ISC2 Certified Cloud Security Professional (CCSP) Practice Question
In an Azure virtual network, a security team must ensure that production application VMs in the web subnet accept HTTP and HTTPS traffic from the Internet, block all other inbound connections, and allow SSH only from the corporate office's public IP address. The control must provide stateful packet filtering at layer 3/4, be applied directly to the subnet, and introduce no additional per-hour service cost. Which Azure network security control should be implemented?
Attach an Azure Network Security Group to the web subnet and create rules permitting TCP 80/443 from any source and TCP 22 only from the corporate office IP.
Provision Azure Bastion and configure its access policies to allow only HTTP, HTTPS, and SSH from approved sources.
Implement an Azure Application Gateway with a Web Application Firewall (WAF) and limit source IPs in the listener configuration.
Deploy Azure Firewall in the virtual network and define network and application rules to control HTTP, HTTPS, and SSH access.
Azure Network Security Groups (NSGs) are designed to perform stateful layer 3/4 packet filtering and can be associated with individual subnets or network interfaces. Administrators create inbound and outbound security rules that explicitly allow or deny traffic such as HTTP (TCP 80), HTTPS (TCP 443), and SSH (TCP 22) from specified source IP addresses. NSGs are a built-in capability of the Azure virtual network fabric and do not incur extra hourly charges.
Azure Firewall also provides stateful filtering but is a separate managed service that incurs additional costs and is typically used for centralized, large-scale filtering across multiple subnets. Azure Application Gateway with WAF works at layer 7 as a reverse proxy and does not natively control SSH or general inbound port access to VMs. Azure Bastion offers secure browser-based RDP/SSH without public IPs but is not intended to enforce granular port-based filtering for other traffic types. Therefore, configuring an NSG on the web subnet most directly meets all stated requirements.
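The rule set from the correct answer can be checked against NSG evaluation order (lowest priority number first, first match wins, default rules last). The following is an added example, not part of the original question: a small Python model of that evaluation. The office address, VNet address space, rule names and priorities 100/110 are constructed assumptions, and the VirtualNetwork tag is simplified to a single address space.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the question gives no addresses.
CORP_OFFICE_IP = "203.0.113.10/32"  # documentation range, stands in for the office public IP
VNET_SPACE = "10.0.0.0/16"          # assumed address space behind the VirtualNetwork tag

def _network(source):
    """Resolve "*", the VirtualNetwork tag, or a CIDR string to an IPv4 network."""
    cidr = {"*": "0.0.0.0/0", "VirtualNetwork": VNET_SPACE}.get(source, source)
    return ipaddress.ip_network(cidr)

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # CIDR, "*" or "VirtualNetwork"
    ports: tuple    # destination TCP ports; empty tuple means any port
    allow: bool

    def matches(self, src_ip, dst_port):
        in_source = ipaddress.ip_address(src_ip) in _network(self.source)
        return in_source and (not self.ports or dst_port in self.ports)

# Custom inbound rules described in the correct answer.
WEB_SUBNET_RULES = [
    Rule("Allow-Web-Any", 100, "*", (80, 443), True),
    Rule("Allow-SSH-CorpOffice", 110, CORP_OFFICE_IP, (22,), True),
]
# Default inbound rules present in every NSG (load balancer rule 65001 omitted).
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", (), True),
    Rule("DenyAllInbound", 65500, "*", (), False),
]

def evaluate(src_ip, dst_port, rules=WEB_SUBNET_RULES):
    """Return (allowed, rule_name) for a new inbound TCP flow."""
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.matches(src_ip, dst_port):
            return rule.allow, rule.name
    raise AssertionError("unreachable: DenyAllInbound matches every flow")

def audit_ssh_exposure(rules):
    """Names of allow rules that open TCP 22 to more than a single host."""
    return [r.name for r in rules
            if r.allow and (not r.ports or 22 in r.ports)
            and _network(r.source).prefixlen < 32]
```

Because the default AllowVNetInBound rule sits above DenyAllInbound, SSH from other hosts inside the virtual network is still permitted by this rule set; "block all other inbound connections" is met for Internet sources only unless an explicit deny rule is added.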
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Security Operations