Azure Firewall and DNS Management Quiz

Questions and Answers

PDF Questions PDF Answers

What is a Virtual Network (VNet) in Microsoft Azure?

A representation of on-premises network infrastructure in the cloud

A type of Azure firewall for securing network traffic

A physical server dedicated to hosting virtual machines

A logical isolation of the Azure cloud dedicated to your subscription (correct)

What can Virtual Networks (VNets) in Azure be used for?

Securing network traffic with IPSEC

Hosting physical servers in the cloud

Provisioning and managing virtual private networks (VPNs) (correct)

Managing Azure subscription billing

What is a key functionality of Virtual Networks (VNets) in Azure?

Hosting physical servers in the cloud

Creating hybrid or cross-premises solutions (correct)

Securing network traffic with Azure Firewall

Managing Azure subscription billing

How can VNets in Azure securely extend your data center?

By building traditional site-to-site (S2S) VPNs

What is the purpose of creating a dedicated private cloud-only VNet in Azure?

Allowing services and VMs within the VNet to communicate directly and securely in the cloud

What technology is used to provide a secure connection between corporate VPN gateway and Azure in hybrid cloud scenarios?

IPSEC

What is the default limit of virtual networks per subscription per region in Azure?

50

How are public IP addresses used in Azure?

For communication with the Internet and can be statically or dynamically assigned

What is the purpose of network security groups (NSGs) in Azure?

Contain security rules that allow or deny inbound or outbound network traffic

How are virtual networks segmented in Azure?

Into subnets to provide logical divisions within the network

What is the role of service endpoints in Azure virtual networks?

Limit access to Azure resources in specific subnets

How are PowerShell commands used in Azure virtual networks?

To create and manage virtual networks and subnets

What is the purpose of NAT rules in Azure Firewall?

To translate firewall public IP and port to a private IP and port

What is the main function of Azure DNS?

Enabling hosting DNS records for domains on Azure infrastructure

What is required for non-HTTP/S traffic to flow through Azure Firewall?

Network Rules with protocol, source and destination addresses, and ports configured

What must be done to delegate a domain to Azure DNS?

Assign name server names for the zone and Azure DNS automatically creates authoritative NS records

What is a key feature of Azure Firewall's threat intelligence-based filtering?

Alerting and denying traffic from/to known malicious IP addresses and domains

What is the recommended network topology for deploying Azure Firewall?

Hub-spoke network topology

What is the default behavior of Azure Firewall regarding traffic?

Blocks all traffic

What is the purpose of Application Rules in Azure Firewall?

Define FQDNs that can be accessed from a subnet

What is the verification process for custom domain names in Azure DNS?

Verification is performed by adding a DNS record (MX or TXT)

Virtual networks in Azure can only be used for creating hybrid cloud scenarios.

False

Azure Virtual Networks can be linked with other VNets in Azure, or with on-premises IT infrastructure to create hybrid or cross-premises solutions.

True

The main purpose of a Virtual Network (VNet) in Microsoft Azure is to provide a physical representation of the network in the cloud.

False

Azure Firewall supports NAT rules to allow outbound traffic from the secured network.

False

Virtual networks in Azure do not support traditional site-to-site (S2S) VPNs for securely extending data center capacity.

False

Azure DNS is not a key functionality of Virtual Networks (VNets) in Azure.

False

Azure Firewall allows inbound HTTP/S and Azure SQL traffic to specified FQDNs.

False

Azure Firewall can be associated with up to 100 public IP addresses.

True

NAT rules in Azure Firewall are processed before Application Rules.

False

Azure DNS provides different credentials, APIs, tools, and billing compared to other Azure services.

False

Custom domain names in Azure DNS must be verified by adding a DNS record (MX or TXT).

True

DNS zones in Azure must have a unique name within the resource group.

True

Azure DNS automatically creates authoritative NS records for delegated domains.

True

Azure Firewall by default allows all outbound traffic.

False

True or false: Azure reserves five IP addresses within each subnet, including the network address, reserved IPs for default gateway and Azure DNS, and the network broadcast address

True

True or false: By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to 500 by contacting Azure support

True

True or false: Public IP addresses are used for communication with the Internet and can be statically or dynamically assigned

True

True or false: NSGs are evaluated independently, with an 'allow' rule needed at both subnet and NIC levels for traffic to flow

True

True or false: Inbound security rules in NSGs deny all inbound traffic except from the virtual network and Azure load balancers, while outbound rules allow traffic to the Internet and the virtual network

True

True or false: Azure Firewall offers features such as built-in high availability, support for availability zones, and application FQDN filtering rules

True

Virtual networks in ______ can be used to provision and manage virtual private networks (VPNs) in ______. You can link VNets with other VNets in ______, or with on-premises IT infrastructure to create hybrid or cross-premises solutions.

