Microsoft Azure Administrator (legacy) — Question 70

You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to user on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accesses by the Internet users.
What should you do?

Answer options

• A. Create a deny rule in a network security group (NSG) that is linked to Subnet1.
• B. Modify the address space of Subnet1.
• C. Modify the address space of the local network gateway.
• D. Remove the public IP addresses from the virtual machines.

Correct answer: A

Explanation

The correct answer is A because creating a deny rule in the NSG attached to Subnet1 can specifically restrict RDP access from the Internet while allowing it from the on-premises network. Options B and C do not address the RDP access restrictions and would not achieve the required outcome. Option D would prevent all remote access to the virtual machines, which is not the desired solution.