Describe basic security capabilities in Azure

Question 1

Distributed Denial of Service attacks (DDOS)

Answer 1

• DDoS attacks aim to overwhelm application and server resources, making them unresponsive or slow for legitimate users.
• DDoS attacks target public-facing devices accessible through the internet.
• The three most frequent types of DDoS attacks are volumetric attacks, protocol attacks, and resource/application layer attacks.
• Volumetric attacks flood the network with high volumes of seemingly legitimate traffic, consuming available bandwidth.
• Protocol attacks exploit weaknesses in layer 3 and layer 4 protocols, exhausting server resources with false protocol requests.
• Resource/application layer attacks target web application packets, disrupting data transmission between hosts.
• Volumetric attacks are measured in bits per second, protocol attacks are measured in packets per second.
• DDoS attacks can cause service disruptions, downtime, and financial losses for organizations.
• Organizations should implement DDoS mitigation strategies, such as traffic filtering, rate limiting, and utilizing DDoS protection services or solutions.
• Regular monitoring and incident response planning are essential to quickly detect and mitigate DDoS attacks.

Question 2

Azure DDoS Protection

Answer 2

• Azure DDoS Protection helps protect applications and servers by analysing network traffic and discarding potential DDoS attacks.
• It uses Microsoft’s global network to provide DDoS mitigation capacity in every Azure region.
• Azure DDoS Protection ensures that during an attack, your computing needs can scale to meet demand while managing cloud consumption.
• There are three tiers of Azure DDoS Protection: Default DDoS infrastructure protection, DDoS Network Protection, and DDoS IP Protection.
• Default DDoS infrastructure protection is automatically enabled for all Azure properties at no additional cost, providing always-on traffic monitoring and real-time mitigation of common network-level attacks.
• DDoS Network Protection offers enhanced DDoS mitigation features for specific Azure resources in a virtual network, with logging, alerting, and telemetry capabilities.
• DDoS IP Protection is a pay-per-protected IP model that includes core engineering features and additional value-added services like DDoS rapid response support, cost protection, and discounts on WAF (Web Application Firewall).
• Azure DDoS Protection helps ensure that legitimate customer traffic flows into Azure without interruption, while blocking and mitigating DDoS attack traffic.
• Implementing Azure DDoS Protection can help safeguard applications and servers from the impact of DDoS attacks, ensuring uninterrupted service availability.

Question 3

Azure Firewall

Answer 3

• Azure Firewall is a managed, cloud-based network security service that provides protection for Azure virtual network (VNet) resources.
• It is recommended to deploy Azure Firewall on a centralized virtual network to exert control over network traffic for all VNets across different subscriptions.
• By routing traffic through Azure Firewall, you can centrally manage and apply firewall rules to protect both cloud-based VNets and on-premises networks.
• Azure Firewall allows you to scale up usage to accommodate changing network traffic flows, eliminating the need to budget for peak traffic.
• When traffic is routed through Azure Firewall as the subnet default gateway, it is subject to the configured firewall rules for inspection and filtering.
• Azure Firewall provides a secure and reliable solution for network security, enabling you to protect your resources from attackers and control network traffic across your Azure infrastructure.
• Implementing Azure Firewall can help ensure the security and integrity of your network communications within Azure and between Azure and your on-premises environments.
• It offers features such as network and application-level filtering, threat intelligence integration, and support for high availability and scalability.
• Azure Firewall simplifies network security management by providing a centralized and flexible solution that can adapt to the changing needs of your network environment.

Question 4

key features of Azure Firewall

Answer 4

• Built-in high availability and availability zones ensure that Azure Firewall is highly resilient and can be configured to span multiple availability zones for increased availability.
• Azure Firewall provides both network and application-level filtering, allowing you to control traffic based on IP address, port, protocol, and fully qualified domain names (FQDNs).
• It supports outbound source network address translation (SNAT) and inbound destination network address translation (DNAT) to enable communication between resources in the virtual network and internet destinations.
• Azure Firewall allows you to associate multiple public IP addresses, providing flexibility in your network configuration.
• Threat intelligence-based filtering can be enabled to identify and block traffic from known malicious IP addresses and domains, enhancing the security of your network.
• Integration with Azure Monitor allows you to collect, analyze, and act on telemetry from Azure Firewall logs, enabling effective monitoring and troubleshooting.

