Comprehensive and Detailed Explanation From Exact Extract:
To meet the requirement of restricting inbound traffic and allowing outbound traffic, two components are most appropriate:
D. Firewall – A firewall enforces ingress and egress traffic policies. It can be configured to deny all inbound traffic by default and allow all outbound traffic, meeting the security policy requirement.
E. Network Security Group (NSG) – In cloud environments such as Azure, NSGs serve as virtual firewalls at the subnet or interface level. NSGs allow you to define rules that block or allow inbound and outbound traffic, and they are the preferred method for enforcing network access rules for cloud resources.
Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud Network Security Configuration”:
“Network security groups and firewalls are key to enforcing inbound and outbound traffic restrictions in hybrid and public cloud environments.”
“NSGs are used to define network access control policies for cloud resources at the subnet or NIC level.”
Other options:
A. Application gateway controls HTTP/S traffic at Layer 7 but does not manage full access policy.
B. IPS detects/prevents malicious behavior but is not primarily used for general traffic restriction.
C. Port security restricts MAC addresses on switch ports; it applies to LANs, not to cloud environments.
F. A screened subnet (DMZ) can provide additional isolation but is not required for basic traffic control.
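The policy described for options D and E (deny all inbound, allow all outbound) can be checked against a rule set as follows. This is an added example, not part of the study guide or any vendor tooling; the rule fields are simplified and constructed, it assumes NSG-style first-match evaluation in ascending priority order, and it matches on direction and port only (source, destination and protocol are ignored).

```python
# Constructed sample rule set (simplified fields, not a cloud provider's schema).
RULES = [
    {"name": "allow-ssh-any", "priority": 100, "direction": "Inbound", "access": "Allow", "port": "22"},
    {"name": "deny-all-in", "priority": 4000, "direction": "Inbound", "access": "Deny", "port": "*"},
    {"name": "allow-rdp-late", "priority": 4050, "direction": "Inbound", "access": "Allow", "port": "3389"},
    {"name": "allow-all-out", "priority": 4000, "direction": "Outbound", "access": "Allow", "port": "*"},
]


def port_range(spec):
    """Turn a port spec ('*', '443' or '8000-8100') into an inclusive (low, high) pair."""
    if spec == "*":
        return 0, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def decide(rules, direction, port):
    """Return (access, rule_name) for the first matching rule, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        low, high = port_range(rule["port"])
        if rule["direction"] == direction and low <= port <= high:
            return rule["access"], rule["name"]
    # No rule matched: fall back to the policy itself (deny inbound, allow outbound).
    return ("Deny" if direction == "Inbound" else "Allow"), "default"


def audit(rules):
    """Names of rules that break 'deny all inbound, allow all outbound' and actually take effect."""
    findings = []
    for rule in rules:
        violates = (rule["direction"], rule["access"]) in {("Inbound", "Allow"), ("Outbound", "Deny")}
        if not violates:
            continue
        low, high = port_range(rule["port"])
        # A violating rule only matters if it wins evaluation for some port it covers;
        # one that sits behind a broader, earlier rule is shadowed and never applies.
        if any(decide(rules, rule["direction"], p)[1] == rule["name"] for p in range(low, high + 1)):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    print("policy violations:", audit(RULES))
```

The shadowed `allow-rdp-late` rule is not reported because the earlier deny-all rule already decides that traffic, though a shadowed rule is still worth removing so it cannot become active if priorities change.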