
Microsoft AZ-700 Exam - Topic 3 Question 62 Discussion

Actual exam question for Microsoft's AZ-700 exam
Question #: 62
Topic #: 3

You have an Azure virtual network named Vnet1.

You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region. The virtual machines must be prevented from accessing any Azure Storage resources.

Which two outbound network security group (NSG) rules should you create? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Suggested Answer: A

Here are the steps and explanations for creating the object that will provide the IP addressing configuration of the on-premises network to the Site-to-Site VPN:

The object that you need to create is called a local network gateway. A local network gateway represents your on-premises network and VPN device in Azure. It contains the public IP address of your VPN device and the address prefixes of your on-premises network that you want to connect to the Azure virtual network [1].

To create a local network gateway, you need to go to the Azure portal and select Create a resource. Search for local network gateway, select Local network gateway, then select Create [2].

On the Create local network gateway page, enter or select the following information and accept the defaults for the remaining settings:

Name: Type a unique name for your local network gateway.

IP address: Type the public IP address of your VPN device, which is 131.107.50.60 in this case.

Address space: Type the internal address range of your on-premises network, which is 10.10.0.0/16 in this case.

Subscription: Select your subscription name.

Resource group: Select your resource group name.

Location: Select the same region as your virtual network.

Select Review + create and then select Create to create your local network gateway [2].


Lelia
3 months ago
A deny rule for 168.63.129.0/24 seems unnecessary to me.
upvoted 0 times
...
Mila
3 months ago
Sounds right, but isn't there a risk of blocking other services?
upvoted 0 times
...
Tawna
3 months ago
Wait, can we really block all Storage access like that?
upvoted 0 times
...
Crista
4 months ago
I think a deny rule for Storage is a must too.
upvoted 0 times
...
Glendora
4 months ago
Definitely need an allow rule for SQL in East US!
upvoted 0 times
...
Bernardo
4 months ago
I’m a bit confused about the IP ranges. I thought the deny rule should target the storage IPs directly, so maybe option C is worth considering too.
upvoted 0 times
...
Ivette
4 months ago
This question seems familiar; I think we practiced something similar where we had to restrict access. I wonder if option B is the right deny rule?
upvoted 0 times
...
Svetlana
4 months ago
I'm not entirely sure, but I feel like we should definitely have a deny rule for storage access. Maybe option D?
upvoted 0 times
...
Dolores
5 months ago
I remember that we need to allow traffic specifically to the SQL resources, so I think option A might be correct.
upvoted 0 times
...
Rasheeda
5 months ago
Alright, I think I've got it. The two rules we need are: 1) an allow rule with the IP range of Vnet1 as the source and destination of Sql.EastUS, and 2) a deny rule with a source of VirtualNetwork and a destination of Storage.
upvoted 0 times
...
Nettie
5 months ago
I've got an idea - we can create an allow rule for the Azure SQL resources in East US, and then a deny rule for the entire VirtualNetwork destination to block access to Azure Storage. That should do the trick.
upvoted 0 times
...
Daron
5 months ago
Okay, let's see. We need to allow access to Azure SQL resources in the East US region, but block access to Azure Storage. I think the key is to create a deny rule for the Azure Storage destination.
upvoted 0 times
...
Rolande
5 months ago
Hmm, this looks like a tricky one. I'll need to carefully read through the requirements and think about the best way to restrict access while still allowing the necessary connections.
upvoted 0 times
...
Winfred
5 months ago
I'm a bit confused on the specifics here. Do we need to create multiple rules, or just one? And what should the source and destination be for the allow rule?
upvoted 0 times
...
Glory
5 months ago
Okay, I think I've got a handle on this. The key is to find a way to disable the geolocation tracking for contractors specifically, without affecting the full-time employees.
upvoted 0 times
...
Viola
5 months ago
I feel unsure about the specifics, but I think not including the instance type in the request could definitely lead to a failure.
upvoted 0 times
...
Karon
10 months ago
Alright, let's do this! Time to put on my network security wizard hat and nail this question.
upvoted 0 times
Raina
9 months ago
C) a deny rule that has a source of VirtualNetwork and a destination of 168.63.129.0/24
upvoted 0 times
...
Arlean
9 months ago
B) a deny rule that has a source of VirtualNetwork and a destination of Sql
upvoted 0 times
...
Edelmira
9 months ago
A) an allow rule that has the IP address range of Vnet1 as the source and destination of Sql.EastUS
upvoted 0 times
...
...
Reta
10 months ago
Haha, I bet the correct answer involves a lot of trial and error. Just like my last IT job, always guessing which firewall rules to set up!
upvoted 0 times
...
Dean
10 months ago
I'm not sure about option B. Why would I need to deny access to 168.63.129.0/24? That seems like an odd choice.
upvoted 0 times
Jesusita
9 months ago
User1: So, we need both options B and C to achieve the desired outcome.
upvoted 0 times
...
Shawnna
9 months ago
User3: Option B is to prevent access to Azure SQL resources, while option C is to block access to a specific IP range.
upvoted 0 times
...
Noah
10 months ago
User2: I think option C is to deny access to Azure Storage resources specifically.
upvoted 0 times
...
Sue
10 months ago
User1: Option B is to deny access from the virtual network to the Azure SQL resources.
upvoted 0 times
...
...
Carma
11 months ago
But we also need to allow access to Azure SQL resources in the East US region. So, we should create an allow rule for that.
upvoted 0 times
...
Princess
11 months ago
I agree with Salome. We need to prevent the virtual machines from accessing Azure Storage.
upvoted 0 times
...
Tijuana
11 months ago
A and D seem like the obvious choices here. I need to allow access to the East US SQL resources and deny access to all Azure Storage resources.
upvoted 0 times
Pauline
9 months ago
That way we can prevent access to any Azure Storage resources.
upvoted 0 times
...
Kimbery
10 months ago
We also need to create a deny rule for the IP address range of Vnet1 to Storage.
upvoted 0 times
...
Regenia
10 months ago
Agreed, that will allow access to the East US SQL resources.
upvoted 0 times
...
Antonio
10 months ago
I think we should create an allow rule for the IP address range of Vnet1 to Sql.EastUS
upvoted 0 times
...
...
Salome
11 months ago
I think we should create a deny rule for Azure Storage resources.
upvoted 0 times
...
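
The rule pair most of the thread converges on (allow to Sql.EastUS, deny to Storage), evaluated in priority order against the default outbound rules every NSG carries. This is an added example, not part of the original question or any post; the tag prefixes are constructed documentation ranges, and the custom rule names, priorities 100/110 and Vnet1's address space are assumptions. Source matching is not modelled (all traffic is taken to originate in Vnet1).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample prefixes standing in for Azure service tags
# (documentation ranges, not real Azure address space).
TAGS = {
    "Sql.EastUS": ["198.51.100.0/25"],
    "Sql": ["198.51.100.0/24"],         # global tag contains the regional one
    "Storage": ["203.0.113.0/24"],
    "VirtualNetwork": ["10.0.0.0/16"],  # assumed address space of Vnet1
    "Internet": ["0.0.0.0/0"],          # simplified: everything public
}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    action: str       # "Allow" or "Deny"
    destination: str  # service tag name, or "*" for any

# Default outbound rules present in every NSG.
DEFAULTS = [
    Rule(65000, "AllowVnetOutBound", "Allow", "VirtualNetwork"),
    Rule(65001, "AllowInternetOutBound", "Allow", "Internet"),
    Rule(65500, "DenyAllOutBound", "Deny", "*"),
]

# The two custom rules discussed in the thread (names and priorities assumed).
CUSTOM = [
    Rule(100, "AllowSqlEastUS", "Allow", "Sql.EastUS"),
    Rule(110, "DenyStorage", "Deny", "Storage"),
]

def matches(rule, dest_ip):
    if rule.destination == "*":
        return True
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in ipaddress.ip_network(p) for p in TAGS[rule.destination])

def evaluate(rules, dest_ip):
    """Return (action, rule name) of the first match, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, dest_ip):
            return rule.action, rule.name
    return "Deny", "implicit"

if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.200", "203.0.113.5"):
        print(ip, evaluate(DEFAULTS, ip), evaluate(CUSTOM + DEFAULTS, ip))
```

With only the defaults, the Storage address is allowed by AllowInternetOutBound, which is why the explicit deny is needed. In this model a SQL address outside Sql.EastUS still falls through to that same default allow.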
