Answer the following questions to check your understanding of network segmentation.
Contoso's security team discovers that a compromised web-tier VM can initiate connections directly to the database tier on TCP port 1433. No NSG is attached to the database subnet. What is the most effective first step to close this lateral movement path?
Install a host-based firewall on each database server to block inbound connections from web-tier IPs.
Create an NSG, attach it to the database subnet, and give it a deny-all inbound rule plus a higher-priority (lower-numbered) allow rule for TCP port 1433 scoped to the web tier only.
Move the database VMs to a separate virtual network and use virtual network peering to allow web-tier access.
A team uses IP-based NSG rules to control access between 40 application-tier VMs and 20 database-tier VMs. When new VMs are added, rules frequently break because IP addresses change. What change resolves this maintenance problem while preserving the security boundary?
Replace the NSG with an Azure Firewall rule collection that references VM names instead of IP addresses.
Use application security groups to group application-tier and database-tier VMs, then write NSG rules referencing the ASGs instead of individual IPs.
Switch to a flat virtual network with no subnets so VM scaling doesn't affect routing.
Contoso wants to ensure that no team in any subscription can create an NSG rule that allows RDP (port 3389) inbound from the internet. The block must hold even for users who hold Owner on their subscription. Which Azure Virtual Network Manager capability enforces this?
A security admin rule with action Deny on destination port 3389 from source Any, applied to a network group covering all subscriptions.
An Azure Policy with Deny effect that prevents creation of NSG rules with port 3389.
A network security group attached to the virtual network gateway subnet with a deny rule for port 3389.
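The three configurations these questions describe, as an added example that is not part of this page or of Microsoft's code: a small Python model of the order in which Azure evaluates an inbound flow, first against Virtual Network Manager security admin rules (a Deny stops evaluation before any NSG is consulted, an AlwaysAllow skips the NSG, an Allow hands over to it) and then against the NSG, where the lowest priority number wins and the default rules at 65000 and above sit behind every custom rule. All addresses, ASG names and rule names are constructed, and the range 10.0.0.0/16 is an assumed VNet address space standing in for the VirtualNetwork service tag. Beyond the quiz, it also shows two mistakes that turn the answer to the first question into a non-fix: putting the deny at a lower number than the allow, and leaving out the explicit deny so that the default AllowVnetInBound rule still admits every other VNet flow.

```python
# Constructed model, added here and not Microsoft's code, of how Azure evaluates an inbound
# flow: Virtual Network Manager security admin rules first, then the NSG (lowest priority number
# wins; default rules 65000+ sit behind every custom rule). Addresses and names are made up;
# 10.0.0.0/16 is an assumed VNet range standing in for the VirtualNetwork service tag.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")
Flow = namedtuple("Flow", "src dst protocol port")  # one inbound connection attempt

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str          # NSG: Allow | Deny.  Admin rule: Allow | AlwaysAllow | Deny
    protocol: str = "*"  # "*", "Tcp" or "Udp"
    source: str = "*"    # "*", a CIDR, "VirtualNetwork" or "asg:<name>"
    destination: str = "*"
    dest_ports: tuple = ("*",)  # e.g. ("1433",) or ("49152-65535",)

# Application security groups: membership follows the NIC, modelled here by its private IP.
ASGS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-app": {"10.0.3.4"}, "asg-db": {"10.0.2.4"}}

def _addr_matches(spec, ip):
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return ip in ASGS.get(spec[4:], set())
    return ip_address(ip) in (VNET if spec == "VirtualNetwork" else ip_network(spec))

def _port_matches(ranges, port):
    def hit(r):
        lo, _, hi = r.partition("-")
        return r == "*" or int(lo) <= port <= int(hi or lo)
    return any(hit(r) for r in ranges)

def _matches(rule, flow):
    return (rule.protocol in ("*", flow.protocol)
            and _addr_matches(rule.source, flow.src)
            and _addr_matches(rule.destination, flow.dst)
            and _port_matches(rule.dest_ports, flow.port))

# Default inbound rules of every NSG; 65000 admits any VNet-internal traffic unless a custom
# Deny with a lower number shadows it.
NSG_DEFAULTS = (
    Rule("AllowVnetInBound", 65000, "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Deny"),
)

def evaluate(flow, nsg, admin_rules=()):
    """Return "Allow" or "Deny" for an inbound flow; nsg=None means no NSG on subnet or NIC."""
    for rule in sorted(admin_rules, key=lambda r: r.priority):
        if _matches(rule, flow):
            if rule.access == "AlwaysAllow":
                return "Allow"  # NSGs are skipped entirely
            if rule.access == "Deny":
                return "Deny"   # blocked before any NSG, whatever a subscription Owner put there
            break               # "Allow": hand over to the NSG
    if nsg is None:
        return "Allow"          # nothing filters the traffic: the finding in question 1
    for rule in sorted(list(nsg) + list(NSG_DEFAULTS), key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.access
    return "Deny"

# Questions 1 and 2: the allow needs a lower number than the deny, and the deny a lower number
# than 65000, or a default rule shadows it.
DB_SUBNET_NSG = [
    Rule("AllowWebToSql", 100, "Allow", "Tcp", "asg:asg-web", "asg:asg-db", ("1433",)),
    Rule("DenyAllOtherInbound", 4096, "Deny"),
]
# Question 3: security admin rule on the network group, evaluated before any NSG.
ADMIN_RULES = [Rule("DenyRdpInbound", 100, "Deny", "Tcp", "*", "*", ("3389",))]

def scenarios():
    web_to_sql = Flow("10.0.1.4", "10.0.2.4", "Tcp", 1433)
    web_to_ssh = Flow("10.0.1.4", "10.0.2.4", "Tcp", 22)
    app_to_sql = Flow("10.0.3.4", "10.0.2.4", "Tcp", 1433)
    inet_to_rdp = Flow("203.0.113.7", "10.0.1.4", "Tcp", 3389)
    misordered = [Rule("DenyAll", 50, "Deny"), DB_SUBNET_NSG[0]]  # deny shadows the allow
    rdp_opened = [Rule("AllowRdpAny", 100, "Allow", "Tcp", "*", "*", ("3389",))]  # an Owner's rule
    return {
        "web->db:1433 no NSG": evaluate(web_to_sql, None),
        "web->db:1433 db NSG": evaluate(web_to_sql, DB_SUBNET_NSG),
        "web->db:22 db NSG": evaluate(web_to_ssh, DB_SUBNET_NSG),
        "app->db:1433 db NSG": evaluate(app_to_sql, DB_SUBNET_NSG),
        "web->db:1433 deny above allow": evaluate(web_to_sql, misordered),
        "web->db:22 allow only": evaluate(web_to_ssh, DB_SUBNET_NSG[:1]),
        "internet->web:3389 NSG only": evaluate(inet_to_rdp, rdp_opened),
        "internet->web:3389 admin rule": evaluate(inet_to_rdp, rdp_opened, ADMIN_RULES),
    }

def scale_out_web(ip):
    """Question 2: a new web VM joins the ASG; the NSG rule is untouched and still admits it."""
    ASGS["asg-web"].add(ip)
    return evaluate(Flow(ip, "10.0.2.4", "Tcp", 1433), DB_SUBNET_NSG)

if __name__ == "__main__":
    print(*(f"{k:32} {v}" for k, v in scenarios().items()), sep="\n")
    print(f"{'new web VM 10.0.1.6->db:1433':32} {scale_out_web('10.0.1.6')}")
```

Running the file prints one verdict per scenario. The allow rule in the model corresponds to an Azure CLI call of the form az network nsg rule create --access Allow --direction Inbound --protocol Tcp --priority 100 --source-asgs asg-web --destination-asgs asg-db --destination-port-ranges 1433 (the resource names are the example's assumptions); the deny rule is the same command with --access Deny and a higher priority number. Note that the model's "Deny" admin action is the real Virtual Network Manager enum value: its actions are Allow, AlwaysAllow and Deny, and Deny already ends evaluation before any NSG, which is why a subscription Owner's permissive NSG rule changes nothing in the last scenario.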