HOTSPOT -
You assign User8 the Owner role for RG4, RG5, and RG6.
In which resource groups can User8 create virtual networks and NSGs by using the Azure portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Box 1: RG6 only -
The policy does not allow the creation of virtual networks/subnets in RG5. Only NSGs can be created in RG4.
Box 2: The policy does not allow the creation of NSGs in RG5.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
It should be RG4 on the first box, and RG4 and RG6 on the second box
In RG4 only allowed resrource type is NSG which is not a requirement in first box. R6 is the right answer.
Correct. Guys look at the Policy definition for RG6. Not allowed resource types is: virtualNetworks/virtualNetworkPeerings So for Box1: It is: RG4 only As most of you also mention RG5 has not allowed resource types: vitrualNetowkrs/subents Same goes for RG6 on the resource type section.
Box1: RG5, RG6 Creating a subnet is optional when creating a VNET. You can create only the VNET and the policy will allow it. Tested in lab.
Box 1: RG6 only - The policy does not allow the creation of virtual networks/subnets in RG5. Only NSGs can be created in RG4. RG4 allows only NSG, so No VNET allowed RG5 prevents from NSG creation and from Subnet, so supposed VNET (even without subnet) is KO RG6 excludes only NetworkPeerings so it's OK as he has the owner role Box 2: RG4 and RG6 only - The policy does not allow the creation of NSGs in RG5. RG4 allows only NSG, so OK RG5 prevents from NSG creation, so KO RG6 excludes only NetworkPeerings so it's OK for NSG as he has the owner role
Box1: RG5, RG6 Creating a subnet is optional when creating a VNET. You can create only the VNET and the policy will allow it. Tested in lab.
1. RG6 only 2. RG4 and RG6 https://learn.microsoft.com/en-us/azure/governance/policy/overview#policy-definition - Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list - Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
Gotten this in May 2023 exam.
VNETs: RG6 only NSGs: RG4 and RG6
In exam 1/28/24
Allowed resource types: Defines the resource types that you can deploy. Its effect is to deny all resources that aren’t part of this defined list (Allow NSG in RG4, implicit deny RG5, RG6) Not allowed resource types: Prevents a list of resource types from being deployed (Deny NSG in RG5) Box1: RG4, RG5, RG6 Box2: RG4
Box1: 6 only Box2: 4 & 6
in exam 20.05.2023
Answer for Box 1 should be: RG5 and RG6 only. Explanation: - RG4: Policy allows creation of NSGs, but nothing else. - RG5: Policy does NOT allow creation of NSGs and specifically subnets, but allows creation of other resources including VNets. - RG6: Policy does NOT allow creation of VNet Peering, but allows creation of other resources. Answer for Box 2 should be: RG4 and RG6 only. Explanation: - RG4: Policy allows creation of NSGs, but nothing else. - RG5: Policy does NOT allow creation of NSGs and subnets, but allows creation of other resources. - RG6: Policy does NOT allow creation of VNet Peering, but allows creation of other resources including NSGs.
Answers are correct.
Box1:5,6 --> Not allowed resource types:virtualNetworks/subnets. This will not allow us to create any subnet. Hence from the Azure portal, we can create any VNet inside WhizlabRg5 with reason:when we create a VNet from azure portal, by default, a subnet is created.But we can create a VNet without any subnet from CLI o PowerShell
Sorry, Box 1:Only 6 because the question specify from Azure portal, no CLI or PowerShell
Let’s analyze one by one for the boxes. RG4 has policy definition that has Allowed Resource Type value that only allows Resource Type which is newtorkSecurityGroups that is why inside RG4 besides Network Security group we can not create any other resource. RG5, has NotAllowedResourceType which does not allow to create virtual network subnet inside the resource group, however question in box-1 one asks about can we create vnet ? Yes, we can but we will create it without subnet when we create vnet in the portal near to the name of Default Subnet there is delete icon as well we can delete it and create vnet without subnet. However inside this RG5 we will not able to create network security group as we see this is also in the not allowed resource type for this resource group.
RG6, inside this resource group except vnet peering we will be able to create to vnet and network security groups as. Based on that the answer for the first box will be. RG5, RG6. For the second box answer will be RG4, RG6. Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. BOX-1 RG5/RG6 BOX-2 RG4/RG6 BR
#1 is RG4 only, VNETS are allowed, no locks. RG6 is wrong since vnets are not allowed #2 is correct... RG4 & RG6
It should be RG4 and RG6 for both, For creating the VNet, While the policy allows the creation and management of network security groups in RG4, it does not directly address the creation of virtual networks. Therefore, the creation of virtual networks should be allowed by default in RG4. For RG6, the policy specifically prohibits the creation or modification of virtual network peerings but It does not mention anything about the creation of virtual networks themselves. As there is no explicit restriction on the creation of virtual networks, the creation of virtual networks should be allowed in RG6. For the second part, creation of Network security group only being denied on RG5 and it's allowed for both RG4 and RG6.
Explanation: Box 1: RG6 only - The policy does not allow the creation of virtual networks/subnets in RG5. Only NSGs can be created in RG4. Box 2: The policy does not allow the creation of NSGs in RG5.
Box1: RG5, RG6 Creating a subnet is optional when creating a VNET. You can create only the VNET and the policy will allow it. Tested in lab.
In Exam20/07/2024