Skill 4.2 Flashcards
Network Security Groups (NSG)
Lets you control which network flows are permitted into and out of your virtual networks and virtual machines. It is a standalone Azure resource that acts as a stateful network filter. Each NSG contains a list of security rules that allow or deny traffic, with separate rule lists for the inbound and outbound directions.
What are NSGs associated with
A subnet or a specific VM's network interface (NIC). Both can be in place at once, in which case traffic must be allowed by both NSGs (inbound: subnet NSG first, then NIC NSG; outbound: NIC NSG first, then subnet NSG)
How are NSGs enforced
By priority. User rules take a unique priority value from 100 to 4096 per direction; rules are evaluated from the lowest number upward and the first match wins, so no later rule is consulted. The platform default rules sit at priority 65000 and above, which is why any user rule overrides them
What is a NSG service tag
Platform-defined shortcuts that map to the IP ranges of various Azure Services
What are service tags used for in NSG rules
As a quick and reliable way of creating rules that control traffic to each service
What are the default NSG rules
Virtual Network – traffic originating and ending in the virtual network is allowed, both inbound and outbound
Internet – outbound traffic is allowed but inbound traffic is blocked
Load Balancer – allows the Azure load balancer to probe the health of your VMs and role instances
Deny all – anything not matched by a higher-priority rule is denied, inbound and outbound (the DenyAllInBound and DenyAllOutBound rules at priority 65500)
What are application security groups (ASG)
Offer an approach to network segmentation. They let you achieve the same goal of segmenting your application into separate tiers and strictly controlling the permitted network flows between tiers, but you explicitly define which application tier each VM belongs to (by ASG membership) rather than implicitly defining it through the VM's IP address or subnet
What do NSG rules define
The permitted traffic flows between application tiers, using the ASG names as the source and destination instead of IP ranges
What are the steps to configure an ASG
Create an application security group resource for each application tier. This resource has no properties other than its name, resource group and location
Associate the network interface of each VM with the ASG for its tier
Define your network security group rules using ASG names as source and destination instead of explicit IP ranges
Does an NSG define rules for IaaS, PaaS or SaaS?
IaaS. NSGs filter traffic to resources deployed in a virtual network (VMs, scale sets and other VNet-injected resources); they do not apply to PaaS or SaaS services that are not in your VNet
How many NSG can each nic or subnet be associated to
One. Each NIC and each subnet can have at most one NSG, but the same NSG can be associated with many NICs and subnets
Define Effective Security Rules View
A view in Network Watcher designed to let you drill into each NSG rule and see the exact list of source and destination IP prefixes that are actually applied, regardless of whether the rule was written with CIDR ranges, service tags or ASG names. It also merges the subnet and NIC NSGs, so it shows the rules that really govern a given NIC
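The cards on rule priority, service tags, the default rules, ASG-based rules and the effective security rules view all describe the same evaluation model. The following Python is an added example (not Azure's code) that models it on constructed data: a 10.0.0.0/16 VNet, stand-in service-tag prefixes, two ASGs and a three-tier rule set. The default rule names and their priorities (65000, 65001, 65500) are the real ones; the VNet range, ASG membership and user rules are assumptions chosen for the illustration.

```python
"""Toy model of Azure NSG rule evaluation (added example, not Azure's code).

Assumptions: VNet address space 10.0.0.0/16; service-tag prefixes and ASG
membership below are constructed sample data, not live Azure data.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed VNet address space

# Stand-ins for platform-maintained service tags. Azure publishes and updates
# the real prefix lists; "Internet" is everything outside the VNet.
SERVICE_TAGS = {
    "VirtualNetwork": [VNET],
    "Internet": list(ipaddress.ip_network("0.0.0.0/0").address_exclude(VNET)),
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],  # probe source
}

# Application security groups: NIC private IPs grouped by tier (constructed).
ASGS = {"asg-web": ["10.0.1.4", "10.0.1.5"], "asg-db": ["10.0.2.4"]}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # user rules 100-4096; lower number is evaluated first
    direction: str        # "Inbound" or "Outbound"
    access: str           # "Allow" or "Deny"
    source: str = "*"     # CIDR, service tag, ASG name or "*"
    destination: str = "*"
    protocol: str = "*"   # "Tcp", "Udp" or "*"
    dest_port: str = "*"  # "*", "443" or a range such as "1024-65535"


# Platform default rules; they sit above the user range so any user rule wins.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


def expand(address):
    """Resolve a rule address field to the concrete prefixes it stands for."""
    if address == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if address in SERVICE_TAGS:
        return SERVICE_TAGS[address]
    if address in ASGS:
        return [ipaddress.ip_network(f"{ip}/32") for ip in ASGS[address]]
    return [ipaddress.ip_network(address)]


def port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def validate(user_rules):
    """Return the constraint violations the portal would reject (empty if fine)."""
    problems, seen = [], set()
    for r in user_rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            problems.append(f"{r.name}: duplicate priority {r.priority} for {r.direction}")
        seen.add((r.direction, r.priority))
    return problems


def evaluate(user_rules, direction, src_ip, dst_ip, protocol, dst_port):
    """Return (access, rule name) for the first matching rule in priority order."""
    if validate(user_rules):
        raise ValueError(validate(user_rules))
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(user_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or (r.protocol not in ("*", protocol)):
            continue
        if not port_matches(r.dest_port, dst_port):
            continue
        if not any(src in n for n in expand(r.source)):
            continue
        if not any(dst in n for n in expand(r.destination)):
            continue
        return r.access, r.name
    raise RuntimeError("unreachable: the DenyAll defaults always match")


def effective_rules(user_rules):
    """Mimic the effective security rules view: every rule, in evaluation order,
    with service tags and ASGs expanded to the prefixes actually enforced."""
    return [
        {"name": r.name, "priority": r.priority, "direction": r.direction,
         "access": r.access,
         "source": [str(n) for n in expand(r.source)],
         "destination": [str(n) for n in expand(r.destination)]}
        for r in sorted(user_rules + DEFAULT_RULES, key=lambda r: r.priority)
    ]


# Constructed three-tier policy: only HTTPS from the Internet reaches the web
# tier, only the web tier reaches the DB, and the rest of the VNet is cut off
# from the DB (rule 300 beats the AllowVnetInBound default because 300 < 65000).
USER_RULES = [
    Rule("AllowHttpsToWeb", 100, "Inbound", "Allow", "Internet", "asg-web", "Tcp", "443"),
    Rule("AllowWebToDb", 200, "Inbound", "Allow", "asg-web", "asg-db", "Tcp", "1433"),
    Rule("DenyVnetToDb", 300, "Inbound", "Deny", "VirtualNetwork", "asg-db"),
]

if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.0.1.4", "Tcp", 443), ("203.0.113.7", "10.0.2.4", "Tcp", 1433),
                 ("10.0.1.4", "10.0.2.4", "Tcp", 1433), ("10.0.3.9", "10.0.2.4", "Tcp", 1433)]:
        print(flow, "->", evaluate(USER_RULES, "Inbound", *flow))
    for e in effective_rules(USER_RULES)[:3]:
        print(e["priority"], e["name"], e["source"][:2], "->", e["destination"])
```

Two things worth noticing when you run it: a host in the VNet that is not in asg-web (10.0.3.9) is denied by rule 300 even though the platform's AllowVnetInBound would have allowed it, because 300 is evaluated first; and in the effective view the Internet tag is not one prefix but the set of ranges left after carving the VNet out of 0.0.0.0/0, which is the kind of expansion the real view shows you for a tag.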
What is Azure Firewall
A managed service that provides out-of-the-box network security for Azure resources. It is highly available and scalable.
Provides the ability to restrict which outbound IP addresses and ports your VNet resources are allowed to communicate with, and to filter inbound traffic. Supports outbound SNAT (a static public IP for your outbound traffic), inbound DNAT (port forwarding to VNet resources), threat-intelligence filtering and Azure Monitor logging
What is the standard deployment model for Azure Firewall
Hub and spoke: the firewall is hosted in its own VNet (the hub) and workloads are placed in one or more subnets of spoke VNets in the same region, peered to the hub. Spoke traffic is sent through the firewall with user-defined routes
Where must Azure Firewall be hosted
In a subnet named exactly AzureFirewallSubnet with a minimum /26 address space, so that the service can provision additional firewall instances in that subnet when it scales out