Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You manage an Azure Kubernetes Service (AKS) cluster that uses the Azure CNI network plugin. Workloads from several teams run in separate namespaces. The security team requires that pods be isolated so that traffic between namespaces is blocked unless explicitly allowed. You need to enforce this requirement without modifying the cluster network plugin or the container images. What should you do?
Enable the Azure network policy add-on for the cluster and apply Kubernetes NetworkPolicy objects to each namespace.
Deploy Azure Firewall and route all pod egress traffic through it, adding deny rules for other namespaces.
Enable Microsoft Defender for Cloud for Kubernetes and configure the "Block cross-namespace communication" security policy.
Associate a network security group with each node subnet that blocks traffic between the pod address ranges.
AKS supports Kubernetes network policies through either the Azure network policy manager or Calico. With the Azure CNI network plugin you can enable the Azure network policy add-on (for example, by running "az aks update --network-policy azure") and then apply Kubernetes NetworkPolicy resources that default-deny all traffic and selectively allow approved flows. This provides namespace-level and pod-level isolation inside the cluster. Azure Firewall and NSGs operate at the VNet or subnet boundary and cannot see pod-to-pod traffic that stays on the node's virtual NICs, so they cannot enforce the required isolation. Microsoft Defender for Cloud monitors the cluster and raises alerts but does not block traffic. Therefore, enabling network policies is the only action that meets the requirement.
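The default-deny plus selective-allow pattern the explanation describes, written out as a pair of NetworkPolicy manifests. This is an added illustration, not code from the question or from Microsoft's documentation; the namespace name team-a is assumed, and the CoreDNS pod label k8s-app: kube-dns is the one AKS applies to its CoreDNS deployment.

```yaml
# Constructed example for namespace "team-a" (not from the page).
# 1) Default-deny: selects every pod and lists no allowed peers, so all
#    ingress and egress to/from pods in team-a is dropped once applied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2) Selective allow: pods in team-a may talk to each other and may reach
#    CoreDNS in kube-system on port 53. Pods in any other namespace stay
#    blocked unless a further policy names them explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-dns
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}          # any pod in the same namespace (team-a)
  egress:
  - to:
    - podSelector: {}          # any pod in team-a
  - to:
    - namespaceSelector:       # namespaceSelector AND podSelector in one
        matchLabels:           # entry: only CoreDNS pods in kube-system
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

After applying both manifests, a connection from a pod in another namespace to a team-a pod should time out, while team-a pods can still reach each other and resolve service names; repeating the same pair per namespace gives each team the isolation the question asks for.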
Secure compute, storage, and databases