Azure

Azure Virtual Network (VNet) is a representation of your ______ in the cloud. VNet is a logical isolation of the Azure cloud dedicated to your subscription.

network

Virtual networks can be created in many ways. Create a dedicated private ______-only VNet. When you create a VNet, your services and VMs within your VNet can communicate directly and securely with each other in the ______.

cloud

You can build traditional site-to-site (S2S) ______s to securely scale your datacenter capacity. S2S ______s use IPSEC to provide a secure connection between your corporate ______ gateway and Azure.

VPN

VNets give you the flexibility to support a range of ______ cloud scenarios.

hybrid

VNets can be used to provision and manage virtual private networks (VPNs) in Azure. You can link VNets with other VNets in Azure, or with on-premises IT infrastructure to create hybrid or cross-premises solutions.

management

By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to ______ by contacting Azure support

500

PowerShell commands can be used to create and manage virtual networks and ______, and private IP addresses are used within Azure virtual networks and on-premises networks

subnets

NSGs are evaluated independently, with an 'allow' rule needed at both subnet and NIC levels for traffic to ______

flow

Public IP addresses are used for communication with the Internet and can be statically or ______ assigned

dynamically

NSGs can be assigned to subnets to create protected screened subnets, and NSG rules enable filtering of network traffic based on various ______

parameters

Azure reserves five IP addresses within each subnet, including the network address, reserved IPs for default gateway and Azure DNS, and the network ______ address

broadcast

Azure Firewall allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs, with the capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and ______

protocols

Azure Firewall can be associated with multiple public IP addresses (up to 100) and is recommended to be deployed in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads ______

efficiently

NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to ______

pass

Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft ______

services

Custom domain names in Azure DNS must be verified before use, and verification is performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain ______

name

DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure ______

NS

To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are ______

assigned

Azure DNS enables hosting DNS records for domains on Azure infrastructure, providing the same credentials, APIs, tools, and billing as other Azure ______

services

Explain the purpose and functionality of Azure Virtual Networks (VNets) in Microsoft Azure.

Azure Virtual Networks (VNets) provide a logical isolation of the Azure cloud dedicated to a user's subscription, allowing for the provisioning and management of virtual private networks (VPNs) in Azure. VNets can be linked with other VNets or on-premises IT infrastructure to create hybrid or cross-premises solutions.

What are the different implementation types for Azure Virtual Networks (VNets) and how do they differ?

Azure Virtual Networks (VNets) can be implemented as dedicated private cloud-only VNets, which allow services and VMs within the VNet to communicate directly and securely with each other, or as VNets that securely extend a user's data center capacity through traditional site-to-site (S2S) VPNs using IPSEC.

How do Network Security Groups (NSGs) enhance the security of Azure virtual networks?

NSGs can be assigned to subnets to create protected screened subnets, and NSG rules enable filtering of network traffic based on various criteria such as source and destination IP addresses, ports, and protocols.

What are the key benefits of using Azure Firewall in a virtual networking environment?

Azure Firewall allows for the restriction of outbound and inbound traffic based on specified FQDNs, providing centrally managed network filtering rules and supporting features such as built-in high availability and support for availability zones.

Explain the process of creating hybrid cloud scenarios using Azure Virtual Networks (VNets) and their significance.

Azure VNets enable the creation of hybrid cloud scenarios by allowing linkage with other VNets in Azure or with on-premises IT infrastructure. This flexibility is significant as it supports a range of hybrid cloud scenarios, including securely scaling datacenter capacity and creating cross-premises solutions.

What is the significance of DNS in the context of Azure Virtual Networks (VNets) and how does Azure DNS contribute to this?

DNS plays a crucial role in Azure VNets as it enables the hosting of DNS records for domains on Azure infrastructure. Azure DNS provides the same credentials, APIs, tools, and billing as other Azure services, contributing to the seamless integration of DNS functionality within the Azure VNet environment.

Explain the main function of Azure Firewall in network management.

Azure Firewall allows for centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and protocols, and supports limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs.

What is the purpose of threat intelligence-based filtering in Azure Firewall?

The purpose is to enable alerting and denying traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.

Describe the role of NAT rules in Azure Firewall.

NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass.

What is the significance of deploying Azure Firewall in a hub-spoke network topology?

