
AZ-500: How Can You Enforce Data Residency and Sovereignty in Azure Using Azure Policy?

Why Is Azure Policy the Best Way to Restrict Deployments to Specific Azure Regions?

Learn how to enforce data residency and sovereignty, a topic covered on the AZ-500 exam, using Azure Policy’s “Allowed locations” policy. Restricting resource deployment to approved Azure regions is how you meet compliance and data sovereignty requirements.

Question

You can enforce data residency and sovereignty using which of the following?

A. Azure Security Center
B. Azure Policy
C. Azure Storage Encryption
D. Azure Automation

Answer

B. Azure Policy

Explanation

The correct answer is B. Azure Policy is the native Azure governance service designed to enforce organizational standards and compliance, making it the correct tool for enforcing data residency and sovereignty by restricting resource deployment to specific geographic locations.

Azure Policy enables you to configure an “allowed locations” policy to limit deployment to your approved Azure regions only.

How Azure Policy Enforces Data Residency

Azure Policy allows administrators to create, assign, and manage policies that enforce rules over resources. To address data residency and sovereignty, the key feature is the “Allowed locations” policy definition.

  • What it does: This built-in policy definition lets you specify an allow list of Azure regions in which users in your organization are permitted to deploy resources.
  • Enforcement: Once the policy is assigned, any attempt to create a resource in a region that is not on the allowed list is rejected by Azure Resource Manager before the deployment begins. This is proactive, preventative enforcement rather than after-the-fact detection.
  • Implementation: An administrator assigns the “Allowed locations” policy to a scope such as a management group or subscription. During assignment, they supply the list of approved regions (e.g., “Germany West Central,” “Germany North”). All child scopes and resources inherit the assignment, so new deployments are kept within the approved geographic boundaries; resources that already existed outside those regions are reported as non-compliant rather than moved or deleted.
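The “Allowed locations” rule described above, with a minimal local evaluator, as an added example (not code from this page or from Microsoft): the policy rule has the same shape as Azure’s built-in definition, while the evaluator is a simplified stand-in for Azure Resource Manager that checks constructed deployment requests against the region list an administrator would supply at assignment time. The operator subset, the case-folding of values and the sample requests are assumptions made for the example.

```python
import json

# Same shape as Azure's built-in "Allowed locations" rule: deny a resource whose
# location is outside the assigned list, except resources that are inherently
# "global". Embedded for local illustration; Azure evaluates the real rule in ARM.
ALLOWED_LOCATIONS_RULE = json.loads("""
{
  "if": {
    "allOf": [
      {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
      {"field": "location", "notEquals": "global"},
      {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"}
    ]
  },
  "then": {"effect": "deny"}
}
""")

# Subset of Azure Policy condition operators, enough to evaluate this rule.
_OPS = {"in": lambda a, e: a in e, "notIn": lambda a, e: a not in e,
        "equals": lambda a, e: a == e, "notEquals": lambda a, e: a != e}

def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the assigned parameter value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def _matches(cond, resource, params):
    """Evaluate one condition; string comparisons are case-insensitive (assumed)."""
    actual = str(resource.get(cond["field"], "")).lower()
    op = next(k for k in _OPS if k in cond)
    expected = _resolve(cond[op], params)
    expected = [e.lower() for e in expected] if isinstance(expected, list) else expected.lower()
    return _OPS[op](actual, expected)

def evaluate(resource, params, rule=ALLOWED_LOCATIONS_RULE):
    """Return "deny" when every allOf condition matches, else "allow"."""
    if all(_matches(c, resource, params) for c in rule["if"]["allOf"]):
        return rule["then"]["effect"]
    return "allow"

# Constructed requests, plus the parameter an admin supplies at assignment time.
ASSIGNMENT_PARAMS = {"listOfAllowedLocations": ["germanywestcentral", "germanynorth"]}
SAMPLE_REQUESTS = {
    "vm-in-germany": {"type": "Microsoft.Compute/virtualMachines", "location": "germanywestcentral"},
    "storage-in-westus": {"type": "Microsoft.Storage/storageAccounts", "location": "westus"},
    "trafficmanager-global": {"type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
}
```

Running `evaluate` over `SAMPLE_REQUESTS` denies only the West US storage account; the global Traffic Manager profile passes because the rule deliberately exempts region-less resources.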

Why Other Options Are Incorrect

A. Azure Security Center (Microsoft Defender for Cloud): This service assesses your security posture and provides recommendations. It might recommend that you limit resource locations, but it does not have the power to enforce this rule at the time of deployment. Its role is advisory and detective, not preventative.

C. Azure Storage Encryption: This feature protects data at rest by encrypting it. While a critical security control, it is entirely unrelated to controlling the physical location where the data is stored. Data can be encrypted in any region.

D. Azure Automation: This service is used to automate operational tasks using runbooks. While you could write a complex script to periodically scan for and delete non-compliant resources, this is a reactive, inefficient, and error-prone approach. Azure Policy provides native, real-time enforcement, which is the correct and recommended method.
