Secure networking

Question 1

By default, do all resources in a virtual network can communicate outbound with the internet?

Answer 1

Yes

Question 2

What are the 3 ways resources in Azure can communicate with each other?

Answer 2

1. Virtual Network/subnet
2. Virtual Network Service Endpoint
3. Virtual Network Peering

Question 3

What are the 3 ways resources in Azure can communicate with on-prem resources?

Answer 3

1. Point-to-site VPN
2. Site-to-site VPN
3. Azure ExpressRoute

Question 4

Describe the purpose ‘Virtual network service endpoint’

Answer 4

Extend your virtual network’s private address space and allow connections into a separate network.

Question 5

What are the 2 ways virtual traffic between subnets can be filtered?

Answer 5

1. Network security groups (NSGs)
2. Network virtual appliances (NVAs)

Question 6

Describe a ‘Network virtual appliance (NVA)’

Answer 6

A VM that performs a network function, such as a firewall or WAN optimization found in the Azure Marketplace or custom ISO.

Question 7

Describe a ‘Network/Application security group’

Answer 7

Filter traffic to and from resources by source and destination IP address, port, and protocol.

Question 8

What does a Network/Application security group contain?

Answer 8

A 5-tuple hash rule specifying how traffic should be filtered.

Question 9

Are Network/Application security groups stateless or stateful?

Answer 9

Stateful.

Question 10

Does a Network/Application security group affect new connections?

Answer 10

Existing connections may not be interrupted; Modifying network security group rules will only affect new connections.

Question 11

For inbound traffic, in what direction does Azure process rules in a network security group?

Answer 11

Azure processes the rules associated to a subnet first and then the rules in a network security group associated to the network interface.

Question 12

For outbound traffic, in what direction does Azure process rules in a network security group?

Answer 12

Azure processes the rules associated to a network interface first and then the rules in a network security group associated to the subnet.

Question 13

By default, can resources in a virtual subnet communicate with each other?

Answer 13

Yes.

Question 14

Describe the purpose of the ‘IP Flow Verify’ function

Answer 14

Determine whether a communication is allowed or denied and verify to surface the identity of the network security rule responsible for allowing or denying the traffic.

Question 15

Is it best practice to assign a NSG to the interface of a resource and another NSG to the subnet/network that resource belongs in?

Answer 15

No; Recommended to associate a NSG to a subnet, or a network interface, but not both.

Question 16

Describe the purpose of an ‘Application Security Group (ASG)’

Answer 16

Group identical/similar virtual machines and define security rules based on those groups.

Question 17

What should be considered when assigning network interfaces to an application security group with respect to each interfaces original network?

Answer 17

All network interfaces assigned to an ASG have to exist in the same virtual network that the first network interface assigned to the application security group is in.

Question 18

What must be considered if placing an ASG as the source and destination in a security rule?

Answer 18

The network interfaces in both application security groups must exist in the same virtual network.

Question 19

How many route tables can a subnet be associated with?

Answer 19

0 or 1.

Question 20

How many subnets can a route table be associated with?

Answer 20

0 or more.

Question 21

Describe ‘User-Defined Routes (UDRs)’

Answer 21

Static routes in Azure to override Azure’s default system routes that list the next hop IP in the route.

Question 22

What are the 3 options for defining the next hop in a user-defined route?

Answer 22

1. Virtual network appliance
2. The private IP address of a network interface attached to a virtual machine
3. The private IP address of an Azure internal load balancer

Question 23

What is the outcome of defining a user-defined route with 0.0.0.0/0 as the address prefix and a next hop type of virtual appliance?

Answer 23

This configuration allows the appliance to inspect the traffic and determine whether to forward or drop the traffic.

Question 24

What protocol must be used when defining a user-defined route to a virtual network gateway?

Answer 24

BGP not ExpressRoute.

Question 25

When defining a user-defined route, what should be specified to drop the traffic to a destination?

Answer 25

By selecting ‘none’ as the destination.

