Technical Lab: Create and configure NSG inbound and outbound security rules
Questions
Question 1 - Multiple Choice
A security team needs to ensure that no outbound traffic to the internet is allowed from a specific subnet, except for the Windows Update service. The existing NSG rules on the subnet allow all outbound traffic by default.
What is the correct approach to implement this control without impacting other internal services?
- A) Add an outbound rule blocking the Service Tag `Internet` with higher priority than the default `AllowInternetOutBound` rule, and an outbound rule allowing the Service Tag `WindowsUpdate` with even higher priority.
- B) Remove the default `AllowInternetOutBound` rule from the NSG and add an outbound rule allowing the Service Tag `WindowsUpdate`.
- C) Add an outbound rule blocking all destinations (`*`) with higher priority than the default `AllowInternetOutBound` rule, without adding any allow rules.
- D) Replace the default `AllowInternetOutBound` rule with an outbound rule that only allows the Service Tag `WindowsUpdate`.
Question 2 - Technical Scenario
An administrator configured the following NSG associated with a VM's NIC:
| Priority | Name | Port | Protocol | Source | Destination | Action | Direction |
|---|---|---|---|---|---|---|---|
| 100 | Allow-RDP | 3389 | TCP | 10.0.1.0/24 | * | Allow | Inbound |
| 200 | Deny-All-Inbound | * | * | * | * | Deny | Inbound |
| 65000 | AllowVNetInBound | * | * | VirtualNetwork | VirtualNetwork | Allow | Inbound |
An operator at 10.0.2.5, in a different subnet, tries to connect via RDP to the VM and the connection is refused. What is the root cause?
- A) The `Deny-All-Inbound` rule has priority 200, which is processed before the default `AllowVNetInBound` rule, blocking traffic from `10.0.2.5` because it is not in the range allowed by rule 100.
- B) The `AllowVNetInBound` rule with priority 65000 would allow the traffic, but is overridden by the `Deny-All-Inbound` rule with priority 200 before being evaluated.
- C) The NSG associated with the NIC does not process subnet rules; therefore, the `Allow-RDP` rule is ignored.
- D) Port 3389 is blocked by default in NSGs associated with NICs and requires explicit opening in the subnet NSG as well.
Question 3 - True or False
When an NSG is associated simultaneously with a subnet and the NIC of a VM within that subnet, inbound traffic is evaluated first by the NIC NSG rules and then by the subnet NSG rules.
Question 4 - Technical Scenario
A VM hosts a web application that must accept HTTP and HTTPS traffic from any source, but only from within the virtual network for SSH management connections (port 22). The administrator created the following inbound rules in the NIC NSG:
| Priority | Name | Protocol / Port | Source -> Destination | Action |
|---|---|---|---|---|
| 100 | Allow-HTTP | TCP 80 | * -> * | Allow |
| 110 | Allow-HTTPS | TCP 443 | * -> * | Allow |
| 120 | Allow-SSH-VNet | TCP 22 | VirtualNetwork | Allow |
| 130 | Deny-SSH-Public | TCP 22 | * | Deny |
| 200 | Deny-All | * | * | Deny |
An auditor points out that the configuration presents a security flaw. What is the identified problem?
- A) The `Deny-All` rule with priority 200 is redundant because the default `DenyAllInBound` rule already exists with priority 65500, making the configuration confusing but not insecure.
- B) The `Allow-SSH-VNet` rule with priority 120 allows SSH traffic from any address within the `VirtualNetwork` Service Tag, which includes peered VNets and VPN-connected networks, expanding the scope beyond the declared intention.
- C) The `Allow-HTTP` and `Allow-HTTPS` rules should have lower priority than the `Deny-All` rule, otherwise web traffic is blocked before being evaluated.
- D) The `Deny-SSH-Public` rule is unreachable because the `Allow-SSH-VNet` rule with priority 120 already allows all SSH traffic before it is evaluated.
Question 5 - Multiple Choice
An engineer needs to allow VMs in a subnet to communicate with Azure Key Vault without exposing traffic to the public internet. He chooses to create an outbound rule in the NSG using a Service Tag.
Which Service Tag should be used in the outbound rule and what is the expected behavior?
- A) `AzureKeyVault`, which represents the public IP addresses of Key Vault managed by Microsoft; traffic will exit via the public internet, but limited to the service endpoint.
- B) `AzureKeyVault`, which includes only the private IPs of Key Vault accessible via Private Endpoint, ensuring traffic never exits via the internet.
- C) `AzureKeyVault`, which represents the IP ranges managed by Microsoft for the service; the NSG will allow traffic to these IPs, but the guarantee of no internet exposure depends on additional configurations like Service Endpoints or Private Endpoints.
- D) `Storage`, because Key Vault stores secrets internally in Azure Storage and this is the correct Service Tag for this service.
Answer Key and Explanations
Answer Key - Question 1
Answer: A
The order of NSG rule evaluation is determined by priority: the lower the number, the higher the priority. To block the internet but allow Windows Update, it is necessary to create:
- An allow rule for `WindowsUpdate` with numerically lower priority (example: 100).
- A block rule for `Internet` with numerically higher priority than the previous one, but lower than the default `AllowInternetOutBound` rule (priority 65001).
Default NSG rules cannot be removed or modified (alternatives B and D are wrong for assuming this). Alternative C would also block internal services by denying * without first opening necessary exceptions.
The main conceptual error in the distractors is assuming that default rules are editable or that a general denial is sufficient without protecting desired exceptions with adequate priority.
Answer Key - Question 2
Answer: A
NSG rules are evaluated in ascending priority order. For inbound traffic coming from 10.0.2.5:
- Priority 100 (`Allow-RDP`): checks whether the source is in `10.0.1.0/24`. The address `10.0.2.5` does not belong to this range, so the rule does not apply.
- Priority 200 (`Deny-All-Inbound`): matches any source. Traffic is denied here.
The default AllowVNetInBound rule (65000) is never evaluated because the priority 200 rule has already made a decision. This is the expected behavior: the NSG stops processing rules as soon as it finds the first match.
Alternative B describes the mechanism correctly but reverses the override logic. Alternatives C and D introduce behaviors that do not exist in the NSG processing model.
Answer Key - Question 3
Answer: False
The behavior is the inverse: for inbound traffic, the subnet NSG rules are evaluated first, and only then the NIC NSG rules. For outbound traffic, the order reverses: NIC first, subnet after.
This behavior is non-obvious because intuitively one would expect the NIC, being closer to the VM, to be the first control point. In practice, inbound traffic first crosses the subnet boundary before reaching the network interface. Understanding this order is critical for diagnosing why traffic is blocked even with permissive rules in the NIC NSG.
Answer Key - Question 4
Answer: B
The VirtualNetwork Service Tag does not represent only the local VNet. It includes:
- The local VNet address space
- Address spaces of peered VNets
- Networks connected via VPN Gateway or ExpressRoute
If the intention is to restrict SSH only to administrators within the local VNet, using VirtualNetwork may expose SSH access to external networks connected by peering or VPN, contrary to the declared security policy. The correct approach would be to use the exact CIDR of the local VNet or management subnet.
Alternative A describes a real redundancy, but does not constitute a security flaw. Alternative D is wrong because rule 130 is still reachable for traffic that does not match rule 120 (sources outside the VirtualNetwork Service Tag). Alternative C reverses the priority logic.
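The evaluation model behind the answer keys for Questions 1 to 4 (first match in ascending priority, the platform default rules, subnet-before-NIC layering on inbound, and the breadth of the `VirtualNetwork` Service Tag) can be reproduced with a small simulator. The following code is an added example and is not part of the original lab; the VM address `10.0.1.10`, the peered range `10.1.0.0/16` inside `VirtualNetwork`, the RFC 5737 range standing in for `WindowsUpdate`, and the simplification of `Internet` to "anything outside `VirtualNetwork`" are all constructed assumptions.

```python
"""Added example, not from the original lab: a minimal simulator of NSG rule
evaluation applied to the scenarios of Questions 1-4. Service Tag contents,
the VM address and the peered range are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed Service Tag contents (assumption). VirtualNetwork includes a
# peered range, 10.1.0.0/16, to mirror the point made in Question 4.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "10.1.0.0/16"],
    "WindowsUpdate": ["203.0.113.0/24"],   # RFC 5737 range as a stand-in
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    port: str         # "3389", "22", "1000-2000" or "*"
    protocol: str     # "TCP", "UDP" or "*"
    source: str       # CIDR, single IP, Service Tag or "*"
    destination: str
    action: str       # "Allow" or "Deny"


# Platform default rules (simplified: AllowAzureLoadBalancerInBound omitted).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVNetInBound", "*", "*", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]
DEFAULT_OUTBOUND = [
    Rule(65000, "AllowVNetOutBound", "*", "*", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowInternetOutBound", "*", "*", "*", "Internet", "Allow"),
    Rule(65500, "DenyAllOutBound", "*", "*", "*", "*", "Deny"),
]


def _addr_matches(spec: str, addr: str) -> bool:
    """'*' matches everything; 'Internet' is simplified to 'not VirtualNetwork'
    (assumption); other specs are Service Tags, CIDRs or single addresses."""
    if spec == "*":
        return True
    if spec == "Internet":
        return not _addr_matches("VirtualNetwork", addr)
    ip = ip_address(addr)
    return any(ip in ip_network(p, strict=False) for p in SERVICE_TAGS.get(spec, [spec]))


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src, dst, port, proto="TCP"):
    """Return (action, rule name) of the first match in ascending priority;
    once a rule matches, no later rule is consulted."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", proto) or not _port_matches(r.port, port):
            continue
        if _addr_matches(r.source, src) and _addr_matches(r.destination, dst):
            return r.action, r.name
    raise ValueError("rule set has no catch-all; include the default rules")


def evaluate_layered(subnet_rules, nic_rules, direction, src, dst, port, proto="TCP"):
    """Inbound: subnet NSG first, then NIC NSG. Outbound: NIC first, then subnet.
    Both layers must allow; returns (action, deciding layer, rule name)."""
    order = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        order.reverse()
    for layer, rules in order:
        action, name = evaluate(rules, src, dst, port, proto)
        if action == "Deny":
            return "Deny", layer, name
    return "Allow", layer, name  # last layer consulted allowed it


VM = "10.0.1.10"  # constructed address of the VM being protected

# Question 1: allow WindowsUpdate (100), then deny Internet (200), both ahead of the defaults.
Q1_OUTBOUND = [
    Rule(100, "Allow-WindowsUpdate", "*", "*", "*", "WindowsUpdate", "Allow"),
    Rule(200, "Deny-Internet", "*", "*", "*", "Internet", "Deny"),
] + DEFAULT_OUTBOUND


def question1(dst):
    return evaluate(Q1_OUTBOUND, VM, dst, 443)


# Question 2: the NIC NSG from the table; 10.0.2.5 never reaches AllowVNetInBound.
Q2_INBOUND = [
    Rule(100, "Allow-RDP", "3389", "TCP", "10.0.1.0/24", "*", "Allow"),
    Rule(200, "Deny-All-Inbound", "*", "*", "*", "*", "Deny"),
] + DEFAULT_INBOUND


def question2(src):
    return evaluate(Q2_INBOUND, src, VM, 3389)


# Question 3: a permissive NIC NSG cannot override a subnet NSG that denies inbound.
def question3(src):
    subnet = [Rule(200, "Deny-All-Inbound", "*", "*", "*", "*", "Deny")] + DEFAULT_INBOUND
    nic = [Rule(100, "Allow-RDP-Any", "3389", "TCP", "*", "*", "Allow")] + DEFAULT_INBOUND
    return evaluate_layered(subnet, nic, "Inbound", src, VM, 3389)


# Question 4: the audited rules; pass the local VNet CIDR as ssh_source for the fix.
def question4(src, ssh_source="VirtualNetwork"):
    rules = [
        Rule(100, "Allow-HTTP", "80", "TCP", "*", "*", "Allow"),
        Rule(110, "Allow-HTTPS", "443", "TCP", "*", "*", "Allow"),
        Rule(120, "Allow-SSH-VNet", "22", "TCP", ssh_source, "*", "Allow"),
        Rule(130, "Deny-SSH-Public", "22", "TCP", "*", "*", "Deny"),
        Rule(200, "Deny-All", "*", "*", "*", "*", "Deny"),
    ] + DEFAULT_INBOUND
    return evaluate(rules, src, VM, 22)
```

Running `question4("10.1.0.5")` shows SSH from the peered range allowed by `Allow-SSH-VNet`, while `question4("10.1.0.5", "10.0.0.0/16")` shows the same packet falling through to `Deny-SSH-Public`, which is exactly the narrowing the answer key recommends; `question3("10.0.2.5")` reports the denial at the subnet layer even though the NIC NSG would have allowed it.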
Answer Key - Question 5
Answer: C
The AzureKeyVault Service Tag represents the public IP ranges managed by Microsoft for the Key Vault service in a given region. Using this tag in an NSG rule allows VMs to reach these IPs, but traffic may still transit via the public internet depending on the network topology.
To guarantee that traffic does not exit via the internet, it is necessary to configure complementarily:
- Service Endpoints: route traffic through Microsoft's backbone, without assigning a private IP to Key Vault.
- Private Endpoints: assign a private IP to Key Vault within the VNet, eliminating any public exposure.
Alternative B is wrong because Service Tags have no relation to Private Endpoints and do not limit private IPs. Alternative D confuses the service's internal storage layer with the network plane. The NSG alone does not guarantee the absence of internet exposure; it only controls which destinations are allowed or denied on egress.