Describe basic security capabilities in Azure Flashcards
What is Azure Bastion?
Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network, and peered virtual networks, in which it’s provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
Azure Bastion deployment is per virtual network with support for virtual network peering, not per subscription/account or virtual machine. Once you provision the Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same VNet, as well as peered VNets.
More info: https://docs.microsoft.com/en-gb/learn/modules/describe-basic-security-capabilities-azure/7-describe-azure-bastion-just-in-time-access
What are the requirements of creating an Azure Bastion?
It needs its own subnet on a VNet called AzureBastionSubnet with at least a size of /26 (64 addresses).
What are the key features of Azure Bastion?
RDP and SSH directly in the Azure portal
Remote session over TLS and firewall traversal for RDP/SSH
No public IP required on the Azure VM
No hassle of managing Network Security Groups (NSGs)
Protection against port scanning
Protect against zero-day exploits. Hardening in one place only.
What is Azure DDoS protection?
A DDoS makes resources unresponsive. Azure DDoS protection analyses network traffic and discards anything that looks like a DDoS attack. Azure DDoS protection tiers come in basic and standard. Basic is free and only watches, where as standard has monitoring alerts and automated mitigation response.
Note this feature operates in the perimeter layer in the defense in depth model.
What is Azure Firewall?
Azure Firewall protects your Azure Virtual Network (VNet) resources from attackers at Layer 4 transport layer.
Azure Firewall is stateful so tracks inbound and outbound connections. Features include:
- built in high availability and availability zones
- outbound SNAT and inbound DNAT
- Threat intelligence (black list of IP addresses)
- Network and application level filtering
- Multiple public IP addresses
- Integrated with Azure monitor.
Usually one
What is a Web Application Firewall (WAF)?
WAF provides centralized protection of your web application from common exploits and vulnerabilities operating at Layer 7.
What is network segmentation and Azure VNet?
Network segmentation allows logical grouping of related resources, can also isolate resources or for applying governance policies.
Azure Virtual Network (VNet) provides network level containment of resources with no traffic allowed to cross VNets. Communications need to be explicitly provisioned.
What is an Azure Network Security Group (NSG)?
An NSG is Level 4 firewall that can allow or deny traffic to and from Azure resources that exist in your Azure Virtual Network.
Allows finer control to multiple subnets or network interfaces within a VNet.
Which ports are activated by default when creating a VM?
Windows image - RDP port 3389
Unix image - SSH port 22
What are ways for Azure to encrypt data?
1) Azure Storage Service Encryption helps to protect data at rest by automatically encrypting before persisting it to Azure-managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage, and decrypts the data before retrieval.
2) Azure Disk Encryption helps you encrypt Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks.
3) Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
What is Azure Key Vault?
Azure Key Vault is a centralized cloud service for storing your application secrets. Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities. It’s useful for different kinds of scenarios:
- Secrets management. You can use Key Vault to store securely and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
- Key management. You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
- Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates for Azure, and internally connected, resources more easily.
- Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