Question 5

Web Application Firewall (WAF)

Answer 5

• Web applications are often targeted by malicious attacks that exploit vulnerabilities. Protecting against these attacks solely through application code can be challenging and time-consuming.
• A centralized Web Application Firewall (WAF) provides protection for your web applications by mitigating common exploits and vulnerabilities.
• Using a centralized WAF simplifies security management and allows for quicker response times to security threats.
• With a WAF, you can patch a known vulnerability in one place, rather than securing each individual web application separately.
• A WAF gives application administrators greater confidence in the security of their web applications, as it provides assurance against threats and intrusions.
• The WAF acts as a barrier between the web application and potential attackers, filtering and blocking malicious traffic before it reaches the application.
• By leveraging a WAF, organizations can strengthen their overall security posture and reduce the risk of successful attacks against their web applications.

Question 6

Network segmentation

Answer 6

• Network segmentation involves dividing an organization’s IT network into smaller segments or subnetworks to achieve various objectives.
• Segmentation allows the grouping of related assets and resources that support specific workload operations, improving operational efficiency and organization.
• It enables isolation of resources, maintaining separation and confidentiality between different business groups or departments.
• Network segmentation helps enforce governance policies set by the organization, ensuring compliance and control over network access and operations.
• Segmentation aligns with the Zero Trust model and the concept of assuming breach, emphasizing the need for strong containment measures.
• By placing workloads or parts of a workload into separate segments, organizations can control traffic and secure communication paths.
• If a segment is compromised, network segmentation helps contain the impact, preventing lateral movement and limiting the attacker’s access to the rest of the network.
• Network segmentation strengthens an organization’s security posture by securing interactions between perimeters and preventing attackers from gaining access to an entire workload.
• It supports a defence-in-depth strategy, where multiple layers of security are implemented to provide comprehensive protection against threats.

Question 7

Azure Virtual Network (VNet)

Answer 7

• Azure Virtual Network (VNet) is the foundation for creating a private network in Azure, providing similar functionality to a traditional network in an on-premises data centre.
• VNets offer benefits such as scalability, availability, and isolation due to Azure’s infrastructure.
• Organizations can create multiple VNets per region per subscription, allowing for network segmentation and organization of resources.
• Within each VNet, multiple smaller networks called subnets can be created to further segment resources based on specific requirements.
• By default, VNets provide network-level containment, meaning no traffic is allowed across VNets or inbound to the VNet without explicit provisioning.
• This default behavior gives organizations control over communication between Azure resources within a VNet, as well as connectivity to the internet and on-premises networks.
• Communication between resources in different VNets or with external networks can be configured through explicit provisioning, providing flexibility and control over network connectivity.
• Azure VNets support a variety of network features such as virtual network peering, network security groups, and virtual private network (VPN) gateways.
• VNets can be connected to on-premises networks using Azure ExpressRoute or VPN connections, enabling hybrid network architectures.
• Azure VNets play a crucial role in enabling secure and efficient networking within the Azure cloud environment, allowing organizations to build and manage their network infrastructure with flexibility and control.

Question 8

Network Security Groups (NSGs)

Answer 8

• Network Security Groups (NSGs) allow you to filter network traffic to and from Azure resources within a virtual network.
• NSGs consist of rules that define how traffic is filtered, allowing you to control inbound and outbound access to Azure resources.
• Each virtual network subnet and network interface in a virtual machine can be associated with only one NSG.
• However, the same NSG can be associated with multiple different subnets and network interfaces within the virtual network.
• NSGs provide granular control over network traffic, allowing you to define specific rules based on protocols, ports, source IP addresses, and destination IP addresses.
• In the diagram, subnet 1 has an NSG assigned to it, filtering inbound and outbound access to VM1, which requires a higher level of access.
• Subnet 2, on the other hand, does not have an NSG assigned, representing a public-facing machine (VM2) that doesn’t require additional network security filtering.
• By associating NSGs with subnets and network interfaces, you can enforce security policies, restrict access, and protect your Azure resources from unauthorized network traffic.
• NSGs are a fundamental component of network security in Azure, allowing you to define and enforce network-level security controls within your virtual networks.
• NSGs can be managed and configured using Azure Portal, Azure CLI, PowerShell, or Azure Resource Manager templates.

