AZ-500 Exam - Question 320


HOTSPOT

You have an Azure subscription named Sub1 that contains the resource groups shown in the following table.

You create the Azure Policy definition shown in the following exhibit.

You assign the policy to Sub1.

You plan to create the resources shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion

14 comments
BooMz
Aug 20, 2023

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#conditions The condition states "While match and notMatch are case-sensitive, all other conditions that evaluate a stringValue are case-insensitive. Case-insensitive alternatives are available in matchInsensitively and notMatchInsensitively." This shows that the "notContains" as a string comparison is actually case-INSENSITIVE. The other thing we have to look at is if (not same region of RG). This sums up, if we look at another perspective, is if (RG same region AND contains "obj") -> accept else -> deny Therefore the answer should be Y N Y

hb0011
Jan 1, 2024

This is the one

achechen
Jul 3, 2024

AND = allOf, OR = anyOf. So, YYY
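
Added example, not part of any comment or of the original question: a toy Python model of the rule as the comments in this thread describe it (anyOf over a location notEquals check and a name notContains "obj" check, effect deny), with case-insensitive string comparison per the documentation quoted above. The function names, the sample resources and the allOf contrast are assumptions for illustration; this is not Azure's evaluation engine and it does not model how a resource group itself is evaluated.

```python
# Toy model of the rule shape discussed in this thread; not Azure's engine.
# Assumed rule (from the comments): deny if anyOf
#   location notEquals resourceGroup().location, name notContains "obj".

def not_equals(value, target):
    # String conditions other than match/notMatch ignore case (quoted docs).
    return value.casefold() != target.casefold()

def not_contains(value, needle):
    return needle.casefold() not in value.casefold()

def evaluate(resource, rg_location, operator="anyOf"):
    """Return (effect, true_conditions) for the assumed deny rule."""
    results = {
        "location notEquals resourceGroup().location":
            not_equals(resource["location"], rg_location),
        'name notContains "obj"':
            not_contains(resource["name"], "obj"),
    }
    true_conditions = [label for label, hit in results.items() if hit]
    # anyOf is a logical OR, allOf a logical AND, over the conditions.
    combine = any if operator == "anyOf" else all
    effect = "deny" if combine(results.values()) else "allow"
    return effect, true_conditions

# Constructed sample requests: (resource, location of its resource group).
SAMPLES = [
    ({"name": "IPobject-demo", "location": "eastus"}, "eastus"),
    ({"name": "OBJ-demo", "location": "westus"}, "westus"),
    ({"name": "vnet-demo", "location": "westus"}, "westus"),
    ({"name": "obj-demo", "location": "westus"}, "eastus"),
]

if __name__ == "__main__":
    for resource, rg_location in SAMPLES:
        for operator in ("anyOf", "allOf"):
            effect, why = evaluate(resource, rg_location, operator)
            print(f"{resource['name']:14} {operator:6} {effect:6} {why}")
```

With anyOf, a request is allowed only when every condition is false, which is why a single mismatch (wrong region or a name without "obj") is enough to deny.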

Yesvanth1
Jun 29, 2023

Tested in lab. All are yes. Policy says: If anyof, meaning condition 1 or 2. If 1 or 2 is satisfied, the policy will block. 1) Location of resource must be the same as the RG. 2) Name of resource must contain obj/OBJ. If any of these are not satisfied, the policy will block. For options 1 and 3 - Location is the same as the RG and the name contains obj/OBJ, so Yes. For option 2 - the policy can't evaluate location for a resource group, so the policy is not valid and will not evaluate for name either. So even if you put the name as obj/OBJ or anything like "test", you can create the RG. So Yes. Answer: YYY

Ofenomeno
Jul 28, 2023

- The question has notContains and NOT Contains
- "if anyof" so only one of the conditions needs to be matched on to deny
1 and 3 are in the same location as the RGs they are in and contain obj so Y
2 is not in the same location as the RG so even if it contains obj it will be N
YNY

AbdallaAM
Sep 6, 2023

Azure Policy is generally case-insensitive, including the notContains operator. This means that, in most situations, the policy will evaluate without considering the case of the characters.

billo79152718
May 22, 2023

Not sure about this one!

billo79152718
May 22, 2023

IPobject1 is a Public IP address and OBJ3 is a Virtual Network. In that case it makes sense. So I will go with the given answer being correct.

Alexbz
May 27, 2023

Answer is correct. The mode is set to "All," which suggests that the rule applies to all cases. The first condition checks the value of the "location" field and compares it to the location of the resource group. If the two values are not equal, the condition is satisfied. The second condition checks the value of the "name" field and verifies that it does not contain the substring "obj." If either of these conditions is met, the action specified in the "then" block will be executed which means the action will be denied. IProject1 > East US , RG2 > East US then the condition is not satisfied means "Yes" to IProject1. obj1 >> contains obj >> second condition satisfied means "NO" to obj1 OBJ3 and RG1 both are in West US, none of the conditions are satisfied. Means "Yes" to OBJ3

rudyydmitrij
May 31, 2023

It's IPobject, not IProject, so it contains obj

Alexbz
Jun 29, 2023

You're right! My bad. Then the answer should be NO,NO,Yes.

BooMz
Jul 9, 2023

Shouldn't IPobject1 be yes since it contains "obj"?

heatfan900
Aug 6, 2023

THE QUESTION STATES IF IT DOES NOT CONTAIN EITHER OBJ OR A RG GROUP THEN DENY. ONLY #2 MATCHES THAT RULE. Y,N,Y

rudyydmitrij
May 31, 2023

All of the objects contain "obj", so if the policy is applied at the Sub1 level, it's all "No"

tsaad
Jun 4, 2023

All are No. Simply because field names are case-insensitive, so OBJ is obj is IPobject, and since anyof the conditions matches, all are No.

ITTesters
Jun 16, 2023

Only the match selectors are case-sensitive; https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azpolicyassignment?view=azps-10.0.0#example-1-policy-assignment-at-subscription-level

vcloudpmp
Aug 18, 2023

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
The mode determines which resource types are evaluated for a policy definition. The supported modes are:
- all: evaluate resource groups, subscriptions, and all resource types
- indexed: only evaluate resource types that support tags and location
For example, resource Microsoft.Network/routeTables supports tags and location and is evaluated in both modes. However, resource Microsoft.Network/routeTables/routes can't be tagged and isn't evaluated in Indexed mode. We recommend that you set mode to all in most cases.

hfk2020
Oct 7, 2023

Tested in the lab, it's YNN

hfk2020
Dec 20, 2023

Apologies, tested again: all 3 are yes

_punky_
Oct 9, 2023

notContains: The notcontains comparison in Azure Policy is case-insensitive YNY

Strive_for_greatness_kc
Jan 20, 2024

YNY (Answer is correct). 1 & 3: IpObject1 contains obj and is located in the same region as the RG. Same for OBJ3 (plus contains is case-insensitive). 2: We can create obj1 because there isn't any RG to check the location.

scottyboy23
Jul 15, 2024

exam 20240715