ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 4 question 121 discussion

Actual exam question from Microsoft's AZ-500
Question #: 121
Topic #: 4
[All AZ-500 Questions]

HOTSPOT
-

You have an Azure subscription named Sub1 that contains two resource groups named RGnet and NET.

You have the Azure Policy definition shown in the following exhibit.



You assign the policy definition to Sub1 and NET.

You plan to deploy the resources shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by danielklein09 at April 24, 2024, 6:18 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Codelawdepp
Highly Voted 1 year, 1 month ago
I explain it as follows (I hope this is correct): Answer: Y Y N You can deploy VNet1 to RGnet = yes, because RGnet includes "net", but it also belongs to "Microsoft.Network/" and is therefore not blocked according to the rule. You can deploy storage1 to NET = yes, because RGnet includes "net", but ASG1 also belongs to "Microsoft.Network/" and is therefore not blocked according to the rule. You can deploy storage1 to RGnet = no, because RGnet includes "net" and storage1 does not belong to "Microsoft.Network/" and is therefore blocked according to the rule.
upvoted 15 times
ITFranz
7 months ago
To support The answer. Application Security Groups (ASGs) in Azure belong to the Microsoft.Network resource provider. ASGs are used to group virtual machines and define network security policies based on those groups, operating at the application layer (Layer 7) of the OSI model Azure storage accounts do not belong to Microsoft.Network roles. Storage accounts are part of the Microsoft.Storage resource provider namespace. Key points: Storage accounts are managed by the Microsoft.Storage resource provider15. The full resource provider namespace for storage accounts is Microsoft.Storage Answer = YYN
upvoted 2 times
...
...
nExoR
Highly Voted 11 months, 1 week ago
policy say: if ResourceGroupName contains 'net' *AND* ResourceType is Network then DENY. A: vnet1 is deployed in RG 'RGnet' and is network: DENY B: ASG is deployed in RG 'NET' and is network type, 'constains' is case-insensitive so both are true: DENY C: SA is not type network N,N,Y
upvoted 8 times
xRiot007
10 months, 2 weeks ago
ResourceType is NOT Network - the prop is "notLike", so your answers are reversed.
upvoted 2 times
...
...
alzdashti
Most Recent 2 months, 2 weeks ago
ANSWER Y Y N The policy has an "allOf" condition with two criteria that must both be true for the policy to deny a deployment: The resource group name contains "net" The resource type is NOT like "Microsoft.Network/*" (using "notLike") When both conditions are met, the effect is "deny".
upvoted 1 times
...
JaridB
1 year, 2 months ago
1. Yes 2. No 3. Yes
upvoted 2 times
...
Pamban
1 year, 2 months ago
It evaluates the resource group name contains "net" and not the resource name. "contains" condition is case-insensitive unless it uses matchInsensitively . therefore answer is Y Y N Link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#conditions
upvoted 3 times
...
Apptech
1 year, 2 months ago
allOf is used to check that ALL conditions (1. name contains "net" / 2. not from type Microsoft.Network) are true. If all conditions are true then the effect is a deny. ASG1 and storage1 don't have names which contain "net". --> Condition1 is false --> then clause does not execute. Vnet1 contains "net" but is from type Microsoft.Network/* But Condition2 says "notlike" Microsoft.Network/* --> for that reason same as before: In all 3 cases not all of the conditions hit and then clause does not get in effect. Y / Y / Y
upvoted 2 times
Pamban
1 year, 2 months ago
It evaluates the resource group name contains "net" and not the resource name. "contains" condition is case-insensitive unless it uses matchInsensitively . therefore answer is Y Y N Link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#conditions
upvoted 5 times
Apptech
1 year, 1 month ago
yes, after reading again I agree. Thx
upvoted 1 times
...
...
...
danielklein09
1 year, 2 months ago
Yes - No - Yes
upvoted 3 times
Apptech
1 year, 1 month ago
Application security group is from type Microsoft.network --> https://learn.microsoft.com/en-us/azure/templates/microsoft.network/applicationsecuritygroups?pivots=deployment-language-bicep
upvoted 3 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel