Azure Infrastructure Security
Seven controls along one request path
Picture a single request arriving from the public internet and travelling all the way to a password your application needs. That request crosses the network in layers, the network and transport layers (3 and 4) that move packets and the application layer (7) that carries the web content, and it may end at a virtual machine (VM), a server you rent in Azure. Azure places a distinct security control at each of those layers, and this page seats seven of them along that one request path so you can name which control belongs where and pick the right one for a given threat.
The order runs outward-in. Azure DDoS Protection[1] meets the raw traffic at the edge and scrubs volumetric floods. Azure Firewall[2] filters the perimeter for every network at once. A Web Application Firewall[3] reads the web request itself for exploits. Virtual networks and subnets[4] carve the environment into isolated segments. A network security group[5] (NSG) allows or denies traffic right at a subnet or a network interface (NIC). Azure Bastion[6] is how an administrator reaches a VM without ever exposing it. And Azure Key Vault[7] is the guarded store the secret finally rests in.
This is defense in depth expressed as products: each layer is independent insurance, so getting past one still leaves the next. It maps onto the Microsoft Zero Trust model, whose assume breach principle motivates the segmentation and least-privilege network access this page is built on, and whose infrastructure and networks pillars these controls serve. The sections that follow walk the path one stop at a time, then close on the boundaries the exam turns on.
The edge and the perimeter: DDoS, Firewall, and WAF
Your application's front door faces the public internet, and three different kinds of attack can arrive there: a flood that simply drowns your bandwidth, traffic from an address Microsoft already knows is malicious, and a crafted web request that tries to trick your code. Three Azure services, which Microsoft groups as the network security category, answer these in turn.
Azure DDoS Protection: absorbing floods at layers 3 and 4
A distributed denial-of-service (DDoS) attack tries to overwhelm your resources so genuine users cannot get through, and it comes in three shapes[1]: volumetric attacks that flood the network with bandwidth-consuming traffic, protocol attacks that exhaust server resources by abusing weaknesses in layer 3 and 4 protocols, and resource (application) layer attacks aimed at the web application itself. Azure DDoS Protection[8] monitors traffic around the clock and mitigates at layer 3 (network) and layer 4 (transport), which covers the volumetric and protocol shapes. It has two paid tiers: DDoS Network Protection guards an entire virtual network, and DDoS IP Protection is a pay-per-protected-IP model with the same core engine but without the value-added extras (rapid-response support, cost protection, and WAF discounts). Every Azure service already gets a free, default infrastructure-level DDoS protection, but its threshold is tuned high and it gives no telemetry or alerting, so a flood the platform shrugs off can still sink one application. Because DDoS Protection stops at layer 4, application-layer floods such as HTTP floods are handed to a WAF.
Azure Firewall: one stateful policy across every network
Azure Firewall[9] is a managed, cloud-based network security service that you typically deploy on a central hub virtual network so all your other VNets and on-premises networks route through it, giving one place to control traffic across subscriptions. It is stateful, meaning it tracks the state of active connections and judges traffic in context. Its rules work at both the network level (allow or deny by IP address, port, and protocol) and the application level (control access by fully qualified domain name, or FQDN, over HTTP/S), and its threat-intelligence filtering can alert on or deny traffic to and from IP addresses and domains that Microsoft's feed flags as malicious. It also performs source and destination network address translation (SNAT and DNAT). Azure Firewall is offered in Basic, Standard, and Premium tiers, where Premium adds a signature-based intrusion detection and prevention system (IDPS).
Web Application Firewall: guarding the web request at layer 7
Where Azure Firewall watches the network and can allow or block whole domains, a Web Application Firewall (WAF)[3] reads inside the web request itself, giving centralized protection for web applications against common exploits at layer 7. This is why Azure Firewall reaching into layer 7 does not make a WAF redundant: the firewall's application awareness means FQDN and protocol control, not the OWASP exploit inspection a WAF performs. A WAF applies the Open Web Application Security Project (OWASP) core rule set to block classics such as SQL injection, cross-site scripting (XSS), and the HTTP floods that DDoS Protection cannot see, and it lets you patch a newly found vulnerability in one place instead of on every app. Azure WAF is delivered through Azure Application Gateway[10] for a regional web app, Azure Front Door for a globally distributed one, and Azure CDN for content delivery. The exam boundary is crisp: DDoS Protection for network-layer floods, a WAF for application-layer web exploits, and the two together for defense in depth.
