Describe core infrastructure security services in Azure Flashcards

1
Q

Describe Distributed Denial of Service attacks

A

The aim of a Distributed Denial of Service (DDoS) attack is to overwhelm the resources on your applications and servers, making them unresponsive or slow for genuine users.

The 3 most frequent types of DDoS attacks are:
-Volumetric attacks: these are volume-based attacks that flood the network layer with seemingly legitimate traffic, overwhelming the available bandwidth.
-Protocol attacks: these render a target inaccessible by exhausting server resources with false protocol requests that exploit weaknesses in layer 3 (network) and layer 4 (transport) protocols.
-Resource (application) layer attacks: these attacks target application packets to disrupt the transmission of data between hosts.

2
Q

What is Azure DDoS Protection?

A

It is a service that is designed to help protect your applications and servers by analyzing network traffic and discarding anything that looks like a DDoS attack.

It protects at layer 3 (network layer) and layer 4 (transport layer).

Key benefits provided are:
1.) Always-on traffic monitoring: 24/7
2.) Adaptive real-time tuning
3.) DDoS Protection telemetry, monitoring, and alerting

3
Q

Describe Azure Firewall

A

Azure Firewall is a managed, cloud-based network security service that provides threat protection for your cloud workloads and resources running in Azure.

You can deploy Azure Firewall on any virtual network, but the best approach is to use it on a centralized virtual network. The advantage of this is the ability to centrally exert control over network traffic for all your VNets across different subscriptions.

Azure Firewall is offered in 3 different SKUs: Standard, Premium, and Basic. All of these SKUs provide the following key features:

-Built-in high availability and availability zones
-Network and application level filtering: use IP address, port, and protocol to support fully qualified domain name filtering
-Outbound SNAT and inbound DNAT to communicate with internet resources
-Multiple public IP addresses
-Threat intelligence
-Integration with Azure Monitor

4
Q

Describe the Web Application Firewall

A

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. It can protect against distributed denial of service (DDoS) attacks that occur at the application layer.

5
Q

Describe network segmentation in Azure

A

Think of network segmentation as in an office setting, where HR, sales, and customer service each sit in their own separate area. The same concept applies to corporate IT networks. The main reasons for network segmentation are:
-The ability to group related assets that are part of workload operations.
-Isolation of resources.
-Governance policies set by the organization.

This also supports the Zero Trust model and layered approach to security.

6
Q

Azure Virtual Networks (VNet)

A

Azure Virtual Network (VNet) is the fundamental building block for your organization’s private network in Azure. It enables organizations to segment their network.

7
Q

Describe Azure Network Security Groups (NSGs)

A

Network security groups (NSGs) let you FILTER network traffic to and from Azure resources in an Azure virtual network, such as a virtual machine.

8
Q

Describe inbound and outbound security rules - Network Security Groups (NSGs)

A

By default, an NSG is created with 3 inbound and 3 outbound rules.

Each rule specifies one or more of the following:
-Name: Every rule needs a unique name describing its purpose.
-Priority: Rules are processed in priority order, with lower numbers processed before higher numbers.
-Source or destination: Specify either an individual IP address or an IP address range, service tag, or application security group.
-Protocol: What network protocol will the rule check?
-Direction: Whether the rule should be applied to inbound or outbound traffic.
-Port range: You can specify an individual port or a range of ports.
-Action: Decide what will happen when this rule is triggered.

Descriptions for the default inbound rules are as follows:
-In summary, any virtual network subnet or network interface card to which this NSG is assigned will only allow inbound traffic from an Azure Virtual Network or an Azure load balancer. All other inbound network traffic is denied.

9
Q

What is the difference between Network Security Groups (NSGs) and Azure Firewall?

A

They both protect Virtual Network resources. The Azure Firewall service complements network security group functionality. Together, they provide better “defense-in-depth” network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network and application-level protection across different subscriptions and virtual networks.

10
Q

Describe Azure Bastion

A

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. It is a PaaS service.

Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network and peered virtual networks.

Key benefits of Azure Bastion:
-RDP and SSH directly in the Azure portal.
-Remote sessions over Transport Layer Security (TLS) and firewall traversal for RDP/SSH.
-No public IP required on the Azure VM.
-No hassle managing NSGs.
-Protection against port scanning.
-Hardening in one place to protect against zero-day exploits.

11
Q

Describe Azure Key Vault

A

Azure Key Vault is a cloud service for securely storing and accessing secrets.

Azure Key Vault helps solve the following problems:
-Secret management: you can use Key Vault to store securely and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
-Key Management: It makes it easier to create and control the encryption keys used to encrypt your data.
-Certificate management: It lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and internally connected resources.
