Azure Firewall and DNS Management Quiz
97 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is a Virtual Network (VNet) in Microsoft Azure?

  • A representation of on-premises network infrastructure in the cloud
  • A type of Azure firewall for securing network traffic
  • A physical server dedicated to hosting virtual machines
  • A logical isolation of the Azure cloud dedicated to your subscription (correct)
  • What can Virtual Networks (VNets) in Azure be used for?

  • Securing network traffic with IPSEC
  • Hosting physical servers in the cloud
  • Provisioning and managing virtual private networks (VPNs) (correct)
  • Managing Azure subscription billing
  • What is a key functionality of Virtual Networks (VNets) in Azure?

  • Hosting physical servers in the cloud
  • Creating hybrid or cross-premises solutions (correct)
  • Securing network traffic with Azure Firewall
  • Managing Azure subscription billing
  • How can VNets in Azure securely extend your data center?

    <p>By building traditional site-to-site (S2S) VPNs</p> Signup and view all the answers

    What is the purpose of creating a dedicated private cloud-only VNet in Azure?

    <p>Allowing services and VMs within the VNet to communicate directly and securely in the cloud</p> Signup and view all the answers

    What technology is used to provide a secure connection between corporate VPN gateway and Azure in hybrid cloud scenarios?

    <p>IPSEC</p> Signup and view all the answers

    What is the default limit of virtual networks per subscription per region in Azure?

    <p>50</p> Signup and view all the answers

    How are public IP addresses used in Azure?

    <p>For communication with the Internet and can be statically or dynamically assigned</p> Signup and view all the answers

    What is the purpose of network security groups (NSGs) in Azure?

    <p>Contain security rules that allow or deny inbound or outbound network traffic</p> Signup and view all the answers

    How are virtual networks segmented in Azure?

    <p>Into subnets to provide logical divisions within the network</p> Signup and view all the answers

    What is the role of service endpoints in Azure virtual networks?

    <p>Limit access to Azure resources in specific subnets</p> Signup and view all the answers

    How are PowerShell commands used in Azure virtual networks?

    <p>To create and manage virtual networks and subnets</p> Signup and view all the answers

    What is the purpose of NAT rules in Azure Firewall?

    <p>To translate firewall public IP and port to a private IP and port</p> Signup and view all the answers

    What is the main function of Azure DNS?

    <p>Enabling hosting DNS records for domains on Azure infrastructure</p> Signup and view all the answers

    What is required for non-HTTP/S traffic to flow through Azure Firewall?

    <p>Network Rules with protocol, source and destination addresses, and ports configured</p> Signup and view all the answers

    What must be done to delegate a domain to Azure DNS?

    <p>Assign name server names for the zone and Azure DNS automatically creates authoritative NS records</p> Signup and view all the answers

    What is a key feature of Azure Firewall's threat intelligence-based filtering?

    <p>Alerting and denying traffic from/to known malicious IP addresses and domains</p> Signup and view all the answers

    What is the recommended network topology for deploying Azure Firewall?

    <p>Hub-spoke network topology</p> Signup and view all the answers

    What is the default behavior of Azure Firewall regarding traffic?

    <p>Blocks all traffic</p> Signup and view all the answers

    What is the purpose of Application Rules in Azure Firewall?

    <p>Define FQDNs that can be accessed from a subnet</p> Signup and view all the answers

    What is the verification process for custom domain names in Azure DNS?

    <p>Verification is performed by adding a DNS record (MX or TXT)</p> Signup and view all the answers

    Virtual networks in Azure can only be used for creating hybrid cloud scenarios.

    <p>False</p> Signup and view all the answers

    Azure Virtual Networks can be linked with other VNets in Azure, or with on-premises IT infrastructure to create hybrid or cross-premises solutions.

    <p>True</p> Signup and view all the answers

    The main purpose of a Virtual Network (VNet) in Microsoft Azure is to provide a physical representation of the network in the cloud.

    <p>False</p> Signup and view all the answers

    Azure Firewall supports NAT rules to allow outbound traffic from the secured network.