Containing the blast radius: segmentation and NSGs
A firewall at the perimeter does nothing to stop an attacker who is already inside from moving sideways. Segmentation is the answer: divide the network into compartments so a breach in one cannot spread to the rest, which is the Zero Trust assume breach principle applied to network design.
Virtual networks, subnets, and peering
An Azure virtual network (VNet)[4] is the fundamental building block of your private network in Azure and the isolation boundary: by default no traffic flows across VNets or inbound from outside, so any communication must be explicitly provisioned. Within a VNet you create subnets, smaller segments that let you separate workloads with different needs, for example web servers in one subnet and database servers in another, each with its own controls. When two VNets genuinely must talk, VNet peering[11] connects them so their resources communicate as if on one network, over the private Azure backbone rather than the public internet, and global VNet peering does this across regions. Each boundary between segments is a place to inspect and filter traffic.
Network security groups filter within a VNet
The filter that sits closest to a resource is the network security group (NSG)[5]. It holds inbound and outbound security rules that allow or deny traffic to and from Azure resources, evaluated in priority order (lower numbers first, and once a rule matches, evaluation stops) using five pieces of information: source, source port, destination, destination port, and protocol. That is the five-tuple. You attach one NSG to a subnet or to a network interface (NIC); the same NSG can be reused on many subnets and NICs. Azure adds default rules you cannot delete (though you can override them with a higher-priority rule) whose net effect is to allow traffic within the VNet and from the Azure load balancer while denying all other inbound traffic from the internet. Application security groups (ASGs) let you write those rules against named groups of VMs, such as WebServers or DbServers, instead of tracking IP addresses by hand.
Firewall filters across, an NSG filters within
This is the single most confused pair on the page, and Microsoft draws the line by scope. A network security group provides distributed traffic filtering to limit traffic to resources within a VNet, at the subnet or NIC. Azure Firewall[5] is a centralized, fully stateful firewall-as-a-service that protects across different VNets and subscriptions and adds FQDN and threat-intelligence filtering an NSG has no concept of. They are complementary, not alternatives: the figure shows Azure Firewall in a central hub filtering across peered spoke VNets, while each spoke keeps its own NSGs guarding traffic within, at each subnet. Use both for defense in depth.
Reaching a VM without exposing it: Azure Bastion
To administer a VM you eventually need Remote Desktop Protocol (RDP) or Secure Shell (SSH) onto it, and the traditional way, opening those management ports to the internet, hands attackers exactly the target they scan for: a reachable machine with an open RDP or SSH port becomes the foothold for reaching everything else.
Azure Bastion[6] removes that exposure. It is a fully platform-managed service you provision inside your virtual network, and it brokers RDP and SSH sessions to your VMs straight from the Azure portal over Transport Layer Security (TLS) on port 443. Because the session rides in through Bastion, the VM needs no public IP address, no agent, and no special client, and its RDP or SSH ports never face the internet, which also takes the VM off the map for port scanners. Bastion is deployed per virtual network (and serves peered VNets too), not per VM or per subscription, so once it is in place every VM in that network is reachable this way. The figure traces the path: an administrator opens a session from a browser in the Azure portal, the request reaches Azure Bastion[12] over TLS 443, and Bastion connects onward to the target VM using a private IP.
Two misreadings to avoid. Bastion is not a VPN: it does not extend your on-premises network into Azure, it brokers a single portal-based session. And it is not a jump-box VM that you stand up and patch yourself; it is a managed platform-as-a-service (PaaS) that Azure keeps hardened and current, including against zero-day exploits.
A guarded home for secrets, keys, and certificates
Once code needs a database password or an API key, the worst place to keep it is in the code. Azure Key Vault[7] is the managed store that centralizes these secrets so applications fetch them at runtime instead, which shrinks the chance of a credential leaking into source control.