Question 26

What controls/mechanisms can be specified as the next hop in a user-defined route?

Answer 26

Virtual network peering or VirtualNetworkServiceEndpoint.

Question 27

Can a service tag be specified as the address prefix of a user-defined route?

Answer 27

Yes.

Question 28

By default, is traffic routed between two virtual networks?

Answer 28

No; Each virtual network is isolated.

Question 29

Describe ‘Virtual network peering’

Answer 29

Connects two Azure virtual networks allowing the resources in each network to communicate as if they are in the same network.

Question 30

How is traffic routed between VMs in a virtual network peering?

Answer 30

Routed through the Microsoft backbone infrastructure, through private IP addresses only.

Question 31

Describe the purpose of a ‘VPN gateway’

Answer 31

A specific type of virtual network gateway used to send traffic between an Azure virtual network and an on-prem over the public internet.

Question 32

Can a VPN gateway be used to connect two Azure virtual networks?

Answer 32

Yes.

Question 33

What is the best use case for virtual network peering?

Answer 33

Cross-region data replication and database failover as well as for strict data policies and want to avoiding traffic over the internet.

Question 34

What is the best use case for VPN Gateways?

Answer 34

Useful for necessary encryption and scenarios where latency is not important.

Question 35

Describe a ‘Gateway transit’

Answer 35

Allows you to share an ExpressRoute or VPN gateway with all peered virtual networks.

Question 36

What is the purpose of a gateway transit?

Answer 36

To create a transit virtual network that contains your VPN gateway, Network Virtual Appliance, and other shared services and connect virtual peerings.

Question 37

What is the max VPN gateways per virtual network?

Answer 37

1

Question 38

How many virtual peerings can a virtual network support?

Answer 38

Up to 500

Question 39

How should encryption be implemented with virtual network peering?

Answer 39

Software-level encryption is recommended as it is not natively provided.

Question 40

How should encryption be implemented with a VPN gateway?

Answer 40

Custom IPsec/IKE policy can be applied to new or existing connections.

Question 41

Describe the purpose of implementing a ‘Virtual WAN’

Answer 41

Connects on-prem to your resources in Azure over an IPsec/IKE (IKEv1 and IKEv2) VPN connection.

Question 42

What on-prem device should be considered when implementing a virtual WAN?

Answer 42

A VPN device located on-premises that has an externally facing public IP address assigned to it.

Question 43

What is the PowerShell cmdlet to create a virtual WAN in Azure Virtual Networks?

Answer 43

New-AzVirtualWan.

Question 44

What is the function of a hub in a virtual network?

Answer 44

A virtual network that can contain gateways for site-to-site, ExpressRoute, or point-to-site functionality.

Question 45

What is the PowerShell cmdlet to create a virtual WAN hub in Azure Virtual Networks?

Answer 45

New-AzVirtualHub.

Question 46

What is the PowerShell cmdlet to create a VPN gateway in Azure Virtual Networks?

Answer 46

New-AzVpnGateway.

Question 47

What is the purpose of creating a VPN site?

Answer 47

Sites contain your on-premises VPN device endpoints and define the connection.

Question 48

How many site are allowed per virtual hub in a virtual WAN?

Answer 48

Up to 1000 per hub.

Question 49

What is the PowerShell cmdlet to create a VPN site in Azure Virtual Networks?

Answer 49

New-AzVpnSite.

Question 50

What 3 parameters must be declared before connecting a VPN site to a hub?

Answer 50

1. virtualWan
2. vpnGateway
3. vpnSite

Question 51

What is the PowerShell cmdlet to connect a VPN site to a hub in Azure Virtual Networks?

Answer 51

New-AzVpnConnection

Question 52

What is required after connecting a VPN site to a hub?

Answer 52

Connect a virtual network to the virtual hub.

Question 53

Describe the connection of a ‘Site-to-site VPN’ in Azure virtual networks

Answer 53

IPsec/IKE (IKEv1 or IKEv2) VPN tunnel connecting an on-prem site to Azure or another on-prem site.

