Hello geraldv,
Thank you for raising this important point. You are correct that Azure Policy does not directly “inject” rules into a network security group (NSG) at the moment of creation. Instead, Azure Policy works through its effects. With a custom policy definition, compliance can be enforced either by denying the creation of NSGs that do not meet the requirement or by automatically remediating NSGs after they are created through the DeployIfNotExists or Modify effects.
This distinction means that Azure Policy does not literally write the deny rule for port 80 inline, but it can still ensure that every NSG ends up compliant through enforcement or remediation. That is why the solution is still considered valid for minimizing administrative effort — once the policy is in place, administrators do not need to manually add rules each time an NSG is created.
We have updated the explanation in the question to reflect this nuance so that it aligns more closely with the official Azure documentation. Thank you again for helping us make this clearer for all learners.
If you have further questions or need additional clarification, please don’t hesitate to contact us.
Best,
Irene @ Tutorials Dojo
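The deny-effect variant described in the reply above could look like the following custom policy definition. This is an added example, not part of the original reply or of Tutorials Dojo's material. The display name and description are constructed, and it assumes the required rule is written inline on the NSG with a single-value `destinationPortRange` of `80` (port ranges and the `destinationPortRanges` array are not matched).

```json
{
  "properties": {
    "displayName": "NSGs must contain an inbound deny rule for port 80 (constructed example)",
    "description": "Illustrative only. Denies creating or updating an NSG that has no inline inbound Deny rule for destination port 80.",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "count": {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                    "equals": "Deny"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                    "equals": "Inbound"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                    "equals": "80"
                  }
                ]
              }
            },
            "equals": 0
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The `count` expression evaluates to 0 when no inline rule satisfies all three conditions, so the request is rejected rather than having a rule written into it. Setting the effect to `audit` instead reports such NSGs as non-compliant without blocking them.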