Key Vault handles three kinds of protected material, and the exam expects you to recognize all three: secrets (passwords, connection strings, API keys, and other arbitrary values), keys (the cryptographic keys used to encrypt data), and certificates (public and private TLS/SSL certificates it can provision and renew). Access is a two-step gate: authentication, which proves who the caller is, is always handled by Microsoft Entra ID[13], and authorization, which decides what they may do, is handled by Azure role-based access control (RBAC) or a Key Vault access policy. Key Vault logs every access for monitoring, and it is designed so that Microsoft cannot see or extract your data. It comes in two tiers: Standard protects keys in software, while Premium stores them in a hardware security module (HSM), tamper-resistant hardware the keys never leave, for stricter compliance needs.
The trap to sidestep is treating Key Vault as an identity store. It holds an application's secrets, keys, and certificates, not user accounts or sign-in credentials; those live in Microsoft Entra ID, which Key Vault itself leans on to authenticate its own callers. By granting each application access to only the specific secrets it needs, Key Vault serves the Zero Trust principle of least privilege access and limits the blast radius if a credential is ever exposed.
Exam-pattern recognition: the boundaries tested
SC-900 questions on this domain almost always turn on telling two similar controls apart. These are the lines that decide the answer.
The boundaries that get tested
- DDoS Protection versus WAF. A network-layer or transport-layer flood (volumetric or protocol, layers 3 and 4) points to Azure DDoS Protection; a web exploit or application-layer flood (SQL injection, cross-site scripting, HTTP flood, layer 7) points to a Web Application Firewall. If the stem mentions the OWASP top 10, the answer is WAF.
- Azure Firewall versus NSG. Central control across many VNets and subscriptions, with FQDN or threat-intelligence filtering, means Azure Firewall. A simple allow or deny on the five-tuple at one subnet or network interface means a network security group. A stem that says filtering across virtual networks is signalling Firewall; within a virtual network is signalling NSG.
- DDoS Network Protection versus IP Protection. Whole-VNet coverage is Network Protection; billing per protected public IP is IP Protection. The free default infrastructure-level protection is not a substitute, because it gives no telemetry, alerting, or tuned thresholds.
- Azure Bastion. Any stem about reaching a VM with RDP or SSH but without a public IP or an open management port is Bastion. It is not a VPN and not a self-managed jump box.
- Key Vault. Storing an application's secrets, keys, or certificates is Key Vault. Storing user identities or sign-in credentials is Microsoft Entra ID, not Key Vault.
Where this domain goes next
These controls protect the infrastructure; the rest of the domain watches over it. Microsoft Defender for Cloud and secure-score management assess and harden the posture of these resources, Microsoft Sentinel collects their signals for security information and event management (SIEM) and response, and Microsoft Defender XDR extends threat protection across endpoints, identities, email, and apps.
Four network controls: which layer, which scope, which threat
| Dimension | Azure DDoS Protection | Azure Firewall | Web Application Firewall (WAF) | Network security group (NSG) |
|---|---|---|---|---|
| Layer | 3 and 4 (network, transport) | 3 through 7 (network and application) | 7 (HTTP/S application) | 3 and 4 (five-tuple) |
| Scope and placement | Per VNet (Network Protection) or per public IP (IP Protection) | Centralized hub, across VNets and subscriptions | Per web app via App Gateway, Front Door, or CDN | Distributed, within a VNet at a subnet or network interface |
| Primary threat stopped | Volumetric and protocol floods | Malicious IPs and FQDNs, unwanted egress | OWASP exploits: SQL injection, XSS, HTTP floods | Unwanted traffic by allow or deny rule |
| Rule model | Auto-tuned mitigation, no rules to write | Network and application rules, FQDN and threat-intel filtering | OWASP core rule set plus custom rules | Priority-ordered allow or deny on the five-tuple |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- DDoS Protection guards layers 3 and 4; a WAF guards layer 7
Azure DDoS Protection mitigates network- and transport-layer floods (volumetric and protocol attacks at layers 3 and 4) but does not read HTTP content, so application-layer attacks such as HTTP floods, SQL injection, and cross-site scripting fall to a Web Application Firewall. Microsoft positions the two as complementary, so DDoS Protection plus a WAF is the defense-in-depth answer covering both the network and the application.
