NSG rules (inbound, outbound) in Azure - Practice Problems & Coding Challenges

Challenge - 5 Problems
service_behavior
intermediate
Understanding NSG Inbound Rule Priority

You have an Azure Network Security Group (NSG) with two inbound rules:

  • Rule 100: Allow TCP port 80 from any source
  • Rule 200: Deny all inbound traffic

What will happen to an inbound TCP request on port 80?

A. The request is denied because rule 200 has a higher priority number than rule 100.
B. The request is denied because deny all overrides allow rules regardless of priority.
C. The request is allowed because rule 100 permits TCP port 80 before the deny all rule.
D. The request is allowed only if it comes from a specific IP range.
💡 Hint

Remember that NSG rules are processed in order of priority, from lowest number to highest.

Configuration
intermediate
Outbound NSG Rule Effect on Internet Access

You configure an NSG with the following outbound rules:

  • Rule 100: Deny outbound traffic to internet IP ranges
  • Rule 200: Allow outbound traffic to all destinations

What will be the effect on outbound internet access?

A. Outbound internet traffic is denied because rule 100 blocks it before rule 200 allows all traffic.
B. Outbound internet traffic is allowed because rule 200 allows all traffic regardless of rule 100.
C. Outbound internet traffic is denied only if the source IP is in a specific subnet.
D. Outbound internet traffic is allowed only during business hours.
💡 Hint

Consider how NSG rules are processed by priority and the effect of deny rules.

security
advanced
Impact of Overlapping NSG Rules on Security

An NSG has these inbound rules:

  • Rule 100: Allow TCP port 22 from IP range 10.0.0.0/24
  • Rule 150: Deny TCP port 22 from IP range 10.0.0.0/16

What is the effective behavior for a connection attempt on TCP port 22 from IP 10.0.1.5?

A. The connection is allowed because rule 100 allows 10.0.0.0/24 which includes 10.0.1.5.
B. The connection is denied because 10.0.1.5 is in 10.0.0.0/16 and rule 150 denies it before rule 100 allows a smaller range.
C. The connection is allowed because deny rules are ignored if an allow rule exists.
D. The connection is denied only if it comes from outside 10.0.0.0/24.
💡 Hint

Check which rule has higher priority and if the IP matches the CIDR ranges.
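
The first-match evaluation these priority questions rely on, as an added Python sketch (not code from this page or from Azure). `Rule`, `evaluate`, `covers` and `shadowed` are hypothetical names; the model matches only protocol, one destination port and a source prefix, and of Azure's default inbound rules it includes only DenyAllInBound (AllowVnetInBound and AllowAzureLoadBalancerInBound are omitted).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str            # "Allow" or "Deny"
    protocol: str          # "TCP", "UDP" or "*"
    port: Optional[int]    # None means any port
    source: str            # CIDR prefix or "*"

# Inbound rules from the question above, deliberately listed out of order.
RULES = [
    Rule(150, "Deny", "TCP", 22, "10.0.0.0/16"),
    Rule(100, "Allow", "TCP", 22, "10.0.0.0/24"),
]
# Azure's built-in DenyAllInBound default rule (priority 65500).
DEFAULT_DENY = Rule(65500, "Deny", "*", None, "*")

def matches(rule, protocol, port, src_ip):
    if rule.protocol not in ("*", protocol):
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.source == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)

def evaluate(rules, protocol, port, src_ip):
    """Return (action, priority) of the first matching rule, lowest number first."""
    for rule in sorted([*rules, DEFAULT_DENY], key=lambda r: r.priority):
        if matches(rule, protocol, port, src_ip):
            return rule.action, rule.priority

def covers(a, b):
    """True if every packet matched by b is also matched by a."""
    if a.protocol not in ("*", b.protocol) or (a.port is not None and a.port != b.port):
        return False
    if "*" in (a.source, b.source):
        return a.source == "*"
    return ipaddress.ip_network(b.source).subnet_of(ipaddress.ip_network(a.source))

def shadowed(rules):
    """Return (dead, winner) priority pairs for rules that can never be the first match."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [(low.priority, high.priority)
            for i, low in enumerate(ordered)
            for high in ordered[:i] if covers(high, low)]
```

Running `shadowed` over a rule set before deployment flags the ordering mistake where a broad rule at a lower priority number makes a narrower exception unreachable.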

Architecture
advanced
Designing NSG Rules for Multi-Tier Application

You have a three-tier application with web, app, and database subnets. You want to allow inbound HTTP traffic only to the web subnet, allow app subnet to communicate with database subnet on port 1433, and block all other traffic.

Which NSG rule set correctly implements this?

A. Web subnet NSG: Allow inbound TCP 80 from internet; App subnet NSG: Allow inbound TCP 1433 from app subnet; Database subnet NSG: Allow inbound TCP 1433 from app subnet; All NSGs: Deny all other traffic.
B. Web subnet NSG: Allow inbound TCP 80 from internet; App subnet NSG: Allow inbound TCP 1433 from app subnet; Database subnet NSG: Allow inbound TCP 1433 from app subnet; All NSGs: Deny all other traffic.
C. Web subnet NSG: Allow inbound TCP 80 from internet; App subnet NSG: Allow inbound TCP 1433 from web subnet; Database subnet NSG: Allow inbound TCP 1433 from app subnet; All NSGs: Deny all other traffic.
D. Web subnet NSG: Allow inbound TCP 80 from internet; App subnet NSG: Allow inbound TCP 1433 from web subnet; Database subnet NSG: Allow inbound TCP 1433 from app subnet; All NSGs: Allow all outbound traffic.
💡 Hint

Think about which subnet needs access to which ports and from where.

Best Practice
expert
Optimizing NSG Rules for Performance and Security

You manage an NSG with many rules. You notice latency in rule processing and want to optimize.

Which practice will best improve NSG performance and maintain security?

A. Remove all deny rules and rely on default deny behavior to reduce rule count.
B. Add more rules with specific IP addresses to increase granularity and security.
C. Place deny rules at the lowest priority numbers to ensure they are evaluated last.
D. Consolidate rules by combining CIDR ranges where possible and order rules by priority with most used rules first.
💡 Hint

Think about how rule evaluation order and rule count affect performance.