All Microsoft Azure Security AZ-500 certification exam dumps, study guide, training courses are Prepared by industry experts. PrepAway's ETE files povide the AZ-500 Microsoft Azure Security Technologies practice test questions and answers & exam dumps, study guide and training courses help you study and pass hassle-free!

Platform Protection: Network Security

10. Lecture: Azure Firewall

Again, what is it? It's that cloud-based network security appliance to protect Azure virtual network resources. It's a fully state-funded firewall service, and I need it because an NSG just might not be enough or might not meet compliance reasons. And I really want to add some more security here to my network. But what are some of the key features?

What does Azure Firewall give us? Well, one, it has Ha built in Ha. There's no need to configure load balances. This is often a difficult thing to do with some of the network virtual appliances. Ha is managed for you here. It does support availability zones, so a standard SLA for one in a single zone is 99 95%. But if we span availability zones, we can increase our SLA to 99 99%. Application FQDN filtering rules So you can limit outbound http or https traffic or Azure SQL traffic now as well to a specified list of FQDNs, including wildcards. And we have network traffic filtering rules as well, so you can still do central network traffic filtering by destination and port as you would with Msgs as well. FQDN tags work well as well, so things like Windows Updates have tags, and we can create an app rule and include the tag.

So, as an example, we allow all traffic to Windows Update from our VMs as an example. Service tags—we talked about those a little bit before. So again, service tags on Microsoft-managed groupings or services. So again, think of the services that have public FQDNs that we want to be able to access and that we need to be able to resolve.

We can use service tags for those. It has threat intelligence as well, so you can filter traffic based on Microsoft's threat intelligence feed. So Microsoft used a lot of machine learning as well, constantly looking for threats. And if certain people are trying to access your applications, but we know they're from a suspicious user, service, or infrastructure out there, it can basically take action here. And last but not least, we have Snap and Dnet support. So that's source network address translation and destination network address translation support as well. But let's look at the architecture examples a little bit differently. But if you think about your hub and spoke model, often you have a central venue in the middle and various spokes coming off that you might use for your different applications.

Some of those spokes might be shared with other applications; some might be dedicated. That's all there is for you. But what the Azure Firewall gives you is a central location that you can put in your central network and route traffic through it. So now it's looking at that threat intelligence. We can configure layer three through layer seven policies so that threat intelligence is looking all the time. Traffic could be denied by default; allow traffic through. Based on all those different filtering rules that we want, we can decide what we want to do.

There, and also any traffic coming from off-premises, can go through this firewall. Anything coming from the public cloud that's going to go into the on-premises data centre can go through this firewall and be filtered out as well. So that's it in a nutshell. Azure Firewall basically requires that you put it in your hub, route traffic through it, configure your policies, leverage Microsoft threat intelligence, and it's going to give you protection. The alternative to this is, Hey, I want to implement my own custom solution with Palo Alto Checkpoint. Cisco, one of the other firewall manufacturers out there, basically deployed Manager yourself. This is a cloud-based, fully managed firewall for you.

11. Demo: Configure Azure Firewall

Starting in the bottom right, I'm going to create a virtual machine called SRV Jump, which I'm going to RDP into via the Internet. Then I'm going to create another server, SRV Work, in a Workload subnet, and it's basically going to have its connectivity routed through the test Fwz. That's going to be our Azure Firewall when traffic goes out to the Internet. So the jump box is just so I can jump in and then connect to that other server. And then that server is the one we're going to use to route the traffic through the firewall. All of this is inside a single VNet, which is going to be called AZ FW VN, which is for Azure Firewall VNet. just for demonstration purposes here.

