ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-304 All Questions

View all questions & answers for the AZ-304 exam
Go to Exam

Exam AZ-304 topic 5 question 22 discussion

Actual exam question from Microsoft's AZ-304
Question #: 22
Topic #: 5
[All AZ-304 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company plans to deploy various Azure App Service instances that will use Azure SQL databases. The App Service instances will be deployed at the same time as the Azure SQL databases.
The company has a regulatory requirement to deploy the App Service instances only to specific Azure regions. The resources for the App Service instances must reside in the same region.
You need to recommend a solution to meet the regulatory requirement.
Solution: You recommend using an Azure policy to enforce the resource group location.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by [deleted] at March 13, 2021, 7:29 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Jindrich
Highly Voted 4 years, 3 months ago
The answer is NO since RG is just a logical group and its location does not enforce added resources to be placed physically in the same region/location.
upvoted 52 times
Oracleist
4 years, 2 months ago
why are u talking about rg if the policy allowed location apply at subs level?
upvoted 2 times
rdemontis
3 years, 7 months ago
Exactly! Policy assignments "applies to all resources within the Resource Manager scope of that assignment. Subscopes can be excluded, if necessary." So if you assign a policy to a resource group all contained resources are affected as well. https://docs.microsoft.com/en-us/azure/governance/policy/overview Answer is correct
upvoted 6 times
joefdez
3 years, 3 months ago
That statement will be valid if the definition would be allowed locations for resources. However, the solution says for resource groups, which does not enforce the resources inside. Therefore, Answer is No.
upvoted 2 times
JayBee65
3 years ago
That is wrong. "An assignment is a policy definition or initiative that has been assigned to a specific scope. ... This design means that a definition applied to a resource group is ALSO APPLIED to resources in that resource group" It could not be more clear
upvoted 1 times
...
...
...
...
sunmonkey
4 years, 2 months ago
You are correct. Enforcing a location for the resource group does not enforce the location of the resources added to the resource group. You can still deploy resources in the resource group to a different region other than the one specified for the resource group.
upvoted 4 times
...
...
iPilot
Highly Voted 4 years, 2 months ago
ANSWER IS CORRECT
upvoted 28 times
MRabi
4 years ago
please explain
upvoted 2 times
Mikeliz
4 years ago
You'll will have to create resources in a resource group, policy on location enforcement will do.
upvoted 2 times
keilah123
4 years ago
Wrong. You can create resources in one location and put it on a resource group that are on other locations. The solution will not meet the goal
upvoted 7 times
VincentZhang
3 years, 8 months ago
After applying the policy of same location, how can you put a resource which was created from anther location? please discuss.
upvoted 1 times
Nemo634
3 years, 4 months ago
we have to kind of policies, "Allowed locations" and "Allowed locations for resource groups". The 1st one is used for deploying items inside RGs. The 2nd one is for RG metadata placement. There is big difference between applied policy and it's scope. The 1st one applied to RG will meet requirements. The 2nd one doesn't.
upvoted 2 times
...
...
...
...
...
ZodiaC
3 years, 6 months ago
1000000000% WRONG DONT BELIEVE!
upvoted 1 times
JayBee65
3 years ago
Your explanation is so helpful. 10000000000000% helpful. Not
upvoted 1 times
...
...
...
omerco61
Most Recent 2 years, 4 months ago
A https://learn.microsoft.com/en-us/azure/governance/policy/overview#:~:text=Definition%20Structure.-,Assignments,groups%2C%20subscriptions%2C%20or%20management%20groups%20that%20the%20definition%20is%20assigned%20to.,-Assignments%20are%20inherited
upvoted 2 times
...
Marciojsilva
2 years, 7 months ago
Selected Answer: B
The answer is NO since RG is just a logical group and its location does not enforce added resources to be placed physically in the same region/location.
upvoted 1 times
...
raaahul
2 years, 7 months ago
NO since RG is just a logical group and its location does not enforce added resources to be placed physically in the same region/location.
upvoted 1 times
...
Snownoodles
2 years, 8 months ago
Selected Answer: B
Policy only enforces RG, doesn't enforce resources
upvoted 1 times
...
Snownoodles
2 years, 10 months ago
Yes Policy can be inherited from RG to resources
upvoted 1 times
Snownoodles
2 years, 10 months ago
Please ignore my previous comment. The answer should be "No" after I reviewed the Azure Policy "Allowed locations for resource group": "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" }, { "field": "location", "notIn": "[parameters('listOfAllowedLocations')]" } ] }, This policy only applies to RG in policy definition. Even though it can be inherited/cascaded, it won't limit other resources inside the RG because it specifies "RG" only.
upvoted 1 times
...
...
buhnkpze
2 years, 11 months ago
Selected Answer: B
resource group location is unrelated to resource
upvoted 3 times
sKaiNL
2 years, 9 months ago
Indeed. It is a solid No. It is easy to see by creating a policy and assigning it to a RG. There are 2 settings for the policy: Allowed locations and Allowed locations for resource group (which the questions asks) The latter has no effect on the resources you create in the RG; they can be in any region. So it is not relevant and the answer is NO.
upvoted 1 times
...
...
AD3
3 years, 3 months ago
A is the answer. There is no need to argue. The resource group is going to be available only in the regions that are supported. The resource is created only after the resource group is created. All the resources creation (see the terraform) the resource group is a mandatory field. So adding the policy on the resource group will indirectly restrict creation of the resource too.
upvoted 2 times
...
icedog
3 years, 3 months ago
Selected Answer: A
https://docs.microsoft.com/en-us/azure/governance/policy/overview "The assignment applies to all resources within the Resource Manager scope of that assignment. " The RGs are the scope Poorly worded question, I suspect the actual question on the exam be a lot clearer
upvoted 2 times
...
us3r
3 years, 4 months ago
Selected Answer: A
do not distract people. Az.Policy is the answer for this part of series.
upvoted 3 times
...
Gall
3 years, 4 months ago
Selected Answer: A
You can assign the policy to RG - "Allow locations", then all resources placed in has to meet this requirement. I've checked
upvoted 3 times
Snownoodles
2 years, 10 months ago
This question applies "Allowed locations for resource groups", not "Allow locations". So the answer should be "No"
upvoted 2 times
...
...
TariqKipkemei
3 years, 5 months ago
Answer is correct as at 24/Jan/2022. From portal ,I created a resource group in South Africa north and assigned it 'allowed locations' policy restricted to South Africa north. I then tried to create a vm in EastUS but got a validation failed message due to the policy restriction.
upvoted 11 times
...
Eitant
3 years, 6 months ago
Selected Answer: B
The policy will enforce the resource group location but not the resources inside it. You can create a RG in one region and resources in another region.
upvoted 2 times
JayBee65
3 years ago
Nonesense. "Assignments are inherited by all child resources. This design means that a definition applied to a resource group is also applied to resources in that resource group. However, you can exclude a subscope from the assignment." https://docs.microsoft.com/en-us/azure/governance/policy/overview
upvoted 2 times
...
...
student22
3 years, 8 months ago
B - No --- Need to enforce the resource location, not resource group location.
upvoted 2 times
...
tteesstt
3 years, 8 months ago
Answer is Yes. The following is available policy in Azure: Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.
upvoted 3 times
...
tteesstt
3 years, 8 months ago
Policy on Resource Group location does not affect where you can deploy your resources to. Answer is no.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel