Security and Networking Flashcards

1
Q

What is Azure Security Center?

A

A monitoring service that provides visibility across all of your services, both on Azure and on-premises, into your cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats

2
Q

How can you prevent malware from being installed on your VMs?

A

You can use Azure Security Center either to detect and block malware with machine learning or to define adaptive application controls, rules that ensure only allowed applications can run

3
Q

What are some of Security Center’s advanced cloud defense capabilities?

A

Just-in-time VM access, Adaptive application controls, Adaptive network hardening, File integrity monitoring

4
Q

What is Azure Sentinel?

A

A cloud-based security information and event management (SIEM) system which uses intelligent security analytics and threat analysis

5
Q

What is Azure Key Vault?

A

A centralized cloud service for storing an application’s secrets in a single location

6
Q

What is a host group?

A

A collection of dedicated physical servers provided by Azure Dedicated Host

7
Q

What’s the easiest way for Tailwind Traders to combine security data from all of its monitoring tools into a single report?

A

Collect security data in Azure Sentinel

8
Q

What is the best way for Tailwind Traders to safely store its TLS certificates so that they’re accessible to cloud VMs?

A

Store the certificates in Azure Key Vault

9
Q

How can you ensure that certain VM workloads are physically isolated from workloads being run by other customers?

A

Run the VMs on Azure Dedicated Host

10
Q

What is defense in depth?

A

A strategy of providing security on many layers to remove reliance on any single layer of protection

11
Q

Give an overview of each layer that defense in depth is concerned with.

A
  • Physical Security layer is the first line of defense to protect computing hardware
  • Identity and Access layer controls access to infrastructure and change control
  • Perimeter layer uses DDoS protection to filter large-scale attacks
  • Network layer limits communication between resources through segmentation and access controls
  • Compute layer secures access to virtual machines
  • Application layer helps ensure that applications are secure and free of security vulnerabilities
  • Data layer controls access to business and customer data that you need to protect
12
Q

What are the common principles to define a security posture?

A
  • Confidentiality - use the principle of least privilege
  • Integrity - Prevent unauthorized changes to information both when stored and in transit
  • Availability - Ensure services are functioning and can be accessed only by authorized users
13
Q

What can you configure with Azure Firewall?

A
  • Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet
  • Network rules that define source address, protocol, destination port, and destination address
  • Network Address Translation (NAT) rules that define destination IP addresses and ports to translate inbound requests
14
Q

What kind of attacks can Azure DDoS Protection help prevent?

A
  • Volumetric attacks that flood the network layer with seemingly legitimate traffic
  • Protocol attacks that render a target inaccessible by exploiting a weakness in the networking (IP) and transport (TCP) layers of the protocol stack
  • Resource-layer (application-layer) attacks that target web application packets to disrupt the transmission of data between hosts. A Web Application Firewall (WAF) is required to protect against L7 attacks.
15
Q

What are network security groups?

A

NSGs act like an internal firewall and enable you to filter network traffic to and from Azure resources within an Azure virtual network.

16
Q

What is Web Application Firewall?

A

WAF is a feature of Azure Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities

17
Q

What command would you use to create an NSG rule via Azure CLI?

A

az network nsg rule create

18
Q

An attacker can bring down your website by sending a large volume of network traffic to your servers. Which Azure service can protect you from this kind of attack?

A

Azure DDoS Protection

19
Q

What’s the best way to limit all outbound traffic from VMs to known hosts?

A

Create application rules in Azure Firewall

20
Q

How can you most easily implement a deny by default policy so that VMs can’t connect to each other?

A

Create a network security group rule that prevents access from another VM on the same network

21
Q

What is Azure Virtual Networking?

A

Azure virtual networks enable Azure resources to communicate with each other, users on the internet, and on-premises client computers

22
Q

How can you enable incoming connections to a VM from the internet?

A

Define a public IP address or a public load balancer

23
Q

What two ways can you enable Azure resources to communicate securely with each other?

A

Virtual networks and service endpoints

24
Q

What three mechanisms are available to link together resources between your on-premises environment and your Azure subscription?

A

Point-to-site Virtual Private Networks, Site-to-site Virtual Private Networks, Azure ExpressRoute

25
Q

How does point-to-site VPN differ from site-to-site VPN?

A

In point-to-site, a client computer initiates an encrypted VPN connection to Azure, connecting it to the Azure virtual network. In site-to-site, the client’s on-premises VPN device or gateway is connected to the Azure VPN gateway in a virtual network, allowing the devices in Azure to appear as if they’re on the local network.

26
Q

What is Azure ExpressRoute?

A

Provides a dedicated, private connection between the client and Azure that does not travel over the internet. It offers greater bandwidth and higher levels of security.

27
Q

What can you use to override how network traffic is routed between Azure and the on-premises network?

A

Route tables and Border Gateway Protocol (BGP)

28
Q

What is Border Gateway Protocol?

A

BGP defines the best route for network traffic to reach the destination

29
Q

What is a Network virtual appliance?

A

A specialized VM that carries out a particular network function, such as running a firewall or performing WAN optimization

30
Q

What are two ways to filter traffic between subnets?

A

Network security groups and network virtual appliances

31
Q

What is peering?

A

Links virtual networks together, even in separate regions, allowing you to create a global interconnected network through Azure

32
Q

True or False: To connect Azure resources using Azure Virtual Network, the resources must be within the same resource group and subscription?

A

True

33
Q

True or False: To connect resources over a VPN gateway, the resources must be within the same region?

A

False

34
Q

What are the 3 architectures to consider when planning a VPN gateway?

A
  • Point-to-site over the internet
  • Site-to-site over the internet
  • Site-to-site over a dedicated network, such as Azure ExpressRoute
35
Q

What are some factors to consider when planning a VPN gateway?

A
  • Throughput
  • Internet or private backbone
  • Availability of a public, static IP address
  • VPN device compatibility
  • Multiple client connections vs. a site-to-site link
  • VPN gateway type
  • Azure VPN Gateway SKU
36
Q

What are Gateway SKUs?

A

Identifies the type of workloads, throughputs, features, and SLAs that the VPN Gateway can support. You specify the Gateway SKU to use when you create a virtual network gateway.

37
Q

What does the AZ suffix represent on a Gateway SKU?

A

This is a zone-redundant virtual network gateway, meaning that your gateway instances are deployed to separate Azure Availability Zones to protect network connectivity to Azure from zone-level failures.

38
Q

What does the “Basic” Gateway SKU not support that the other SKUs do?

A

The Basic SKU does not support point-to-site IKEv2/OpenVPN connections and does not support BGP

39
Q

When designing VPN gateways, what are some rules that you must consider?

A
  • A subnet in one location must not contain the same address space as a subnet in another location (subnets cannot overlap)
  • IP addresses must be unique
  • VPN gateways need a gateway subnet called “GatewaySubnet”
40
Q

How does a Route Based VPN gateway differ from a Policy Based one?

A

Route-based gateways are typically built on router platforms. They use wildcard traffic selectors and let routing tables direct traffic to IPsec tunnels. Policy-based gateways are typically built on firewall devices and use combinations of prefixes from both networks to define how traffic is encrypted and decrypted through IPsec tunnels.

41
Q

In ExpressRoute, how does Azure private peering differ from Microsoft peering?

A

Azure private peering connects to Azure compute services such as VMs and cloud services, while Microsoft peering connects to cloud-based SaaS offerings, such as Microsoft 365.

42
Q

Which protocol provides dynamic routing for Azure ExpressRoute?

A

Border Gateway Protocol (BGP)