Technical Lab: Create and configure inbound NAT rules
Questions
Question 1 - Multiple Choice
An engineer needs RDP access to three distinct virtual machines that are behind a single Azure Load Balancer with a single public IP address. The VMs do not have individual public IPs.
Which Load Balancer feature allows mapping distinct external ports (for example, 50001, 50002, 50003) to port 3389 of each VM individually?
A) Load balancing rules with session persistence configured by source IP
B) Inbound NAT rules associated directly to each target NIC
C) Health probes with distinct protocols per instance
D) Outbound rules with static port mapping per backend pool
Question 2 - Technical Scenario
An administrator configures an inbound NAT rule on a Standard Load Balancer with the following definitions:
Frontend IP: 20.10.5.100
Frontend port: 8080
Backend port: 80
Target VM NIC: nic-webserver-01
Protocol: TCP
Floating IP: Disabled
When trying to access http://20.10.5.100:8080, the connection is refused. The VM is running, the web service responds locally on port 80, and the rule is successfully provisioned. What should be checked first?
A) If the frontend IP is associated to a conflicting load balancing rule on port 8080
B) If the Network Security Group associated to the VM's NIC or subnet allows inbound TCP traffic on port 80
C) If the backend pool contains other VMs besides nic-webserver-01
D) If the health probe is configured for port 8080 instead of port 80
Question 3 - Multiple Choice
When comparing individual inbound NAT rules with inbound NAT rule pools in an Azure Load Balancer, which statement correctly describes the behavioral difference between the two models?
A) NAT rule pools require all backend VMs to use the same destination port, while individual rules allow distinct ports per VM
B) NAT rule pools automatically assign frontend port ranges to backend pool instances, while individual rules map a specific frontend port to a specific NIC
C) Individual rules only work with Basic Load Balancer, while NAT rule pools are exclusive to Standard Load Balancer
D) NAT rule pools require floating IP enabled, while individual rules are incompatible with floating IP
Question 4 - Technical Scenario
A team uses a Virtual Machine Scale Set (VMSS) with 5 instances behind a Standard Load Balancer. To allow SSH access to each instance individually, the architect opts to create an inbound NAT rule pool with the following configuration:
Frontend port range start: 50000
Backend port: 22
Protocol: TCP
Backend pool: vmss-backend-pool
After deployment, the engineer tries to access instance 0 via ssh user@<frontend-ip> -p 50000 and gets no response. Instance 1 responds normally on port 50001. What is the most likely cause?
A) The NAT rule pool does not support SSH protocol; only RDP is allowed in port ranges
B) VMSS instance 0 was removed from the backend pool due to health probe failure, and port 50000 is no longer mapped
C) The frontend port range start must be greater than 1024, and port 50000 is below this limit
D) VMSS instances require individual NAT rules; NAT rule pools are incompatible with scale sets
Question 5 - True or False
When Floating IP is enabled on an inbound NAT rule of a Standard Load Balancer, the target VM's operating system must be configured to listen on the Load Balancer's frontend IP address, and not just on the NIC's private IP, for the connection to be established correctly.
( ) True
( ) False
Answer Key and Explanations
Answer Key - Question 1
Answer: B
Inbound NAT rules are the correct mechanism to map specific external frontend ports to internal ports of individual VMs. The association is made directly to the target VM's NIC, allowing multiple VMs to be accessed through distinct ports on the same public IP.
The main misconception represented by the distractors is confusing the purpose of other Load Balancer components. Load balancing rules distribute traffic among multiple instances of a backend pool, not to specific instances. Health probes monitor availability and have no port routing function. Outbound rules control outbound traffic from VMs, not inbound traffic directed to them.
Choosing alternative A, for example, would lead to traffic being distributed among instances, not guaranteeing individual access to a specific VM.
Answer Key - Question 2
Answer: B
Even with the inbound NAT rule correctly provisioned and the service responding locally, the NSG (Network Security Group) acts as an independent control layer from the Load Balancer. Traffic translated by the NAT rule arrives at the VM's NIC on the backend port (80), and the NSG evaluates this traffic before delivering it to the application. If there's no inbound rule allowing TCP/80 in the NIC or subnet NSG, the packet will be silently dropped.
Alternative A represents a common misconception: load balancing rules and NAT rules can coexist on different ports without conflict. Alternative C is irrelevant because individual NAT rules are associated to a specific NIC, not to the pool. Alternative D confuses the health probe function, which serves to determine backend health and doesn't directly interfere with NAT flow.
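The check described in this answer, as an added example that is not part of the original lab: a simplified model that applies the Question 2 NAT rule (Floating IP disabled) and then evaluates NSG rules against the translated flow. The private IP 10.0.0.4, the NSG rule names and the reduced NSG matching (protocol and destination port only) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    frontend_ip: str
    frontend_port: int
    backend_ip: str      # private IP of the target NIC (constructed value)
    backend_port: int
    protocol: str

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # lower number is evaluated first
    access: str          # "Allow" or "Deny"
    protocol: str        # "TCP", "UDP" or "*"
    dest_ports: range    # destination ports the rule matches

# Simplified stand-in for the platform default DenyAllInBound rule.
DENY_ALL = NsgRule("DenyAllInBound", 65500, "Deny", "*", range(0, 65536))

def translate(rule, dst_ip, dst_port, protocol):
    """Return the (ip, port) seen at the NIC, or None if the NAT rule does not match."""
    if (dst_ip, dst_port, protocol) != (rule.frontend_ip, rule.frontend_port, rule.protocol):
        return None
    return rule.backend_ip, rule.backend_port

def nsg_verdict(rules, protocol, dst_port):
    """The first matching rule in ascending priority order decides the flow."""
    for r in sorted(list(rules) + [DENY_ALL], key=lambda r: r.priority):
        if r.protocol in ("*", protocol) and dst_port in r.dest_ports:
            return r.access, r.name

def diagnose(nat, nsg_rules, dst_ip, dst_port, protocol="TCP"):
    """Translate first, then evaluate the NSG on the backend port, not the frontend port."""
    flow = translate(nat, dst_ip, dst_port, protocol)
    if flow is None:
        return "no NAT rule matches"
    access, name = nsg_verdict(nsg_rules, protocol, flow[1])
    return f"{access} by {name} on backend port {flow[1]}"

NAT = NatRule("20.10.5.100", 8080, "10.0.0.4", 80, "TCP")
# Constructed NSGs: the first opens the frontend port, which the NSG never sees.
WRONG = [NsgRule("allow-8080", 100, "Allow", "TCP", range(8080, 8081))]
FIXED = [NsgRule("allow-http", 100, "Allow", "TCP", range(80, 81))]

if __name__ == "__main__":
    print(diagnose(NAT, WRONG, "20.10.5.100", 8080))
    print(diagnose(NAT, FIXED, "20.10.5.100", 8080))
```

An NSG rule that opens port 8080 does nothing for this flow, because the NSG is evaluated after translation and only sees destination port 80.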
Answer Key - Question 3
Answer: B
The central distinction is the association model. Individual rules require the administrator to explicitly map each frontend port to a specific NIC. NAT rule pools automate this process for dynamic backends: the Load Balancer assigns a frontend port range and maps each pool instance to a port within that range, without manual intervention per instance.
Alternative A reverses the logic: it's the pool model that standardizes the destination port (backend port), while varying the frontend ports. Alternative C is false because both models are available in Standard Load Balancer; NAT rule pools don't exist in Basic, but individual rules work in both SKUs. Alternative D doesn't reflect any real floating IP requirement for NAT rule pools.
Answer Key - Question 4
Answer: B
In an inbound NAT rule pool, the assignment of frontend ports to VMSS instances is done dynamically based on the order and availability of instances in the backend pool. When an instance is removed from the pool due to health probe failure (or other reasons like redeployment), the corresponding port is no longer mapped. The fact that instance 1 responds on port 50001 confirms that the pool and general mapping are working, isolating the problem to instance 0 specifically.
Alternative A is false: NAT rule pools support generic TCP, including SSH. Alternative C is incorrect as 50000 is within valid ranges for frontend ports. Alternative D directly contradicts the main use case of NAT rule pools, which were designed exactly to simplify individual access to scale set instances.
Answer Key - Question 5
Answer: True
When Floating IP is enabled, the Load Balancer doesn't perform destination IP translation before delivering the packet to the VM. The packet arrives at the NIC with the destination IP still being the Load Balancer's frontend IP. Therefore, the application or operating system needs to have this IP configured as an additional IP on the loopback interface or on the NIC itself for the network stack to accept and process the packet.
This behavior is different from the default mode (Floating IP disabled), where the Load Balancer replaces the destination IP with the VM's private IP before delivery, and the application doesn't need any additional IP configuration. Floating IP is necessary in scenarios like high availability clusters (for example, SQL Server Always On) where the cluster's virtual IP needs to be directly recognized by the active VM.