Trap Reaching for Azure DDoS Protection to stop an HTTP flood or SQL injection; those are layer 7 attacks a WAF handles, not DDoS Protection.
3 questions test this
- Azure DDoS Protection automatically mitigates attacks that target the network layer of your Azure virtual network resources. Which attack…
- Your organization needs to protect a web application from both network-layer and application-layer DDoS attacks. What should you use?
- To defend against resource layer (application layer) attacks, Azure DDoS Protection should be combined with which additional service?
- DDoS attacks come in volumetric, protocol, and application-layer forms
The three shapes are volumetric attacks that saturate bandwidth, protocol attacks that exhaust server resources by abusing layer 3 and 4 weaknesses, and resource (application) layer attacks aimed at the web application itself. Azure DDoS Protection covers the first two at layers 3 and 4; the application-layer form is left to a WAF.
- DDoS Network Protection covers a VNet; IP Protection is billed per IP
The two paid DDoS tiers share the same core mitigation engine but differ in scope and billing: DDoS Network Protection protects an entire virtual network, while DDoS IP Protection is a pay-per-protected-public-IP model. IP Protection omits the value-added extras Network Protection includes, namely DDoS rapid-response support, cost protection, and WAF discounts.
Trap Assuming DDoS IP Protection includes rapid-response support and cost protection; those value-added services come only with DDoS Network Protection.
6 questions test this
- What happens when Azure DDoS Network Protection is enabled on an Azure virtual network?
- Which capability is available with Azure DDoS Network Protection but is NOT included with Azure DDoS IP Protection?
- At what level is Azure DDoS Network Protection enabled?
- You manage an Azure virtual network that contains several public IP resources. You need to enable a DDoS Protection tier that is applied at…
- What must be in place before your operations team can engage the DDoS Rapid Response (DRR) team for help during an attack?
- During an active DDoS attack on resources protected by Azure DDoS Network Protection, which capability provides access to a team that can…
- Every Azure resource has free default DDoS protection, but it is thin
Azure gives all resources a default infrastructure-level DDoS protection at no cost, but its thresholds are tuned high and it provides no telemetry, alerting, or per-application tuning. A flood the platform treats as harmless can still overwhelm one application, which is why the paid tiers add monitoring, alerts, and adaptive tuning.
Trap Treating the free default infrastructure-level DDoS protection as equivalent to DDoS Network Protection; it lacks telemetry, alerting, and application-tuned thresholds.
- Azure Firewall is a managed, stateful, centralized network security service
Azure Firewall is a cloud-native, fully stateful firewall-as-a-service you typically place on a central hub VNet so every other VNet and on-premises network routes through one policy, giving centralized control across subscriptions. Being stateful, it tracks active connections and judges traffic in context, and it provides built-in high availability across availability zones.
8 questions test this
- In a defense-in-depth design, which characteristic distinguishes Azure Firewall from network security groups (NSGs)?
- Which characteristic best describes how Azure Firewall evaluates network traffic for resources in an Azure virtual network?
- Which statement best describes a characteristic of Azure Firewall?
- In a defense-in-depth strategy, what is the primary role of Azure Firewall within an Azure network architecture?
- Which Azure service acts as a centrally managed, stateful firewall-as-a-service that can filter traffic for an entire virtual network and…
- In a layered network design, what is the role of Azure Firewall when it is used together with Azure Bastion?
- Your organization deploys Azure Firewall in a central hub virtual network with spoke virtual networks peered to it. What is the primary…
- Which Azure service is a managed, cloud-based network security service that protects your Azure virtual network resources?
- Azure Firewall filters by FQDN and Microsoft threat intelligence
Beyond IP, port, and protocol network rules, Azure Firewall filters application traffic by fully qualified domain name (FQDN) over HTTP/S, and its threat-intelligence filtering alerts on or denies traffic to and from IP addresses and domains Microsoft's feed flags as malicious. It also performs source and destination network address translation (SNAT and DNAT).
7 questions test this
- Which traffic-filtering capability is provided by Azure Firewall but is not available in a network security group?
- Where does Azure Firewall threat intelligence-based filtering obtain the IP addresses, domains, and URLs used to identify malicious traffic?
