What should you do?

You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.

The virtual machines host several applications that are accessible over port 443 to user on the Internet.

Your on-premises network has a site-to-site VPN connection to VNet1.

You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.

You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accesses by the Internet users.

What should you do?
A . Modify the address space of the local network gateway.
B . Remove the public IP addresses from the virtual machines.
C . Modify the address space of Subnet1.
D . Create a deny rule in a network security group (NSG) that is linked to Subnet1.

View Answer

Answer: D

Explanation:

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don’t have to allow direct RDP or SSH access over the internet. And this can be achieved by configuring a deny rule in a network security group (NSG) that is linked to Subnet1 for RDP / SSH protocol coming from internet.

Modify the address space of Subnet1: Incorrect choice

Modifying the address space of Subnet1 will have no impact on RDP traffic flow to the virtual network.

Modify the address space of the local network gateway: Incorrect choice

Modifying the address space of the local network gateway will have no impact on RDP traffic flow to the virtual network.

Remove the public IP addresses from the virtual machines: Incorrect choice

If you remove the public IP addresses from the virtual machines, none of the applications be accessible publicly by the Internet users.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices