
  • Port 80 blocked by default through Policy Question

     Irene-TutorialsDojo updated 5 months ago 3 Members · 4 Posts
  • geraldv

    Member
    September 29, 2025 at 11:19 pm

    The question:

    There is a compliance requirement that port 80 should be automatically blocked between virtual networks whenever a new network security group is created. The solution must minimize administrative effort.

    Answer suggested:

    In this scenario, you can create a custom policy to automatically block port 80 whenever a new network security group is created.

    Your answer suggests “Yes”

    Query

    Can Azure Policy actively inject a “deny” rule during the creation of new NSGs?

    “AllowVNetInBound” would allow Port 80 by default, and so a “deny” rule of higher priority needs to be added.

    For that matter can Azure policy inject any rule into an NSG on creation of an NSG?

    Thanks in advance for your feedback.

  • samabc

    Member
    September 30, 2025 at 10:01 am

    Good catch. I felt suspicious of this question but didn’t check it. I plugged the question into perplexity.ai and it says “…While Azure Policy is effective for auditing and ensuring that NSGs exist or checking their settings, it cannot dynamically inject or enforce specific NSG rules (like denying port 80) at creation or update time.”

  • geraldv

    Member
    September 30, 2025 at 7:06 pm

    Thanks, that would mean the answer should be “No” as it is not the solution.
    The problem is, if this question came from an actual exam question, then what was the correct answer for the exam?

    • Irene-TutorialsDojo

      Administrator
      October 7, 2025 at 1:07 pm

      Hello geraldv,

      Thank you for raising this important point. You are correct that Azure Policy does not directly “inject” rules into a network security group (NSG) at the moment of creation. Instead, Azure Policy works through its effects. With a custom policy definition, compliance can be enforced either by denying the creation of NSGs that do not meet the requirement or by automatically remediating NSGs after they are created through the DeployIfNotExists or Modify effects.

      This distinction means that Azure Policy does not literally write the deny rule for port 80 inline, but it can still ensure that every NSG ends up compliant through enforcement or remediation. That is why the solution is still considered valid for minimizing administrative effort — once the policy is in place, administrators do not need to manually add rules each time an NSG is created.

      We have updated the explanation in the question to reflect this nuance so that it aligns more closely with the official Azure documentation. Thank you again for helping us make this clearer for all learners.

      If you have further questions or need additional clarification, please don’t hesitate to contact us.

      Best,

      Irene @ Tutorials Dojo
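One way to write the first option Irene describes (deny the creation of NSGs that do not meet the requirement), as an added example that is not from this thread or from Tutorials Dojo: a custom Azure Policy definition that rejects any network security group whose securityRules contain no inbound Deny rule for destination port 80 from the VirtualNetwork tag. The display name and description are made up; the field paths are the standard Microsoft.Network/networkSecurityGroups aliases.

```json
{
  "properties": {
    "displayName": "Require an inbound Deny rule for port 80 on NSGs (hypothetical)",
    "description": "Rejects a network security group unless at least one security rule denies inbound port 80 from the VirtualNetwork tag.",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "count": {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
              "where": {
                "allOf": [
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Deny" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "equals": "VirtualNetwork" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", "equals": "80" }
                ]
              }
            },
            "equals": 0
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Because the where clause matches only destinationPortRange equal to "80", a rule written with destinationPortRanges or a wildcard range is not counted, so widen the match before relying on it. Deny stops non-compliant create and update requests; NSGs that already exist need an audit or a DeployIfNotExists remediation task, as the answer above notes.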