    <p>False</p> Signup and view all the answers

    Virtual networks in Azure do not support traditional site-to-site (S2S) VPNs for securely extending data center capacity.

    <p>False</p> Signup and view all the answers

    Azure DNS is not a key functionality of Virtual Networks (VNets) in Azure.

    <p>False</p> Signup and view all the answers

    Azure Firewall allows inbound HTTP/S and Azure SQL traffic to specified FQDNs.

    <p>False</p> Signup and view all the answers

    Azure Firewall can be associated with up to 100 public IP addresses.

    <p>True</p> Signup and view all the answers

    NAT rules in Azure Firewall are processed before Application Rules.

    <p>False</p> Signup and view all the answers

    Azure DNS provides different credentials, APIs, tools, and billing compared to other Azure services.

    <p>False</p> Signup and view all the answers

    Custom domain names in Azure DNS must be verified by adding a DNS record (MX or TXT).

    <p>True</p> Signup and view all the answers

    DNS zones in Azure must have a unique name within the resource group.

    <p>True</p> Signup and view all the answers

    Azure DNS automatically creates authoritative NS records for delegated domains.

    <p>True</p> Signup and view all the answers

    Azure Firewall by default allows all outbound traffic.

    <p>False</p> Signup and view all the answers

    True or false: Azure reserves five IP addresses within each subnet, including the network address, reserved IPs for default gateway and Azure DNS, and the network broadcast address

    <p>True</p> Signup and view all the answers

    True or false: By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to 500 by contacting Azure support

    <p>True</p> Signup and view all the answers

    True or false: Public IP addresses are used for communication with the Internet and can be statically or dynamically assigned

    <p>True</p> Signup and view all the answers

    True or false: NSGs are evaluated independently, with an 'allow' rule needed at both subnet and NIC levels for traffic to flow

    <p>True</p> Signup and view all the answers

    True or false: Inbound security rules in NSGs deny all inbound traffic except from the virtual network and Azure load balancers, while outbound rules allow traffic to the Internet and the virtual network

    <p>True</p> Signup and view all the answers

    True or false: Azure Firewall offers features such as built-in high availability, support for availability zones, and application FQDN filtering rules

    <p>True</p> Signup and view all the answers

    Virtual networks in ______ can be used to provision and manage virtual private networks (VPNs) in ______. You can link VNets with other VNets in ______, or with on-premises IT infrastructure to create hybrid or cross-premises solutions.

    <p>Azure</p> Signup and view all the answers

    Azure Virtual Network (VNet) is a representation of your ______ in the cloud. VNet is a logical isolation of the Azure cloud dedicated to your subscription.

    <p>network</p> Signup and view all the answers

    Virtual networks can be created in many ways. Create a dedicated private ______-only VNet. When you create a VNet, your services and VMs within your VNet can communicate directly and securely with each other in the ______.

    <p>cloud</p> Signup and view all the answers

    You can build traditional site-to-site (S2S) ______s to securely scale your datacenter capacity. S2S ______s use IPSEC to provide a secure connection between your corporate ______ gateway and Azure.

    <p>VPN</p> Signup and view all the answers

    VNets give you the flexibility to support a range of ______ cloud scenarios.

    <p>hybrid</p> Signup and view all the answers

    VNets can be used to provision and manage virtual private networks (VPNs) in Azure. You can link VNets with other VNets in Azure, or with on-premises IT infrastructure to create hybrid or cross-premises solutions.