It allows for centralizing services, overcoming subscription limits, and separating workloads efficiently.

Explain the purpose of Application Rules in Azure Firewall.

Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft services.

What is the process for verifying custom domain names in Azure DNS?

Custom domain names in Azure DNS must be verified before use by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name.

What is the key functionality of DNS zones in Azure?

DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and the root/parent domain being registered at the registrar and pointed to Azure NS.

Explain the purpose of delegating a domain to Azure DNS.

To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned.

Explain the purpose and functionality of service endpoints in Azure virtual networks.

Service endpoints limit access to Azure resources in specific subnets by providing direct connectivity to Azure services over an optimized route, preventing unauthorized access and securing traffic within the Azure backbone network.

Describe the default behavior of Azure virtual networks in routing network traffic between subnets.

By default, Azure routes network traffic between all subnets in a virtual network, ensuring connectivity and communication between different segments of the network.

What are the key features and capabilities of Azure network security groups (NSGs)?

Azure network security groups contain rules allowing or denying traffic to and from sources and destinations, and they enable the creation of protected screened subnets with filtering of network traffic based on various parameters.

Explain the role and significance of public IP addresses in Azure virtual networks.

Public IP addresses are used for communication with the Internet and can be statically or dynamically assigned, enabling external connectivity and communication for Azure resources.

Discuss the default limits and options for increasing the number of virtual networks per subscription per region in Azure.

By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to 500 by contacting Azure support, providing scalability for network infrastructure.

What are the evaluation criteria and requirements for network security group (NSG) rules to enable traffic flow within Azure virtual networks?

NSGs are evaluated independently, requiring an 'allow' rule at both subnet and NIC levels for traffic to flow, ensuring secure and controlled network traffic within the virtual network.

Match the Azure networking component with its description:

Azure Virtual Network (VNet) = Representation of network in the cloud Azure Network Security Groups = Enables filtering of network traffic based on various criteria Azure Firewall = Allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs Azure DNS = Hosts DNS records for a domain

Match the VNet implementation type with its description:

Dedicated private cloud-only VNet = Services and VMs within VNet can communicate directly and securely with each other Securely extend your data center with VNets = Build traditional site-to-site (S2S) VPNs to securely scale datacenter capacity Enable hybrid cloud scenarios with VNets = Flexibility to support a range of hybrid cloud scenarios Linking VNets with other VNets or on-premises IT infrastructure = Create hybrid or cross-premises solutions

Match the Azure Firewall capability with its description:

Limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs = Capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports Threat intelligence-based filtering = Feature of Azure Firewall Association with multiple public IP addresses = Recommended deployment in a hub-spoke network topology Processing NAT rules = Before Application Rules in Azure Firewall

Match the Azure DNS functionality with its description:

Hosts DNS records for a domain = Function of Azure DNS Automatic creation of authoritative NS records for delegated domains = Feature of Azure DNS Verification process for custom domain names = Adding a DNS record (MX or TXT) Root/parent domain registration and pointing to Azure = Requirement for DNS zones in Azure

Match the key feature of VNets with its description:

Logical isolation of the Azure cloud dedicated to your subscription = Feature of Azure Virtual Network (VNet) Provision and management of virtual private networks (VPNs) in Azure = Functionality of VNets Flexibility to support a range of hybrid cloud scenarios = Key benefit of VNets Linking with other VNets or on-premises IT infrastructure = Capability of VNets

Match the NSG capability with its description:

Assigning to subnets to create protected screened subnets = Function of Azure Network Security Groups Evaluation of 'allow' rule at both subnet and NIC levels for traffic flow = True statement about NSGs Enabling filtering of network traffic based on various criteria = Feature of NSGs Default limit of virtual networks per subscription per region in Azure = Requirement for increasing the limit by contacting Azure support

Match the following Azure network security features with their descriptions:

Virtual network segmentation = Dividing the network into logical divisions with each containing a range of IP addresses Service endpoints = Limiting access to Azure resources in specific subnets Network security groups = Containing rules allowing or denying traffic to and from sources and destinations Public IP addresses = Used for communication with the Internet and can be statically or dynamically assigned

Match the following Azure network security features with their functions:

NSGs and subnet assignment = Creating protected screened subnets NSG rules = Enabling filtering of network traffic based on various parameters Azure Firewall = Offering features such as built-in high availability, support for availability zones, and application FQDN filtering rules PowerShell commands = Used to create and manage virtual networks and subnets

Match the following Azure network security features with their default behaviors:

