AZ-500 Exam - Question 356


HOTSPOT

You have an Azure subscription named Sub1 that contains two resource groups named RGnet and NET.

You have the Azure Policy definition shown in the following exhibit.

Exam AZ-500 Question 356

You assign the policy definition to Sub1 and NET.

You plan to deploy the resources shown in the following table.

Exam AZ-500 Question 356

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Exam AZ-500 Question 356
Correct Answer:
Exam AZ-500 Question 356

Discussion

7 comments
Codelawdepp
Jun 10, 2024

I explain it as follows (I hope this is correct):

Answer: Y Y N

You can deploy VNet1 to RGnet = yes, because RGnet includes "net", but it also belongs to "Microsoft.Network/" and is therefore not blocked according to the rule.

You can deploy storage1 to NET = yes, because RGnet includes "net", but ASG1 also belongs to "Microsoft.Network/" and is therefore not blocked according to the rule.

You can deploy storage1 to RGnet = no, because RGnet includes "net" and storage1 does not belong to "Microsoft.Network/" and is therefore blocked according to the rule.

ITFranz
Dec 8, 2024

To support the answer: Application Security Groups (ASGs) in Azure belong to the Microsoft.Network resource provider. ASGs are used to group virtual machines and define network security policies based on those groups, operating at the application layer (Layer 7) of the OSI model.

Azure storage accounts do not belong to Microsoft.Network roles. Storage accounts are part of the Microsoft.Storage resource provider namespace.

Key points: Storage accounts are managed by the Microsoft.Storage resource provider. The full resource provider namespace for storage accounts is Microsoft.Storage.

Answer = YYN

nExoR
Aug 5, 2024

The policy says: if ResourceGroupName contains 'net' *AND* ResourceType is Network, then DENY.

A: vnet1 is deployed in RG 'RGnet' and is network: DENY
B: ASG is deployed in RG 'NET' and is network type; 'contains' is case-insensitive, so both are true: DENY
C: SA is not type network

N,N,Y

xRiot007
Aug 28, 2024

ResourceType is NOT Network - the prop is "notLike", so your answers are reversed.

danielklein09
Apr 24, 2024

Yes - No - Yes

Apptech
May 13, 2024

Application security group is from type Microsoft.network --> https://learn.microsoft.com/en-us/azure/templates/microsoft.network/applicationsecuritygroups?pivots=deployment-language-bicep

Pamban
May 3, 2024

It evaluates whether the resource group name contains "net", not the resource name. The "contains" condition is case-insensitive unless it uses matchInsensitively. Therefore the answer is Y Y N.

Link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#conditions

Apptech
Apr 30, 2024

allOf is used to check that ALL conditions (1. name contains "net" / 2. not from type Microsoft.Network) are true. If all conditions are true then the effect is a deny. ASG1 and storage1 don't have names which contain "net". --> Condition1 is false --> then clause does not execute. Vnet1 contains "net" but is from type Microsoft.Network/* But Condition2 says "notlike" Microsoft.Network/* --> for that reason same as before: In all 3 cases not all of the conditions hit and then clause does not get in effect. Y / Y / Y

Pamban
May 3, 2024

It evaluates whether the resource group name contains "net", not the resource name. The "contains" condition is case-insensitive unless it uses matchInsensitively. Therefore the answer is Y Y N.

Link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#conditions

Apptech
May 13, 2024

yes, after reading again I agree. Thx

JaridB
May 8, 2024

1. Yes 2. No 3. Yes

alzdashti
Apr 21, 2025

ANSWER: Y Y N

The policy has an "allOf" condition with two criteria that must both be true for the policy to deny a deployment:

The resource group name contains "net"
The resource type is NOT like "Microsoft.Network/*" (using "notLike")

When both conditions are met, the effect is "deny".
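
The rule as the comments above describe it, evaluated over the three deployments. This is an added example, not part of the original thread: the policy JSON and the resource placements are reconstructed from the comments because the exhibit and table are not shown on this page. It assumes `contains` and `notLike` compare case-insensitively and that `*` is the only wildcard.

```python
import re

# Rule reconstructed from the comments above; the exhibit itself is not shown on this page.
POLICY_RULE = {
    "if": {"allOf": [
        {"value": "[resourceGroup().name]", "contains": "net"},
        {"field": "type", "notLike": "Microsoft.Network/*"},
    ]},
    "then": {"effect": "deny"},
}

# Constructed deployments: target resource group and type as the comments describe them.
DEPLOYMENTS = {
    "VNet1": {"resourceGroup": "RGnet", "type": "Microsoft.Network/virtualNetworks"},
    "ASG1": {"resourceGroup": "NET", "type": "Microsoft.Network/applicationSecurityGroups"},
    "storage1": {"resourceGroup": "RGnet", "type": "Microsoft.Storage/storageAccounts"},
}

def like(value, pattern):
    # Case-insensitive match in which '*' is the only wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def operand(cond, resource):
    # Left-hand side of a condition: a resource field, or the one expression modelled here.
    if "field" in cond:
        return resource[cond["field"]]
    if cond.get("value") == "[resourceGroup().name]":
        return resource["resourceGroup"]
    raise ValueError(f"unsupported operand: {cond}")

def matches(cond, resource):
    # Evaluate an 'if' block: allOf plus the two string conditions this rule uses.
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    left = operand(cond, resource)
    if "contains" in cond:
        return cond["contains"].lower() in left.lower()
    if "notLike" in cond:
        return not like(left, cond["notLike"])
    raise ValueError(f"unsupported condition: {cond}")

def can_deploy(resource, rule=POLICY_RULE):
    # Blocked only when every condition matches and the effect is deny.
    return not (matches(rule["if"], resource) and rule["then"]["effect"].lower() == "deny")

if __name__ == "__main__":
    for name, res in DEPLOYMENTS.items():
        print(f"{name} -> {res['resourceGroup']}: {'allowed' if can_deploy(res) else 'denied'}")
```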