    <p>management</p> Signup and view all the answers

    By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to ______ by contacting Azure support

    <p>500</p> Signup and view all the answers

    PowerShell commands can be used to create and manage virtual networks and ______, and private IP addresses are used within Azure virtual networks and on-premises networks

    <p>subnets</p> Signup and view all the answers

    NSGs are evaluated independently, with an 'allow' rule needed at both subnet and NIC levels for traffic to ______

    <p>flow</p> Signup and view all the answers

    Public IP addresses are used for communication with the Internet and can be statically or ______ assigned

    <p>dynamically</p> Signup and view all the answers

    NSGs can be assigned to subnets to create protected screened subnets, and NSG rules enable filtering of network traffic based on various ______

    <p>parameters</p> Signup and view all the answers

    Azure reserves five IP addresses within each subnet, including the network address, reserved IPs for default gateway and Azure DNS, and the network ______ address

    <p>broadcast</p> Signup and view all the answers

    Azure Firewall allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs, with the capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and ______

    <p>protocols</p> Signup and view all the answers

    Azure Firewall can be associated with multiple public IP addresses (up to 100) and is recommended to be deployed in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads ______

    <p>efficiently</p> Signup and view all the answers

    NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to ______

    <p>pass</p> Signup and view all the answers

    Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft ______

    <p>services</p> Signup and view all the answers

    Custom domain names in Azure DNS must be verified before use, and verification is performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain ______

    <p>name</p> Signup and view all the answers

    DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure ______

    <p>NS</p> Signup and view all the answers

    To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are ______

    <p>assigned</p> Signup and view all the answers

    Azure DNS enables hosting DNS records for domains on Azure infrastructure, providing the same credentials, APIs, tools, and billing as other Azure ______

    <p>services</p> Signup and view all the answers

    Explain the purpose and functionality of Azure Virtual Networks (VNets) in Microsoft Azure.

    <p>Azure Virtual Networks (VNets) provide a logical isolation of the Azure cloud dedicated to a user's subscription, allowing for the provisioning and management of virtual private networks (VPNs) in Azure. VNets can be linked with other VNets or on-premises IT infrastructure to create hybrid or cross-premises solutions.</p> Signup and view all the answers

    What are the different implementation types for Azure Virtual Networks (VNets) and how do they differ?

    <p>Azure Virtual Networks (VNets) can be implemented as dedicated private cloud-only VNets, which allow services and VMs within the VNet to communicate directly and securely with each other, or as VNets that securely extend a user's data center capacity through traditional site-to-site (S2S) VPNs using IPSEC.</p> Signup and view all the answers

    How do Network Security Groups (NSGs) enhance the security of Azure virtual networks?

    <p>NSGs can be assigned to subnets to create protected screened subnets, and NSG rules enable filtering of network traffic based on various criteria such as source and destination IP addresses, ports, and protocols.</p> Signup and view all the answers

    What are the key benefits of using Azure Firewall in a virtual networking environment?

    <p>Azure Firewall allows for the restriction of outbound and inbound traffic based on specified FQDNs, providing centrally managed network filtering rules and supporting features such as built-in high availability and support for availability zones.</p> Signup and view all the answers

    Explain the process of creating hybrid cloud scenarios using Azure Virtual Networks (VNets) and their significance.

    <p>Azure VNets enable the creation of hybrid cloud scenarios by allowing linkage with other VNets in Azure or with on-premises IT infrastructure. This flexibility is significant as it supports a range of hybrid cloud scenarios, including securely scaling datacenter capacity and creating cross-premises solutions.</p> Signup and view all the answers

    What is the significance of DNS in the context of Azure Virtual Networks (VNets) and how does Azure DNS contribute to this?

    <p>DNS plays a crucial role in Azure VNets as it enables the hosting of DNS records for domains on Azure infrastructure. Azure DNS provides the same credentials, APIs, tools, and billing as other Azure services, contributing to the seamless integration of DNS functionality within the Azure VNet environment.</p> Signup and view all the answers

    Explain the main function of Azure Firewall in network management.

    <p>Azure Firewall allows for centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and protocols, and supports limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs.</p> Signup and view all the answers

    What is the purpose of threat intelligence-based filtering in Azure Firewall?

    <p>The purpose is to enable alerting and denying traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.</p> Signup and view all the answers

    Describe the role of NAT rules in Azure Firewall.

    <p>NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass.</p> Signup and view all the answers

    What is the significance of deploying Azure Firewall in a hub-spoke network topology?

