What should you do?

You have an Azure subscription that contains the following resources:

✑ A virtual network named Vnet1

✑ Two subnets named Subnet1 and AzureFirewallSubnet

✑ A public Azure Firewall named FW1

✑ A route table named RT1 that is associated with Subnet1

✑ A route in RT1 that sends 0.0.0.0/0 to FW1

After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.

You need to ensure that the virtual machines can be activated.

What should you do?

A. Deploy an application security group that allows outbound traffic to port 1688.

B. Deploy an Azure Standard Load Balancer that has an outbound NAT rule

C. On FW1, configure a DNAT rule for port 1688.

D. Add an internet route to RT1 for the Azure Key Management Service (KMS).

Answer: C

Explanation:

To ensure that the virtual machines can be activated, you need to allow outbound traffic to the Azure Key Management Service (KMS) for activation. The KMS uses the TCP port 1688 for activation services.

The virtual machines in Subnet1 are routing all their traffic (0.0.0.0/0) to the Azure Firewall FW1 based on the rule in the route table RT1. Therefore, you need to configure FW1 to allow traffic to KMS for activation.

The best option here would be:

C. On FW1, configure a DNAT rule for port 1688.

This DNAT rule will translate the destination for outbound traffic on port 1688 to the correct KMS endpoint for activation. It’s important to note that while DNAT is typically used for inbound connections, Azure Firewall rules can also be used to ensure proper handling of outbound traffic to specific public services.

Options A and B are not relevant in this context because:

A. Application security groups (ASGs) are used to group together VMs and define network security policies based on those groups. However, in this scenario, the issue is not with grouping the VMs but rather allowing traffic through the firewall to the KMS service.

B. Deploying an Azure Standard Load Balancer with an outbound NAT rule is not necessary since you already have a firewall in place that can be configured to allow the required outbound traffic.

Option D, adding an internet route to RT1 for the Azure Key Management Service (KMS), is not the correct approach because the route table already contains a default route (0.0.0.0/0) that sends all traffic to FW1. The key is to configure FW1 to allow traffic to KMS.
