You manage a virtual network named vnet1 that contains a subnet named subnet1.

You deploy 30 Azure Virtual Machines (VMs) in subnet1. Five of these Azure VMs are used for a distributed database, 20 VMs are used by a batch application, and the other VMs host a web application. The private IP address for all Azure VMs changes frequently.

The distributed database VMs should be accessed by the batch application VMs only.

You need to restrict network access in subnet1.

You should use application security groups (ASGs). You can use one ASG to group the network interface cards (NICs) of the distributed database VMs and another ASG to group the NICs of the batch application VMs. Because membership follows the NIC rather than its address, the grouping stays valid when the private IP addresses change, and you can reference these groups later in NSG rules.

You should also use network security groups (NSGs). You can create an NSG with rules that allow network connectivity from the NICs in the batch application ASG to the NICs in the distributed database ASG and deny connectivity to the distributed database from all other VMs. You should attach this NSG to all VMs in subnet1.
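The ASG and NSG configuration described above, as an added Azure CLI example that is not part of the original answer. Resource group rg1, the ASG, NSG and NIC names, and TCP port 5432 as the database listener port are assumptions; vnet1 and subnet1 come from the question.

```azurecli
# Added example, not from the original answer. Assumed: resource group rg1,
# the ASG/NSG/NIC names, and TCP 5432 as the database port.
RG=rg1

# 1. ASGs: membership follows the NIC, so rules survive private-IP changes.
az network asg create --resource-group $RG --name asg-distributed-db
az network asg create --resource-group $RG --name asg-batch-app

# 2. NSG with ASG-based rules. The explicit deny is needed because the default
#    AllowVnetInBound rule (priority 65000) would otherwise admit the web VMs.
az network nsg create --resource-group $RG --name nsg-subnet1
az network nsg rule create --resource-group $RG --nsg-name nsg-subnet1 \
  --name Allow-Batch-To-Db --priority 100 --direction Inbound --access Allow \
  --protocol Tcp --source-asgs asg-batch-app --source-port-ranges '*' \
  --destination-asgs asg-distributed-db --destination-port-ranges 5432
az network nsg rule create --resource-group $RG --nsg-name nsg-subnet1 \
  --name Deny-Any-To-Db --priority 200 --direction Inbound --access Deny \
  --protocol '*' --source-address-prefixes '*' --source-port-ranges '*' \
  --destination-asgs asg-distributed-db --destination-port-ranges '*'

# 3. Associate the NSG with subnet1 so it applies to every VM in the subnet.
az network vnet subnet update --resource-group $RG --vnet-name vnet1 \
  --name subnet1 --network-security-group nsg-subnet1

# 4. Put each NIC in the ASG for its role (repeat for the 5 database and
#    20 batch VMs; web VM NICs join neither ASG and hit the deny rule).
az network nic ip-config update --resource-group $RG --nic-name nic-db-01 \
  --name ipconfig1 --application-security-groups asg-distributed-db
az network nic ip-config update --resource-group $RG --nic-name nic-batch-01 \
  --name ipconfig1 --application-security-groups asg-batch-app

# 5. Verify the effective rules on one database NIC (the VM must be running).
az network nic list-effective-nsg --resource-group $RG --name nic-db-01 --output table
```

Rule priority matters: the allow at 100 is evaluated before the deny at 200, and both precede the built-in default rules, so the web VMs are blocked without any rule naming an IP address.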

You should not use Azure Firewall. Azure Firewall is a managed network security service that protects the Azure virtual network. You can use it to centralize network connectivity policies through application rules (based on fully qualified domain names, FQDNs) and network traffic filtering rules. You should not use Azure Firewall to identify which network traffic flows from a batch application VM to the distributed database VMs, because the private IP address of every Azure VM changes frequently.

You should not use a Network rule. This is a type of Azure Firewall rule that defines the source address, protocol, destination port, and destination address. A network rule is similar to an NSG rule, and because it is based on IP addresses it would have to be updated every time the VMs' private IP addresses change.

You should not use Service tags. A service tag represents a group of IP address prefixes belonging to a given Azure service. You can use a service tag to simplify NSG rules or Azure Firewall network rules for Azure services such as ApiManagement or AzureCosmosDB, but service tags cannot represent the VMs you deploy yourself in subnet1.