Question 54

What is the best use case for a Site-to-site VPN?

Answer 54

For cross-premises and hybrid configurations.

Question 55

What physical on-prem requirement should be considered when implementing a Site-to-site VPN?

Answer 55

Requires a VPN device located on-premises that has a public IP address assigned to it.

Question 56

Describe the connection of a ‘Point-to-site VPN’

Answer 56

A secure connection established from the client PC to a virtual network.

Question 57

What is the best use case for a Point-to-site VPN?

Answer 57

useful for telecommuters who want to connect to Azure VNets from a remote location or small VPN deployments.

Question 58

Do Point-to-site VPNs require an on-prem public IP?

Answer 58

No.

Question 59

Can a Point-to-site VPN share the same gateway as a Site-to-site VPN?

Answer 59

Yes; As long as all the configurations for both connections are compatible.

Question 60

What two modes can a VPN gateway be configured in?

Answer 60

1. active-standby mode using one public IP
2. active-active mode using two public IPs

Question 61

What must be considered when creating multiple VPN connections from a virtual network gateway?

Answer 61

Must use a RouteBased VPN type because each virtual network can only have one VPN gateway.

Question 62

What is required to use site-to-site VPNs and ExpressRoute in the same configuration?

Answer 62

Two virtual network gateways for the same virtual network, one using the gateway type ‘Vpn’, and the other using the gateway type ExpressRoute.

Question 63

Describe ‘Azure ExpressRoute’

Answer 63

A direct, private, connection from on-premises WAN into the Microsoft cloud not routed over the internet.

Question 64

What layer 3 protocol does Azure ExpressRoute use to exchange routes between on-prem, and Azure?

Answer 64

BGP.

Question 65

How does ExpressRoute ensure redundancy?

Answer 65

Two connections to two Microsoft Enterprise edge routers (MSEEs) from the connectivity provider or your network edge.

Question 66

What regions can an ExpressRoute circuit connect to by default?

Answer 66

Connectivity to all regions within a geopolitical region.

Question 67

How can an ExpressRoute circuit connect to regions outside a geopolitical boundary?

Answer 67

With ExpressRoute Premium.

Question 68

Define ‘ExpressRoute Global Reach’ and its purpose

Answer 68

Link ExpressRoute circuits together to make a private network between your on-premises networks.

Question 69

Define ‘ExpressRoute Direct’ and its purpose

Answer 69

ExpressRoute directly to a hosted Datacenter.

Question 70

How can encryption be implemented over an ExpressRoute?

Answer 70

Deploy Azure Virtual WAN from your on-premises network to Azure over the private peering of an Azure ExpressRoute circuit

Question 71

What two steps should be taken to implement encryption over an ExpressRoute?

Answer 71

1. Establish ExpressRoute connectivity with an ExpressRoute circuit and private peering.
2. Configure VPN from express route circuit to on-prem WAN.

Question 72

How many routes/paths are associated with a configuration that implements encryption over an ExpressRoute circut?

Answer 72

2; One over the IPsec-protected path and one directly over ExpressRoute without IPsec protection

Question 73

What are weak points for the PaaS cloud service model that bad actors go after?

Answer 73

Admin access and application code

Question 74

What is best practice for connecting to hybrid PaaS and IaaS services?

Answer 74

By using a management interface.

Question 75

Describe ‘Azure Network Watcher’

Answer 75

Enables you to monitor and repair the network health of IaaS products.

Question 76

Describe ‘IP flow verify’ and its purpose

Answer 76

Network watcher tool; Detect traffic filtering issues at a virtual machine level.

Question 77

Describe ‘NSG diagnostics’ and its purpose

Answer 77

Network watcher tool; Detect traffic filtering issues at a virtual machine, virtual machine scale set, or application gateway level.