    <p>It allows for centralizing services, overcoming subscription limits, and separating workloads efficiently.</p> Signup and view all the answers

    Explain the purpose of Application Rules in Azure Firewall.

    <p>Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft services.</p> Signup and view all the answers

    What is the process for verifying custom domain names in Azure DNS?

    <p>Custom domain names in Azure DNS must be verified before use by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name.</p> Signup and view all the answers

    What is the key functionality of DNS zones in Azure?

    <p>DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and the root/parent domain being registered at the registrar and pointed to Azure NS.</p> Signup and view all the answers

    Explain the purpose of delegating a domain to Azure DNS.

    <p>To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned.</p> Signup and view all the answers

    Explain the purpose and functionality of service endpoints in Azure virtual networks.

    <p>Service endpoints limit access to Azure resources in specific subnets by providing direct connectivity to Azure services over an optimized route, preventing unauthorized access and securing traffic within the Azure backbone network.</p> Signup and view all the answers

    Describe the default behavior of Azure virtual networks in routing network traffic between subnets.

    <p>By default, Azure routes network traffic between all subnets in a virtual network, ensuring connectivity and communication between different segments of the network.</p> Signup and view all the answers

    What are the key features and capabilities of Azure network security groups (NSGs)?

    <p>Azure network security groups contain rules allowing or denying traffic to and from sources and destinations, and they enable the creation of protected screened subnets with filtering of network traffic based on various parameters.</p> Signup and view all the answers

    Explain the role and significance of public IP addresses in Azure virtual networks.

    <p>Public IP addresses are used for communication with the Internet and can be statically or dynamically assigned, enabling external connectivity and communication for Azure resources.</p> Signup and view all the answers

    Discuss the default limits and options for increasing the number of virtual networks per subscription per region in Azure.

    <p>By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to 500 by contacting Azure support, providing scalability for network infrastructure.</p> Signup and view all the answers

    What are the evaluation criteria and requirements for network security group (NSG) rules to enable traffic flow within Azure virtual networks?

    <p>NSGs are evaluated independently, requiring an 'allow' rule at both subnet and NIC levels for traffic to flow, ensuring secure and controlled network traffic within the virtual network.</p> Signup and view all the answers

    Match the Azure networking component with its description:

    <p>Azure Virtual Network (VNet) = Representation of network in the cloud Azure Network Security Groups = Enables filtering of network traffic based on various criteria Azure Firewall = Allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs Azure DNS = Hosts DNS records for a domain</p> Signup and view all the answers

    Match the VNet implementation type with its description:

    <p>Dedicated private cloud-only VNet = Services and VMs within VNet can communicate directly and securely with each other Securely extend your data center with VNets = Build traditional site-to-site (S2S) VPNs to securely scale datacenter capacity Enable hybrid cloud scenarios with VNets = Flexibility to support a range of hybrid cloud scenarios Linking VNets with other VNets or on-premises IT infrastructure = Create hybrid or cross-premises solutions</p> Signup and view all the answers

    Match the Azure Firewall capability with its description:

    <p>Limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs = Capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports Threat intelligence-based filtering = Feature of Azure Firewall Association with multiple public IP addresses = Recommended deployment in a hub-spoke network topology Processing NAT rules = Before Application Rules in Azure Firewall</p> Signup and view all the answers

    Match the Azure DNS functionality with its description:

    <p>Hosts DNS records for a domain = Function of Azure DNS Automatic creation of authoritative NS records for delegated domains = Feature of Azure DNS Verification process for custom domain names = Adding a DNS record (MX or TXT) Root/parent domain registration and pointing to Azure = Requirement for DNS zones in Azure</p> Signup and view all the answers

    Match the key feature of VNets with its description:

    <p>Logical isolation of the Azure cloud dedicated to your subscription = Feature of Azure Virtual Network (VNet) Provision and management of virtual private networks (VPNs) in Azure = Functionality of VNets Flexibility to support a range of hybrid cloud scenarios = Key benefit of VNets Linking with other VNets or on-premises IT infrastructure = Capability of VNets</p> Signup and view all the answers