- Which operating modes can be configured for threat intelligence-based filtering in Azure Firewall?
- Your organization wants the network perimeter to automatically alert on and deny outbound traffic to IP addresses and domains that…
- Which Azure service acts as a centrally managed, stateful firewall-as-a-service that can filter traffic for an entire virtual network and…
- A company must restrict outbound HTTP and HTTPS traffic from its virtual network so that workloads can only reach an approved list of fully…
- What do Azure Firewall application rules filter traffic based on?
- Azure Firewall filters across networks; an NSG filters within one
Both control traffic to virtual-network resources, but by scope. A network security group does distributed filtering within a VNet, at a subnet or network interface, on the five-tuple. Azure Firewall is a centralized, stateful service that protects across VNets and subscriptions and adds FQDN and threat-intelligence filtering an NSG cannot do. They are complementary layers, not an either-or choice.
Trap Using a network security group where you need FQDN or threat-intelligence filtering; an NSG only allows or denies on the five-tuple, so that job belongs to Azure Firewall.
9 questions test this
- Which Azure network security option can be used at no additional cost to filter inbound and outbound traffic at the subnet and network…
- Which traffic-filtering capability is provided by Azure Firewall but is not available in a network security group?
- In a defense-in-depth architecture, at which layer does a network security group operate to help reduce the attack surface of virtual…
- What is the primary purpose of a network security group (NSG) in Azure?
- Your organization wants to centrally filter and log all outbound internet traffic from multiple Azure virtual networks while also…
- How do network security groups (NSGs) help implement network segmentation within an Azure virtual network?
- A company applies network security groups (NSGs) to individual subnets to control traffic between workloads inside a virtual network, while…
- At which layer of network protection are network security groups (NSGs) intended to filter traffic in Azure?
- In a hub-and-spoke architecture that follows a defense-in-depth strategy, how do Azure Firewall and network security groups (NSGs) provide…
- NSG rules allow or deny on the five-tuple in priority order
A network security group evaluates rules by priority (lower numbers first, and evaluation stops at the first match) using five values: source, source port, destination, destination port, and protocol. Each rule either allows or denies, and you can override the undeletable default rules by adding a higher-priority, lower-numbered rule.
6 questions test this
- In Azure, a network security group (NSG) can filter network traffic based on which characteristics?
- On what basis do network security groups (NSGs) allow or deny network traffic to Azure resources?
- What does a network security group (NSG) use to determine whether inbound or outbound traffic is allowed or denied?
- In an architecture that uses Azure Bastion for remote access, what is the primary purpose of a network security group (NSG)?
- Which statement accurately describes a network security group (NSG) in Azure?
- At which layers of the OSI model do network security groups (NSGs) primarily filter network traffic in Azure?
- Attach one NSG per subnet or NIC, but reuse it widely
You can associate at most one network security group with a given subnet and one with a given network interface (NIC), but the same NSG can be attached to many subnets and NICs at once. This lets a single rule set cover many resources that share the same security needs.
- A new NSG allows intra-VNet and outbound internet traffic by default
Every NSG ships with default rules (three inbound, three outbound) you cannot delete. Their net effect allows traffic within the virtual network and from the Azure load balancer, allows outbound to the VNet and the internet, and denies all other inbound traffic from the internet. You change this only by adding higher-priority rules.
Trap Assuming a new NSG blocks everything by default; its default rules already allow traffic within the VNet and outbound to the internet, denying only other inbound traffic.
6 questions test this
- By default, how can virtual machines deployed in the same subnet of an Azure virtual network communicate with each other?
- By default, how does a network security group (NSG) handle inbound traffic from the internet?
- By default, how does a newly created network security group (NSG) handle inbound traffic from the internet?
- You have a virtual network with resources deployed in multiple subnets. By default, what traffic is allowed between the subnets?
- You need to prevent virtual machines in a specific subnet from initiating outbound connections to the internet, while keeping the…
- Which default behavior is included in every Azure network security group (NSG)?
- VNets block cross-VNet and inbound traffic by default
An Azure virtual network is the isolation boundary of your private network in Azure: by default no traffic crosses between VNets or arrives inbound from outside, so any communication must be explicitly provisioned. This default-deny posture is what makes segmentation the practical basis of the Zero Trust assume breach principle.