Question 78

Describe ‘Next hop diagnostics’ and its purpose

Answer 78

Network watcher tool; Detect routing issues and checks if traffic is routed correctly to the intended destination.

Question 79

Describe ‘Effective security rules’ and its purpose

Answer 79

Network watcher tool; Shows you all security rules applied to the network interface, the subnet the network interface is in, and the aggregate of both.

Question 80

Describe ‘Connection troubleshoot’ and its purpose

Answer 80

Network watcher tool; Test a connection between a virtual resource and another IP or URL.

Question 81

What are the two traffic monitoring tools that Network watcher offers?

Answer 81

1. Flow logs
2. Traffic analytics

Question 82

Describe Network Watcher Flow logs

Answer 82

Log information about IP traffic flowing through a network security group.

Question 83

Where is log data captured by flow logs stored?

Answer 83

Azure storage.

Question 84

A company wants to establish network topologies that combine cross premises connectivity with inter virtual network connectivity. Which Azure feature allows them to do this

Answer 84

VNet peering.

Question 85

Describe a ‘Virtual Network (VNet) service endpoint’

Answer 85

Provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network.

Question 86

What is the purpose of a ‘Virtual Network (VNet) service endpoint’

Answer 86

Provides the identity of the vnet to the Azure service while virtual network rules secure the Azure services to vnets.

Question 87

How does a Virtual Network (VNet) service endpoint secure traffic?

Answer 87

Enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

Question 88

Can vnet service endpoints function with vnets with a classic deployment?

Answer 88

No; Only with vnets deployed through the Azure Resource Manager deployment model.

Question 89

By default, do vnet service endpoints filter between on-prem and Azure services?

Answer 89

No; only for intra-subnet traffic.

Question 90

How does vnet service endpoints function with Azure SQL?

Answer 90

Service endpoint applies only to Azure service traffic within a virtual network’s region.

Question 91

What occurs after enabling a service endpoint?

Answer 91

IPs switch from public to private and any existing open TCP connections are closed.

Question 92

How can vnet service endpoints be deployed to filter traffic between a vnet and an Azure service?

Answer 92

VNet service endpoint policies.

Question 93

Do vnet service endpoints affect disk traffic from an Azure FM?

Answer 93

No.

Question 94

Describe a ‘private endpoint’

Answer 94

A special network interface for an Azure service that uses a private IP address from a vnet.

Question 95

What is the purpose of a private endpoint?

Answer 95

Secures traffic to a service.

Question 96

What services can implement a private endpoint?

Answer 96

Azure Storage
Azure Cosmos DB
Azure SQL Database

Question 97

How do private endpoints route/filter traffic?

Answer 97

Traffic is secured to a private-link resource and validates network connections, allowing only those that reach the specified private-link resource.

Question 98

When deploying a private endpoint, what should be considered in regards to its region/location?

Answer 98

The private endpoint must be deployed in the same region and subscription as the virtual network.

Question 99

Can the private link resource and the vnet/private endpoint be deployed in different regions?

Answer 99

Yes.

Question 100

Can multiple private endpoints be created deployed to the same private-link resource?

Answer 100

Yes.

Question 101

What are the two ways of allowing access to a private-link resource?

Answer 101

1. Automatically approve
2. Manually request

Question 102

Describe the Azure private link service

Answer 102

Allows an external user to have a private connection to an Azure service behind a standard load balancer through a private endpoint deployed in the external users vnet.

Question 103

When deploying a private link service, what must be considered when choosing region/location?

Answer 103

Private Link Service must be deployed in the same region as the virtual network and the Standard Load Balancer.

Question 104

How can multiple private link resources be created on the same standard load balancer?

Answer 104

By using different front-end IP configurations for each private link.

Question 105

What is the purpose of the virtual network integration feature in Azure app service?

Answer 105

Gives compute app services access to resources in your virtual network and make outbound calls from your app into your virtual network.

Question 106

What does virtual network integrations provide for an app service?

Answer 106

Network security groups (NSGs); route tables/UDRs; NAT gateways.

