Azure Subscription: Automatically Blocking TCP Port 8080 between Virtual Networks - Exam AZ-100 Solution

Automatically Blocking TCP Port 8080 between Virtual Networks

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You create a resource lock, and then you assign the lock to the subscription.

Does this meet the goal?

Answers

B

Explanations

How can I freeze or lock my production/critical Azure resources from accidental deletion? There is a way to do this with both ASM and ARM resources using Azure resource locks.

https://blogs.msdn.microsoft.com/azureedu/2016/04/27/using-azure-resource-manager-policy-and-azure-lock-to-control-your-azure-resources/

No, the solution provided does not meet the stated goal of automatically blocking TCP port 8080 between virtual networks when an NSG is created.

A resource lock is a setting that can be applied to a resource group or individual resources within a resource group to prevent accidental deletion or modification. It does not provide any network security functionality.

To meet the goal of automatically blocking TCP port 8080 between virtual networks when an NSG is created, you can use Azure Policy with a custom policy definition. Azure Policy is a service that enables you to create, assign, and manage policies to enforce compliance with organizational standards and requirements.

Here are the steps to create a custom policy definition to block TCP port 8080 between virtual networks when an NSG is created:

  1. Sign in to the Azure portal (https://portal.azure.com/).

  2. In the left navigation pane, click on "Policy" under the "Governance" section.

  3. Click on "Definitions" and then click on the "Add" button.

  4. In the "Basics" tab, provide a name for the policy definition and a description (optional).

  5. In the "Policy rule" tab, use the following JSON code as the policy rule definition:

```json
{
  "mode": "All",
  "parameters": {
    "virtualNetworkNamePrefix": {
      "type": "String",
      "metadata": {
        "displayName": "Virtual network name prefix",
        "description": "Security rules in NSGs named '<prefix>-nsg-*' are exempt from the deny"
      }
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
        { "field": "fullName", "notLike": "[concat(parameters('virtualNetworkNamePrefix'), '-nsg-*')]" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules/protocol", "in": [ "Tcp", "*" ] },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "equals": "8080" }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

This policy rule denies the creation of any NSG security rule that allows inbound TCP traffic to port 8080, except for rules in NSGs whose names start with the specified virtual network name prefix followed by "-nsg-".

  6. Click on "Review + create" to review the policy definition and then click on "Create" to create the policy definition.

  7. Once the policy definition is created, click on "Assignments" and then click on the "Assign" button.

  8. In the "Basics" tab of the "Assign policy" page, provide a name for the policy assignment, select the scope of the assignment (e.g., the subscription), and select the policy definition that you created.

  9. Click on "Next: Parameters" and then specify the virtual network name prefix parameter value that you used in the policy rule definition.

  10. Click on "Next: Review + create" and then click on "Create" to create the policy assignment.

After you create the policy assignment, any NSG rule that allows inbound TCP traffic on port 8080 between virtual networks (except for rules that belong to NSGs with names that start with the specified virtual network name prefix) is denied at creation time, so it never takes effect.
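To see what such a deny rule will and will not reject before assigning it, here is an added example (not from the original page or from Microsoft): a small Python evaluator for the condition subset the definition uses, with the deny rule embedded in the script (securityRules child type, name-prefix exemption via `fullName`, protocol check) and run against constructed security-rule requests; `evaluate`, `effect_for`, `security_rule`, `PARAMS` and the prefix value "vnet" are all constructed for this example.

```python
# Added example, not from the original page: an offline evaluator for the Azure Policy
# condition subset used by the port-8080 deny rule (allOf, equals, in, notLike, concat/parameters).
import fnmatch
import re

SR = "Microsoft.Network/networkSecurityGroups/securityRules"
POLICY_RULE = {  # the deny rule's policyRule, with the aliases abbreviated via SR
    "if": {"allOf": [
        {"field": "type", "equals": SR},
        {"field": "fullName", "notLike": "[concat(parameters('virtualNetworkNamePrefix'), '-nsg-*')]"},
        {"field": f"{SR}/access", "equals": "Allow"},
        {"field": f"{SR}/direction", "equals": "Inbound"},
        {"field": f"{SR}/protocol", "in": ["Tcp", "*"]},
        {"field": f"{SR}/destinationPortRange", "equals": "8080"},
    ]},
    "then": {"effect": "deny"}}

def resolve(value, params):
    """Expand the one template form used here: [concat(parameters('p'), 'literal')]."""
    m = re.fullmatch(r"\[concat\(parameters\('(\w+)'\), '([^']*)'\)\]", value)
    return params[m.group(1)] + m.group(2) if m else value

def field_value(resource, field):
    """'type' and 'fullName' are top-level; an alias '<type>/<prop>' reads properties[prop]."""
    if field in ("type", "fullName"):
        return resource[field]
    return resource["properties"].get(field.rsplit("/", 1)[1])

def evaluate(cond, resource, params):
    """Evaluate a condition tree; Azure Policy string comparisons are case-insensitive."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    actual = str(field_value(resource, cond["field"]) or "").lower()
    if "equals" in cond:
        return actual == resolve(cond["equals"], params).lower()
    if "in" in cond:
        return actual in [v.lower() for v in cond["in"]]
    if "notLike" in cond:  # 'like' patterns use * as the only wildcard
        return not fnmatch.fnmatchcase(actual, resolve(cond["notLike"], params).lower())
    raise ValueError(f"unsupported operator in {cond}")

def effect_for(resource, params):
    """'deny' when the 'if' block matches (ARM rejects the request), else None (allowed)."""
    return POLICY_RULE["then"]["effect"] if evaluate(POLICY_RULE["if"], resource, params) else None

def security_rule(nsg, name, **props):
    """Constructed ARM-shaped security-rule request; fullName is '<nsg>/<rule>' as in Policy."""
    return {"type": SR, "fullName": f"{nsg}/{name}", "properties": props}

PARAMS = {"virtualNetworkNamePrefix": "vnet"}  # constructed value for the assignment parameter
```

Running it also exposes the definition's gap: a port range such as "8000-9000" or the `destinationPortRanges` list form does not match `"equals": "8080"`, so rules written that way are not denied.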