Trap Assuming resources in two different VNets can talk by default; cross-VNet traffic is denied until you explicitly provision it, for example with peering.
3 questions test this
- By default, how are resources deployed in two separate Azure virtual networks able to communicate with each other?
- What is a Microsoft Azure virtual network (VNet)?
- Within a defense-in-depth security strategy, which layer is primarily addressed when you use Azure virtual networks to segment and isolate…
- Subnets segment a VNet to contain a breach
Within a VNet, subnets divide the network into smaller segments with their own controls, for example separating web servers from database servers. Segmenting this way limits lateral movement, so a compromise in one subnet is harder to spread, which serves the Zero Trust assume breach principle directly.
6 questions test this
- Within a defense-in-depth strategy, what is the primary security benefit of dividing workloads into separate subnets within an Azure…
- How does network segmentation with Azure virtual networks support the Zero Trust principle of assume breach?
- Your organization hosts a multi-tier application with web, application, and database servers in one Azure virtual network. You want to…
- What is the primary benefit of using Azure virtual networks for network segmentation in a defense-in-depth strategy?
- Within an Azure virtual network, what is the primary purpose of dividing the network into subnets?
- What is a benefit of segmenting an Azure virtual network into multiple subnets?
- VNet peering connects two VNets over the private Azure backbone
Peering links two virtual networks so their resources communicate as if on one network, and the traffic travels over the private Azure backbone rather than the public internet. Global VNet peering extends this connection across Azure regions.
- Azure Bastion gives RDP and SSH without a public IP or open ports
Azure Bastion is a managed PaaS service provisioned inside a VNet that brokers Remote Desktop Protocol (RDP) and Secure Shell (SSH) sessions to your VMs from the Azure portal over TLS on port 443. The VM keeps only a private IP and never exposes an RDP or SSH port to the internet, which removes the open management port attackers scan for.
Trap Assuming the target VM still needs a public IP with Azure Bastion; the point is that the VM keeps only a private IP while Bastion brokers the session over TLS.
15 questions test this
- Your organization uses Azure Bastion to access Azure virtual machines. Which inbound ports can you keep closed to the internet on the…
- Select the answer that correctly completes the sentence. When you use Azure Bastion to connect to an Azure virtual machine, Bastion…
- How do users initiate an Azure Bastion session to a virtual machine over TLS without installing additional client software?
- What must you install on the target Azure virtual machines to enable browser-based connectivity through Azure Bastion?
- How does Azure Bastion improve the security of remote access to Azure virtual machines?
- In a layered network design, what is the role of Azure Firewall when it is used together with Azure Bastion?
- What is a primary security benefit of using Azure Bastion to access Azure virtual machines?
- How do administrators establish a remote session to an Azure virtual machine when using Azure Bastion?
- By keeping Azure virtual machines off the public internet, what type of threat does Azure Bastion primarily help protect those virtual…
- What does Azure Bastion use to provide RDP and SSH connectivity to an Azure virtual machine through a web browser?
- Which Azure service enables you to connect to Azure virtual machines by using RDP and SSH directly from the Azure portal without assigning…
- Your Azure virtual machines do not have public IP addresses. When a user connects to one of these virtual machines through Azure Bastion,…
- A user connects to an Azure virtual machine through Azure Bastion from the Azure portal. Which protocol and port does the user's browser…
- What is a benefit of using Azure Bastion to connect to Azure virtual machines?
- Your organization deploys Azure Bastion to provide administrative connectivity to its Azure virtual machines. As a result, which inbound…
- Bastion is a managed broker, not a VPN or a jump box you patch
Azure Bastion brokers a single portal-based RDP or SSH session; it does not extend an on-premises network into Azure the way a VPN does, and it is not a jump-box VM you deploy and patch yourself. Azure keeps the Bastion service hardened and current, including against zero-day exploits.
Trap Treating Azure Bastion as a VPN or a self-managed jump-box VM; it is a fully managed session broker that Azure patches and hardens for you.
2 questions test this
- Bastion is deployed per virtual network, not per VM
You provision one Azure Bastion per virtual network, and it also serves peered VNets, rather than one per VM or per subscription. Once it is deployed, every VM in that network and its peers becomes reachable through it.
