Ensure Automatic Blocking of TCP Port 8080 between Azure Virtual Networks - AZ-104 Exam Solution

Automatically Block TCP Port 8080 between Azure Virtual Networks

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You configure a custom policy definition, and then you assign the policy to the subscription.

Does this meet the goal?

Answers

Explanations


A. Yes
B. No

A

A resource policy definition, used by Azure Policy, enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and manage your resources more easily.

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

The solution provided in the scenario may not meet the goal of automatically blocking TCP port 8080 between the virtual networks.

Creating a custom policy definition and assigning it to the subscription will only enforce the policy on resources created in the future and will not retroactively apply the policy to existing resources. It is not clear whether the other administrator will create the NSGs before or after the policy is assigned to the subscription.

Even if the policy is assigned before the NSGs are created, it may not be sufficient to block TCP port 8080 between the virtual networks. The policy would need to specifically target the creation of NSGs and include a rule that blocks TCP port 8080 between the virtual networks.

Therefore, the best solution to automatically block TCP port 8080 between the virtual networks is to use Azure Firewall to create a network rule that blocks traffic on TCP port 8080 between the virtual networks. Azure Firewall is a managed, cloud-based network security service that can provide granular network security policies and is designed to work with virtual networks.

Alternatively, the other administrator could create NSGs with a rule that specifically blocks TCP port 8080 between the virtual networks. However, this would require manual intervention and may not be scalable or enforceable in the long term.
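As an added illustration (not part of the exam answer or of Microsoft's documentation), below is a custom policy definition of the kind the explanation describes: it targets Microsoft.Network/networkSecurityGroups and flags, or rejects, any NSG whose inline security rules contain no Deny rule for TCP 8080 from VirtualNetwork to VirtualNetwork. The aliases are the published Azure Policy aliases for NSG security rules; the parameter name `effect` and its default are choices made for this example.

```json
{
  "mode": "Indexed",
  "parameters": {
    "effect": {
      "type": "String",
      "allowedValues": [ "Audit", "Deny" ],
      "defaultValue": "Deny",
      "metadata": { "description": "Audit only reports; Deny rejects non-compliant NSG create/update requests." }
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
        {
          "count": {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
            "where": {
              "allOf": [
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Deny" },
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].protocol", "in": [ "Tcp", "*" ] },
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "equals": "8080" },
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "equals": "VirtualNetwork" },
                { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix", "equals": "VirtualNetwork" }
              ]
            }
          },
          "equals": 0
        }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
```

Two limits to keep in mind when assigning it to the subscription: the condition only sees rules supplied inline with the NSG resource, so a rule added later as a separate securityRules child resource is not evaluated at NSG creation time, and it only recognises an exact destinationPortRange of "8080", not a port list in destinationPortRanges or a range such as "8000-8100". Because Deny prevents creation rather than adding the missing rule, automatic insertion of the rule itself would need a deployIfNotExists effect with a remediation template, which this example does not include.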