Implement Platform Protection Flashcards

1
Q

Network Adapters

A

VMs communicate with other VMs and other resources on the network by using virtual network adapters. Virtual network adapters configure VMs with a private and, optionally, a public IP address. A VM can have more than one network adapter for different network configurations.

2
Q

Zero-Trust

A

Access is based on user, device, and application identity. Access is granted at access time only, and only the destination resource needs to provide the necessary access controls.

3
Q

Azure Network Security Groups

A

Filters traffic to and from Azure resources in an Azure virtual network. Contains security rules that allow or deny inbound or outbound traffic. For each rule, you can specify source, destination, port and protocol. NSGs secure traffic passing through a network adapter, a VM, or a subnet. Certain NSG rules can’t be deleted, but they can be overridden by a rule with a higher priority. By default you can create 100 NSGs per region, per subscription. You can raise this to 400 by contacting Azure support.

- Inbound traffic: the rules of the NSG associated with the subnet are processed first, if any, and then the rules of the NSG associated with the network adapter, if any.

- Outbound traffic: Azure processes the network adapter NSG rules first, if any, then the subnet NSG rules, if any.

4
Q

Application Security Groups

A

Built on Network Security Groups.

ASGs enable you to configure network security as a natural extension of an application’s structure.

5
Q

FQDN

Fully Qualified Domain Name

A

A domain associated with well-known Microsoft services, like outlook.com.

6
Q

Forced Tunneling

A

Redirects all internet-bound traffic back to your on-premises location via a site-to-site VPN tunnel for inspection and auditing. Without forced tunneling, there’s no option to audit the traffic.

Forced tunneling is configured via a User Defined Route (UDR), a custom route in Azure that overrides Azure’s default system routes or adds routes to a subnet’s route table.

7
Q

User Defined Route - UDR

A

A custom route in Azure that overrides Azure’s default system routes or adds routes to a subnet’s route table.

8
Q

Network Virtual Appliance (NVA)

A

Checks all inbound and outbound network traffic and only allows traffic that meets the security rules. A single NVA is a single point of failure: if it fails, no traffic will pass. Deploying more than one NVA into an availability set is a way to avoid downtime.

9
Q

Hub and Spoke Topology

A

Hub: a virtual network in Azure that acts as the central point of connectivity to your on-premises network. Spokes: virtual networks that peer with the hub and can be used to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.

10
Q

CIP

A

A VM-assigned public IP address.

11
Q

Service Endpoints

A

Provides the identity of your virtual network to the Azure service. Normally, Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to using the virtual network’s private addresses as the source IP addresses when accessing the Azure service from the virtual network. This switch allows you to access the services without needing the reserved public IP addresses otherwise used in IP firewalls.
A common use case for service endpoints is a virtual machine accessing storage: the storage account restricts access to the virtual machine’s private IP address.

12
Q

Azure Private Link

A

A customer can request a connection to the service provider in order to consume the service; the service provider can decide whether to allow it. (OneDrive/SharePoint?)

13
Q

Azure Application Gateway

A

A web traffic load balancer that enables you to manage traffic to your web applications. Layer 7 (application layer) load balancing.

14
Q

Azure Front Door

A

HTTP(S) load balancer. Define, manage, and monitor global routing for your web traffic. You can ensure that client requests are routed to the fastest and most available application backend.

15
Q

Privileged Access Device - PAW

A

Privileged Access Workstation: a dedicated system for sensitive tasks that is protected against the attacks daily workstations are vulnerable to.

16
Q

Azure Bastion

A

Provides secure RDP/SSH connectivity to VMs in the virtual network where it is provisioned, and protects VMs from exposing RDP/SSH ports to the outside world.

17
Q

Azure Update Management

A

Manages updates and patches for virtual machines. Log Analytics must be installed on VMs in order to enable them for Update Management.

18
Q

Windows Defender Application Control

A

Configurable code integrity.

19
Q

Azure Container Instances

A

Azure Container Instances can start containers in Azure in seconds, without the need to provision and manage VMs. Azure Container Instances (ACI) is a PaaS service for scenarios that can operate in isolated containers, including simple applications, task automation, and build jobs. For scenarios where you need full container orchestration, including service discovery across multiple containers, automatic scaling, and coordinated application upgrades, Azure Kubernetes Service is recommended (which will be covered later on in this lesson). Containers can be deployed from Docker Hub or Azure Container Registry.

20
Q

Docker Hub

A

A public, open source container registry that contains a catalogue of container images.

21
Q

AKS - Azure Kubernetes Service

A

Manages container-based applications and their associated networking and storage components. Focuses on the workloads and scalability.

Kubernetes cluster architecture - A Kubernetes cluster is divided into two components:

Control plane nodes - provide the core Kubernetes services and orchestration of application workloads.

Nodes - run your application workloads.

22
Q

Control Plane Nodes

A

Provide the core Kubernetes services and orchestration of application workloads.

23
Q

Node

A

An Azure virtual machine running containerized applications.

24
Q

Pools

A

Groups of identical nodes.

25
Q

Pod

A

A single instance of an application; a pod can contain multiple containers.

26
Q

Manifest

A

A YAML file describing a Kubernetes deployment.

27
Q

Cluster Master

A

When you create an AKS cluster, a cluster master is automatically created and configured. This cluster master is provided as a managed Azure resource abstracted from the user. There is no cost for the cluster master, only the nodes that are part of the AKS cluster.

The cluster master includes the following core Kubernetes components:

kube-apiserver - the API server.
etcd - the key-value store within Kubernetes.
kube-scheduler - determines which nodes can run the workload and starts it there.
kube-controller-manager - oversees smaller controllers that perform actions such as replicating pods and handling node operations.

28
Q

Cluster IP

A

Kubernetes service that creates an internal IP address for use within the AKS cluster. Good for internal-only applications that support other workloads within the cluster.

29
Q

NodePort

A

Kubernetes service that creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.

30
Q

LoadBalancer

A

Kubernetes service that creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customers’ traffic to reach the application, load balancing rules are created on the desired ports.

31
Q

ExternalName

A

Kubernetes service that creates a specific DNS entry for easier application access.

32
Q

Volumes

A

A volume represents a way to store, retrieve, and persist data across pods and through the application lifecycle. Volumes can use Azure Disks or Azure Files.

34
Q

Persistent Volumes

A

Persistent volumes are created as part of the pod lifecycle and exist until the pod is deleted. They can be statically created by a cluster administrator, or dynamically created by the Kubernetes API server.

35
Q

Persistent Volume Claims

A

A PersistentVolumeClaim requests either Disk or File storage of a particular StorageClass, access mode, and size. If no existing resource fulfills the claim, the Kubernetes API server can dynamically provision the underlying storage resource in Azure based on the defined StorageClass. Once the volume has been connected to the pod, the pod definition includes the volume mount.

36
Q

Roles and ClusterRoles

A

Role bindings are used to assign roles for a given namespace. A ClusterRoleBinding works in the same way to bind roles to users, but can be applied to resources across the entire cluster, not a specific namespace.

37
Q

RoleBindings and ClusterRoleBindings

A

To bind roles across the entire cluster, or to cluster resources outside a given namespace, instead use ClusterRoleBindings.