4 questions test this
- Where is Azure Bastion deployed in order to provide secure connectivity to virtual machines?
- You deploy a single Azure Bastion host into a virtual network. To which virtual machines can this Bastion host provide RDP and SSH…
- Which statement best describes how Azure Bastion is deployed to provide secure connectivity to virtual machines?
- Your Azure environment uses multiple virtual networks. You deploy Azure Bastion into one virtual network. Which additional configuration…
- Key Vault manages secrets, keys, and certificates
Azure Key Vault centralizes three kinds of protected material: secrets (passwords, connection strings, API keys), cryptographic keys used to encrypt data, and public and private TLS/SSL certificates it can provision and renew. Applications fetch these at runtime so credentials never sit in application code.
7 questions test this
- Which Azure Key Vault capability allows an organization to provision, manage, and automatically renew TLS/SSL certificates from supported…
- Select the answer that correctly completes the sentence. Azure Key Vault can be used to securely manage [answer choice].
- In a defense-in-depth model, protecting the encryption keys that secure stored information is an example of safeguarding which layer?
- Which types of sensitive data can be securely stored and managed in Azure Key Vault?
- How does centralizing secrets, keys, and certificates in Azure Key Vault contribute to a defense-in-depth strategy?
- Which capability does Azure Key Vault provide as part of a defense-in-depth strategy in Azure?
- What is a benefit of centralizing application secrets in Azure Key Vault?
- Key Vault holds app secrets, not user identities
Key Vault stores an application's secrets, keys, and certificates, not user accounts or sign-in credentials. Those identities live in Microsoft Entra ID, which Key Vault itself relies on to authenticate its callers before authorizing them with Azure RBAC or a Key Vault access policy.
Trap Storing user sign-in credentials in Key Vault; user identities belong in Microsoft Entra ID, while Key Vault holds application secrets, keys, and certificates.
Key Vault's Standard tier protects keys with software, while the Premium tier stores them in a hardware security module (HSM), tamper-resistant hardware the keys never leave. Choose Premium when compliance requires HSM-backed key protection; both tiers offer the same secrets, keys, and certificate management otherwise.
Trap Assuming HSM-backed keys come with the Standard tier; hardware security module protection requires the Premium tier of Key Vault.
- Key Vault authenticates via Entra ID, authorizes via RBAC or access policy
Access to Key Vault is a two-step gate: authentication, which proves the caller's identity, is always handled by Microsoft Entra ID, and authorization, which decides what the caller may do, is handled by Azure role-based access control (RBAC) or a Key Vault access policy. Every access is logged so you can monitor use.
- Azure WAF runs on Application Gateway, Front Door, or CDN
A Web Application Firewall gives centralized layer-7 protection using the OWASP core rule set against exploits like SQL injection and cross-site scripting, and Azure delivers it through Application Gateway (regional), Azure Front Door (global), or Azure CDN. Patching a vulnerability once at the WAF then covers every application behind it.
Trap Expecting Azure Firewall to block SQL injection or cross-site scripting; those layer-7 web exploits are a WAF's job, delivered through Application Gateway, Front Door, or CDN.
11 questions test this
- In Azure Web Application Firewall (WAF) on Azure Front Door, what provides Azure-authored, preconfigured rules that are based on the OWASP…
- What is the primary benefit of integrating Azure Web Application Firewall (WAF) with Azure Front Door rather than deploying WAF only within…
- Your organization hosts a web application in a single Azure region and wants to protect it with a Web Application Firewall (WAF) that…
- At which layer does Web Application Firewall (WAF) on Azure Application Gateway inspect and filter traffic to protect web applications from…
- In an Azure Web Application Firewall (WAF) policy associated with Application Gateway, which component provides preconfigured,…
- Which type of attack does Azure Web Application Firewall on Application Gateway help protect against?
- Azure Web Application Firewall (WAF) on Application Gateway uses managed rule sets based on which security project?
- Which two Azure front-end delivery services can you associate with a Web Application Firewall (WAF) policy to protect web applications from…
- At which layer does Azure Web Application Firewall (WAF) on Azure Front Door inspect traffic to protect web applications?
