Implement Platform Protection Flashcards
Network Adapters
VMs communicate with other VMs and other resources on the network by using virtual network adapters. Virtual network adapters configure VMs with private and, optionally, public IP addresses. A VM can have more than one network adapter for different network configurations.
Zero-Trust
Based on user, device, and application identity. Access is granted at access time only, and only the destination resource needs to provide the necessary access controls.
Azure Network Security Groups
Filters traffic to and from Azure resources in an Azure virtual network. Contains security rules that allow or deny inbound or outbound traffic. For each rule, you can specify source, destination, port and protocol. NSGs secure traffic passing through a network adapter, a VM, or a subnet. Custom NSG rules exist that can't be deleted, but they can be overridden by a rule with a higher priority. By default you can create 100 NSGs per region, per subscription. You can raise this to 400 by contacting Azure support.
- Inbound traffic: rules applied to the subnet are processed first, if any, and then rules applied to the network adapter, if any.
- Outbound traffic: Azure processes rules applied to the network adapter first, if any, and then rules applied to the subnet, if any.
Application Security Groups
Built on Network Security Groups.
ASGs enable you to configure network security as a natural extension of an application’s structure.
FQDN
Fully Qualified Domain Name
A domain associated with well-known Microsoft services, like outlook.com.
Forced Tunneling
Redirects all internet-bound traffic back to your on-premises location via a site-to-site VPN tunnel for inspection and auditing. Without forced tunneling, there's no option to audit the traffic.
Forced tunneling is configured via a User Defined Route (UDR), a custom route in Azure that overrides Azure's default system routes, or adds routes to a subnet's route table.
User Defined Route - UDR
A custom route in Azure that overrides Azure's default system routes, or adds routes to a subnet's route table.
Network Virtual Appliance - NVA
Checks all inbound and outbound network traffic and only allows traffic that meets the security rules. A single NVA is a single point of failure: if it fails, no traffic will pass. Deploying more than one NVA into an availability set is a way to avoid downtime.
Hub and Spoke Topology
Hub: a virtual network in Azure that acts as a central point of connectivity to your on-premises network. Spokes: virtual networks that peer with the hub and can be used to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.
CIP
A public IP address assigned to a VM.
Service Endpoints
Provides the identity of your virtual network to the Azure service. Normally, Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to using virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without needing reserved public IP addresses in IP firewalls.
A common use case for service endpoints is a virtual machine accessing storage: the storage account restricts access to the virtual machine's private IP address.
Azure Private Link
A customer can request a connection to the service provider to consume the service, and the service provider decides whether to allow it. (OneDrive/SharePoint?)
Azure Application Gateway
A web traffic load balancer that enables you to manage traffic to your web applications. Layer 7 (application layer) load balancing.
Azure Front Door
HTTP(S) load balancer. Define, manage, and monitor global routing for your web traffic. You can ensure that client requests are routed to the fastest and most available application backend.
Privileged Access Device - PAW
Privileged Access Workstation: a dedicated system for sensitive tasks that is protected against the attacks that daily-use workstations are exposed to.