Question 9

Inbound and Outbound Security Rules in Network Security Groups (NSGs)

Answer 9

• An NSG consists of inbound and outbound security rules that control network traffic to and from Azure resources within a virtual network.
• NSG security rules are evaluated by priority using source, source port, destination, destination port, and protocol information points to allow or deny traffic.
• Azure creates a series of default rules (three inbound and three outbound) to provide a baseline level of security, and these rules cannot be removed but can be overridden.
• Each NSG rule specifies properties such as name, priority, source/destination, protocol, direction, port range, and action.
• Priority determines the order in which rules are processed, with lower numbers being processed first. Matching traffic stops processing further rules.
• Source or destination can be an individual IP address, IP address range, service tag (group of IP address prefixes from an Azure service), or application security group.
• Protocol specifies the network protocol to check, such as TCP, UDP, ICMP, or Any.
• Direction determines if the rule applies to inbound or outbound traffic.
• Port range can be specified as individual or a range of ports, allowing more efficient rule creation.
• Action determines what happens when the rule is triggered, such as allowing or denying traffic.
• The example provided shows the default inbound rules of an NSG, including the AllowVNetInBound, AllowAzureLoadBalancerInBound, and DenyAllInBound rules.
• The rules are processed in order of priority, with the lowest priority value being processed first.
• In the example, the AllowVNetInBound rule allows traffic from any Virtual Network, the AllowAzureLoadBalancerInBound rule allows traffic from Azure Load Balancer, and the DenyAllInBound rule denies all traffic from any source IP address.
• By understanding and configuring these inbound and outbound rules, you can control and secure the network traffic to and from your Azure resources.

Question 10

Difference between Network Security Groups (NSGs) and Azure Firewall

Answer 10

NSGs:
- Network Security Groups (NSGs) provide distributed network layer traffic filtering within virtual networks in each subscription.

• NSGs limit and control traffic to resources within a virtual network based on inbound and outbound security rules.
• NSGs operate at the subnet and network interface level, allowing you to define rules for specific resources.

Azure Firewall:
- Azure Firewall is a centralized, fully stateful network firewall as-a-service.

• Azure Firewall provides network and application-level protection across different subscriptions and virtual networks.
• Azure Firewall complements the functionality of NSGs and enhances network security with additional features.
• Azure Firewall offers centralized control and management of network traffic for multiple resources and virtual networks.
• It supports more advanced filtering capabilities, including application-level filtering and threat intelligence integration.
• Azure Firewall is designed to provide better defence-in-depth security by working alongside NSGs to protect virtual network resources.
• While NSGs provide distributed traffic filtering within virtual networks, Azure Firewall offers centralized, scalable, and customizable firewall capabilities.
• Both NSGs and Azure Firewall play important roles in securing Azure virtual network resources, and they can be used together to provide comprehensive network security.

Question 11

Azure Bastion

Answer 11

• Azure Bastion is a service that allows you to securely connect to virtual machines (VMs) using a browser and the Azure portal.
• It is a fully managed Platform-as-a-Service (PaaS) offering that is provisioned inside your virtual network.
• Azure Bastion provides secure and seamless RDP and SSH connectivity to VMs directly from the Azure portal.
• It uses Transport Layer Security (TLS) for secure communication.
• With Azure Bastion, VMs do not require a public IP address, agent, or special client software.
• It eliminates the need to expose RDP or SSH ports on VMs to the outside world, enhancing security.
• Azure Bastion is deployed per virtual network and supports virtual network peering.
• Once provisioned, it provides the RDP/SSH connectivity experience for all VMs within the same virtual network and peered virtual networks.
• It simplifies remote access management by providing a centralized, secure gateway for connecting to VMs.
• Azure Bastion enhances security and reduces attack surface by eliminating the need for public IP addresses on VMs.
• It offers a seamless and user-friendly experience, allowing you to access VMs directly from the Azure portal without additional configuration or software installation.

Question 12

Features of Azure Bastion

Answer 12

• Azure Bastion provides RDP and SSH access directly in the Azure portal, offering a convenient one-click experience.
• It enables remote sessions over TLS, ensuring secure communication, and allows traversal of corporate firewalls for RDP and SSH connections.
• No public IP address is required on the Azure VM for accessing it through Azure Bastion, enhancing security by eliminating the need for exposing VMs to the internet.
• Azure Bastion eliminates the need for managing Network Security Groups (NSGs) as it is a fully managed PaaS service that provides secure connectivity.
• It protects VMs against port scanning by malicious users outside the virtual network, as VMs are not exposed to the internet.
• Azure Bastion centralizes the hardening process at the network perimeter, providing protection against zero-day exploits without the need to individually harden each VM.
• By using Azure Bastion, you can establish secure RDP and SSH connectivity to your virtual machines in Azure, enhancing security and simplifying remote access management.

