AZURE AZ 500 STUDY GUIDE-2 - Mamta Devi - E-Book

Description

 Unlock the power of Azure security with our comprehensive AZ-500 study guide! Dive deep into the world of Microsoft Azure as you master the skills needed to secure cloud resources. This expertly crafted guide provides a clear roadmap to success, covering key topics such as identity and access management, platform protection, data security, and network security. Packed with practical examples and hands-on exercises, this study guide is your passport to becoming a certified Azure Security Engineer. Accelerate your career and safeguard the cloud – get ready to ace the AZ-500 exam with confidence! 




Mamta Devi

AZURE AZ 500 STUDY GUIDE-2

Microsoft Certified Associate Azure Security Engineer: Exam-AZ 500

BookRix GmbH & Co. KG, 81371 Munich

Table of Contents

Implementing Enhanced Network Security
Securing Virtual Network Connectivity
Creating and Configuring Azure Firewalls
Creating Routing Rules for Azure Front Door
Securing Compute Resources in Cloud Environments
Implementing and Managing Security Updates for Virtual Machines (VMs)
Configuring Security for Azure App Service
Establish a Centralized Security Policy Management
Setting Up and Managing Threat Protection
Vulnerability Management
Vulnerability Assessment for Azure SQL Database
Remediating Vulnerabilities with Microsoft Defender for SQL

 

This eBook is based on AZURE AZ 500 STUDY GUIDE-2 that has been collected from different sources and people. For more information about this ebook, kindly write to [email protected]. I will be happy to help you.

Copyright 2023 by Mamta Devi

This eBook is a guide and serves as the next part of the first guide. The previous part, AZURE AZ 500 STUDY GUIDE-1, has already been published. This book has been written on the advice of many experts and sources who have a good command of cloud computing, networking and security. They are listed at the end of this book. All images used in this book are taken from the lab, which was created by experts. All rights reserved, including the right to reproduce this book or portions thereof in any form whatsoever. For any query, reach out to the author through email.

Implementing Enhanced Network Security

In this section, we will delve into the realm of advanced network security to safeguard your company's invaluable computer and information assets stored within the company network. Our primary objective is to make it exceptionally challenging for unauthorized individuals to gain access to company resources. This entails securing communications and implementing comprehensive network security within the Azure environment.

Ensuring the Security of Hybrid Network Connectivity

Securing hybrid networks involves comprehending the intricacies of network setups where multiple distinct network types coexist. To maintain the security of these interconnected networks, it's vital to consider factors such as access control, resource group management, and network configuration, among others.

Access Control

To fortify the security of your hybrid networks, we strongly recommend leveraging Azure Role-Based Access Control (Azure RBAC) to regulate access to your resources. Azure proposes the creation of three custom roles to streamline access control:

DevOps Role: This role empowers individuals to manage infrastructure, deploy application components, and oversee virtual machine (VM) operations within the environment.

General IT Administrator Role: This role grants permissions for the management and monitoring of all network resources.

Security IT Administrator Role: This role is exclusively responsible for securing network resources, including the management and configuration of network firewalls.

Resource Groups

The second pivotal aspect of securing hybrid networks involves organizing your resources into resource groups based on their specific security requirements. Categorizing resources into resource groups simplifies resource management, and you can subsequently assign Azure RBAC roles to each resource group to control access. Azure recommends the creation of the following resource groups for efficient resource grouping:

Virtual Network Resource Group: Create a separate resource group exclusively for the virtual network, excluding VMs, network security groups (NSGs), and gateway resources linked to on-premises network connections. Assign the IT administrator role to this group.

VMs and User-Defined Group: Establish a resource group for Azure firewall instances and user-defined routes within your gateway subnet. This group is entrusted to the security IT administrator role.

Application Tiers with Load Balancers and VMs Groups: Configure distinct resource groups for each application tier that encompasses load balancers and VMs. The DevOps role should be assigned to this group for efficient administration.

Configuring Network Security

In this section, we will delve into the essential steps to properly filter internet traffic and enhance network security within your Azure environment. These measures will help you establish robust security controls and efficiently manage your network resources.

Implement Destination Network Address Translation (DNAT) Rule

To filter incoming internet traffic effectively, you should add a DNAT rule to your Azure firewall. This rule enables the use of a single public IP address for your firewall instance, acting as the central point for internet-bound traffic.

Enabling forced tunneling is crucial when creating a routing table. This configuration redirects all internet-bound traffic back to your on-premises location using a site-to-site VPN tunnel or ExpressRoute. This setup allows you to inspect and audit internet traffic before it leaves your network. Figure 3.1 illustrates the difference, highlighting that the frontend subnet does not employ forced tunneling and must route through the internet to reach the on-premises network, while the backend and mid-tier subnets do not have this limitation.
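The forced-tunneling distinction described above can be checked from exported route tables. The following is an added example, not taken from the book: it applies longest-prefix matching to each subnet's user-defined routes and reports where internet-bound traffic actually exits. The subnet data is constructed (the "legacy" subnet and all addresses are hypothetical), and it assumes only user-defined routes are in play, so default routes advertised over BGP are not modelled.

```python
import ipaddress

# Constructed sample: user-defined routes per subnet, using the ARM route
# properties addressPrefix / nextHopType / nextHopIpAddress.
SAMPLE_SUBNETS = {
    "frontend": [{"addressPrefix": "10.0.0.0/8", "nextHopType": "VirtualNetworkGateway"}],
    "mid-tier": [{"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualNetworkGateway"}],
    "backend": [{"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
                 "nextHopIpAddress": "10.1.254.4"}],
    # Hypothetical edge case: only half of the default route is tunnelled.
    "legacy": [{"addressPrefix": "0.0.0.0/1", "nextHopType": "VirtualNetworkGateway"}],
}

# Constructed public probe addresses, one in each half of the IPv4 space.
PROBES = ("1.1.1.1", "203.0.113.10")

LABELS = {"VirtualNetworkGateway": "forced-tunnel", "VirtualAppliance": "firewall",
          "Internet": "direct-internet", "None": "dropped"}


def effective_next_hop(routes, dest):
    """Longest-prefix match over the UDRs; fall back to the system Internet route."""
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for route in routes:
        try:
            net = ipaddress.ip_network(route["addressPrefix"])
        except ValueError:
            continue  # service-tag prefixes are not CIDR; out of scope here
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1]["nextHopType"] if best else "Internet"


def audit(subnets, probes=PROBES):
    """Map each subnet to its exit path, or 'mixed' when the probes disagree."""
    report = {}
    for name, routes in subnets.items():
        seen = {LABELS.get(effective_next_hop(routes, p), "other") for p in probes}
        report[name] = seen.pop() if len(seen) == 1 else "mixed"
    return report


if __name__ == "__main__":
    for subnet, status in audit(SAMPLE_SUBNETS).items():
        print(f"{subnet:10} {status}")
```

A subnet reported as "direct-internet" or "mixed" sends at least some traffic out without on-premises or firewall inspection and is the one to review against the intended design.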

Routing On-Premises User Requests through Azure Firewall

To ensure thorough inspection and filtering of traffic, all on-premises user requests should be routed through the Azure firewall. This guarantees that traffic is examined and filtered before reaching its destination. Additionally, Network Security Groups (NSGs) can be employed to control the flow of traffic between different application layers effectively.