Course 2 – Microsoft Azure Management Tools and Security Solutions
Module 4: General Security & Network Security in Microsoft Azure
MICROSOFT AZURE FUNDAMENTALS AZ-900 EXAM PREP SPECIALIZATION
Complete Coursera Study Guide
INTRODUCTION – General Security & Network Security in Microsoft Azure
In this module, you’ll learn how Azure can help protect the workloads you run both in the cloud and in your on-premises datacenter. You’ll also explore various Azure services designed to ensure that your network remains safe, secure, and trusted. Through this knowledge, you’ll gain the skills necessary to implement robust security measures that safeguard your infrastructure effectively.
Learning Objectives
- Strengthen your security posture and protect against threats by using Azure Security Center.
- Collect and act on security data from many different sources by using Azure Sentinel.
- Store and access sensitive information such as passwords and encryption keys securely in Azure Key Vault.
- Manage dedicated physical servers to host your Azure VMs for Windows and Linux by using Azure Dedicated Host.
- Identify the layers that make up a defense-in-depth strategy.
- Explain how Azure Firewall enables you to control what traffic is allowed on the network.
- Configure network security groups to filter network traffic to and from Azure resources within a Microsoft Azure virtual network.
- Explain how Azure DDoS Protection helps protect your Azure resources from DDoS attacks.
KNOWLEDGE CHECK 1
1. Many Azure services include built-in security features; however, Azure also has specific tools to assist with securing your environment. Which of the following would be the simplest way to monitor your resources and perform automatic security assessments to identify potential vulnerabilities?
- Azure Security Center (CORRECT)
- Azure Key Vault
- Azure Sentinel
Correct: Azure Security Center is a monitoring service that provides visibility of your security posture across all your services on Azure and on-premises.
2. Your company has migrated to Azure Cloud services. Management wants to implement security that will limit the applications that can run on certain virtual machines. Which of the following approaches provides such a solution?
- Administrators periodically review what applications are running on each VM by creating and running PowerShell scripts.
- Implement an application control rule in Azure Security Center. (CORRECT)
- Connect the virtual machines to Azure Sentinel.
Correct: With Azure Security Center, you can define a list of allowed applications to ensure that only applications you allow can run. Azure Security Center can also detect and block malware from being installed on your VMs.
3. Your company has recently migrated to Azure cloud services. Azure has various reporting and monitoring tools built in. What is the simplest tool to use to create a single report that will show all security information to be collected from all the monitoring tools?
- Secure Score
- Azure Sentinel (CORRECT)
- Azure Key Vault
Correct: Azure Sentinel is Microsoft’s cloud-based SIEM solution and can combine and report on security data from different sources.
4. Your company has recently migrated to Azure cloud services, and management is concerned that sensitive information such as passwords, encryption keys, and certificates will not be as secure as it was when operating an on-premises environment. What solution can you implement to allay these concerns?
- Implement Azure Sentinel.
- Configure a secure VM and store the passwords and certificates in a shared folder.
- Implement Azure Key Vault. (CORRECT)
Correct: Azure Key Vault is a centralized cloud service for storing your applications’ secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.
5. Your company is planning to migrate to Azure cloud services; however, because of its type of business, it is obliged to follow regulatory compliance that requires it to be the only customer using the physical machine that will host its virtual machines in the cloud. How can your company migrate to the cloud while still remaining compliant?
- Configure the VMs to run on Azure Dedicated Host (CORRECT)
- Configure the network so that the company’s VMs are isolated from other VMs running on the same host in the datacenters.
- They cannot; these specific systems will need to remain and operate on-premises only.
Correct: By default, virtual machines (VMs) on Azure run on shared hardware that’s managed by Microsoft. Although the underlying hardware is shared, VM workloads are isolated from workloads being run by other Azure customers. However, some organizations must follow regulatory compliance that requires them to be the only customer using the physical machine that hosts their virtual machines. Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.
