.
Best regards,
JR @ Tutorials Dojo
-
I was confused as well by this question. For the question “TDNSG1 is associated with the network interface of TD2.” I selected “No”, which it says is wrong. Are you saying that since the destination is 10.0.2.0/24, it is implied that the NSG is attached to TD2's NIC? Also (I know this may be a hard question to answer), should we expect questions on NSGs to incorporate the Windows firewall into the equation?
-
Hello Jason Brown,
The rules for the NSG specifically apply to TCP traffic and do not explicitly address ICMP. However, since the ICMP test is successful, this implies that the NSG does not block ICMP traffic. This behavior suggests that the NSG is enforced at the NIC level, where ICMP traffic is implicitly allowed because there are no deny rules for that protocol.
Take note that there are questions in the actual exam that are difficult, tricky, and ambiguous. You have to be prepared to look for specific keywords or key phrases in order to find the most suitable answer. This is the style that we are trying to mimic in our practice tests. Some of the questions do not explicitly show the obvious keywords or phrases that will easily point to the answer.
I hope this helps! Let us know if you need further assistance.
Regards,
JR @ Tutorials Dojo
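The two replies above make two separate points: NSG rules are evaluated strictly in ascending priority order and evaluation stops at the first match (so rule 300 shadows rule 310 for traffic from 10.0.1.0/24), and an NSG "Allow" only permits the packet to reach the NIC; the destination VM's Windows firewall and a listening process decide whether the connection succeeds. The following model, added here as an illustration and not part of the original thread or of any Tutorials Dojo material, encodes both layers so the TD1 -> TD2 cases can be worked through offline. The VM addresses (10.0.1.4 and 10.0.2.4), the VNet address space standing in for the VirtualNetwork service tag, the contents of rule 310 and TD2's open firewall ports are all assumptions; the page does not state them.

```python
"""Inbound NSG evaluation plus the destination host's own readiness.

Constructed model for the TD1 -> TD2 scenario; addresses, the body of rule
310 and the VNet address space are assumptions, not facts from the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VNET_SPACE = "10.0.0.0/16"   # assumed VNet range behind the VirtualNetwork tag


@dataclass(frozen=True)
class NsgRule:
    priority: int
    name: str
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR, "*" or a service tag
    destination: str
    dest_ports: str     # "*", "443", "80-443" or "22,443"
    access: str         # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None   # ICMP carries no port


# Azure's built-in inbound default rules: highest numbers, evaluated last.
DEFAULT_INBOUND = [
    NsgRule(65000, "AllowVnetInBound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    NsgRule(65001, "AllowAzureLoadBalancerInBound", "*", "AzureLoadBalancer", "*", "*", "Allow"),
    NsgRule(65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        spec = VNET_SPACE
    elif spec == "AzureLoadBalancer":
        spec = "168.63.129.16/32"   # the Azure load balancer probe source
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: Optional[int]) -> bool:
    if spec == "*":
        return True
    if port is None:
        return False
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _matches(rule: NsgRule, flow: Flow) -> bool:
    return (rule.protocol in ("*", flow.protocol)
            and _addr_match(rule.source, flow.src_ip)
            and _addr_match(rule.destination, flow.dst_ip)
            and _port_match(rule.dest_ports, flow.dst_port))


def evaluate(custom_rules: List[NsgRule], flow: Flow) -> Tuple[str, int]:
    """First match in ascending priority order wins; later rules are never consulted."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.access, rule.priority
    raise AssertionError("unreachable: DenyAllInBound matches everything")


@dataclass(frozen=True)
class HostState:
    """What the destination VM itself does, independently of the NSG."""
    firewall_allows_icmp: bool
    firewall_open_tcp_ports: frozenset
    listening_tcp_ports: frozenset


def check_path(custom_rules: List[NsgRule], flow: Flow, host: HostState) -> Tuple[str, int]:
    """Return (outcome, deciding NSG priority); the NSG is only the first gate."""
    access, prio = evaluate(custom_rules, flow)
    if access == "Deny":
        return "denied_by_nsg", prio
    if flow.protocol == "Icmp":
        return ("reachable" if host.firewall_allows_icmp else "host_firewall_blocks"), prio
    if flow.dst_port not in host.firewall_open_tcp_ports:
        return "host_firewall_blocks", prio
    if flow.dst_port not in host.listening_tcp_ports:
        return "no_listener", prio
    return "reachable", prio


# TDNSG1 as described: 300 allows all TCP from the TD1 subnet to the TD2 subnet.
# Rule 310's content is not on the page; an assumed subnet-wide deny of TCP/443
# shows that it is shadowed for 10.0.1.0/24 sources but still bites others.
TDNSG1 = [
    NsgRule(310, "Deny-443", "Tcp", "*", "10.0.2.0/24", "443", "Deny"),
    NsgRule(300, "Allow-TD1-subnet", "Tcp", "10.0.1.0/24", "10.0.2.0/24", "*", "Allow"),
]
TD1_IP, TD2_IP = "10.0.1.4", "10.0.2.4"   # assumed addresses

# TD2 allows ICMP in its Windows firewall (stated); 443 is neither opened nor served (assumed).
TD2 = HostState(True, frozenset(), frozenset())
# Variant with 443 opened in the firewall but still nothing listening (assumed).
TD2_FW_OPEN = HostState(True, frozenset({443}), frozenset())

if __name__ == "__main__":
    for label, flow in [("TD1->TD2 TCP/443", Flow("Tcp", TD1_IP, TD2_IP, 443)),
                        ("TD1->TD2 ICMP", Flow("Icmp", TD1_IP, TD2_IP)),
                        ("10.0.3.4->TD2 TCP/443", Flow("Tcp", "10.0.3.4", TD2_IP, 443))]:
        print(label, "nsg=", evaluate(TDNSG1, flow), "end-to-end=", check_path(TDNSG1, flow, TD2))
```

Running it shows ICMP from TD1 reaching TD2 through the default AllowVnetInBound rule (65000), since neither custom rule names ICMP and nothing denies it, while TCP/443 from TD1 is allowed by rule 300 and then fails on the host, which is the distinction the explanation draws. A source outside 10.0.1.0/24 hits the assumed rule 310 instead, which is how first-match priority ordering changes the verdict per source.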