Microsoft Azure Security Engineer Associate AZ-500 Practice Question
Your Azure VNet has WebSubnet (web-tier VM scale set) and AppSubnet (application VMs). Requirements:
Allow Internet → web tier on TCP 443.
Allow web tier → app tier on TCP 8080.
Block any traffic initiated from AppSubnet to the Internet or WebSubnet.
You must minimise NSG rules and ensure policies automatically cover new scale-out instances. What should you configure?
Use Azure Virtual Network Manager to create security admin rule collections that allow and deny the required traffic.
Associate both subnets with a single Network Security Group that contains individual CIDR-based allow and deny rules for each subnet.
Create two Application Security Groups (one for the web tier and one for the app tier) and reference them in the required NSG rules.
Deploy an Azure Firewall in a dedicated subnet and configure user-defined routes so all traffic is forced through the firewall.
Application Security Groups (ASGs) let you attach VM NICs to logical groups and reference those groups in NSG rules. Create one ASG for the web tier and one for the app tier, then:
On the NSG for WebSubnet, add an inbound rule that allows source Internet to destination Web-ASG on TCP 443.
Add a rule that allows traffic from Web-ASG to App-ASG on TCP 8080; the stateful NSG permits the return traffic automatically.
On the NSG for AppSubnet, add a high-priority deny outbound rule that blocks any destination Internet or Web-ASG, satisfying the isolation requirement.
Because new VM instances are automatically added to their ASG when the scale set grows, no extra rules are needed, meeting the minimal-rule and autoscaling requirements. CIDR-based rules, Azure Firewall, or Virtual Network Manager security admin rules would meet the traffic requirements but add unnecessary maintenance or cost.
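The rule set described above can be checked with a small model of NSG evaluation. This is an added example, not part of the original question and not Azure's implementation: the NIC names, the priorities, the placement of the 8080 rule on the AppSubnet NSG, and the split of the deny rule into one rule per destination are assumptions.

```python
from dataclasses import dataclass

INTERNET, ANY = "Internet", "*"   # INTERNET stands in for the Internet service tag

@dataclass(frozen=True)
class Rule:
    priority: int     # lower number is evaluated first; first match wins
    direction: str    # "in" or "out"
    src: str          # ASG name, INTERNET or ANY
    dst: str
    port: object      # int or ANY
    allow: bool

# Constructed NIC -> ASG membership; rules never mention individual NICs or CIDRs.
asg_of = {"web-0": "Web-ASG", "app-0": "App-ASG"}

# Each tier's subnet NSG, keyed by the tier's ASG to keep the model small.
NSG = {
    "Web-ASG": [Rule(100, "in", INTERNET, "Web-ASG", 443, True)],
    "App-ASG": [
        Rule(100, "in", "Web-ASG", "App-ASG", 8080, True),
        Rule(100, "out", "App-ASG", INTERNET, ANY, False),   # deny app -> Internet
        Rule(110, "out", "App-ASG", "Web-ASG", ANY, False),  # deny app -> web tier
    ],
}

def group(endpoint):
    """Map an endpoint to its ASG; anything outside the VNet counts as Internet."""
    return asg_of.get(endpoint, INTERNET)

def decide(rules, direction, src, dst, port):
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.src in (src, ANY)
                and r.dst in (dst, ANY) and r.port in (port, ANY)):
            return r.allow
    # Default rules: outbound is allowed; inbound is allowed only from inside the VNet.
    return direction == "out" or src != INTERNET

def can_initiate(src_ep, dst_ep, port):
    """Only the initiating direction is evaluated; NSGs are stateful, so replies
    to an allowed connection are not checked against the opposite-direction rules."""
    src, dst = group(src_ep), group(dst_ep)
    out_ok = src == INTERNET or decide(NSG[src], "out", src, dst, port)
    in_ok = dst == INTERNET or decide(NSG[dst], "in", src, dst, port)
    return out_ok and in_ok

def scale_out(nic, asg):
    """A new scale-set instance only changes membership, never the rule list."""
    asg_of[nic] = asg
```

The outbound deny on the app tier does not break web-to-app sessions on 8080, because the deny is only consulted when an app VM initiates the connection.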
Microsoft Azure Security Engineer Associate AZ-500
Secure networking