A company has an Azure virtual network with a subnet that hosts a public web application. They want to allow inbound HTTPS traffic (port 443) only from the source IP range 203.0.113.0/24, and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required in the NSG to achieve this?
- A. 0 (no additional rules needed because the default rules block all inbound traffic)
  Why wrong: The default rules block traffic from the internet, so no HTTPS traffic would be allowed. An explicit allow rule is required.
- B. 1
  Correct: One allow rule for HTTPS from the specific IP range is sufficient. The default deny rule blocks all other traffic automatically.
- C. 2 (one allow rule for HTTPS and one deny rule for all other traffic)
  Why wrong: An explicit deny rule is unnecessary because the NSG already includes a default deny-all-inbound rule. Adding an explicit deny would be redundant.
- D. 3 (one allow HTTPS, one allow for Azure Load Balancer health probes, and one deny all)
  Why wrong: The default rules already allow Azure Load Balancer health probes. No additional rule is needed for that, and the explicit deny is still redundant.