Microsoft Azure Administrator (AZ104) Practice Exam

What configuration must be done to ensure automatic blocking of TCP port 8080 when NSGs are created across multiple virtual networks?

• A. Resource lock configuration
• B. Custom policy definition assignment
• C. Resource Manager registration
• D. Role-based access control settings

The correct answer is: Custom policy definition assignment

To ensure automatic blocking of TCP port 8080 when Network Security Groups (NSGs) are created across multiple virtual networks, a custom policy definition assignment is necessary. Azure Policy provides a way to create, assign, and manage policies that enforce different rules and effects over your resources, helping to guarantee compliance and governance. By defining a custom policy that specifically targets the creation of NSGs, you can set the requirement that TCP port 8080 should be automatically blocked. This policy can be assigned to the appropriate scope, such as a subscription or resource group, ensuring that every time a new NSG is created, it automatically adheres to the defined rules, including block rules for TCP port 8080. This mechanism helps maintain consistent security posture across all virtual networks within the scope of the policy. Other options listed, such as resource lock configuration, resource manager registration, and role-based access control settings, do not serve the specific function of automatically enforcing security rules against NSGs upon their creation. Resource locks prevent accidental deletion or modification but do not influence network security configurations. Role-based access control manages permissions for users and groups but does not enforce security settings within NSGs. Resource Manager registration is related to enabling specific resource types in an environment but is not relevant