    Match the NSG capability with its description:

    <p>Assigning to subnets to create protected screened subnets = Function of Azure Network Security Groups Evaluation of 'allow' rule at both subnet and NIC levels for traffic flow = True statement about NSGs Enabling filtering of network traffic based on various criteria = Feature of NSGs Default limit of virtual networks per subscription per region in Azure = Requirement for increasing the limit by contacting Azure support</p> Signup and view all the answers

    Match the following Azure network security features with their descriptions:

    <p>Virtual network segmentation = Dividing the network into logical divisions with each containing a range of IP addresses Service endpoints = Limiting access to Azure resources in specific subnets Network security groups = Containing rules allowing or denying traffic to and from sources and destinations Public IP addresses = Used for communication with the Internet and can be statically or dynamically assigned</p> Signup and view all the answers

    Match the following Azure network security features with their functions:

    <p>NSGs and subnet assignment = Creating protected screened subnets NSG rules = Enabling filtering of network traffic based on various parameters Azure Firewall = Offering features such as built-in high availability, support for availability zones, and application FQDN filtering rules PowerShell commands = Used to create and manage virtual networks and subnets</p> Signup and view all the answers

    Match the following Azure network security features with their default behaviors:

    <p>Azure virtual networks = Routing network traffic between all subnets by default NSGs = Evaluating independently, with an 'allow' rule needed at both subnet and NIC levels for traffic to flow Inbound security rules in NSGs = Denying all inbound traffic except from the virtual network and Azure load balancers Outbound security rules in NSGs = Allowing traffic to the Internet and the virtual network</p> Signup and view all the answers

    Match the following Azure virtual network features with their descriptions:

    <p>Subnet IP address reservation = Reserving five IP addresses within each subnet, including network address, default gateway and Azure DNS reserved IPs, and network broadcast address Virtual network creation limit = By default, up to 50 virtual networks per subscription per region can be created Azure support limit increase = The limit of virtual networks per subscription per region can be increased to 500 by contacting Azure support VPN gateway connection = Providing a secure connection between corporate VPN gateway and Azure in hybrid cloud scenarios</p> Signup and view all the answers

    Match the following Azure DNS features with their purposes:

    <p>Delegating a domain to Azure DNS = Creating authoritative NS records in the zone once the name servers are known Custom domain name verification = Verified by adding a DNS record (MX or TXT) DNS zones = Hosting DNS records for a domain, with the zone name needing to be unique within the resource group DNS zone uniqueness = DNS zones in Azure must have a unique name within the resource group</p> Signup and view all the answers

    Match the following Azure Firewall features with their functionalities:

    <p>NAT rules = Processed before Application Rules Application Rules = Defining FQDNs that can be accessed from a subnet Threat intelligence-based filtering = Offering features such as built-in high availability, support for availability zones, and application FQDN filtering rules Network topology recommendation = Deploying in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads</p> Signup and view all the answers

    Match the following features with their descriptions in Azure Firewall:

    <p>Threat intelligence-based filtering = Enables alert and deny traffic from/to known malicious IP addresses and domains NAT Rules = Used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass Application Rules = Define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs Network Rules = Required for non-HTTP/S traffic to flow through the firewall and must be configured with protocol, source and destination addresses, and ports</p> Signup and view all the answers

    Match the following statements with their descriptions in Azure DNS:

    <p>Custom domain verification = Performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name DNS zones = Host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure NS Delegating a domain to Azure DNS = The name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned Azure DNS credentials and billing = Provides the same credentials, APIs, tools, and billing as other Azure services</p> Signup and view all the answers

    Match the following Azure Firewall capabilities with their descriptions:

    <p>Stateful filtering = Capable of distinguishing legitimate packets for different connection types and can enforce and log rules across multiple subscriptions and virtual networks Threat intelligence-based filtering = Can be enabled to alert and deny traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed Association with multiple public IP addresses = Allows Azure Firewall to be associated with multiple public IP addresses (up to 100) Default blocking of all traffic = By default, Azure Firewall blocks all traffic and has three kinds of rules: Network Rules, Application Rules, and NAT Rules, which are processed in that order</p> Signup and view all the answers

