Exam AZ-305 topic 4 question 11 discussion

Parent policy must be in the same region as child policy! You get this information when creating a Firewall Policy. Parent Policy drop down list only shows policies in the same region. Existing Firewall Policies are located in different regions. To link them to a new parent policy, each region must have a new parent policy => 3 new policies.

Tested in Portal. 1. Created 1 named "Parent" policy in West Europe Created 1 named "Child" policy - in West US - unable to set "Parent" as parent policy. Changed region to West Europe, could directly chose "Parent" as parent. 2. Created second policy named "Parent2" in West US. Went to the "Child" policy, still located in West Europe. Tried to choose Parent policy from the menu. The only parent that showed up was "Parent" also located in West Europe. Conclusion: You can't set a Parent Policy from different region to a child in a given region. Therefore we need 3 different region policies to be set as parents if we do not change the child's regions.

ou can create one global parent Azure Firewall policy that applies mandatory rules across all existing Azure Firewall policies (child policies

The parent policy and the child policy must be in the same region.

Am I the only one that wants to go for C. 2? You create one policy as stated in the text. What is the minimum number of ADDITIONAL (adding onto the one that you already created) policies you need to create?

D is correct

Crappy wording. Create is not deploy. 1 parent policy needs to be created. 1 parent policy needs to be deployed 3 times. But I'll go with D since I have learned to not read into the question what does not already exist. No assumptions can be made that someone is using automation to deploy a single policy 3 times..

B. 1 - You don't need to create three new policies. The existing policies are already in place for each region. The question only asks for a parent policy that manages rules across all regions, so you need to create just one parent policy

I'm so glad this wasn't a question that required mapping actually policy and firewalls and regions - considering the regions are all named differently to the regions they are in

Tested in a LAB. Answer is correct. Root policy must be in the same region as a child policy.

Should not the answer be "0" ? If we update existing firewall policies with global configurations in all three regions then there may not be any need to have parent policy in any region.

Sorry but there isn't a strict requirement for the parent policy to be in the same region as the child policies. The parent policy and child policies can be associated with Azure Firewall instances in different regions. This is one of the benefits of Azure Firewall Manager—it allows you to manage firewall policies across regions from a centralized location.

Hierarchical policies New policies can be created from scratch or inherited from existing policies. Inheritance allows DevOps to create local firewall policies on top of organization mandated base policy. Policies created with non-empty parent policies inherit all rule collections from the parent policy. The parent policy and the child policy must be in the same region. A firewall policy can be associated with firewalls across regions regardless where they are stored: https://learn.microsoft.com/en-us/azure/firewall-manager/policy-overview#hierarchical-policies

B: Firewall Policy is the recommended method to configure your Azure Firewall. It's a global resource that can be used across multiple Azure Firewall instances in Secured Virtual Hubs and Hub Virtual Networks. Policies work across regions and subscriptions.

Should be B. As the global parent policy, all else Hierarchical policies should call local policies, different than we call child of global.

The question states: You need to deploy a new Azure Firewall policy that will contain mandatory rules for all Azure Firewall deployments. The new policy will be configured as a parent policy for the existing policies. It also states that the policies are already created. If you need one for all of them, you only need to create 1, the "Firewall Policy" that is a global resource. Since this works as hub and spoke, you only need one to centrally manage the 3 policies that exist already.

o have the existing policies linked to a new parent policy, each region must have a separate parent policy. Therefore, a minimum of 3 additional Azure Firewall policies would need to be created. The answer is D.