Design and Implement Network Security

Question 1

What are Service Tags?

Answer 1

Service tags are used to identify groups of public IP addresses for Azure resources

Question 2

What are Application Security Groups?

Answer 2

Application security groups are a way to tag a set of virtual machines or resources on a virtual network to be used in an NSG rule

Question 3

What is Microsoft Peering?

Answer 3

Microsoft peering is used to connect an on-premises network to Azure public resources

Question 4

What is a service endpoint?

Answer 4

A service endpoint is used to connect resources on a virtual network to public Azure resources over the Microsoft backbone.

Question 5

What is Azure Firewall?

Answer 5

Azure Firewall is a network virtual appliance that can inspect and block network traffic entering and leaving a virtual network.

Question 6

What is ExpressRoute?

Answer 6

ExpressRoute is used to enable high bandwidth and private connections between Azure and on-premises.

Question 7

What is Azure Front Door

Answer 7

Azure Front Door is used to load balance web app traffic globally.

Question 8

What is an Application Gateway

Answer 8

Application Gateway is used to load balance web app traffic regionally.

Question 9

What Layer do Application Rules access?

Answer 9

Application rules are for L7 access.

Question 10

You plan to deploy Azure Front Door Web Application Firewall (WAF).

You need to configure WAF to use a feature that is often updated. The solution must meet the following requirements:

Contains the latest security rules.
Detects the latest threats.
Minimizes false positives.

What should you use?

Answer 10

The Microsoft Threat Intelligence Collection is part of managed rules, which are often updated by Microsoft and are part of Azure Front Door Premium. No other options meet the requirements.

Question 11

Azure Bastion requirements

Answer 11

The Bastion host is deployed in the virtual network that contains the AzureBastionSubnet subnet that has a minimum /26 prefix.
The user connects to the Azure portal using any HTML5 browser.
The user selects the virtual machine to connect to.
With a single click, the RDP/SSH session opens in the browser.
No public IP is required on the Azure VM.

Question 12

Private IP ranges

Answer 12

Class A: 10.0. 0.0 to 10.255. 255.255.
Class B: 172.16. 0.0 to 172.31. 255.255.
Class C: 192.168. 0.0 to 192.168. 255.255

Question 13

NS-1: Establish network segmentation boundaries

Answer 13

Security Principle: Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks.

Question 14

NS-2: Secure cloud services with network controls

Answer 14

Security Principle: Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible.

Question 15

NS-3: Deploy firewall at the edge of enterprise network

Answer 15

Security Principle: Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic to go through a network appliance for security control purpose.

Question 16

NS-4: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)

Answer 16

Security Principle: Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution.

Question 17

NS-5: Deploy DDOS protection

Answer 17

Security Principle: Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.

Question 18

NS-6: Deploy web application firewall

Answer 18

Security Principle: Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks.

Question 19

NS-7: Simplify network security configuration

Answer 19

Security Principle: When managing a complex network environment, use tools to simplify, centralize and enhance the network security management.

Question 20

NS-8: Detect and disable insecure services and protocols

Answer 20

Security Principle: Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols are not possible.

Question 21

NS-9: Connect on-premises or cloud network privately

Answer 21

Security Principle: Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment.

Question 22

NS-10: Ensure Domain Name System (DNS) security

Answer 22

Security Principle: Ensure that Domain Name System (DNS) security configuration protects against known risks:

Use trusted authoritative and recursive DNS services across your cloud environment to ensure the client (such as operating systems and applications) receive the correct resolution result.
Separate the public and private DNS resolution so the DNS resolution process for the private network can be isolated from the public network.
Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplifications attacks, DNS poisoning and spoofing, and so on.

Question 23

Control

Answer 23

A control is a high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation.

Question 24

Baseline

Answer 24

A baseline is the implementation of the control on the individual Azure services. Each organization dictates a benchmark recommendation and corresponding configurations are needed in Azure. Note: Today we have service baselines available only for Azure.

Question 25

Mitigate the threat

Answer 25

Provides manual remediation steps for this security alert.

Question 26

Prevent future attacks

Answer 26

Provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks.

Question 27

Trigger automated response

Answer 27

Provides the option to trigger a logic app as a response to this security alert.