You hosts a line-of-business (LOB) web application in a virtual network (VNet) in Azure. A site-to-site virtual private network (S2S VPN) connection links your on-premises environment with the Azure VNet.
You plan to use a network security group (NSG) to restrict inbound traffic into the VNet to the following IPv4 address ranges:
Your solutions must meet the following technical requirements:
* Limit rule scope only to the three IPv4 address ranges.
* Minimize the number of NSG rules.
* Minimize future administrative maintenance effort.
What should you do?
You should pass the three IPv4 address ranges into the NSG rule as a comma-separated list. NSGs in Azure allow you to specify individual IP addresses or address ranges either individually or as a comma-separated list. This reduces the number of NSG rules you would otherwise have to create to meet your use case.
You should not pass the IPv4 address range 192.168.0.0/22 into the NSG rule. Doing so would include other IPv4 network addresses besides the four included in the scenario requirements. Route summarization, also called supernetting, refers to identifying multiple contiguous IPv4 network addresses under a single, larger, network address.
You should not define an ASG that includes the three IPv4 address ranges. In fact, ASGs are bound to the IP address configurations of virtual machines (VMs) running in Azure, not on-premises network address ranges.
You should not define an NSG rule that includes the VirtualNetwork service tag. Service tags (and ASGs) represent keyword identifiers that make it easier to reference multiple hosts and/or networks in NSG rules. In this case, you need to write a rule that allows inbound connections from on-premises IPv4 address ranges, not the VNet itself.