But you'll see me build all this out in the portal as we go along. So let's flip over to the Azure Portal and begin. So now we're on the Azure Portal. The first thing I'm going to do is create a new resource group for this. So I'll create a brand new one, click Add, and we will call this Test Firewall Resource Group. So test fwrg, and that's just going in my Visual Studio Enterprise subscription there. And I'm going to put that in the central US. Right now, review and create that and create that. should just take a second. And now we're going to go ahead and create the virtual network. So I'm going to create a resource again. I'm going to type in "Virtual Network" here, click "Virtual Network," click "Create," and let's start filling in our information. So we'll call this Azfwvnforvnet, and I'm going to start with a 100 00:16 here. So that's fine. It's just telling me that I've got another VNET that overlaps with that's.

Okay, we're not going to be connecting those units together by any means, so just something to be aware of if you've got other networks in your environment. I'm going to put it in that resource group that we just created, test FWRG, Central US. Again. And then I'm going to go ahead and create my subnet. So we'll call this an Azure firewall subnet. And in the address range here, I'm going to use 100. I can see that's. going to start at 100, and will take us up to ten at 01255 because it's a 24.

And that's going to be inside of our VNetspace, which is the 16 that we created for the entire dress space for that Venus. Moving further down, you can see we've got DDoS protection. We're not going to worry about that at this point. DDoS is for a separate lecture. Going to go ahead, then ignore service endpoints and firewalls at this point and go ahead and click Create. Okay, now that that's completed, I'm going to go ahead and go over to our Resource Group and go ahead and look at that VNet. And I'm going to go ahead and create the second subnet as well, which will be our workload subnet. So here's the virtual network.

And if we go down to subnets on the lefthand side, I'm going to add another subnet, which we'll call the "workload subnet," and we will put that in at 10:24 and click OK on that. We're not going to configure any NSGs or anything like that at this point. And then we're going to create one more subnet, which we'll call our jump box subnet. So jump SN, and that will be 100, 300:24. Again, not doing anything right now around the network security group, route tables, etc. At this point, just hit OK. And so I've got my three subnets there. So you can see, we got 100. So our Azure Firewalls are in that subnet, as are our workload subnets there and our jump box subnets there as well. So now we need to create a couple of virtual machines for us. So let's go ahead and create a Windows 2016 Data Center server, and let's begin filling in the details for our virtual machine.

So we've got our subscription; we're going to put it in the same resource group to keep everything together here. And because this is our jump server, let's call it Srvjump for the moment, and that's good, and we will put that in the central US as well with everything else and availability options; nothing is required here. We're going to use the default, which is for a 16-gig CPU. Just remember to delete this when you're done, and let's go ahead and just put in a temporary user account and password. Just make sure to remember this because you're going to need to be able to RDP into the machine. If those match, we're good to go. Now we do need to allow an inbound port rule. So we'll click here because we're going to want to RDP into this machine. So we'll select the inbound port (3389 is what we need), and that will allow RDP traffic in from the public internet.

So again, we're going to jump into that machine, you know, through RDP, through its public IP address. So let's go ahead and click Next for disks. We'll just accept the defaults here. So premium SSD, we don't need to add anything additional there. We'll go to networking, and you will see here that it's going to put it in that jump subnet for us. So that's where we want it to go. And our public IP is going to be created there as well. We've already selected to allow those inbound ports for RDP. Click next for management. I think we should add this in here. Everything looks good there. All the defaults are fine. It might be worth you just enabling auto shutdown. I'll do this again with every machine I provision, just so I know that if I do accidentally leave it up, it's automatically going to shut down to save me cost. And with that, we'll review, create, and create, and that will begin provisioning that machine.

So in addition to that, while that one's provisioning, we're also going to provision our workload machine. So let's do the same thing again. Let's create a resource. Windows server, 2016 data center, same settings again, and we'll put it in the same resource group. So again, we can delete all of this at the end, but just delete in that resource group. And let's call this one SRV work. It's our workload machine. At Central, Again, in the data center, there is a valid username. We will just use the same. And the only difference here is that we don't need any public inbound ports. That was just for our jumpbox machine. We'll click Next again on discs here, just to verify that we've got the single disc there. That all looks good. And if we look at our network here, it will be a little bit different. So we do want to put this into the workload subnet as opposed to the jumpbox subnet. And we don't need a public IP on this one. And therefore, we don't need those public inbound ports, as we also mentioned as well.So with that, we'll review and create this one also. And then we will click Create as soon as this next screen pops up.

