What is Azure Firewall?
A managed, cloud-based network security service that helps protect provisioned Resources in your AVN (Azure Virtual Networks)
What makes Azure Firewall stateful?
Analyzes the complete context of a network connection (not just an individual packet) i.e. it examines the full state of a network connection
Why does Azure Firewall use a static public IP Address for AVN Resources?
It enables outside firewalls to identify all traffic COMING FROM that AVN.
Azure Firewall as some notable features
- What’s the most general or common feature given it is hosted in Azure (i.e. what does Azure offer)?
- What two common Firewall features does it support?
- What Azure-specific feature does it support (it’s integrated with….)?
1 Like most all Azure Services … High availability, unrestricted cloud scalability
2 In addition to that, Firewall specific features include:
- Inbound/Outbound filtering rules
- Supports inbound Destination Network Address Translation (DNAT)
3 It’s integrated into Azure Monitor for logging and analytics
Hint: A FQDN, N, NAT
What three (3) types of Rules can be configured in Azure Firewall?
- Application rules that define FQDNs (fully qualified domain names) that can be accessed from a subnet
- Network rules that define source’s address/protocol/destination and its destination/port address
- NAT (Network Address Translation) rules that define destination IP addresses and ports to translate inbound requests
What two entities can Azure Firewall apply to?
Firewall applies connectivity Policies across both Subscriptions and Virtual Networks
What does Azure Firewall provide for (both Application AND Network Connectivity) Policies?
Provides a central location to create, enforce and log both Application AND Network connectivity Policies
What is a Web Application Firewall (WAF)?
WAFs provide centralized INBOUND protection for web applications against common exploits and vulnerabilities
What Azure Services provide a WAF? (name three)
- Azure Front Door (Cloud CDN with additional security features)
- Azure Content Delivery Networks
- Azure Application Gateway
What is a Distributed Denial of Service attack? Other than by its definition, what else about DDoS attacks are detrimental to Azure-based applications?
An attack that attempts to overwhelm and exhaust an application’s resources, making it slow and unresponsive. Anything publicly reachable (websites, web services, etc.)
W.r.t. Cloud and auto-scaling, a DDoS attack can blow up your costs by forcing auto-scaling on services
What is Azure DDoS Protection?
It’s a service that provides attack mitigation capacity to all Azure Regions
- Sits between your AVN and the Azure Backbone
- Uses scale and elasticity for mitigation
- It identifies and discards DDoS traffic at the network edge before it can affect your services, while allowing customer traffic in without interruption.
You can receive credit for auto-scaled out Resources during a DDoS attack (T/F)?
True
What is the Basic Tier for DDos Protection?
Basic
- Auto enabled for free
- Always-On monitoring
- Ensures the basic Azure infrastructure is not affected during a large-scale attack
- Azure’s global network is used to distribute/mitigate the attack across Azure Regions
What is the Standard Tier for DDoS Protection?
Standard
- Not free but otherwise provides the same features as Basic
- In addition, provides more mitigation capabilities specific to AVNs
- Machine Learning and dedicated traffic monitoring used for tuning protection policies, which are applied to public IP addresses associated to Resources deployed in your AVNs (things like Azure Load Balancer or Application Gateway)
Hint: V P R(A)
What three (3) kinds of attack can DDoS Protection help prevent?
- Volumetric attacks: flooding the network layer with substantial traffic
- Protocol attacks: exploiting weaknesses in layer 3 and 4 protocol stacks, rendering the target inaccessible
- Resource (Application) layer attacks: targets web packets to disrupt transmission of data between hosts.
How do you protect against L7 attacks?
L7 (Application Layer) attacks require a WAF to protect against. Once in place, DDoS Protection protects the WAF
-
Module 0 - Core Cloud Concepts30
-
Module 1a - Understanding Azure Architecture and Management - General Concepts16
-
Module 1b - Understanding Azure Architecture and Management - Geographies, Regions and Zones24
-
Module 1c - Understanding Azure Architecture and Management - Resource Groups14
-
Module 2aa - Exploring Azure Core Products - Compute, App Service10
-
Module 2ab - Exploring Azure Core Products - Compute, Functions & Logic Apps10
-
Module 2ac - Exploring Azure Core Products - Compute, Containers and K8s13
-
Module 2ad - Exploring Azure Core Products - Compute, Virtualization & Serverless Compute22
-
Module 2ba - Exploring Azure Core Products - Networking, AVNs22
-
Module 2bb - Exploring Azure Core Products - Networking, VPN Gateways General Knowledge22
-
Module 2bc - Exploring Azure Core Products - Networking, VPN Gateway Specs and Requirements12
-
Module 2bd - Exploring Azure Core Products - Networking, ExpressRoute18
-
Module 2c - Exploring Azure Core Products - Storage25
-
Module 2da - Exploring Azure Core Products - Database Solutions - Non-SQL Server16
-
Module 2db - Exploring Azure Core Products - Database Solutions - SQL Server15
-
Module 2dc - Exploring Azure Core Products - Data Analytics13
-
Module 3a - Describe Core Solution and Mgmt Tools - IoT16
-
Module 3b - Describe Core Solution and Mgmt Tools - AI18
-
Module 3c - Describe Core Solution and Mgmt Tools - Best Serverless Tech for your Business15
-
Module 3d - Describe Core Solution and Mgmt Tools - Best Tools to Build Better Solutions16
-
Module 3e - Describe Core Solution and Mgmt Tools - Best Tools for Managing and Configuring Azure19
-
Module 3f - Describe Core Solution and Mgmt Tools - Choosing the Best Monitoring Services18
-
Module 4aa - Security and Network Security - Protect Against Security Threats - Security Center and Secure Score20
-
Module 4ab - Security and Network Security - Protect Against Security Threats - Azure Sentinel, Key Vault and Dedicated Hosts20
-
Module 4ba - Security and Network Security - Defense in Depth, Security Posture15
-
Module 4bb - Security and Network Security - Azure Firewall, DDos16
-
Module 4bc - Security and Network Security - Network Security Groups12
-
Module 5a - Identity, Governance, Privacy and Compliance - Azure Identity Services20
-
Module 5ba - Identity, Governance, Privacy and Compliance - Build a Cloud Governance Strategy, RBAC17
-
Module 5bb - Identity, Governance, Privacy and Compliance - Build a Cloud Governance Strategy, Resource Locks, Tags11
-
Module 5bc - Identity, Governance, Privacy and Compliance - Build a Cloud Governance Strategy, Policies23
-
Module 5bd - Identity, Governance, Privacy and Compliance - Build a Cloud Governance Strategy, Blueprints8
-
Module 5be - Identity, Governance, Privacy and Compliance - Build a Cloud Governance Strategy, The Cloud Adoption Framework15
-
Module 5ca - Identity, Governance, Privacy and Compliance - Privacy, Compliance and Data Protection Standards21
-
Module 5cb - Identity, Governance, Privacy and Compliance - Privacy, Azure Government12
-
Module 6aa - Plan and Manage Azure Costs - Calculators and Cost Factors15
-
Module 6ab - Plan and Manage Azure Costs - Mechanisms for Managing Costs17
-
Module 6b - Azure SLAs and Service Lifecycle18