    Match the following Azure DNS functionalities with their descriptions:

    <p>Custom domain verification = Must be verified before use, and verification is performed by adding a DNS record (MX or TXT) DNS zones = Enable hosting DNS records for domains on Azure infrastructure, with the zone name needing to be unique within the resource group Delegating a domain to Azure DNS = Involves knowing the name server names for the zone, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned Credentials and billing = Provides the same credentials, APIs, tools, and billing as other Azure services</p> Signup and view all the answers

    Study Notes

    Azure Firewall and DNS Management in Azure

    • Azure Firewall allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs, with the capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and protocols.
    • It is fully stateful, capable of distinguishing legitimate packets for different connection types, and can enforce and log rules across multiple subscriptions and virtual networks.
    • Threat intelligence-based filtering can be enabled to alert and deny traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.
    • Azure Firewall can be associated with multiple public IP addresses (up to 100) and is recommended to be deployed in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads efficiently.
    • Azure Firewall by default blocks all traffic and has three kinds of rules: Network Rules, Application Rules, and NAT Rules, which are processed in that order.
    • NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass.
    • Network Rules are required for non-HTTP/S traffic to flow through the firewall and must be configured with protocol, source and destination addresses, and ports.
    • Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft services.
    • Azure DNS enables hosting DNS records for domains on Azure infrastructure, providing the same credentials, APIs, tools, and billing as other Azure services.
    • Custom domain names in Azure DNS must be verified before use, and verification is performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name.
    • DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure NS.
    • To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned.

    Azure Virtual Network and Security Features

    • Azure allows secure connection of cloud-based applications to on-premises systems such as mainframes and Unix systems
    • Virtual networks can be segmented into subnets to provide logical divisions within the network, with each subnet containing a range of IP addresses
    • Azure routes network traffic between all subnets in a virtual network by default, but this can be overridden through a network virtual appliance
    • Service endpoints can limit access to Azure resources in specific subnets, and network security groups contain rules allowing or denying traffic to and from sources and destinations
    • Azure reserves five IP addresses within each subnet, including the network address, reserved IPs for default gateway and Azure DNS, and the network broadcast address
    • By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to 500 by contacting Azure support
    • PowerShell commands can be used to create and manage virtual networks and subnets, and private IP addresses are used within Azure virtual networks and on-premises networks
    • Public IP addresses are used for communication with the Internet and can be statically or dynamically assigned
    • Network security groups contain security rules that allow or deny inbound or outbound network traffic, and can be associated with subnets or network interfaces
    • NSGs can be assigned to subnets to create protected screened subnets, and NSG rules enable filtering of network traffic based on various parameters
    • Inbound security rules in NSGs deny all inbound traffic except from the virtual network and Azure load balancers, while outbound rules allow traffic to the Internet and the virtual network
    • NSGs are evaluated independently, with an "allow" rule needed at both subnet and NIC levels for traffic to flow, and Azure Firewall offers features such as built-in high availability, support for availability zones, and application FQDN filtering rules

    Azure Firewall and DNS Management in Azure

    • Azure Firewall allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs, with the capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and protocols.
    • It is fully stateful, capable of distinguishing legitimate packets for different connection types, and can enforce and log rules across multiple subscriptions and virtual networks.
    • Threat intelligence-based filtering can be enabled to alert and deny traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.
    • Azure Firewall can be associated with multiple public IP addresses (up to 100) and is recommended to be deployed in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads efficiently.
    • Azure Firewall by default blocks all traffic and has three kinds of rules: Network Rules, Application Rules, and NAT Rules, which are processed in that order.
    • NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass.
    • Network Rules are required for non-HTTP/S traffic to flow through the firewall and must be configured with protocol, source and destination addresses, and ports.
    • Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft services.
    • Azure DNS enables hosting DNS records for domains on Azure infrastructure, providing the same credentials, APIs, tools, and billing as other Azure services.
    • Custom domain names in Azure DNS must be verified before use, and verification is performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name.
    • DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure NS.
    • To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned.

