AZ-500 Secure networking • Complete Question Bank
Complete AZ-500 Secure networking question bank — all 0 questions with answers and detailed explanations.
Drag a concept onto its matching description — or click a concept then click the description.
Prevents resource creation or update that violates policy
Creates a warning event in activity log but allows request
Adds additional fields to the resource during creation or update
Adds, updates, or removes properties on a resource
Policy rule is ignored (used for testing)
Drag a concept onto its matching description — or click a concept then click the description.
Filters traffic at subnet or NIC level
Groups VMs by application workload for rule application
Protects against distributed denial-of-service attacks
Secure RDP/SSH access to VMs without public IP
Extends VNet identity to Azure services over optimized route
Drag a concept onto its matching description — or click a concept then click the description.
Ingest logs from various sources
Define conditions to generate alerts
Visualize data with interactive dashboards
Group related alerts for investigation
Automate response actions using Logic Apps
Refer to the exhibit.
```json
{
"properties": {
"format": "Json",
"networkWatcherResourceGroupName": "NetworkWatcherRG",
"storageAccount": {
"id": "/subscriptions/.../resourceGroups/NetworkWatcherRG/providers/Microsoft.Storage/storageAccounts/flowlogs"
},
"enabled": true,
"retentionPolicy": {
"days": 30,
"enabled": true
},
"trafficAnalytics": {
"enabled": true,
"workspaceId": "/subscriptions/.../resourceGroups/LogAnalytics/providers/Microsoft.OperationalInsights/workspaces/LAWS1"
}
}
}
```

Refer to the exhibit.
```json
{
"properties": {
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
"then": {
"effect": "deny",
"details": {
"field": "Microsoft.Network/virtualNetworks/subnets",
"existenceCondition": {
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup",
"exists": "false"
}
}
}
},
"parameters": {}
}
}
```

Refer to the exhibit.
```json
{
"properties": {
"protocol": "Any",
"sourceAddresses": ["*"],
"destinationAddresses": ["*"],
"destinationPorts": ["*"],
"sourcePorts": ["*"],
"access": "Allow",
"priority": 100,
"direction": "Inbound",
"ruleType": "BasicRule"
}
}
```

{
"properties": {
"policy": {
"rules": [
{
"name": "AllowInternal",
"ruleType": "ApplicationRule",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"*.contoso.com"
],
"sourceAddresses": [
"10.0.0.0/16"
],
"destinationAddresses": [
"172.16.0.0/12"
]
}
]
}
}
}

Refer to the exhibit. KQL query in Microsoft Sentinel:

```
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| where OperationName == "AzureFirewallApplicationRuleHit"
| where msg_s contains "Deny"
| project TimeGenerated, msg_s
| take 10
```

{
"name": "AllowSSHOnly",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "10.0.0.0/24",
"destinationAddressPrefix": "10.0.1.0/24",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
}

{
"properties": {
"type": "Microsoft.Network/azureFirewalls",
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"applicationRuleCollections": [
{
"properties": {
"priority": 200,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "AllowGoogle",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"sourceAddresses": ["10.0.0.0/8"],
"targetFqdns": ["*.google.com"]
}
]
}
}
],
"networkRuleCollections": [
{
"properties": {
"priority": 100,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "DenyAll",
"protocols": ["Any"],
"sourceAddresses": ["*"],
"destinationAddresses": ["*"],
"destinationPorts": ["*"]
}
]
}
}
]
}
}

{
"properties": {
"addressSpace": {
"addressPrefixes": ["10.0.0.0/16"]
},
"subnets": [
{
"name": "subnetA",
"properties": {
"addressPrefix": "10.0.1.0/24",
"networkSecurityGroup": {
"id": "/subscriptions/.../nsgA"
}
}
},
{
"name": "subnetB",
"properties": {
"addressPrefix": "10.0.2.0/24",
"networkSecurityGroup": {
"id": "/subscriptions/.../nsgB"
}
}
}
]
}
}

{
"properties": {
"priority": 100,
"ruleCollectionType": "FilteringRuleCollection",
"ruleType": "NetworkRule",
"rules": [
{
"name": "AllowSQL",
"protocols": ["TCP"],
"sourceAddresses": ["10.0.1.0/24"],
"destinationAddresses": ["AzureCloud.southeastasia"],
"destinationPorts": ["1433"]
}
]
}
}