Question 107

How many virtual network integrations can a single app service have?

Answer 107

2

Question 108

What are the 3 ways to route traffic when implementing a virtual network integration with an app service?

Answer 108

1. Application routing
2. Configuration routing
3. Network routing

Question 109

A company wants to route traffic for their custom containers through virtual network integration. What must they ensure is configured in addition to the routing setting?

Answer 109

Any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.

Question 110

Describe client-side encryption

Answer 110

Data encrypted by an application that’s running outside of Azure or data pre-encrypted when received by Azure.

Question 111

Who handles encryption/decryption with client-side encryption?

Answer 111

Only the client has access to the encryption keys and can decrypt this data.

Question 112

What are the 3 types of server-side encryption models?

Answer 112

1. Service-managed keys
2. Customer-managed keys
3. Service-managed keys in customer-controlled hardware

Question 113

Describe ‘Service-managed keys in customer-controlled hardware’ server-side encryption

Answer 113

Host Your Own Key (HYOK); Enables you to manage keys in your proprietary repository, outside of Microsoft control.

Question 114

What are the two options in Azure for disk encryption?

Answer 114

1. Disk Encryption for Linux VMs, using Device Mapper (DM)-Crypt
2. Disk Encryption for Windows VMs, which uses Windows BitLocker

Question 115

What service automatically encrypts and decrypts data stored in Blob storage or Azure files?

Answer 115

Azure Storage Service Encryption (SSE).

Question 116

What algorithm does Azure Storage Service Encryption (SSE) use to encrypt data?

Answer 116

AES-256 bit.

Question 117

What is the function of Transparent Data Encryption (TDE)?

Answer 117

Used to encrypt SQL Server, Azure SQL Database, and Azure Synapse Analytics data files in real time, using a Database Encryption Key (DEK).

Question 118

How does Transparent Data Encryption (TDE) encrypt/decrypt database data?

Answer 118

Using AES and 3DES to encrypt at the page level before they are written to disk, and decrypt before they are read into memory.

Question 119

Describe the ‘Always Encrypted feature’

Answer 119

Feature of Azure SQL that encrypts data within client applications prior to storing it in Azure SQL Database.

Question 120

Can the ‘Always Encrypted feature’ be used with client-side encryption?

Answer 120

Yes; Enable delegation of on-premises database administration to third parties.

Question 121

Describe ‘Cell-level or column-level encryption (CLE)’

Answer 121

Encrypt specific columns or even specific cells of data with different encryption keys in Azure SQL Database.

Question 122

How does Cell-level or column-level encryption (CLE) encrypt/decrypt data at rest?

Answer 122

Symmetric encryption to a column of data by using Transact-SQL.

Question 123

How is encryption at rest implemented with Azure Cosmos DB?

Answer 123

Enabled by default and can’t be turned off.

Question 124

What are the 3 types of keys that are used in encrypting and decrypting data at rest?

Answer 124

1. Master Encryption Key (MEK)
2. Data Encryption Key (DEK)
3. Block Encryption Key (BEK)

Question 125

Describe the purpose/function of the Master Encryption Key (MEK)?

Answer 125

Used to encrypt the DEK.

Question 126

Describe the purpose/function of the Block Encryption Key (BEK)?

Answer 126

Derived from the DEK and the data block.

Question 127

How is data encrypted in transit between Azure data centers?

Answer 127

Data-link layer encryption method using the IEEE 802.1AE MAC Security Standards (MACsec) integrated into the network hardware.

Question 128

How can encrypted access be implemented with Azure storage besides HTTPS?

Answer 128

SMB 3.0 or Shared Access Signatures (SAS)

Question 129

Describe ‘Azure Firewall’

Answer 129

Cloud-native stateful network firewall.

Question 130

What the 3 SKU tiers available for Azure Firewall?

Answer 130

Standard, Premium, and Basic.

