It should be RG4 on the first box, and RG4 and RG6 on the second box

Box 1: RG6 only - The policy does not allow the creation of virtual networks/subnets in RG5. Only NSGs can be created in RG4. RG4 allows only NSG, so No VNET allowed RG5 prevents from NSG creation and from Subnet, so supposed VNET (even without subnet) is KO RG6 excludes only NetworkPeerings so it's OK as he has the owner role Box 2: RG4 and RG6 only - The policy does not allow the creation of NSGs in RG5. RG4 allows only NSG, so OK RG5 prevents from NSG creation, so KO RG6 excludes only NetworkPeerings so it's OK for NSG as he has the owner role

Let’s analyze one by one for the boxes. RG4 has policy definition that has Allowed Resource Type value that only allows Resource Type which is newtorkSecurityGroups that is why inside RG4 besides Network Security group we can not create any other resource. RG5, has NotAllowedResourceType which does not allow to create virtual network subnet inside the resource group, however question in box-1 one asks about can we create vnet ? Yes, we can but we will create it without subnet when we create vnet in the portal near to the name of Default Subnet there is delete icon as well we can delete it and create vnet without subnet. However inside this RG5 we will not able to create network security group as we see this is also in the not allowed resource type for this resource group.

Box1:5,6 --> Not allowed resource types:virtualNetworks/subnets. This will not allow us to create any subnet. Hence from the Azure portal, we can create any VNet inside WhizlabRg5 with reason:when we create a VNet from azure portal, by default, a subnet is created.But we can create a VNet without any subnet from CLI o PowerShell

In exam 1/28/24

Box1: RG5, RG6 Creating a subnet is optional when creating a VNET. You can create only the VNET and the policy will allow it. Tested in lab.

Explanation: Box 1: RG6 only - The policy does not allow the creation of virtual networks/subnets in RG5. Only NSGs can be created in RG4. Box 2: The policy does not allow the creation of NSGs in RG5.

Answers are correct.

Answer for Box 1 should be: RG5 and RG6 only. Explanation: - RG4: Policy allows creation of NSGs, but nothing else. - RG5: Policy does NOT allow creation of NSGs and specifically subnets, but allows creation of other resources including VNets. - RG6: Policy does NOT allow creation of VNet Peering, but allows creation of other resources. Answer for Box 2 should be: RG4 and RG6 only. Explanation: - RG4: Policy allows creation of NSGs, but nothing else. - RG5: Policy does NOT allow creation of NSGs and subnets, but allows creation of other resources. - RG6: Policy does NOT allow creation of VNet Peering, but allows creation of other resources including NSGs.

It should be RG4 and RG6 for both, For creating the VNet, While the policy allows the creation and management of network security groups in RG4, it does not directly address the creation of virtual networks. Therefore, the creation of virtual networks should be allowed by default in RG4. For RG6, the policy specifically prohibits the creation or modification of virtual network peerings but It does not mention anything about the creation of virtual networks themselves. As there is no explicit restriction on the creation of virtual networks, the creation of virtual networks should be allowed in RG6. For the second part, creation of Network security group only being denied on RG5 and it's allowed for both RG4 and RG6.

in exam 20.05.2023

1. RG6 only 2. RG4 and RG6 https://learn.microsoft.com/en-us/azure/governance/policy/overview#policy-definition - Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list - Not allowed resource types (Deny): Prevents a list of resource types from being deployed.

VNETs: RG6 only NSGs: RG4 and RG6

Box1: 6 only Box2: 4 & 6

#1 is RG4 only, VNETS are allowed, no locks. RG6 is wrong since vnets are not allowed #2 is correct... RG4 & RG6

Allowed resource types: Defines the resource types that you can deploy. Its effect is to deny all resources that aren’t part of this defined list (Allow NSG in RG4, implicit deny RG5, RG6) Not allowed resource types: Prevents a list of resource types from being deployed (Deny NSG in RG5) Box1: RG4, RG5, RG6 Box2: RG4

New-AzResourceGroup -Name TestResourceGroup -Location centralus New-AzVirtualNetwork -Name MyVirtualNetwork -ResourceGroupName TestResourceGroup -Location centralus -AddressPrefix "10.0.0.0/16" The portal requires that you define one subnet when you create a virtual network, even though a virtual network isn't required to have any subnets. https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-network