Describe core infrastructure security services in Azure Flashcards
Azure DDoS Protection
The Azure DDoS Protection service is designed to help protect your applications and servers by analyzing network traffic and discarding anything that looks like a DDoS attack.
Azure DDoS Protection service protects at layer 3 (network layer) and layer 4 (transport layer). Key benefits provided include:
-Always-on traffic monitoring
-Adaptive real-time tuning: Intelligent traffic profiling learns your application’s traffic over time and selects and updates the mitigation profile that best suits your service.
-DDoS Protection telemetry, monitoring, and alerting: Azure DDoS Protection exposes rich telemetry via Azure Monitor.
Azure DDoS Protection is offered in two tiers (configured in the Azure portal):
- DDoS Network Protection: enabled on a virtual network through a DDoS protection plan, it covers every public IP address in that network and, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.
- DDoS IP Protection: a pay-per-protected-IP model, enabled on individual public IP addresses.
Why consider adding DDoS Protection services if services running on Azure are already covered by the default infrastructure-level DDoS protection?
-The protection that safeguards the infrastructure has a higher threshold than most applications have the capacity to handle, and doesn’t provide telemetry or alerting.
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that provides threat protection for your cloud workloads and resources running in Azure.
-Centrally control network traffic for all your VNets across different subscriptions
Azure Firewall is offered in three SKUs: Standard, Premium, and Basic. Some of the key features that are included across all Azure Firewall SKUs:
-Built-in high availability and availability zones
-Network and application-level filtering: network rules filter by source and destination IP address, port, and protocol; application rules filter outbound HTTP(S) traffic by fully qualified domain name (FQDN).
-Outbound SNAT (source network address translation), so VNet resources reach the internet from the firewall’s public IP, and inbound DNAT (destination network address translation), which translates traffic arriving at the firewall’s public IP to a private IP inside the VNet.
-Multiple public IP addresses: the firewall uses static public IP addresses for your VNet resources, so external firewalls can identify traffic originating from your VNet.
-Threat intelligence: Can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains.
-Integration with Azure Monitor
Web Application Firewall (WAF)
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities.
A centralized WAF helps make security management simpler, improves the response time to a security threat, and allows patching a known vulnerability in one place, instead of securing each individual web application.
-Azure WAF protects web applications against application-layer DDoS attacks, such as HTTP Floods.
Network Segmentation with Azure Virtual Networks
Segmentation divides a network into smaller pieces. Reasons to segment include:
-The ability to group related assets that are a part of (or support) workload operations.
-Isolation of resources.
-Governance policies set by the organization.
-Network segmentation can secure interactions between perimeters
Azure Virtual Network (VNet) is the fundamental building block for your organization’s private network in Azure.
-Azure virtual network enables organizations to segment their network
-Communication between virtual networks is not automatic; it must be explicitly provisioned (for example, through VNet peering)
Network Security Groups (NSGs)
Network security groups (NSGs) let you filter network traffic to and from Azure resources in an Azure virtual network; for example, a virtual machine.
-An NSG can be associated with as many subnets and network interfaces as you like, but each subnet or network interface can have only one NSG.
-An NSG is made up of inbound and outbound security rules.
-Rules are evaluated in priority order using five pieces of information (the 5-tuple): source, source port, destination, destination port, and protocol. The first matching rule allows or denies the traffic.
-By default, every NSG contains three inbound and three outbound default rules; you can’t remove them, but you can override them with rules that have a lower priority number.
Each rule specifies the following properties:
-Name
-Priority: a number between 100 and 4096; lower numbers are processed before higher numbers. When traffic matches a rule, processing stops.
-Source or destination: an IP address, CIDR range, service tag, or application security group
-Protocol: TCP, UDP, ICMP, or Any
-Direction: inbound or outbound
-Port range
-Action: Allow or Deny, what happens when the rule is matched
Descriptions for the default inbound rules are as follows:
-AllowVNetInBound (priority 65000) is processed first because it has the lowest priority value. It allows traffic from a source with the VirtualNetwork service tag to a destination with the VirtualNetwork service tag on any port, using any protocol.
-AllowAzureLoadBalancerInBound (priority 65001) is processed second. It allows traffic from a source with the AzureLoadBalancer service tag to any IP address on any port, using any protocol.
-DenyAllInBound (priority 65500) is the last rule in the NSG: it denies all traffic from any source to any destination that no earlier rule allowed.
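The evaluation order described in these cards, as an added example that is not part of the original flashcards or of any Microsoft code: a Python simulator that applies the three default inbound rules plus constructed custom rules to sample flows, lowest priority number first, stopping at the first match. The address prefixes behind the VirtualNetwork and AzureLoadBalancer tags, the rule names AllowHttpsInBound and DenySshInBound, and the sample addresses are all constructed for the example.

```python
"""Added example: simulate how an Azure NSG evaluates inbound traffic.

Rules are processed lowest priority number first; the first rule whose
source, source port, destination, destination port and protocol all match
decides Allow/Deny and processing stops. The three default inbound rules
(65000, 65001, 65500) are always present; a custom rule (100-4096) with a
lower number overrides them.
"""
import ipaddress
from dataclasses import dataclass

# Constructed for the example: the address space behind the VirtualNetwork
# tag and the load balancer virtual IP behind the AzureLoadBalancer tag.
# Real service-tag prefix lists are maintained by Azure.
VNET_PREFIXES = ["10.0.0.0/16"]
LB_PREFIXES = ["168.63.129.16/32"]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # custom rules use 100-4096; lower is processed first
    source: str            # "*", a CIDR/IP literal, or a service tag
    source_port: str       # "*", "22", "1024-65535", or a comma-separated list
    destination: str
    destination_port: str
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    action: str            # "Allow" or "Deny"


# The default inbound rules every NSG carries (they cannot be removed).
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "*", "Deny"),
]


def _in_prefixes(ip: str, prefixes) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def address_matches(spec: str, ip: str) -> bool:
    """Match an IP against "*", a service tag, or a CIDR/IP literal."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return _in_prefixes(ip, VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return _in_prefixes(ip, LB_PREFIXES)
    if spec == "Internet":
        # The Internet tag covers address space outside the virtual network.
        return not _in_prefixes(ip, VNET_PREFIXES)
    return _in_prefixes(ip, [spec])


def port_matches(spec: str, port: int) -> bool:
    """Match a port against "*", a single port, a range "a-b", or a list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(custom_rules, src_ip, src_port, dst_ip, dst_port, protocol):
    """Return (action, rule_name) from the first matching rule in priority order."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (address_matches(rule.source, src_ip)
                and port_matches(rule.source_port, src_port)
                and address_matches(rule.destination, dst_ip)
                and port_matches(rule.destination_port, dst_port)
                and rule.protocol in ("*", protocol)):
            return rule.action, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Constructed custom rules: publish HTTPS; the second variant also blocks SSH
# from every source, including the VNet, by beating AllowVNetInBound's 65000.
WEB_RULES = [Rule("AllowHttpsInBound", 100, "Internet", "*", "*", "443", "Tcp", "Allow")]
WEB_RULES_NO_SSH = WEB_RULES + [Rule("DenySshInBound", 150, "*", "*", "*", "22", "Tcp", "Deny")]

if __name__ == "__main__":
    web_vm, internet_host, vnet_peer = "10.0.1.4", "203.0.113.5", "10.0.2.7"
    for rules in (WEB_RULES, WEB_RULES_NO_SSH):
        for flow in ((internet_host, 51000, web_vm, 443, "Tcp"),
                     (internet_host, 51001, web_vm, 22, "Tcp"),
                     (vnet_peer, 51002, web_vm, 22, "Tcp"),
                     ("168.63.129.16", 51003, web_vm, 80, "Tcp")):
            print(flow, "->", evaluate_inbound(rules, *flow))
```

Note what the two rule sets show: with only the HTTPS rule, SSH from the internet falls through to DenyAllInBound, but SSH from another VNet address is still allowed by the default AllowVNetInBound rule at 65000; adding an explicit Deny at priority 150 is what closes that path.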
What is the difference between Network Security Groups (NSGs) and Azure Firewall?
-Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription.
-Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network and application-level protection across different subscriptions and virtual networks.
Azure Bastion
Azure Bastion is a fully platform-managed platform-as-a-service (PaaS) offering that lets you connect to a virtual machine through your browser and the Azure portal. The service is provisioned within your virtual network.
-Deployment is per virtual network, with support for VNet peering.
-Has two available SKUs, Basic and Standard.
Key benefits:
-Provides secure and seamless RDP and SSH connectivity to your virtual machines directly from the Azure portal
-Remote session over TLS and firewall traversal for RDP/SSH
-No Public IP required on the Azure VM
-No hassle managing NSGs
-Protection against port scanning
-Hardening in one place to protect against zero-day exploits
Azure Key Vault
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.
-Secrets management
-Key management
-Certificate management
-Azure Key Vault has two service tiers: Standard, which protects keys with software, and Premium, which adds hardware security module (HSM)-protected keys.
Why use Key Vault?
-Centralize application secrets
-Securely store secrets and keys
-Monitor access and use: You can monitor activity by enabling logging for your vaults.
-Simplified administration of application secrets
Azure Key Vaults allow you to segregate application secrets. Applications may access only the vault that they’re allowed to access, and they can be limited to only perform specific operations.