This is the eleventh blog in the Microsoft Azure Fundamentals Certification Series (AZ-900) for Topic 3: Azure Cloud Security.
If you have not gone through the previous topic 2.5 Azure Management Tools read it at https://k21academy.com/az90020
For the full list of blogs in Azure Fundamentals series, go to https://k21academy.com/az90011
This blog covers topic 3.1 Azure Secure Network Connectivity, which includes Azure Firewall, DDoS Protection, and Network Security Groups (NSGs).
As with any other cloud service, responsibility is shared: protection of the cloud is Microsoft’s responsibility, while protection in the cloud is your responsibility. Knowing the following tools and where to use them can greatly reduce the security risk to your cloud deployments.
Azure Firewall
- Azure Firewall is a managed service that provides cloud-based network security for the protection of your Azure virtual network resources.
- It’s a completely stateful firewall service that has high availability and near unlimited cloud scalability.
- It enables you to centrally create, enforce, and log application and network policies across subscriptions and virtual networks.
- It provides full-service integration with Azure Monitor for logging and analytics.
- The firewall can also be configured with threat intelligence-based filtering to automatically alert on or block traffic to and from well-known malicious IP addresses and domains, using a feed that Microsoft keeps updated.
Azure DDoS Protection
- DDoS attacks are targeted at any service endpoint that is publicly reachable from the internet and try to exhaust an application’s resources, resulting in access being unavailable to legitimate users.
- DDoS protection is an always-on and real-time service and can easily defend against common network-level attacks.
- It provides the same protection that Microsoft utilizes for its services over both IPv4 and IPv6 public addresses.
- Real-time telemetry is available through Azure Monitor views during an attack, so you can take action while it is in progress; the same data is logged for analysis at a later stage.
Azure Network Security Groups
- Azure Network Security Groups (NSGs) can be used to filter network traffic to and from Azure resources in an Azure virtual network.
- An NSG contains security rules that allow or deny outbound traffic from, or inbound traffic to, various types of Azure resources. Each rule has a priority, and the first matching rule (lowest priority number) decides whether the traffic is allowed or denied.
- When a connection is allowed, a flow record is created for it; subsequent packets of that connection, including the return traffic, are allowed or denied based on the connection state in the flow record rather than being re-evaluated against the rules.
- A flow record allows a Network Security Group to become stateful.
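The following is an added example, not code from the original blog or from Microsoft, that models how an NSG processes traffic: rules are tried in priority order with the first match winning, Azure's default rules sit at the bottom, and a flow record created for an allowed connection lets the return traffic through even though no inbound rule would allow it on its own. The virtual network address space (10.0.0.0/16), the VM address, the custom rules and the sample packets are all constructed for the example; the service-tag resolution is a simplification of what Azure does.

```python
"""Model of Azure NSG rule processing with stateful flow records.

Added example for illustration; not code from the original blog post or from
Microsoft. Addresses and rules below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

VNET = ip_network("10.0.0.0/16")         # constructed virtual network address space
AZURE_LB = ip_address("168.63.129.16")   # Azure load balancer health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096 for custom rules, 65000+ for Azure defaults; lower wins
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, service tag, or "*"
    destination: str  # CIDR, service tag, or "*"
    dest_port: str    # "22", "1000-2000" or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def match_address(spec: str, ip: str) -> bool:
    """Resolve a CIDR or service tag against an address (tags simplified)."""
    addr = ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    if spec == "Internet":                # simplification: anything outside the VNet
        return addr not in VNET
    return addr in ip_network(spec, strict=False)


def match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("*", pkt.protocol)
            and match_address(rule.source, pkt.src_ip)
            and match_address(rule.destination, pkt.dst_ip)
            and match_port(rule.dest_port, pkt.dst_port))


# Azure's built-in default rules: lowest precedence, cannot be removed
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVNetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


class NetworkSecurityGroup:
    def __init__(self, custom_rules):
        self.rules = sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority)
        self.flows = set()  # flow records of allowed connections; this is what makes the NSG stateful

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        key = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:         # return traffic of a recorded flow: rules are not consulted
            return "Allow", "flow-record"
        for rule in self.rules:           # otherwise the first matching rule by priority decides
            if rule_matches(rule, pkt):
                if rule.access == "Allow":
                    self.flows.add(key)
                return rule.access, rule.name
        return "Deny", "implicit"         # unreachable: the DenyAll defaults always match


def demo():
    """Constructed scenario: one VM, SSH allowed from an admin range, RDP blocked."""
    nsg = NetworkSecurityGroup([
        Rule("AllowSSHFromAdminNet", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
        Rule("DenyRDPFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "3389"),
    ])
    vm = "10.0.1.4"
    return {
        "ssh_admin": nsg.evaluate(Packet("Inbound", "Tcp", "203.0.113.5", 40000, vm, 22)),
        "ssh_other": nsg.evaluate(Packet("Inbound", "Tcp", "198.51.100.9", 40001, vm, 22)),
        "rdp": nsg.evaluate(Packet("Inbound", "Tcp", "198.51.100.9", 40002, vm, 3389)),
        "https_out": nsg.evaluate(Packet("Outbound", "Tcp", vm, 51000, "93.184.216.34", 443)),
        "https_return": nsg.evaluate(Packet("Inbound", "Tcp", "93.184.216.34", 443, vm, 51000)),
        "vnet_peer": nsg.evaluate(Packet("Inbound", "Tcp", "10.0.2.7", 40003, vm, 8080)),
    }


if __name__ == "__main__":
    for name, (access, by) in demo().items():
        print(f"{name:13} -> {access} ({by})")
```

The `https_return` case is the one to study: the inbound packet from the web server to ephemeral port 51000 matches no custom rule and would fall through to `DenyAllInBound`, yet it is allowed because the outbound request created a flow record. The `ssh_other` case shows the other side of the design: with no rule matching, the default deny at priority 65500 applies, which is why a VM with an NSG and no custom inbound rules is unreachable from the Internet.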
The following questions are samples of what you should be able to answer in the Microsoft Azure Fundamentals Certification Exam [AZ-900] after going through this blog.
Q1. You plan to deploy several Azure virtual machines. You need to control the ports that devices on the Internet can use to access the virtual machines. What should you use?
- A network security group (NSG)
- An Azure Active Directory (Azure AD) role
- An Azure Active Directory group
- An Azure key vault
Correct Answer: A
Explanation: Restricting Internet access to your VMs in Azure can be achieved by making use of Azure Network Security Groups.
Q2. You have an Azure environment that contains 10 virtual networks and 100 virtual machines.
You need to limit the amount of inbound traffic to all the Azure virtual networks. What should you create?
- one network security group (NSG)
- 10 virtual network gateways
- 10 Azure ExpressRoute circuits
- one Azure firewall
Correct Answer: D
Explanation: A single Azure Firewall can cover all the virtual networks and allows us to create policies for inbound (and outbound) traffic.
- [AZ-900] Microsoft Azure Certification Fundamental Exam: Everything You Must Know
- Learn how to create a Free Microsoft Azure Trial Account
- [AZ-900] Microsoft Azure Fundamentals: Topic 1.1 Overview & Benefits
- [AZ-900] Microsoft Azure Fundamentals: Topic 1.2 CapEx vs OpEx Model
- Topic 1.3 [Video]Cloud Service Model: SaaS | PaaS | IaaS
- Topic 1.4 Cloud Deployment Models: Public, Private & Hybrid
- Topic 2.1 Azure Architecture: Region, Availability Zone & Geography
- Topic 2.2 Azure Resource Groups, ARM & ARM Template
- Topic 2.3 Azure Core Services: Compute, Network, Storage & Database
- Topic 2.4 Microsoft Azure Solutions: IoT, Big Data Analysis, ML & Serverless
- Topic 2.5 Azure Management Tools: PowerShell, Cloud Shell & Advisor
- How to Register For [AZ-900] Microsoft Azure Fundamentals Certification Exam
Begin your journey towards Azure, Getting [AZ-900] Microsoft Azure Fundamentals certified, and earning a lot more in 2020 by joining our FREE Masterclass.