Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?
A.
B.
Answer: B
You should use a policy definition.
A resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
No, unregistering the Microsoft.ClassicNetwork provider does not meet the goal of automatically blocking TCP port 8080 between virtual networks when an NSG is created.
Unregistering the Microsoft.ClassicNetwork provider would only affect classic (ASM) virtual networks, which are a deprecated technology and no longer recommended for new deployments. It would not have any impact on the newer Azure Resource Manager (ARM) virtual networks, which are the recommended way of creating virtual networks in Azure.
To automatically block TCP port 8080 between virtual networks when an NSG is created, you can use Azure Policy. Specifically, you can create a custom policy that checks for NSGs that allow traffic on port 8080 between virtual networks and denies the creation of any new NSGs that meet those criteria. This would ensure that any NSGs created in the subscription would automatically comply with the desired rule.
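A sketch of the custom policy described above, as an added example rather than Microsoft's or the original page's definition. It assumes a deny effect on any NSG with an Allow rule for TCP 8080 regardless of source, matches only the exact port or `*` (a range such as `8000-9000` is not caught), and the alias names should be confirmed against the aliases available in your subscription before assignment.

```json
{
  "properties": {
    "displayName": "Deny NSGs that allow TCP 8080 (constructed example)",
    "description": "Added illustration; verify aliases before use.",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "count": {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                    "equals": "Allow"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].protocol",
                    "in": ["Tcp", "*"]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                        "in": ["8080", "*"]
                      },
                      {
                        "not": {
                          "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]",
                          "notIn": ["8080", "*"]
                        }
                      }
                    ]
                  }
                ]
              }
            },
            "greater": 0
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assigning the definition at subscription scope covers NSGs created in any of the resource groups that host the virtual networks.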