Microsoft Azure Administrator (AZ104) Practice Exam



What can be done to automatically block TCP port 8080 between virtual networks in Azure?

  1. Assign a built-in policy definition to the subscription

  2. Create a network security group

  3. Implement Azure Firewall

  4. Connect the networks using virtual network peering

The correct answer is: Assign a built-in policy definition to the subscription

To automatically block TCP port 8080 between virtual networks in Azure, assigning a built-in policy definition to the subscription is the most effective approach. Azure Policy lets you manage your Azure resources by defining rules and effects for them. A built-in policy can be tailored to enforce security measures, including blocking specific ports across virtual networks. When this policy is assigned to a subscription, it can ensure compliance and prevent traffic on the specified TCP port across the specified networks without requiring manual configuration for each resource.

Using network security groups (NSGs) is also a common method for controlling inbound and outbound traffic at the network interface level or subnet level. However, while you can create rules to block port 8080 within an NSG, managing this across multiple networks in a cohesive manner becomes complex and less automated compared to the centralized governance of Azure Policy.

Implementing Azure Firewall would provide a robust solution for managing network security, including blocking specific ports; however, it represents a more sophisticated and potentially costly option compared to simply leveraging Azure Policy.

Connecting networks using virtual network peering does not directly help in managing network traffic or restrictions between networks. It mainly lets resources in the two networks communicate directly, which could be counterproductive if the goal is to block certain