Azure virtual networks = Routing network traffic between all subnets by default NSGs = Evaluating independently, with an 'allow' rule needed at both subnet and NIC levels for traffic to flow Inbound security rules in NSGs = Denying all inbound traffic except from the virtual network and Azure load balancers Outbound security rules in NSGs = Allowing traffic to the Internet and the virtual network

Match the following Azure virtual network features with their descriptions:

Subnet IP address reservation = Reserving five IP addresses within each subnet, including network address, default gateway and Azure DNS reserved IPs, and network broadcast address Virtual network creation limit = By default, up to 50 virtual networks per subscription per region can be created Azure support limit increase = The limit of virtual networks per subscription per region can be increased to 500 by contacting Azure support VPN gateway connection = Providing a secure connection between corporate VPN gateway and Azure in hybrid cloud scenarios

Match the following Azure DNS features with their purposes:

Delegating a domain to Azure DNS = Creating authoritative NS records in the zone once the name servers are known Custom domain name verification = Verified by adding a DNS record (MX or TXT) DNS zones = Hosting DNS records for a domain, with the zone name needing to be unique within the resource group DNS zone uniqueness = DNS zones in Azure must have a unique name within the resource group

Match the following Azure Firewall features with their functionalities:

NAT rules = Processed before Application Rules Application Rules = Defining FQDNs that can be accessed from a subnet Threat intelligence-based filtering = Offering features such as built-in high availability, support for availability zones, and application FQDN filtering rules Network topology recommendation = Deploying in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads

Match the following features with their descriptions in Azure Firewall:

Threat intelligence-based filtering = Enables alert and deny traffic from/to known malicious IP addresses and domains NAT Rules = Used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass Application Rules = Define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs Network Rules = Required for non-HTTP/S traffic to flow through the firewall and must be configured with protocol, source and destination addresses, and ports

Match the following statements with their descriptions in Azure DNS:

Custom domain verification = Performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name DNS zones = Host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure NS Delegating a domain to Azure DNS = The name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned Azure DNS credentials and billing = Provides the same credentials, APIs, tools, and billing as other Azure services

Match the following Azure Firewall capabilities with their descriptions:

Stateful filtering = Capable of distinguishing legitimate packets for different connection types and can enforce and log rules across multiple subscriptions and virtual networks Threat intelligence-based filtering = Can be enabled to alert and deny traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed Association with multiple public IP addresses = Allows Azure Firewall to be associated with multiple public IP addresses (up to 100) Default blocking of all traffic = By default, Azure Firewall blocks all traffic and has three kinds of rules: Network Rules, Application Rules, and NAT Rules, which are processed in that order

Match the following Azure DNS functionalities with their descriptions:

Custom domain verification = Must be verified before use, and verification is performed by adding a DNS record (MX or TXT) DNS zones = Enable hosting DNS records for domains on Azure infrastructure, with the zone name needing to be unique within the resource group Delegating a domain to Azure DNS = Involves knowing the name server names for the zone, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned Credentials and billing = Provides the same credentials, APIs, tools, and billing as other Azure services

Study Notes

Azure Firewall and DNS Management in Azure

• Azure Firewall allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs, with the capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and protocols.
• It is fully stateful, capable of distinguishing legitimate packets for different connection types, and can enforce and log rules across multiple subscriptions and virtual networks.
• Threat intelligence-based filtering can be enabled to alert and deny traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.
• Azure Firewall can be associated with multiple public IP addresses (up to 100) and is recommended to be deployed in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads efficiently.
• Azure Firewall by default blocks all traffic and has three kinds of rules: Network Rules, Application Rules, and NAT Rules, which are processed in that order.
• NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass.
• Network Rules are required for non-HTTP/S traffic to flow through the firewall and must be configured with protocol, source and destination addresses, and ports.
• Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft services.
• Azure DNS enables hosting DNS records for domains on Azure infrastructure, providing the same credentials, APIs, tools, and billing as other Azure services.
• Custom domain names in Azure DNS must be verified before use, and verification is performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name.
• DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure NS.
• To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned.

