A subnet contains several application servers. You need to allow inbound TCP 3389 only from a management subnet named Subnet-Mgmt and deny RDP from all other sources. What should you do?
- A. Create an NSG rule allowing TCP 3389 from the Subnet-Mgmt address range and rely on the default deny-all inbound rule that follows it. Correct: this permits RDP from the one intended source while denying every other source.
- B. Create a route table that sends RDP traffic to the management subnet. Why wrong: route tables do not implement port-based access control.
- C. Deploy a private endpoint for each application server. Why wrong: private endpoints are for Azure PaaS services, not for selectively exposing RDP on VMs.
- D. Enable service endpoints on the application subnet. Why wrong: service endpoints are unrelated to RDP access control.