Architecture

Question 1

Common Attacks: Data Layer

Answer 1

Exposing an encryption key or using weak encryption can leave your data vulnerable

Question 2

Common Attacks: Application Layer

Answer 2

Malicious code injection and execution are the hallmarks of application-layer attacks

Question 3

Common Attacks: VM/compute layer

Answer 3

Malware is a common method of attacking an environment

Question 4

Common Attacks: Networking Layer

Answer 4

Attacks through open ports, (ssh rdp)

Question 5

Common Attacks: Perimeter Layer

Answer 5

Denial of Service

Question 6

Common Attacks: Policies and access layer

Answer 6

Exposed credentials

Question 7

Common Attacks: Physical layer

Answer 7

Unauthorised access to premises

Question 8

Waste can show up in several ways. Lets look at a few examples

Answer 8

• A virtual machine that is always 90% idle
• Paying for a license included in a virtual machine when a license is already owned
• Retaining infrequently accessed data on a storage medium optimized for frequent access
• Manually repeating the build of a non-production environment

Question 9

By leveraging Azure AD for SSO you’ll also have the ability to combine multiple data sources into an

Answer 9

intelligent security graph.

Question 10

By leveraging Azure AD for SSO you’ll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables

Answer 10

the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-premises AD

Question 11

Management groups are an additional hierarchical level recently introduced into the RBAC model. Management groups add the ability to

Answer 11

group subscriptions together and apply policy at an even higher level.

Question 12

The ability to flow roles through an arbitrarily defined subscription hierarchy also allows administrators to

Answer 12

grant temporary access to an entire environment for authenticated users

Question 13

This is an additional paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD & Azure resource access reviews.

Answer 13

Azure AD Privileged Identity Management (PIM)

Question 14

What is an identity?

Answer 14

A thing that can be authenticated - username, application or server

Question 15

What is a principal?

Answer 15

An identity acting with certain roles - eg sudo

Question 16

What is a service principal?

Answer 16

an identity that is used by a service or application. Like other identities it can be assigned roles.

Question 17

The creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. What is the solution?

Answer 17

Managed identities for Azure resources

Question 18

True or false, an Azure based VM can be given a managed identity that allows grants it the rights to stop and start other machines

Answer 18

True

Question 19

There are two top-level types of encryption:

Answer 19

Symmetric and Asymmetric.

Question 20

In encryption what does AES stand for

Answer 20

Advanced Encryption Standard

Question 21

SSE automatically encrypts data in

Answer 21

• All Azure Storage services including Azure Managed Disks, Azure Blob storage, Azure Files, Azure Queue storage, and Azure Table storage
• Both performance tiers (Standard and Premium)
• Both deployment models (Resource Manager and classic)

Question 22

Can boot disks be encrypted?

Answer 22

Yes

Question 23

… helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Answer 23

Transparent data encryption (TDE)

Question 24

encryption services all use keys to encrypt and decrypt data, so how do we ensure that the keys themselves are secure?

Answer 24

Azure Key Vault

Question 25

Azure Key Vault is a cloud service that works as a secure secrets store. Key Vault allows you to

Answer 25

create multiple secure containers, called vaults

Question 26

Azure Key Vault is a cloud service that works as a secure secrets store. Key Vault allows you to create multiple secure containers, called vaults. These vaults are backed by

Answer 26

hardware security modules (HSMs)

Question 27

What is a hardware security module (HSM)

Answer 27

is a physical computing device that safeguards and manages digital keys for strong authentication and provides Cryptoprocessing.

Question 28

____ _____ _____ will identify internet-facing resources that don’t have network security groups (NSG) associated with them, as well as resources that are not secured behind a firewall.

Answer 28

Azure security centre

Question 29

What is the Azure equivalent of a Virtual Private Cloud (VPC)

Answer 29

An Azure Virtual Network - a VNET

Question 30

Comparisons with AWS: Can an AWS subnet span multiple AZ’s

Answer 30

no

Question 31

Comparisons with AWS: Communications between all subnets in the AWS VPC
are through ____________ and are ________ by default

Answer 31

AWS Backbone

Allowed by default

Question 32

Comparisons with AWS: How many Internet Gateways are allowed per VPC in AWS

Answer 32

Only one

Question 33

How does Azure deal with public and private subnets

Answer 33

Azure VNet does not provide a default VNet and does not have private or public subnet as in AWS VPC. Resources connected to a VNet have access to the Internet, by default.

Question 34

In AWS The Security Group is a _____ object that is applied at the _______ level

Answer 34

stateful

EC2 Instance level

Question 35

In Azure NSGs are _______ and can be applied at the ______ or ______ level

Answer 35

stateful

subnet or NIC level.

Question 36

Are AWS’s NACLs stateful or stateless

Answer 36

stateless

Question 37

What does stateful mean in the context of Security Groups or Network Security Groups

Answer 37

This means if there is an inbound rule that allow traffic on a port (e.g. port 80), a matching rule on the outbound side is not required for the packets to flow on the same port.

Question 38

In Azure what is an Application Gateway

Answer 38

a Layer 7 load balancer that also includes a web application firewall (WAF)

Question 39

Application Gateway is a layer 7 load balancer, which means

Answer 39

it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2)

Question 40

For protection of non-HTTP-based services or for increased customization, ______ ________ ______ (____) can be used to secure your network resources

Answer 40

Network Virtual Appliances

Question 41

To isolate Azure services to only allow communication from virtual networks, use

Answer 41

VNet service endpoints

Question 42

With service endpoints, Azure service resources can be secured to your virtual network. Securing service resources to a virtual network provides improved security by

Answer 42

by fully removing public internet access to resources, and allowing traffic only from your virtual network.

Question 43

Which service allows for read-replicas.

Answer 43

Azure SQL Database geo-replication

Question 44

… is a DNS-based load balancer that enables you to distribute traffic within and across Azure regions.

Answer 44

Traffic Manager

Question 45

What is Traffic Manager

Answer 45

A DNS based load balancer

Question 46

Traffic Manager can route users based upon a set of characteristics:

Answer 46

Priority - You specify an ordered list of front-end instances. If the one with the highest priority is unavailable, Traffic Manager will route the user to the next available instance.
Weighted - You would set a weight against each front-end instance. Traffic Manager then distributes traffic according to those defined ratios.
Performance - Traffic Manager routes users to the closest front-end instance based on network latency.
Geographic - You could set up geographical regions for front-end deployments, routing your users based upon data sovereignty mandates or localization of content.

Question 47

… is a private, dedicated connection between your network and Azure

Answer 47

Azure ExpressRoute

Question 48

Standard storage SSD - This is SSD backed storage and has the low latency of SSD but lower levels of throughput. A ______ _____ _____ would be a good use case for this disk type.

Answer 48

A non-production web server

Question 49

Standard storage HDD - This is spindle disk storage and may fit well where

Answer 49

your application is not bound by inconsistent latency or lower levels of throughput.

Question 50

Polyglot persistence is

Answer 50

the usage of different data storage technologies to handle your storage requirements.

Question 51

__ ___ provides a single management point for infrastructure-level logs and monitoring for most of your Azure services

Answer 51

Azure monitor

Question 52

When automating the deployment of services and infrastructure, there are two different approaches you can take

Answer 52

Imperative and Declarative

Question 53

On Azure, declarative automation is done through the use of

Answer 53

Azure Resource Manager templates