Implement Platform Protection

Question 1

Network Adapters

Answer 1

VMs communicate with other VMs and other resources on the network by using virtual network adapters. Virtual network adapters configure VMs with private and, optionally, public IP address. A VM can have more than one network adapter for different network configurations.

Question 2

Zero-Trust

Answer 2

based on User, Device, and application identity Grant access at access-time only, and only the destination resource needs to provide the necessary access controls.

Question 3

Azure Network Security Groups

Answer 3

Filters traffic to and from Azure resources in an Azure virtual network. Contains security rules that allow or deny inbound or outbound traffic. For each rule, you can specify source, destination, port and protocol. NSGs secure traffic passing through a network adapter, a VM, or a subnet. Custom NSG rules exist that can’t be deleted, but can be overridden if something has higher priority. By default you can create 100 NSGs per region, per subscription. You can raise to 400 by contacting Azure support.

-Inbound Traffic :
For inbound traffic, rules related to subnet process first, if any, and then network rules, if any.

-Outbound Traffic: Azure processes network rules if any, then subnet, if any.

Question 4

Application Security Groups

Answer 4

Built on Network Security Groups.

ASGs enable you to configure network security as a natural extension of an application’s structure.

Question 5

FQDN

Fully Qualified Domain Name

Answer 5

a domain associated with well known microsoft services, like outlook.com

Question 6

Forced Tunneling

Answer 6

redirect all internet-bound traffic back to your on-premises location via a site-to-site VPN tunnel for inspection and auditing. Without forced tunneling, there’s no option to audit the traffic.

Forced tunneling is configured via User Defined Route UDR is a custom route in Azure that override’s Azure’ default system routes, or adds routes to a subnet’s route table.

Question 7

User Defined Route - UDR

Answer 7

A custom route in Azure that override’s Azure’ default system routes, or adds routes to a subnet’s route table.

Question 8

Network Virtual Appliance NVA

Answer 8

Checks all inbound and outbound network traffic an only allows traffic that meets the security rules. If the NVA fails, it is a single point of failure and no traffic will pass. Deploying more than one NVA into an availability set is a way to avoid down time.

Question 9

Hub and Spoke Topology

Answer 9

Hub-virtual network in Azure that acts as a central point of connectivity to your on-premises network. Spokes-virtual networks that peer with the hub and can be used to isolate workloads. Traffic flows between on-prem datacenter and the hub through an ExpressRoute or VPN gateway connection.

Question 10

CIP

Answer 10

VM Assigned public IP address

Question 11

Service Endpoints

Answer 11

Provides the identity of your virtual network to the Azure service. Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.
A common usage case for service endpoints is a virtual machine accessing storage. The storage account restricts access to the virtual machines private IP address.

Question 12

Azure Private Link

Answer 12

customer can request a connection to the service provider for consuming the service, the service provider can decide whether to allow. (onedrive/sharepoint?)

Question 13

Azure Application GateWay

Answer 13

A web traffic load balancer that enables you to manage traffic to your web applications. Layer 7 load balancing - applications.

Question 14

Azure Front Door

Answer 14

HTTP(s) load balancer. Define, manage, and monitor global routing for your web traffic. You can ensure that your client requests are routing to the fastest and most available application backend.

Question 15

Privileged Access Device - PAW

Answer 15

Privileged Access Workstation, a dedicated system for sensitive tasks that is protected against attacks daily workstations are vulnerable to.

Question 16

Azure Bastion

Answer 16

Provides secure RDP/SSH connectivity to VM’s in the VN where it is provisioned, protects VM’s from exposing RDP/SSH ports to outside world.

Question 17

Azure Update Management

Answer 17

Manage updates and patches for virtual machines. Log analytics must be installed on VP in order to enable them with Update Management.

Question 18

Windows Defender Application Control

Answer 18

Configurable code integrity

Question 19

Azure Container Instances

Answer 19

Azure Container Instances can start containers in Azure in seconds, without the need to provision and manage VMs. Azure Container Instances (ACI), is a PaaS service for scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. For scenarios where you need full container orchestration, including service discovery across multiple containers, automatic scaling, and coordinated application upgrades, we recommend Azure Kubernetes Service (which will be covered later on in this lesson). Deploy containers from DockerHub or Azure Container Registry.

Question 20

Docker Hub

Answer 20

public, open source container registry that contains a catalogue of container images

Question 21

AKS Azure Kubernetes Services

Answer 21

Manages container-based applications and their associated networking and storage components. Focuses on the workloads and scalability.

Kubernetes cluster architecture - A Kubernetes cluster is divided into two components:

Control plane nodes - provide the core Kubernetes services and orchestration of application workloads.

Nodes run your application workloads.

Question 22

Control Plane Nodes

Answer 22

provide the core Kubernetes services and orchestration of application workloads.

Question 23

Node

Answer 23

an azure virtual machine running containerized applications

Question 24

Pools

Answer 24

groups of identical nodes

Question 25

Pod

Answer 25

Single instance of an application, a pod can contain multiple containers.

Question 26

Manifest

Answer 26

YAML file describing kubernetes deployment

Question 27

Cluster Master

Answer 27

When you create an AKS cluster, a cluster master is automatically created and configured. This cluster master is provided as a managed Azure resource abstracted from the user. There is no cost for the cluster master, only the nodes that are part of the AKS cluster.

The cluster master includes the following core Kubernetes components:

kube-apiserver - The API server
etcd - key value store within Kubernetes.
kube-scheduler - determines what nodes can run the workload and starts them.
kube-controller-manager - oversees smaller Controllers that perform actions such as replicating pods and handling node operations.

Question 28

Cluster IP

Answer 28

Kubernetes service that creates an internal IP address for use within the AKS cluster. Good for internal-only applications that support other workloads within the cluster.

Question 29

NodePort

Answer 29

Kubernetes service that creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.

Question 30

LoadBalancer

Answer 30

Kubernetes service that creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customers’ traffic to reach the application, load balancing rules are created on the desired ports.

Question 31

ExternalName

Answer 31

Kubernetes service that creates a specific DNS entry for easier application access.

Question 32

Volumes

Answer 32

A volume represents a way to store, retrieve, and persist data across pods and through the application lifecycle. Volumes can use Azure Disks or Azure Files.

Question 33

Volumes

Answer 33

A volume represents a way to store, retrieve, and persist data across pods and through the application lifecycle. Volumes can use Azure Disks or Azure Files.

Question 34

Persistent Volumes

Answer 34

Persistent volumes are created as part of the pod lifecycle and exist until the pod is deleted. Can be statically created by a cluster administrator, or dynamically created by the Kubernetes API server.

Question 35

Persistent Volume Claims

Answer 35

A PersistentVolumeClaim requests either Disk or File storage of a particular StorageClass, access mode, and size. The Kubernetes API server can dynamically provision the underlying storage resource in Azure if there is no existing resource to fulfill the claim based on the defined StorageClass. The pod definition includes the volume mount once the volume has been connected to the pod.

Question 36

Roles and ClusterRoles

Answer 36

Role bindings are used to assign roles for a given namespace. A ClusterRoleBinding works in the same way to bind roles to users, but can be applied to resources across the entire cluster, not a specific namespace.

Question 37

RoleBindings and ClusterRoleBindings

Answer 37

To bind roles across the entire cluster, or to cluster resources outside a given namespace, instead use ClusterRoleBindings.