Question 131

Describe Azure Firewall standard

Answer 131

Provides layer 3 to layer 7 (L3-L7) filtering and threat intelligence feeds directly from Microsoft Cyber Security.

Question 132

Describe Azure Firewall premium

Answer 132

Includes signature based IDS and IPS.

Question 133

Describe Azure Firewall basic

Answer 133

Threat Intel alert mode only; Fixed scale unit to run the service on two VMs.

Question 134

Which Azure Firewall SKU is best for small to medium businesses?

Answer 134

Basic; Recommended for environments with an estimated throughput of 250 Mbps.

Question 135

Describe the purpose of ‘Azure Firewall Manager’

Answer 135

Centrally deploy, configure, and apply polices to multiple Azure Firewall instances.

Question 136

Which two network architecture types can Firewall Manager provide security management for?

Answer 136

1. Secured virtual hub
2. Hub virtual network

Question 137

Describe a ‘Secured virtual hub’

Answer 137

A Microsoft-managed hub that has associated security and routing policies.

Question 138

Describe a ‘Hub virtual network’

Answer 138

Standard Azure virtual network that you create and manage yourself associated with security and routing policies.

Question 139

Which network architecture type can integrate with a 3rd party security as a service (SECaaS) provider?

Answer 139

Secured virtual hub.

Question 140

Are Web Application Firewalls (WAFs) able to be managed by Azure Firewall Manager?

Answer 140

Yes.

Question 141

Describe an ‘Azure Application Gateway’

Answer 141

A web traffic (OSI layer 7) load balancer.

Question 142

Describe a ‘listener’

Answer 142

A logical entity that checks for incoming connection requests to an application gateway’s frontend IP.

Question 143

How does a listener determine if it should accept an incoming request?

Answer 143

If the protocol, port, hostname, and IP address associated with the request match the same elements associated with the listener configuration.

Question 144

What are the two ways to create a routing rule to the backend pool for an application gateway?

Answer 144

1. Basic - forwards normally to a pool
2. Path based; route requests from specific URL paths to specific backend pools

Question 145

When implementing an application gateway, how can HTTP traffic be rerouted to HTTPS?

Answer 145

Choose listener as the redirection target; Redirects traffic from the source listener that checks for HTTP requests to the destination listener that checks for HTTPS.

Question 146

Define ‘Connection draining’

Answer 146

Helps you gracefully remove backend pool members during planned service updates.

Question 147

How does connection draining function?

Answer 147

Ensures that all deregistering instances in a backend pool don’t receive any new requests/connections while maintaining the existing connections until the configured timeout value.

Question 148

How is a WAF implemented on an Application Gateway?

Answer 148

Create a WAF policy and associate it with an application Gateway.

Question 149

What are the two modes of configuring an Application Gateway WAF?

Answer 149

1. Detection mode
2. Prevention mode

Question 150

What is the purpose/function of a ‘WAF engine’?

Answer 150

Inspects traffic and determines whether a request includes a signature that represents a potential attack.

Question 151

Describe ‘Anomaly Scoring mode’

Answer 151

Traffic that matches any rule isn’t immediately blocked when the firewall is in Prevention mode, it will depend on the anomaly score threshold.

Question 152

What actions does an Azure WAF support?

Answer 152

1. Allow
2. Block
3. Log
4. Anomaly score

Question 153

Describe ‘Azure Front Door’

Answer 153

A cloud Content Delivery Network (CDN) using Microsoft’s global edge network to distribute content to one of hundreds of global and local points of presence (PoPs).

Question 154

Describe ‘Azure DDoS Protection’

Answer 154

Protects at layer 3 and layer 4 network layers to mitigate DDoS.

Question 155

What are the two tiers/SKUs of Azure DDoS Protection?

Answer 155

1. DDoS Network Protection
2. DDoS IP Protection

Question 156

How is Azure DDoS Protection priced?

Answer 156

Only one license that can span across multipole subscriptions for DDoS Network Protection and DDoS IP Protection is pay-per-protected IP.