Azure Virtual Network and Security Features

• Azure allows secure connection of cloud-based applications to on-premises systems such as mainframes and Unix systems
• Virtual networks can be segmented into subnets to provide logical divisions within the network, with each subnet containing a range of IP addresses
• Azure routes network traffic between all subnets in a virtual network by default, but this can be overridden through a network virtual appliance
• Service endpoints can limit access to Azure resources in specific subnets, and network security groups contain rules allowing or denying traffic to and from sources and destinations
• Azure reserves five IP addresses within each subnet, including the network address, reserved IPs for default gateway and Azure DNS, and the network broadcast address
• By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to 500 by contacting Azure support
• PowerShell commands can be used to create and manage virtual networks and subnets, and private IP addresses are used within Azure virtual networks and on-premises networks
• Public IP addresses are used for communication with the Internet and can be statically or dynamically assigned
• Network security groups contain security rules that allow or deny inbound or outbound network traffic, and can be associated with subnets or network interfaces
• NSGs can be assigned to subnets to create protected screened subnets, and NSG rules enable filtering of network traffic based on various parameters
• Inbound security rules in NSGs deny all inbound traffic except from the virtual network and Azure load balancers, while outbound rules allow traffic to the Internet and the virtual network
• NSGs are evaluated independently, with an "allow" rule needed at both subnet and NIC levels for traffic to flow, and Azure Firewall offers features such as built-in high availability, support for availability zones, and application FQDN filtering rules

Azure Firewall and DNS Management in Azure

• Azure Firewall allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs, with the capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and protocols.
• It is fully stateful, capable of distinguishing legitimate packets for different connection types, and can enforce and log rules across multiple subscriptions and virtual networks.
• Threat intelligence-based filtering can be enabled to alert and deny traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.
• Azure Firewall can be associated with multiple public IP addresses (up to 100) and is recommended to be deployed in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads efficiently.
• Azure Firewall by default blocks all traffic and has three kinds of rules: Network Rules, Application Rules, and NAT Rules, which are processed in that order.
• NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass.
• Network Rules are required for non-HTTP/S traffic to flow through the firewall and must be configured with protocol, source and destination addresses, and ports.
• Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft services.
• Azure DNS enables hosting DNS records for domains on Azure infrastructure, providing the same credentials, APIs, tools, and billing as other Azure services.
• Custom domain names in Azure DNS must be verified before use, and verification is performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name.
• DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure NS.
• To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned.

Azure Virtual Network and Security Features

• Azure allows secure connection of cloud-based applications to on-premises systems such as mainframes and Unix systems
• Virtual networks can be segmented into subnets to provide logical divisions within the network, with each subnet containing a range of IP addresses
• Azure routes network traffic between all subnets in a virtual network by default, but this can be overridden through a network virtual appliance
• Service endpoints can limit access to Azure resources in specific subnets, and network security groups contain rules allowing or denying traffic to and from sources and destinations
• Azure reserves five IP addresses within each subnet, including the network address, reserved IPs for default gateway and Azure DNS, and the network broadcast address
• By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to 500 by contacting Azure support
• PowerShell commands can be used to create and manage virtual networks and subnets, and private IP addresses are used within Azure virtual networks and on-premises networks
• Public IP addresses are used for communication with the Internet and can be statically or dynamically assigned
• Network security groups contain security rules that allow or deny inbound or outbound network traffic, and can be associated with subnets or network interfaces
• NSGs can be assigned to subnets to create protected screened subnets, and NSG rules enable filtering of network traffic based on various parameters
• Inbound security rules in NSGs deny all inbound traffic except from the virtual network and Azure load balancers, while outbound rules allow traffic to the Internet and the virtual network
• NSGs are evaluated independently, with an "allow" rule needed at both subnet and NIC levels for traffic to flow, and Azure Firewall offers features such as built-in high availability, support for availability zones, and application FQDN filtering rules

Azure Firewall and DNS Management in Azure

• Azure Firewall allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs, with the capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and protocols.
• It is fully stateful, capable of distinguishing legitimate packets for different connection types, and can enforce and log rules across multiple subscriptions and virtual networks.
• Threat intelligence-based filtering can be enabled to alert and deny traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.
• Azure Firewall can be associated with multiple public IP addresses (up to 100) and is recommended to be deployed in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads efficiently.
• Azure Firewall by default blocks all traffic and has three kinds of rules: Network Rules, Application Rules, and NAT Rules, which are processed in that order.
• NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass.
• Network Rules are required for non-HTTP/S traffic to flow through the firewall and must be configured with protocol, source and destination addresses, and ports.
• Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft services.
• Azure DNS enables hosting DNS records for domains on Azure infrastructure, providing the same credentials, APIs, tools, and billing as other Azure services.
• Custom domain names in Azure DNS must be verified before use, and verification is performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name.
• DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure NS.
• To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned.

Description

Test your knowledge of Azure Firewall and DNS management in Azure with this quiz. Explore topics such as network filtering rules, threat intelligence-based filtering, NAT rules, application rules, Azure DNS hosting, domain verification, and domain delegation.