And then fast forward while these virtual machines provide here for us. All right. And as you can see, I've fast-forwarded here, and we're looking at virtual machines. I've got those two machines configured correctly, SRVWork and Srvjump, which I'm going to jump into if I go to that one. And I go to the overview, just like you probably saw when you covered virtual machines before. I can go to this public IP address and RDP to that.simple way of doing it, though. I click Connect, download the RDP file, and that will get me straight in. So clicking that and then clicking "open" And that should open up our RDP prompt. If I click "Connect," I'll be able to log in here. So I'm using an Azure user, the username I configured when I built the machine. And then I'm typing in the password that I used there as well. And because we're going to connect a few times, I can choose "don't ask me again for the certificate" and click yes.

And that should RDP in, since we're logged into that machine. Let's close down the server dashboard that pops up, and we can load up Internet Explorer here. You can see it's got the hardened configuration, so you will get prompted when you go to different websites. But if we go to Google.com here and we click OK, that's the prompt because of the enhanced security configuration. But as you can see, we can get to Google. We're in a machine that's got Internet access, but we've connected to this machine through the public Internet. So with that, I'm going to come out of here for the moment and just close that down for a second. And the next thing we need to do is go ahead and build our firewall. So here we are in Create a Resource, and we'll type in Firewall. should bring up the Azure firewall for us. There it is. Let's click "Create" as per usual, and let's choose our subscription. Let's put everything in that same resource group. Let's give it a name.

Let's call this a test. one location. We'll put that in the Central US with everything else we've got; don't worry about availability for this demo. And then we're going to use our existing network. So choose that firewall virtual network that we created. And then, for public IP addresses, we will create a new one. We'll choose the standard skew there, and we will give that a name of "Firewall P IP" and then click OK.

And that's our public IP there. And let's click "review" and "create." and that will now provision our firewall. Okay. And after about 5 minutes or so, that is now complete. So what we need to do now is add our route to redirect the traffic from the workload server through the firewall. So let's go ahead and create a resource and click Route Tables. And we'll click Create for the route table. And let's give this one a name. We'll just call it the Firewall Route for now. We'll put that in the same resource group that we've been using, Central US. And go ahead and click "Create." And let's head over to our resource group and into the Firewall RG. And we should see a route table.

Yep, there it is: the firewall route has now been created. Let's select the subnet that we want to associate it with. So let's click "associate." Choose our virtual network, the Firewall VNet there, and we will choose our workload subnet that we're going to associate this route with, and then click okay, so that's the route table associated with that subnet. Now we need to configure the route. Let's go over the routes. Let's click "add." Just call this firewall "Eg and our dress prefix. So we're going to say everything for the default route we want to send through to that firewall appliance.

What we're going to do here is choose a virtual appliance. And this would be the same if you were using, say, a Palo Alto or something else instead of an Azure file. This is the same place you would do it to redirect the traffic through. And then the next hop address will be our virtual appliance. So what we need to put in here is the private IP address for the firewall. So let's go ahead and grab that. Open a new tab here. Let's go to our resource group. Let's go. Grab that firewall. IP. So we should see the firewall in here, testFirewall One, and we can see it's IP 1001 in that Azure Firewall subnet. So let's go ahead and use that IP100 one, dot four, and click OK. It's as simple as that. That's our route that's redirecting the traffic now from that workload server or, in fact, any server in that particular subnet, but we've just got the one right now.

