Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam AZ-103 topic 4 question 23 discussion

Actual exam question from Microsoft's AZ-103
Question #: 23
Topic #: 4
[All AZ-103 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: A ūüó≥ÔłŹ
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
akamal
Highly Voted 3 years, 7 months ago
it's A, https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition Example #7
upvoted 12 times
wideawake
3 years, 5 months ago
example 7 policy will block creation of NSGs if the specific port is used in the security rules. it not add the rules auto
upvoted 1 times
dreamweaver
3 years, 4 months ago
the question doesnt ask you to add rules. "You need to ensure that when an NSG is created, it automatically blocks TCP port 808" it is asking you to validate that a NSG has a setting and Policy does that. And it can do it for ports.
upvoted 1 times
...
...
...
docent
Highly Voted 3 years, 8 months ago
Isn't this A? A policy would allow you to do sth, but now assign specific parameters to a resource?
upvoted 10 times
msg1021
3 years, 7 months ago
agree , policy for compliance not for security or network . It should be B
upvoted 1 times
GSH
3 years, 7 months ago
Geez, are you kidding me? How'd you get this far into the questions!
upvoted 3 times
...
...
...
JayLearn2022
Most Recent 9 months, 3 weeks ago
There are several versions of this question. The following are the correct and incorrect answers that can be presented. Correct Answer: Meets the goal. -Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Incorrect Answers: Does not meet the goal. -Solution: You create a resource lock, and then you assign the lock to the subscription. -Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider -Solution: You assign a built-in policy definition to the subscription.
upvoted 2 times
...
NickyDee
2 years, 11 months ago
given answer is correct { "count": { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", "where": { "allOf": [ { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" }, { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" }, { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "equals": "3389" } ] } }, "greater": 0 }
upvoted 2 times
...
simanastasiya
3 years ago
in exam az-104 29nov 2020
upvoted 2 times
...
pouya1
3 years, 3 months ago
The given answer is correct. https://github.com/Azure/Community-Policy/commit/10a43b7fd74bde35cf2a4d138072d5032e91c8e1
upvoted 2 times
...
Steve_az
3 years, 4 months ago
Same Question with 4 different solution. Please refer below for correct answer. You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. 1) Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.Does this meet the goal? No 2) Solution: You assign a built-in policy definition to the subscription. Does this meet the goal? No 3) Solution: You create a resource lock, and then you assign the lock to the subscription. Does this meet the goal? No 4) Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Does this meet the goal? Yes
upvoted 9 times
...
AzExam2020
3 years, 5 months ago
B, Policy is not for allowing network traffics, NSG should be used to allow/block inbound and outbound traffic on ports.
upvoted 1 times
...
Omnipitus
3 years, 5 months ago
Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management - from https://docs.microsoft.com/en-us/azure/governance/policy/overview - so you can use Policy to block a port
upvoted 1 times
...
eltucutu
3 years, 5 months ago
Thats correct: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure: { "count": { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", "where": { "allOf": [ { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" }, { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" }, { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "equals": "3389" } ] } }, "greater": 0 }
upvoted 6 times
...
nfett
3 years, 6 months ago
Answer is correct. reviewing the policy defintions shows that a custom policy can be defined to perform this work. be easier to apply on NSG & fast.
upvoted 2 times
...
AzureArchitect
3 years, 6 months ago
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure, i guess A is correct as given in example
upvoted 1 times
...
Cloudyuga
3 years, 6 months ago
Yes answer is correct as per below link https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
upvoted 3 times
...
Eitant
3 years, 7 months ago
Answer is correct: Look on example 7 on this link https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
upvoted 7 times
...
jeroenj33
3 years, 7 months ago
Policies can block ports example "SSH access from the Internet should be blocked" is a predefined policy, it's possible to create a custom policy to block port 8080
upvoted 7 times
...
ExamGuy01
3 years, 7 months ago
You can create a policy that will block a port ref: https://markgossa.blogspot.com/2018/11/azure-policy-deny-inbound-rdp-from.html
upvoted 4 times
GSH
3 years, 7 months ago
I don't know who markgossa is, but I am sure Microsoft doesn't care about him nor his opinion. If link not from MS, don't bother...
upvoted 7 times
...
...
P0d
3 years, 7 months ago
Policy Cannot block Ports
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...