
Microsoft AZ-104 Exam - Topic 3 Question 129 Discussion

Actual exam question for Microsoft's AZ-104 exam
Question #: 129
Topic #: 3

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You configure a custom policy definition, and then you assign the Azure policy to the subscription.

Does this meet the goal?

Suggested Answer: A

In Azure, Azure Policy is a governance tool used to enforce organizational standards and assess compliance across Azure resources. It allows administrators to define and assign policy definitions that automatically audit, deny, or modify resource configurations at deployment or runtime.

In this scenario, the requirement is that every time a Network Security Group (NSG) is created, it should automatically contain a rule that blocks TCP port 8080 traffic between virtual networks.

The Microsoft Azure Policy documentation confirms that you can create a custom policy definition using the Microsoft.Network/networkSecurityGroups/securityRules resource type. Within the policy's JSON definition, you can specify conditions such as:

- The resource type to which the policy applies (networkSecurityGroups).
- The policy effect (deny or deployIfNotExists).
- The required configuration, such as a specific inbound or outbound rule (in this case, a rule denying TCP 8080).

By using the DeployIfNotExists effect in the policy, Azure automatically ensures that the NSG includes the required rule. If the rule does not exist, Azure deploys it automatically during resource creation.

Assigning this custom policy definition at the subscription level ensures it is inherited by all resource groups and applies to all virtual networks created in that subscription. This meets the goal because the requirement is to enforce a security configuration across all NSGs, regardless of which resource group or virtual network they belong to.

Therefore, configuring and assigning a custom Azure Policy to the subscription fully satisfies the requirement.
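
The custom definition described above could look like the following. This is an added example, not Microsoft's or this site's own policy. The rule name, priority 100, the Inbound direction, the VirtualNetwork service tag as source and destination, the API version and the Network Contributor role ID are assumptions.

```json
{
  "properties": {
    "displayName": "Deploy deny rule for TCP 8080 between virtual networks on every NSG",
    "description": "Added example. Rule name, priority and direction are assumed values.",
    "mode": "All",
    "policyRule": {
      "if": { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Network/networkSecurityGroups/securityRules",
          "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],
          "existenceCondition": {
            "allOf": [
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Deny" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/protocol", "equals": "Tcp" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "VirtualNetwork" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationAddressPrefix", "equals": "VirtualNetwork" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "equals": "8080" }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": { "nsgName": { "value": "[field('name')]" } },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": { "nsgName": { "type": "string" } },
                "resources": [{
                  "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                  "apiVersion": "2023-09-01",
                  "name": "[concat(parameters('nsgName'), '/Deny-TCP-8080-VNet-to-VNet')]",
                  "properties": {
                    "priority": 100, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
                    "sourceAddressPrefix": "VirtualNetwork", "sourcePortRange": "*",
                    "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "8080"
                  }
                }]
              }
            }
          }
        }
      }
    }
  }
}
```

A deployIfNotExists assignment needs a managed identity holding the listed role, and NSGs that existed before the assignment are only changed by a remediation task. The VirtualNetwork service tag also matches traffic inside a single virtual network, so this rule is broader than "between the virtual networks".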


Contribute your Thoughts:

Charlesetta
5 days ago
This sounds similar to a practice question we did on Azure policies. I remember that assigning the policy to the subscription level should apply it to all resources, but I’m not 100% confident.
upvoted 0 times
...
Sage
10 days ago
I think creating a custom policy definition could work, but I'm not entirely sure how to ensure it specifically targets TCP port 8080 across all virtual networks.
upvoted 0 times
...
Doretha
15 days ago
I'm a little confused about how the policy will interact with the existing NSGs. Do we need to do anything special to make sure it applies to all the NSGs, or will it just work automatically? I'd want to test this out in a non-production environment first to be sure.
upvoted 0 times
...
Selma
20 days ago
Sounds good to me. As long as the policy definition is correct, assigning it to the subscription should do the trick. I'd double-check the policy to ensure it's blocking the right traffic, but this seems like a straightforward way to meet the requirement.
upvoted 0 times
...
Desire
25 days ago
Okay, let me think this through. We need to block port 8080 between the VNets, and the solution says to use a custom policy definition. I'd start by reviewing the policy definition to make sure it's set up properly, then assign it to the subscription as described.
upvoted 0 times
...
Reita
1 month ago
Hmm, I'm a bit unsure about this. Wouldn't we need to create the NSGs first, and then apply the policy to those? I'm not sure if the policy can create the NSGs automatically.
upvoted 0 times
...
Amie
1 month ago
This seems like a straightforward policy assignment to block port 8080 traffic between the VNets. I'd review the policy definition to ensure it's configured correctly, then assign it to the subscription.
upvoted 0 times
...