    Azure Virtual Network and Security Features

    • Azure allows secure connection of cloud-based applications to on-premises systems such as mainframes and Unix systems
    • Virtual networks can be segmented into subnets to provide logical divisions within the network, with each subnet containing a range of IP addresses
    • Azure routes network traffic between all subnets in a virtual network by default, but this can be overridden through a network virtual appliance
    • Service endpoints can limit access to Azure resources in specific subnets, and network security groups contain rules allowing or denying traffic to and from sources and destinations
    • Azure reserves five IP addresses within each subnet, including the network address, reserved IPs for default gateway and Azure DNS, and the network broadcast address
    • By default, up to 50 virtual networks per subscription per region can be created, but this limit can be increased to 500 by contacting Azure support
    • PowerShell commands can be used to create and manage virtual networks and subnets, and private IP addresses are used within Azure virtual networks and on-premises networks
    • Public IP addresses are used for communication with the Internet and can be statically or dynamically assigned
    • Network security groups contain security rules that allow or deny inbound or outbound network traffic, and can be associated with subnets or network interfaces
    • NSGs can be assigned to subnets to create protected screened subnets, and NSG rules enable filtering of network traffic based on various parameters
    • Inbound security rules in NSGs deny all inbound traffic except from the virtual network and Azure load balancers, while outbound rules allow traffic to the Internet and the virtual network
    • NSGs are evaluated independently, with an "allow" rule needed at both subnet and NIC levels for traffic to flow, and Azure Firewall offers features such as built-in high availability, support for availability zones, and application FQDN filtering rules

    Azure Firewall and DNS Management in Azure

    • Azure Firewall allows limiting outbound HTTP/S and Azure SQL traffic to specified FQDNs, with the capability to create centrally managed allow or deny network filtering rules based on source and destination IP addresses, ports, and protocols.
    • It is fully stateful, capable of distinguishing legitimate packets for different connection types, and can enforce and log rules across multiple subscriptions and virtual networks.
    • Threat intelligence-based filtering can be enabled to alert and deny traffic from/to known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.
    • Azure Firewall can be associated with multiple public IP addresses (up to 100) and is recommended to be deployed in a hub-spoke network topology to centralize services, overcome subscription limits, and separate workloads efficiently.
    • Azure Firewall by default blocks all traffic and has three kinds of rules: Network Rules, Application Rules, and NAT Rules, which are processed in that order.
    • NAT rules are used to translate firewall public IP and port to a private IP and port, and must be matched by a Network Rule to allow traffic to pass.
    • Network Rules are required for non-HTTP/S traffic to flow through the firewall and must be configured with protocol, source and destination addresses, and ports.
    • Application Rules define FQDNs that can be accessed from a subnet, with settings for source addresses, protocol, port, and target FQDNs, including the use of wildcards and FQDN tags for Microsoft services.
    • Azure DNS enables hosting DNS records for domains on Azure infrastructure, providing the same credentials, APIs, tools, and billing as other Azure services.
    • Custom domain names in Azure DNS must be verified before use, and verification is performed by adding a DNS record (MX or TXT), with only one directory allowed to use a domain name.
    • DNS zones in Azure host DNS records for a domain, with the zone name needing to be unique within the resource group, and root/parent domain being registered at the registrar and pointed to Azure NS.
    • To delegate a domain to Azure DNS, the name server names for the zone need to be known, and Azure DNS automatically creates authoritative NS records in the zone once the name servers are assigned.

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    Description

    Test your knowledge of Azure Firewall and DNS management in Azure with this quiz. Explore topics such as network filtering rules, threat intelligence-based filtering, NAT rules, application rules, Azure DNS hosting, domain verification, and domain delegation.

    More Like This

    Use Quizgecko on...
    Browser
    Browser