Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You administer an existing Azure Kubernetes Service (AKS) cluster that uses the Azure CNI network plugin and hosts workloads for several teams. All pods run in the same virtual-network subnet. A new requirement states that pods in the "finance" namespace must accept traffic only from pods in the "billing" namespace; traffic from every other namespace must be blocked. Communication between cluster nodes must remain unchanged. What should you do to meet the requirement?
Associate a user-defined route table to the pod subnet and add a route that drops packets whose source IP range is not assigned to the billing namespace.
Deploy an Azure Firewall in the virtual network and create application rules that allow traffic only from billing namespace pod IP addresses to the finance namespace.
Move finance pods to a separate subnet and configure network security group rules to allow traffic solely from the billing namespace subnet.
Enable Azure network policy on the AKS cluster and apply a Kubernetes NetworkPolicy that allows ingress to finance pods only from the billing namespace and denies other traffic.
AKS supports Kubernetes network policies, which let you allow or block pod-to-pod and namespace-to-namespace traffic without affecting the underlying node subnet or inter-node communication. Because the cluster already uses the Azure CNI plugin, you can enable Azure network policy on the existing cluster (for example, with az aks update --enable-network-policy --network-policy azure). After network policy support is enabled, you deploy a Kubernetes NetworkPolicy resource in the finance namespace that selects the finance pods and permits ingress only from pods in namespaces whose labels match the billing namespace (a namespaceSelector); once a pod is selected by an ingress policy, every source not explicitly allowed is denied. Network security groups, user-defined routes, and Azure Firewall cannot selectively filter traffic between individual pods sharing the same subnet; they operate at the subnet or IP layer and would also disrupt node-level traffic or require unsustainable rule maintenance.
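The NetworkPolicy described above, written out as an added example that is not part of the original question. It assumes the namespaces are literally named finance and billing and relies on the kubernetes.io/metadata.name label that Kubernetes sets automatically on every namespace (1.22 and later); on older clusters you would add your own label to the billing namespace and match that label instead.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-billing-only
  namespace: finance          # the policy lives in the namespace it protects
spec:
  # Empty podSelector selects every pod in the finance namespace.
  podSelector: {}
  # Only ingress is governed; egress from finance pods is left unchanged.
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Match the namespace, not individual pods: any pod in a namespace
        # carrying this label may reach finance pods. Assumes the
        # auto-populated kubernetes.io/metadata.name label (Kubernetes 1.22+).
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: billing
# No other "from" entries exist, so traffic from every other namespace
# (and from outside the cluster) to finance pods is dropped once this
# policy is applied. Node-to-node traffic is unaffected because
# NetworkPolicy applies only to pod traffic.
```

Apply it with kubectl apply -f and confirm enforcement from the defender's side: kubectl describe networkpolicy allow-from-billing-only -n finance should list the single namespaceSelector rule, and a connectivity probe from a pod in a third namespace to a finance service should time out while the same probe from a billing pod succeeds. If the cluster was created without network policy support, the resource is accepted by the API server but silently not enforced, so the az aks update step in the explanation above must be completed first.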
Secure compute, storage, and databases