Question 13

Just-in-time (JIT) access

Answer 13

• JIT access locks down inbound traffic to VMs, reducing the risk of attacks while providing on-demand access when needed.
• When enabling JIT access, you can choose which ports on the VM to block inbound traffic to.
• Microsoft Defender for Cloud ensures that “deny all inbound traffic” rules are applied to the selected ports in the network security group (NSG) and Azure Firewall rules.
• Existing rules for the selected ports take priority over the new “deny all inbound traffic” rules, if any.
• When a user requests access to a VM, Defender for Cloud verifies their Azure RBAC permissions. If approved, the NSGs and Azure Firewall are configured to allow inbound traffic to the selected ports from the specified IP address or range for a specified time.
• After the specified time, Defender for Cloud restores the NSGs to their previous states, and existing connections remain uninterrupted.
• JIT access requires enabling Microsoft Defender for servers on the subscription for effective implementation and management.

Question 14

Encryption on Azure

Answer 14

• Azure Storage Service Encryption automatically encrypts data at rest before persisting it to various Azure storage services such as disks, Blob Storage, Files, or Queue Storage.
• Azure Disk Encryption enables encryption of Windows and Linux IaaS virtual machine disks using industry-standard encryption technologies like BitLocker (Windows) and dm-crypt (Linux).
• Transparent data encryption (TDE) protects Azure SQL Database and Azure Data Warehouse by performing real-time encryption and decryption of the database, backups, and transaction log files at rest without application modifications.
• These encryption methods help safeguard data from unauthorized access and protect against the threat of malicious activity.
• Encryption provides an additional layer of security to ensure the confidentiality and integrity of data stored in Azure services.
• Different encryption methods are available depending on the specific service or usage requirements, allowing you to choose the appropriate encryption solution for your data protection needs on Azure.

Question 15

Azure Key Vault

Answer 15

• Azure Key Vault is a centralized cloud service designed for securely storing and managing application secrets.
• It provides a single, central location to store and control access to various types of secrets such as tokens, passwords, certificates, API keys, and more.
• Key Vault offers secure access and permissions control, ensuring that only authorized users or applications can access the stored secrets.
• It provides access logging capabilities, allowing you to track who accessed the secrets and when.
• Key Vault serves as a key management solution, simplifying the creation and control of encryption keys used for data encryption.
• It supports certificate management, enabling you to provision, manage, and deploy SSL/TLS certificates for Azure and internally connected resources.
• Key Vault offers the option to store secrets and keys in hardware security modules (HSMs) for enhanced protection, meeting strict security standards such as FIPS 140-2 Level 2 validation.
• Azure Key Vault helps organizations improve security, maintain compliance, and ensure the confidentiality of their sensitive information.

Question 16

The security admin has created an Azure Network Security Group (NSG) to filter network traffic to a virtual machine. The admin wants to allow inbound traffic using the Remote Desktop Protocol (RDP), but the default NSG rules are currently blocking all inbound traffic that is not from another virtual network or an Azure load balancer. What does the security admin have to do to allow inbound traffic using RDP?

A. Delete the default rule.

B. Create a new network security rule that allows RDP traffic and that has a higher priority than the default rule.

C. There’s nothing the admin can do, RDP traffic isn’t supported with NSGs.

Answer 16

B. Create a new network security rule that allows RDP traffic and that has a higher priority than the default rule.

You can create a new rule to allow RDP that has a higher priority than the default rule

Question 17

The security admin wants to protect Azure resources from DDoS attacks and needs logging, alerting, and telemetry capabilities. which Azure service can provide these capabilities?

A. Default DDoS infrastructure protection.

B. DDoS Network Protection.

C. Azure Bastion.

Answer 17

B. DDoS Network Protection.

DDoS Network Protection provides the default DDoS infrastructure-level protection plus advanced capabilities, including logging, alerting, and telemetry.

Question 18

An organization has several virtual machines in Azure. The security admin wants to deploy Azure Bastion to get secure access to those VMs. What should the admin keep in mind?

A. Azure Bastion is deployed per virtual network, with support for virtual network peering.

B. Azure Bastion is deployed per subscription.

C. Azure Bastion is deployed per virtual machine.

Answer 18

A. Azure Bastion is deployed per virtual network, with support for virtual network peering.

Azure Bastion deployment is per virtual network with support for virtual network peering, not per subscription/account or virtual machine.

Question 19

An organization has much of its application data in Azure. The security admin wants a way to create and control the keys used to encrypt the organization’s application data. Which service would the admin use?

A. Transparent data encryption.

B. Secrets management.

C. Azure Key Vault.

Answer 19

C. Azure Key Vault.

Azure Key Vault is a centralized cloud service that that can be used for secrets management, key management, and certificate management.