
15 Azure Cloud questions to verify that you understand Azure Network Security Groups

Azure Network Security Groups are important for hardening your virtual network and increasing security of your cloud-hosted application. Check how well you understand them.

QUESTION 1:

What are the default inbound rules for Azure Network Security Group?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups
Question category: Azure Cloud

Answer

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVNetInBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |
| DenyAllInbound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

QUESTION 2:

What are the default outbound rules for Azure Network Security Group?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups
Question category: Azure Cloud

Answer

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVnetOutBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowInternetOutBound | 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |
| DenyAllOutBound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

QUESTION 3:

What are the settings that you need to set for each Azure Network Security Group (NSG) rule?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups
Question category: Azure Cloud

Answer

  • Name
  • Priority - 1 (highest) ... 65536 (lowest)
  • Source
  • Source ports
  • Destination
  • Destination ports
  • Protocol
  • Access - Allow/Deny
QUESTION 4:

What are the protocol values that can be set for Azure Network Security Group (NSG) rule?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups
Question category: Azure Cloud

Answer

  • Any
  • TCP
  • UDP
  • ICMP
QUESTION 5:

What are the Source and Destination values that we can set for Azure Network Security Group (NSG)?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups
Question category: Azure Cloud

Answer

  • Any
  • IP Address
  • Service Tag
  • Application security group
QUESTION 6:

How many IP addresses can be defined in an Azure Network Security Group (NSG) rule?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups
Question category: Azure Cloud

Answer

Each rule can have Source and Destination fields defined.

You can put one or more IP addresses into each field. You can provide either a comma-separated list of IPs or CIDR ranges.

QUESTION 7:

Can you set multiple service tags or Application security groups (ASGs) to either Source or Destination of Azure Network Security Group (NSG)?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups
Question category: Azure Cloud

Answer

No, you can't.

Only one service tag or Application security group can be set in Source/Destination.

QUESTION 8:

You configured an Azure NSG to allow an incoming traffic flow via port 443, but it doesn't seem to work correctly. How can you analyze and fix the issue?

Experience Level: Senior
Tags: Azure Cloud, Azure Network Security Groups, Azure Virtual Networks
Question category: Azure Cloud

Answer

Use IP flow verify in Azure Network Watcher. IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

QUESTION 9:

You have deployed a VM with Windows OS to an Azure VNET. You want to connect to it, so you configure your NSG to allow port 3389 using the UDP protocol. Will the connection work?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups, Azure Virtual Machines, Azure Virtual Networks
Question category: Azure Cloud

Answer

Not out of the box. By default RDP runs on port 3389 using TCP protocol. To use UDP you would need to change the VM settings.
QUESTION 10:

How can you monitor source IPs of traffic that comes from on-premises network to basic internal load balancer in Azure?

Experience Level: Junior
Tags: Azure Cloud, Azure Log Analytics Workspace, Azure Network Security Groups, Azure Virtual Networks
Question category: Azure Cloud

Answer

The basic load balancer is in a virtual network (VNET). 

  • Add a network security group (NSG) and configure the security rules that allow the incoming traffic.
  • Create an Azure Log Analytics Workspace.
  • Configure Diagnostic settings to export logs and metrics to the Log Analytics Workspace.
You can also use NSG flow logs that use Azure Log Analytics Workspace for storing logs as well.
QUESTION 11:

What steps do you need to execute to enable NSG flow logging?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups, Azure Virtual Networks
Question category: Azure Cloud

Answer

Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool, SIEM, or IDS of your choice.

  • Create a VM with a network security group
  • Enable Network Watcher and register the Microsoft.Insights provider
  • Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
  • Download logged data
  • View logged data
QUESTION 12:

How do you ensure that only connections from the Internet to VNET1\subnet0 are allowed over TCP port 1234?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups, Azure Virtual Networks
Question category: Azure Cloud

Answer

  • Configure an NSG rule, set source to Internet, target to any.
  • Assign the NSG to subnet0
  • Set the Destination port to 1234, Protocol to TCP

QUESTION 13:

You have VMs in 3 subnets of the same Azure VNET. How many network security groups (NSGs) do you need in order to allow access from Internet to all the VMs?

Experience Level: Senior
Tags: Azure Cloud, Azure Network Security Groups, Azure Virtual Machines
Question category: Azure Cloud

Answer

You need one NSG that can be assigned to all subnets.
QUESTION 14:

What will happen with the approved JIT access request to Azure virtual machine (VM) if you delete the security rule in the network security group (NSG)?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups, Azure Virtual Machines
Question category: Azure Cloud

Answer

The access request will be revoked.

The deleted NSG rule won't be recreated automatically.

QUESTION 15:

What will you do to ensure that the NetworkSecurityGroupRuleCounter log is stored to Azure Storage account and kept for 30 days?

Experience Level: Junior
Tags: Azure Cloud, Azure Network Security Groups, Azure Storage
Question category: Azure Cloud

Answer

  • Sign in to Azure Portal
  • Find your Network Security Group
  • Go to Diagnostic Settings
  • Click the Add diagnostic setting link
  • Fill in Diagnostic settings name field
  • In the Log section, select NetworkSecurityGroupRuleCounter
  • In the Destination details section, select Archive to a storage account
  • In the Storage account field, select the storage account
  • In the Retention (days) field, enter 30
  • Click the Save button
