Microsoft Updated SC-900 Exam Questions and Answers by lachlan

Azure Bastion is a managed PaaS service that provides secure and seamless RDP/SSH connectivity to your Azure virtual machines directly from the Azure portal over TLS/HTTPS. SCI and Azure security documentation summarize it as eliminating public IP exposure on VMs by using a fully managed bastion host deployed inside your virtual network. Users connect through their browser and the service brokers the RDP or SSH session, which “protects your VMs from exposing RDP/SSH to the Internet.” Bastion does not provide access to Azure Files, SQL Managed Instance, or App Service; it is specifically built to secure management access to VMs without requiring a VPN or public endpoints. Therefore, the resource type Azure Bastion securely connects to is Azure virtual machines.

In Microsoft’s cloud responsibility model, Software as a Service (SaaS) is the offering where the cloud provider operates the full application stack and the customer’s responsibility is limited to data and access. Microsoft’s guidance explains that with SaaS, the provider manages the application, runtime, middleware, operating system, virtualization, servers, storage, and networking, while customers focus on “information and identities” and how users access the app. This aligns with your requirement to “manage only the data, user accounts, and user devices” for a cloud-based app. In contrast, PaaS still leaves you responsible for the application and data, and IaaS shifts even more components (OS, middleware, and apps) to you. Microsoft’s shared responsibility descriptions consistently note that SaaS is chosen when organizations want to reduce operational overhead and concentrate on securing and governing their data and identities, leveraging provider controls for platform and infrastructure. Therefore, to meet the scenario of managing only data, user accounts, and devices while the provider runs the rest, SaaS is the correct cloud model.

In Azure networking, each Network Security Group (NSG) is created with a built-in set of default security rules. Microsoft’s documentation for NSGs explains: “Azure creates several default security rules within each network security group. You can’t remove the default security rules, but you can override them by creating rules with a higher priority.” The rule processing model is priority-based: “Security rules are processed in priority order, with lower numbers processed before higher numbers. Once a rule matches traffic, processing stops.” Because the defaults have relatively low precedence (high priority numbers), an administrator can create an explicit allow or deny rule with a lower priority number to supersede the default behavior.

This is why the correct completion is override rather than copy or delete. You cannot delete the default rules; they remain present to provide baseline behavior (such as denying inbound traffic from the internet by default and allowing virtual network traffic). Instead, you override the defaults by adding your own NSG rules—using lower priority numbers—to achieve the desired access control outcome while preserving Azure’s baseline protections and evaluation logic.