SC-500 Exam Dumps - Microsoft Certified: Cloud and AI Security Engineer Associate

Inbound from the internet: 443; Outbound to Subnet1: 3389

Azure Bastion requires inbound HTTPS access on TCP 443 from the internet to the AzureBastionSubnet so users can reach the Bastion service. For RDP to Windows virtual machines, Bastion then needs outbound access to the target subnet on TCP 3389. Port 22 would be required for SSH, but the scenario is specifically secure RDP. Other listed ports do not satisfy Bastion RDP access requirements. For this domain, least privilege means granting only the required data operation or allowing only the required network flow. The correct response avoids shared keys, broad peering, general contributor roles, or log-only controls when the scenario demands prevention, routing, event triggering, or account-specific configuration. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Azure Bastion; Microsoft Learn > Azure Bastion NSG access and port requirements.

==============================================================

Azure Firewall application rules inspect HTTP and HTTPS traffic by FQDN or URL-oriented application targets. The scenario says the virtual machines may reach only updates.contoso.com and all other outbound traffic must be blocked. A network rule works at IP address, port, and protocol level, but it is not the best fit for URL/FQDN-based allowlisting. NAT rules translate inbound traffic and do not solve outbound web filtering. The important exam skill is separating data-plane access, management-plane administration, and network reachability. A storage, database, or firewall setting must be selected because it enforces the exact path requested in the scenario. Distractors often look plausible because they improve security generally, but they do not satisfy the protocol, scope, or automation requirement stated in the question. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Azure Firewall; Microsoft Learn > Azure Firewall application rules and FQDN filtering.

==============================================================

VNet1: An Azure Private Link service; VNet2: A private endpoint

Private Link service and private endpoint provide one-way, explicitly scoped private connectivity. VNet1 hosts the target VMs and should expose only the intended service through an Azure Private Link service. VNet2, where VM3 runs, consumes that service through a private endpoint. VNet peering or VPN would create broader network reachability between the networks and would not inherently deny VM3 access to other resources in Sub1. Microsoft platform security questions usually hinge on where enforcement occurs: at the resource, server, subnet, firewall policy, private endpoint, or subscription level. The selected answer uses the control plane that owns that enforcement point. Other options are rejected when they only log activity, broaden network access, or protect a different service category. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Private Link services and private endpoints; Microsoft Learn > Azure Private Link architecture.

==============================================================

Source: ASG1; Destination: ASG2

The requirement is identity-stable network filtering between virtual machines even if VM2 receives a different private IP address. Application security groups solve exactly that problem: rules refer to VM membership instead of a fixed IP. Because VM2 is a member of ASG1 and VM3 is a member of ASG2, the inbound allow rule on the shared NSG must use ASG1 as source and ASG2 as destination. Choosing IP addresses would fail the change-resilience requirement. The important exam skill is separating data-plane access, management-plane administration, and network reachability. A storage, database, or firewall setting must be selected because it enforces the exact path requested in the scenario. Distractors often look plausible because they improve security generally, but they do not satisfy the protocol, scope, or automation requirement stated in the question. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > NSGs and ASGs; Microsoft Learn > Application security groups in network security rules.

==============================================================