Now we need to go ahead and configure an application's rules. I'm actually going to switch back over to the other tab because we've already got the firewall open here, and let's go ahead and go to the Rules section for the firewall, select the Application Rule Collection, and we're going to go ahead and add an Application Rule Collection. In this case, let's give it the name "app." Let's call this collection "Coll One priority 200 action Allow." So we're going to allow traffic to this particular FQDN that we put in here. And so under target FQDNs, we're going to say "Allow Google" and say "from the source address." So everything in the 100 to 00:24 with HTTP and HTTPS, we will allow to go to Google.comso you can see it there; the source address is this one because this is coming from our subnet that contains the workload server and the protocol. This is the web traffic of 84,339 going to Google.com.

We are essentially allowing that traffic by creating this particular rule here. So we'll go ahead and click Add, and that's a simple Allow rule for us there. At the same time, while that's being created, let's go ahead and click Network Rule Collection. And we're going to allow a couple of specific DNS servers that we want to use on our machine as well. So let's add a network rule collection, and we'll call this net zero one, priority 200. Again, this is going to be an Allow rule again. And under Rules, let's go ahead and say "Allow." The DNS protocol will be on UDP. For DNS. Let's select UDP, and then we will do the source address. So everything from the 100 to 00:24 subnet again. And we're going to put in a couple of DNS servers here. So 209-2440, three, and also, we'll put a comma in there: 209, 24404, and port will be 53, which is the port for DNS. And so we're saying everything from that subnet we're allowing to use these two public DNS servers there over port 53.

And we'll go ahead and click Add at this point, and that will update the firewall there, which will take a moment while that's happening. Then let's go ahead and jump over to our work machine. So I'm going to switch tabs again here, and we're going to go ahead and go to our virtual machines, select SRV Work, scroll down to Networking, and we will choose the Nic for this machine. So here's the network interface at the top: SRV Work 619. That's the network interface that's attached to that virtual machine. We'll select that, and now you can see in the settings that we can alter the DNS servers for that machine. So by default, it would inherit the DNS servers from the VNet itself. But we can click "Custom," and we can come in here and type those in. So 209, 24403, two DNS servers: 209, 24404.

And so those are the two DNS servers. and click save. There. And as with any DNS update, we had to restart the virtual machine in this case for it to inherit those new settings. So it should be doing that automatically. Now some of the updates have gone, but we can go over to virtual machines. Let's just have a look at the current state of that machine. It is running right now. So we'll give that a moment to update. And fast-forward here. Okay, it's updated there, but we didn't see a restart. So we're going to go ahead and just restart the machine to be sure. So we're going to restart the SOV work machine, and when that's completed, we will test everything out here. Okay. And at this point, the machine has restarted successfully. So let's go over to our jump box, and then ultimately we need to go over to the other server from the jump box, saying we jumped in here. So I'm typing in "MSTSC" for short here to bring up our RDP client.

So there we go. If you are not aware, that's a Microsoft Server Terminal Services connection from before. And we need to go ahead and get that IP from the SRV work machine. So we'll click this one, and we should see its private IP here. Ten, two, and four. So we'll go back in here, ten, two, four. And we'll put our credentials in "Azure user," so let's click this. Let's jump in there again. We've hopped into the jump server through the Internet, and now we're jumping into the other machine, which is in the same VNet, but we connect into it through the local network cards on those machines, and we're not going through the Internet to this machine. So at this point, let's test things out and see what's working. Not working. So let's click to accept this. Pull up a command prompt first of all. And the first thing I want to do is just check our DNS servers. So if we do Ipconfig, all we can see are our DNS servers, which are 209-2440 three. If we do an NS lookup for, say, www.google.com, it should resolve for us so we can see that DNS is working successfully. I'm just going to close this window in the background here for us.