- Your organization wants to protect a globally distributed web application at the network edge, closest to the source of incoming traffic.…
- Azure Web Application Firewall (WAF) on Application Gateway uses managed rule sets based on the OWASP Core Rule Set. Which type of attacks…
- A network security group is stateful, so an allowed connection gets automatic return traffic
A network security group allows or denies both inbound and outbound traffic at no extra cost and with no dedicated appliance. Because it is stateful, when it permits a connection the return traffic for that connection is allowed automatically, so you never add a matching reverse rule. When it is associated with a subnet, its rules apply to every resource connected to that subnet.
Trap Assuming an inbound allow rule needs a matching outbound rule for the reply traffic.
13 questions test this
- What is the effect of associating a network security group (NSG) with a virtual network subnet?
- Which Azure network security option can be used at no additional cost to filter inbound and outbound traffic at the subnet and network…
- Why is a network security group (NSG) described as stateful?
- In a defense-in-depth architecture, at which layer does a network security group operate to help reduce the attack surface of virtual…
- Your organization wants to allow or deny basic inbound and outbound traffic to several virtual machines in an Azure virtual network at no…
- Your organization hosts a multi-tier application with web, application, and database servers in one Azure virtual network. You want to…
- In an architecture that uses Azure Bastion for remote access, what is the primary purpose of a network security group (NSG)?
- Which statement accurately describes a network security group (NSG) in Azure?
- When a network security group (NSG) is associated with a virtual network subnet, to which resources in the subnet are the security rules…
- Which types of network traffic can a network security group (NSG) filter for Azure resources?
- Which statement best describes the purpose of a network security group (NSG) in Azure?
- You need to prevent virtual machines in a specific subnet from initiating outbound connections to the internet, while keeping the…
- What effect does associating a network security group (NSG) with a virtual network subnet have on the resources in that subnet?
- WAF Detection mode only logs a matching request; Prevention mode blocks it
In Detection mode an Azure WAF records matching requests in the WAF logs but lets them through, which is useful for tuning rules before enforcement. In Prevention mode it actively blocks a matching request, returns a 403 response, and logs the event.
Trap Leaving a tuned policy in Detection mode when the goal is to actively stop malicious requests.
4 questions test this
- Your organization deploys an Azure Application Gateway with a Web Application Firewall (WAF) policy configured in Detection mode. What does…
- You deploy Azure Web Application Firewall (WAF) on Azure Application Gateway and want the WAF to actively block requests that match the…
- In a Web Application Firewall (WAF) policy, what does Prevention mode do when an incoming request matches a configured rule?
- What happens when Azure Application Gateway WAF is running in Prevention mode and a request matches a managed rule?
- DDoS Protection reports attacks through Azure Monitor telemetry, alerts, and post-attack reports
Azure DDoS Protection surfaces rich telemetry through Azure Monitor, including near real-time metrics of packets dropped, forwarded, or tagged during mitigation. It can alert your operations team at the start and stop of an attack, provides attack analytics reports in about five-minute increments during the event, and delivers a forensic mitigation summary report after the attack ends.
5 questions test this
- Which Azure DDoS Protection capability provides detailed reports in five-minute increments during an attack and a complete summary after…
- Which Azure service is used to access real-time DDoS attack metrics and configure diagnostic logging for Azure DDoS Protection?
- Which Azure DDoS Protection capability proactively notifies your operations team at the start and stop of an attack by using built-in…
- What is the primary purpose of the attack telemetry and mitigation reports that Azure DDoS Protection makes available after an attack ends?
- Which information does Azure DDoS Protection make available through its attack telemetry metrics during an active attack?
Also tested in
References
- SC-900: Describe Azure DDoS Protection
- SC-900: Describe Azure Firewall
- SC-900: Describe Web Application Firewall
- SC-900: Describe network segmentation in Azure
- SC-900: Describe Azure Network Security Groups
- SC-900: Describe Azure Bastion
- SC-900: Describe Azure Key Vault
- Azure DDoS Protection overview
- What is Azure Firewall?
- What is Azure Web Application Firewall?
- What is Azure Virtual Network?
- What is Azure Bastion?
- About Azure Key Vault