How well do you know Azure network security groups?

1. What is the purpose of a network security group?
   - To allow inbound traffic
   - To deny inbound traffic
   - To allow and deny inbound or outbound traffic

2. Review the attached screenshot and select the appropriate answer. Based on your understanding of NSGs, who created these inbound and outbound rules?
   - These are the default NSG security rules created by Azure at the time of NSG resource creation.
   - These are not default NSG security rules created by Azure at the time of NSG resource creation.
   - The network admin of the account created these NSG security rules.

3. In the given rule set, which rule will be applied first?
   - 65000
   - 65001
   - 65500

4. Your customer wants to delete the default rules. What will be the impact of deleting the default rules?
   - It's not possible to delete the default NSG rules.
   - It will affect the inbound and outbound traffic.
   - Azure will recreate the deleted security rules.

5. Your customers want to allow ICMP (east-west traffic only). Which option should they select to allow ICMP traffic (east-west)?
   - TCP
   - UDP
   - ANY

6. Your customer is hosting a number of Windows VMs and wants to ensure they are all licensed; for licensing, a request is sent to the Key Management Service host servers that handle such queries. Which port will be used for outbound traffic?
   - 1689
   - 1688
   - 1433

7. Which default rule is responsible for allowing ICMP traffic to flow through the VNet?
   - AllowVnetInBound
   - AllowVnetInBound and AllowVnetOutBound
   - AllowVnetOutBound

8. Your customer has deployed a VPN gateway in a subnet and applied very detailed NSG rules. They are planning to set up cross-VNet connectivity. What best-practice advice will you give the customer?
   - There won't be any issues and cross-VNet connectivity will work fine.
   - The recommendation is not to apply an NSG on a subnet that is hosting the VPN gateway.
   - Azure won't allow an NSG to be deployed on a subnet that's hosting the VPN gateway.

9. You are working for a large retail chain and the security team wants to block 168.63.129.16. If you block the IP address, what will be the impact on infrastructure services such as DHCP and DNS?
   - There will be no impact and it will be business as usual.
   - Azure services use this IP address to communicate; if this address is blocked, DNS, DHCP and health monitoring will be affected.
   - DNS needs this IP address and other services won't be affected.

10. Your customer wants to whitelist all the storage accounts in the East US region. Which of the following approaches will you recommend to your customer?
   - Every week, extract the Storage IP addresses from the Azure IP list and then build a PowerShell script to update the
   - Azure provides a Service Tag to whitelist Storage accounts.
   - Pre-build all the storage accounts upfront and build NSG rules to whitelist only those IP addresses. Advise the customer not to delete the storage accounts.