And now I'm going to pull up the browser again. We're on the workload machine now, and it's pulled us up. Click "Okay" on that. It will ask me later. It's just the usual Internet Explorer prompt. And let's go ahead and type in Google.com, which should be allowed outbound because we allowed it through the firewall there. Let's click "close" on that. That looks good. And now let's try Microsoft.com, where we did not put an allow rule in. And you can see there that that's denied, and that's because the firewall is blocking us access to Microsoft.com. If we come out of this and go back here and go back to our rule sets, Go to our application rule collection. Edit this one in here, scroll down, and you can see our target FQDNs. And if we put www.microsoft.com in here, let's save that rule set, take a moment to update the firewall, and that rule set has updated successfully. So let's head over to the jump box, and ultimately we'll jump into the workstation server here as well. And let's go ahead and refresh and try Microsoft.com again here. So we'll click the refresh button, click OK, click close, and we can see that it is now working. The firewall is letting that traffic through. So as simple as that, we've now got a firewall set up, we've routed traffic through it, and we can configure our rules as needed, but we now have a more secure network infrastructure. And with that, this concludes the demonstration.

12. Lecture: Distributed Denial of Service (DDoS)

Well, for one, understand that the goal of a DoS attack is to prevent access to services or systems. Botnets are essentially collections of these internet-connected systems that an individual controls out there and uses without the owner's knowledge of. These could be systems that people have hacked; these could be people's computers; these could even be things like IoT devices that are out there today, interconnected and working in tandem to attack various networks.

And a distributed denial of service is essentially a collection of attack types aimed at disrupting the availability of a target. DDoS involves many systems sending traffic to targets as part of a botnet. So again, it's lots of systems attacking versus a single machine trying to deny a service. So how does this really work? Well, Azure DDoS protection combined with your application design best practices provides your defence against DDoS against taxi. But with all these attacks coming at you, how do you defend against them? And this is where DDoS protection really comes in. And there are a couple of service tiers. There's Basic, which is actually automatically enabled as part of the Azure platform. And then there's Standard, which provides a whole host of additional mitigation capabilities that are tuned specifically to your Azure network resources. Now, the DDoS protection standard can mitigate against the following three types of attacks: We've got volumetric attacks. So these are the attacks whose goal is to flood the network with a substantial amount of seemingly legitimate traffic.

So these could be UDP floods; these could be multigabyte attacks by absorbing and scrubbing DDoS textures, which will absorb and scrub them with Azure's global network scale automatically. So, lots of things that, you know, you've got to worry about a volumetric attack, and your infrastructure may not have to scale, but DDoS protection standards will kind of prevent that. Then there are protocol attacks as well. So these attackers render a target inaccessible, and they do this by exploiting weaknesses in the layer three and layer four parts of the protocol stacks. This includes what they call "sin flood attacks," "reflection attacks," and other protocol attacks. And the DDoS protection standard mitigates these attacks by differentiating between malicious and legitimate traffic by interacting with the client and then blocking malicious traffic itself. So, it's a pretty interesting way that DDoS protection works. Just know these both exist. And then, last but not least, we've got resource layer attacks as well. So these attacks really target web application packets.

They're trying to disrupt the transmission of data between your hosts. So things like SQL injection and cross-site scripting, which you've probably heard me talk about when we talk about App Gateway and some of the features it offers, are things where the DDoS protection standard can really help you as well. And there are a lot of features in the DDoS standard that you need to be aware of at a high level, including the three types of attacks. But you do need to understand, to some degree, what the standard features are above the basic ones, and when you would sort of need standard features, a couple of things to just hit on. Native platform integrations are very easy to integrate. Obviously, Microsoft wants to put out the sales pitch this year, but essentially, you configure this through the Azure Portal. The Azure DDoS protection standard already understands your resources and your resource configuration because Microsoft already manages those through Azure.

So it's very easy to integrate and gives you that turnkey protection. There's always traffic monitoring. So your application traffic patterns will be monitored 24 hours a day, seven days a week, looking for indicators of DDoS attacks. And the mitigation is performed when different protection policies are exceeded. There's something called adaptive tune-in as well. So there's like an intelligent traffic profile that learns from your application traffic over time so you can sort of see when things spike out of the norm. There's multilayered protection, so it's full stack protection when used with a web application file. Another good reason to use the WAP feature of App Gateway is its huge mitigation scale, just because of the scale that Microsoft has. And then you get other things like attack metrics alerting, cost guarantee, and the DDoS Rapid Response Team that you have access to as well to really sort of help you in the event something like this happens. Now, look at this diagram a little bit—it will sort of help you understand it.