{
"properties": {
"networkSecurityGroup": {
"id": "/subscriptions/.../resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
},
"networkSecurityGroupRules": [
{
"name": "AllowHTTP",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
},
{
"name": "AllowHTTPS",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 110,
"direction": "Inbound"
}
},
{
"name": "DenyAll",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 200,
"direction": "Inbound"
}
}
]
}
}

{
"properties": {
"isEnabled": true,
"mode": "Prevent",
"targetResources": [
"Microsoft.Network/virtualNetworks"
],
"conditions": [
{
"field": "Microsoft.Network/virtualNetworks/subnets/properties/privateEndpointNetworkPolicies",
"equals": "Disabled"
}
]
}
}

{
"properties": {
"rules": [
{
"name": "AllowVNetInbound",
"direction": "Inbound",
"priority": 100,
"sourceAddressPrefixes": ["VirtualNetwork"],
"destinationAddressPrefixes": ["VirtualNetwork"],
"access": "Allow",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*"
},
{
"name": "DenyInternetInbound",
"direction": "Inbound",
"priority": 200,
"sourceAddressPrefixes": ["Internet"],
"destinationAddressPrefixes": ["*"],
"access": "Deny",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*"
}
]
}
}

{
"properties": {
"format": "Json",
"rules": [
{
"name": "BlockHighRiskIPs",
"priority": 100,
"ruleType": "MatchRule",
"matchConditions": [
{
"matchVariables": [
{
"variableName": "RemoteAddr"
}
],
"operator": "IPMatch",
"negationCondition": false,
"matchValues": [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
}
],
"action": "Block"
}
]
}
}

Get-AzNetworkSecurityGroup -Name 'WebNSG' -ResourceGroupName 'ProdRG' | Get-AzNetworkSecurityRuleConfig -Name 'AllowSSH' | Format-List

// Declares an Azure Firewall named 'hub-firewall' (AZFW_VNet SKU, Standard tier)
// with a single application rule collection that allows HTTPS to the Azure portal.
// Only this Allow collection is declared here; Azure Firewall denies traffic that
// matches no rule, so everything outside this rule is dropped by default.
resource firewall 'Microsoft.Network/azureFirewalls@2023-11-01' = {
name: 'hub-firewall'
// Deployed to the region of the resource group targeted by the deployment.
location: resourceGroup().location
properties: {
sku: { name: 'AZFW_VNet', tier: 'Standard' }
applicationRuleCollections: [
{
// NOTE(review): priority/action/rules sit directly on the collection object here;
// the azureFirewalls resource schema nests them under a `properties` object.
// Confirm against the resource schema before treating this exhibit as deployable.
name: 'AllowMicrosoft'
priority: 110
action: { type: 'Allow' }
rules: [
{
name: 'AllowAzurePortal'
// Source scope is the entire 10.0.0.0/8 range, so every client address in it matches.
sourceAddresses: [ '10.0.0.0/8' ]
// Only HTTPS on port 443 is matched by this rule.
protocols: [ { protocolType: 'Https', port: 443 } ]
// Wildcard FQDN: any host name under portal.azure.com matches.
targetFqdns: [ '*.portal.azure.com' ]
}
]
}
]
}
}{
"properties": {
"format": "JSON",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
"then": {
"effect": "deny",
"details": {
"field": "Microsoft.Network/virtualNetworks/subnets",
"exists": true
}
}
}
}
}

PS C:\> Get-AzNetworkInterface -Name 'nic-web-01' -ResourceGroupName 'RG-Prod' | Select-Object -ExpandProperty IpConfigurations
Name : ipconfig1
PrivateIpAddress : 10.0.1.4
PublicIpAddress :
Primary : True
Subnet : /subscriptions/.../subnets/web
ApplicationSecurityGroups : []
LoadBalancerBackendAddressPools : []

Refer to the exhibit.
```json
{
"properties": {
"policyRule": {
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {},
"displayName": "Block NSG rules and subnet changes"
}
}
```

{
"properties": {
"rules": [
{
"name": "DenyInternetAccess",
"description": "Deny outbound internet access for all VMs.",
"ruleType": "FirewallPolicyRuleCollectionGroup",
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "DefaultFilterRuleCollection",
"priority": 200,
"action": {
"type": "Deny"
},
"rules": [
{
"name": "DenyInternet",
"protocols": [
"Any"
],
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"Internet"
],
"destinationPorts": [
"*"
]
}
]
}
]
}
]
}
}