
Technical Lab: Configure an NSG for Remote Server Administration, Including Azure Bastion

Questions

Question 1 — Multiple Choice

An operations team needs to administer Windows and Linux VMs in a production VNet without exposing RDP (3389) and SSH (22) ports directly to the internet. The adopted solution was Azure Bastion in the Standard tier. After deployment, the administrator needs to configure the NSGs correctly to ensure that Bastion works and that target VMs do not receive direct RDP/SSH connections from the internet.

Which set of NSG rules represents the correct and sufficient configuration?

A) NSG on AzureBastionSubnet: allow inbound on ports 443 and 8080 from the Internet tag; NSG on VM subnets: allow inbound on ports 3389 and 22 from the Internet tag.

B) NSG on AzureBastionSubnet: allow inbound on port 443 from the Internet tag and on port 8080 from the GatewayManager tag; NSG on VM subnets: allow inbound on ports 3389 and 22 only from the VirtualNetwork service tag.

C) NSG on AzureBastionSubnet: allow inbound on port 443 from the Internet tag and on port 443 from the GatewayManager tag; NSG on VM subnets: allow inbound on ports 3389 and 22 only from the AzureBastionSubnet IP prefix.

D) No NSG should be associated with the AzureBastionSubnet, as Azure Bastion manages its own security internally; NSG on VM subnets: block inbound on ports 3389 and 22 from the Internet tag.


Question 2 — Technical Scenario

An administrator tries to connect to a Linux VM via Azure Bastion through the Azure portal. Bastion is correctly deployed in the AzureBastionSubnet with an associated public IP. The connection attempt fails with a timeout error.

The NSG configuration on the VM subnet is as follows:

Inbound rules:
Priority 100 | Source: Internet | Destination: Any | Port: 22 | Action: Deny
Priority 200 | Source: VirtualNetwork | Destination: Any | Port: 22 | Action: Allow
Priority 65000 | Source: VirtualNetwork | Destination: Any | Port: Any | Action: Allow (default)
Priority 65500 | Source: Any | Destination: Any | Port: Any | Action: Deny (default)

What is the cause of the timeout in the Bastion connection?

A) The VirtualNetwork tag does not cover traffic originated from Azure Bastion, as Bastion uses a separate IP space that does not belong to the VNet.

B) The priority 100 rule blocks Bastion traffic before the priority 200 rule is evaluated, because the Internet tag includes Bastion's public IP.

C) Traffic from Bastion to the target VM originates from the AzureBastionSubnet, whose IP prefix is contained in the VirtualNetwork tag, but port 22 needs to be specifically allowed from the AzureBastionSubnet tag.

D) The NSG on the VM subnet is blocking traffic because the default rule with priority 65500 takes precedence over the priority 200 rule for Bastion-originated connections.


Question 3 — True or False

Azure Bastion in the Basic tier supports the IP-based connection feature, which allows connecting to VMs by IP address even when those VMs are not registered in Microsoft Entra ID or domain-joined.

True or False?


Question 4 — Multiple Choice

When designing remote access security for a hybrid environment, the architect needs to decide between two approaches:

Approach | Description
A        | Allow RDP port (3389) in the NSG only for corporate office IPs via inbound rule
B        | Deploy Azure Bastion and block direct RDP/SSH via NSG, allowing only traffic from the AzureBastionSubnet

The security requirement demands that remote access credentials never travel over the internet in clear text and that access be auditable per session.

Which statement technically justifies choosing approach B over approach A?

A) Approach A exposes the RDP protocol directly to the internet, even if restricted by IP, and RDP traffic is not encrypted by default above the transport layer, while Bastion encapsulates the entire session in HTTPS/TLS 443.

B) Approach A is unfeasible because NSGs do not support individual source IP addresses in inbound rules, only service tags and CIDR prefixes.

C) Approach B eliminates the need for any NSGs on VM subnets, simplifying security management.

D) Approach A is secure as long as MFA is enabled in Microsoft Entra ID for access accounts, making approach B a preference choice, not a security one.


Question 5 — Technical Scenario

An organization is migrating to Azure Bastion and needs to ensure that remote administration sessions are recorded for auditing and compliance purposes. The security team requests that the content of RDP and SSH sessions be recorded and stored.

The architect verifies that Bastion is deployed in the Standard tier. What additional configuration is needed to meet the session recording requirement?

A) Enable Diagnostic Settings on the Azure Bastion resource and direct logs to a Log Analytics Workspace, which automatically records the visual content of sessions.

B) Enable the Session Recording feature in Azure Bastion, available in the Standard tier, and configure a storage account to receive the recording files.

C) Configure Azure Monitor to capture network packets on the AzureBastionSubnet via Network Watcher, reconstructing sessions from captured data.

D) Integrate Azure Bastion with Microsoft Sentinel via native connector, which automatically records session content in a dedicated Log Analytics Workspace table.


Answer Key and Explanations

Answer Key — Question 1

Answer: C

The NSG on AzureBastionSubnet must allow inbound on port 443 from the Internet tag (end-user traffic to Bastion) and on port 443 from the GatewayManager tag (Azure control plane management traffic). Traffic from Bastion to VMs originates from the AzureBastionSubnet IPs, so allowing ports 3389 and 22 specifically from that IP prefix is the most restrictive and correct rule.

Option A exposes RDP and SSH directly from the internet, defeating the purpose of Bastion. Option B uses the VirtualNetwork tag for VMs, which is functional but less restrictive than referencing only the AzureBastionSubnet prefix. Option D is incorrect: the AzureBastionSubnet can and should have an associated NSG with rules required by the service documentation.


Answer Key — Question 2

Answer: C

Session traffic that Azure Bastion forwards to the target VM originates from the AzureBastionSubnet IP addresses, which are within the same VNet. The VirtualNetwork tag covers this address space, so the priority 200 rule should, in principle, allow the connection. The priority 100 rule only blocks sources matching the Internet tag, and Bastion's public IP is not the source of traffic to the VM: the actual source is a private IP from the AzureBastionSubnet.

Although the priority 200 rule should match, in many environments the existing rule does not explicitly cover the Bastion subnet due to specificity issues. The most precise solution is to create a rule that explicitly allows port 22 from the AzureBastionSubnet CIDR prefix, leaving no ambiguity in evaluation. Option B is incorrect because traffic to the VM does not come from Bastion's public IP. Option D is wrong because rules with lower priority numbers are evaluated first, not last.
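Added example, not part of the lab: a small Python model of NSG inbound evaluation (lowest priority number first, first match wins) run over Question 2's rule set, and again with the explicit AzureBastionSubnet rule the answer key recommends inserted at priority 150. The addresses are constructed (VNet 10.0.0.0/16, AzureBastionSubnet 10.0.1.0/26, Bastion public IP 20.0.0.10, internet client 40.0.0.5), and the Internet tag is simplified to "any address outside the VNet".

```python
import ipaddress

# Constructed sample addressing (not from the page): VNet 10.0.0.0/16,
# AzureBastionSubnet 10.0.1.0/26, Bastion public IP 20.0.0.10 (hypothetical).
VNET = ipaddress.ip_network("10.0.0.0/16")
BASTION_PREFIX = "10.0.1.0/26"

def source_matches(source, ip):
    """Resolve an NSG source field (service tag or CIDR prefix) against a source IP.
    Simplification: the Internet tag is treated as any address outside the VNet."""
    if source == "Any":
        return True
    if source == "VirtualNetwork":
        return ip in VNET
    if source == "Internet":
        return ip not in VNET
    return ip in ipaddress.ip_network(source)

def evaluate(rules, src_ip, dst_port):
    """Return (priority, action) of the first matching rule. NSGs evaluate inbound
    rules from the lowest priority number upward and stop at the first match."""
    ip = ipaddress.ip_address(src_ip)
    for prio, source, port, action in sorted(rules, key=lambda r: r[0]):
        if source_matches(source, ip) and port in ("Any", dst_port):
            return prio, action
    return None, "Deny"  # nothing matched: treat as denied

# Question 2's VM-subnet inbound rules as (priority, source, destination port, action)
Q2_RULES = [
    (100, "Internet", 22, "Deny"),
    (200, "VirtualNetwork", 22, "Allow"),
    (65000, "VirtualNetwork", "Any", "Allow"),  # default AllowVnetInBound
    (65500, "Any", "Any", "Deny"),              # default DenyAllInBound
]

# The answer key's unambiguous fix: an explicit allow for port 22 from the
# AzureBastionSubnet prefix, numbered below every broader rule.
Q2_FIXED = [(150, BASTION_PREFIX, 22, "Allow")] + Q2_RULES

def demo():
    """Which rule a Bastion-forwarded SSH connection hits under each rule set."""
    return {
        # the VM sees Bastion's private subnet IP, so the Internet deny never matches
        "bastion_private_original": evaluate(Q2_RULES, "10.0.1.4", 22),
        # if the source were Bastion's public IP (option B's assumption), the deny would hit
        "bastion_public_hypothetical": evaluate(Q2_RULES, "20.0.0.10", 22),
        "bastion_private_fixed": evaluate(Q2_FIXED, "10.0.1.4", 22),
        "internet_client_fixed": evaluate(Q2_FIXED, "40.0.0.5", 22),
    }
```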


Answer Key — Question 3

Answer: False

The IP-based connection feature is only available in the Standard tier of Azure Bastion, not in the Basic tier. The Basic tier only supports connection to VMs in the same VNet or in peered VNets, identified by the VM resource in the Azure portal. The Standard tier expands capabilities with features like IP-based connection, native tunneling, and session recording support. Confusing tier capabilities is a common error that can lead to inadequate sizing decisions.


Answer Key — Question 4

Answer: A

The central technical justification is that the RDP protocol, when directly exposed on port 3389, transmits the session with the protocol's native encryption, but the attack surface is significantly larger: the RDP endpoint is accessible for brute force attempts, protocol vulnerability exploitation, and credential stuffing attacks. Azure Bastion encapsulates all communication in HTTPS/TLS on port 443, eliminating RDP/SSH protocol exposure to the internet and centralizing the audit point.

Option B is incorrect: NSGs fully support individual IP addresses and CIDR prefixes as sources. Option C is wrong because VM subnets still need properly configured NSGs. Option D inappropriately minimizes the risks of direct RDP exposure; MFA protects credentials but doesn't eliminate protocol or exposed service vulnerabilities.


Answer Key — Question 5

Answer: B

The Session Recording feature is a specific functionality of Azure Bastion's Standard tier that allows recording the visual content of RDP and SSH sessions and storing them in an administrator-configured storage account. This functionality directly addresses the session content auditing requirement.

Option A describes Diagnostic Settings, which record session metadata like IPs, users, and timestamps, but do not record visual session content. Option C is operationally unfeasible for session reconstruction and is not a supported approach for this purpose. Option D confuses log integration with session recording: Microsoft Sentinel can receive audit events from Bastion but does not automatically record session content.