So, DDoS protection monitors actual traffic utilisation and constantly compares it against the thresholds that are defined in your DDoS policy. So when the traffic is exceeded, as you can see in public IP One and public IP Two, those graphs sort of spike up there. When it exceeds the DDoS threshold, mitigation is automatically initiated, and when traffic returns below the threshold, the mitigation is removed. Now, during mitigation, traffic sent to the protected resource is redirected by the DDoS protection service. Several checks are performed. These could be ensuring packets conform to internet specifications and are not malformed; interacting with the client to determine if the traffic is potentially a spoof packet rate limit packet; things like those. And again, once things come back to normal, that's when the mitigation is ultimately removed. But again, all of this is designed to stop that DDoS attack from completely bringing down your entire service. And this is the process by which it works. So with that, this concludes my lecture on it. And I encourage you to dive in a little bit deeper because I think it's a really, really interesting feature, and Microsoft has a lot of networking documentation around the loss protection for you to dive into.

13. Demo: Configure DDoS

And here in the Azure Portal, the first thing I'm going to do is click Create a resource, type DDoS for DDoS Protection Plan, and then, like all services, click Create and let's give it a name. So we'll just call this, you know, AZ DDoS Protection Plan for short, put that in our subscription, and then go ahead and choose a resource group. to pop that into my case. I'm going to create a new one, DDoS RG. Click OK, and we'll put that in the central US.

And click "create." and that creates our DDoS protection plan for us. And then the next thing we need to do once it's created is go and associate it with the network or enable it when we create a new virtual network. And I'll show you both of those. If we start by going to Virtual Networks and clicking Add for a new virtual network, one of the things you'll see here at the bottom is this option for DDoS Protection Basic or Standard. And when you select Standard, you can basically choose your DDoS Protection Plan right from the menu as you're creating the network. The other way to do it is if you go to one of the networks we've already created.

In fact, I'll go to the Azfw VNone that was from the Firewall demo we did previously, one of the other demonstrations. And going here, I can click DDoS Protection, choose my DDoS Protection plan, and click Save. And as we can see, that's completed. And now the Standard Plan is in effect. Now I can go here. You see, it says "DDoS standard protection plan." Metrics can be found by selecting protected public IP addresses in the DDoS Metrics blades. We can actually click this on the left-hand side. If we scroll down, we can click Metrics. And this is where we can basically look at different values of what is going on. So we can click on the resource, specifically click here, and choose the resource types that we want to basically look at. If I choose our resource group, I'm actually going to click this "Test FirewallResource Group" here and click that. And then I can choose, say, my FirewallPublic IP address or I've got that jumpbox IP from the previous machine I created.

I could click "Apply" on this one. And then this is where I can now filter on my metrics for my namespace. And if I choose my metrics here, this way you can see inbound DDoS, etc. For all of these, see here. So whether your site is under DDoS attack or not is a good one to look at. So you can see under DDoS that there is currently nothing there. So the threshold is basically one or zero. Actually, one means you're under attack, and zero means you're not under attack. So that's an area where you can sort of drill down on the metrics. If you want to see what's protected again, just click through the overview, and then you can see the virtual network that is ultimately under protection right now. We've just got that AZ Firewall VN Virtual Network that we created again in that previous demonstration when we were configuring Azure Firewall. And there's basically protection with the standard protection plan that we have in effect. And that's it. That's how you configure it. And then in the metrics section, that's how you look at what's going on and how it's protecting you.

Microsoft Azure Security AZ-500 practice test questions and answers, training course, study guide are uploaded in ETE Files format by real users. Study and Pass AZ-500 Microsoft Azure Security Technologies certification exam dumps & practice test questions and answers are to help students.