KNOWLEDGE CHECK 2
1. Malicious attackers can try to overwhelm the resources of a network by sending large volumes of packets to a targeted host on the network. Which of the following Azure offerings would be most suitable for detecting this form of attack?
- Network security groups
- Azure Firewall
- Azure DDoS Protection (CORRECT)
Correct: DDoS Protection can help protect your Azure resources from DDoS attacks. A DDoS attack attempts to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users.
2. True or False
Azure Firewall provides Network Address Translation (NAT) rules that can define destination IP addresses and ports to translate inbound requests.
- True (CORRECT)
- False
Correct: Azure Firewall provides Network Address Translation (NAT) rules that can define destination IP addresses and ports to translate inbound requests.
3. What service tiers are available to DDoS Protection?
Select all options that apply.
- Basic (CORRECT)
- Enhanced
- Standard (CORRECT)
Correct: The Basic service tier is automatically enabled for free as part of your Azure subscription. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. The Basic service tier ensures that Azure infrastructure itself is not impacted during a large-scale DDoS attack. Azure’s global network is used to distribute and mitigate attack traffic across Azure regions.
Correct: The Standard service tier provides additional mitigation capabilities that are tuned specifically to Azure Virtual Network resources. The Standard tier also provides always-on traffic monitoring and real-time mitigation of common network-level attacks.
4. Having recently migrated to Azure cloud services, you need to implement a solution that will allow the filtering of network traffic to and from Azure resources within an Azure Virtual Network. Which of the following services would be most suitable to solve this problem?
- DDoS protection
- Azure Firewall
- Network Security Groups (CORRECT)
Correct: A Network Security Group (NSG) enables you to filter network traffic to and from Azure resources within an Azure Virtual Network. You can think of network security groups like an internal firewall.
5. What is the simplest way for a company to implement a policy that will restrict VMs from being able to communicate with each other?
- Limit access by implementing DDoS protection.
- Use Network Security Groups to create a rule that prevents access from another VM on the same network. (CORRECT)
- Place each VM on a separate virtual network.
Correct: A network security group rule enables you to filter traffic to and from resources by source and destination IP address, port, and protocol.
TEST PREP
1. Your company is considering moving to Azure cloud services; however, management wants assurances. Features such as security reporting, similar to their existing on-premises SIEM solution, need to be available. Which of the following features can be implemented that will provide a cloud-based SIEM solution?
- Configure a secure VM and store the passwords and certificates in a shared folder.
- Implement Azure Key Vault.
- Implement Azure Sentinel. (CORRECT)
Correct: Azure Sentinel is Microsoft’s cloud-based SIEM solution and can combine and report on security data from different sources.
2. Tailwind Traders has recently migrated to Azure cloud services. Azure includes various built-in reporting and monitoring tools. What is the simplest tool to use to view groups of related security recommendations showing the percentage of security controls that the company currently satisfies?
- Azure Sentinel
- Secure Score (CORRECT)
- Azure Key Vault
Correct: Secure score is based on security controls, or groups of related security recommendations. Your score is based on the percentage of security controls that you satisfy. The more security controls you satisfy, the higher the score you receive.
3. Many Azure services include built-in security features; however, Azure also has specific tools to assist with securing your environment. Which of the following would be the simplest way to centrally manage your passwords and certificates in a single, central location?
- Azure Key Vault (CORRECT)
- Azure Security Center
- Azure Sentinel
Correct: Azure Key Vault is a centralized cloud service for storing your applications’ secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.
4. Having recently migrated to Azure cloud services, you need to implement a solution that will allow the monitoring of incoming and outgoing network traffic and determine whether to allow or block specific traffic based on a defined set of security rules. Which of the following services would be most suitable to solve this problem?
- Network Security Groups
- Azure Firewall (CORRECT)
- DDoS protection
Correct: Azure Firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
5. Which of the following services allows for the configuration of application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet?
- DDoS Protection
- Network Security Groups
- Azure Firewall (CORRECT)
Correct: Azure Firewall allows the configuration of application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
6. Which of the following do you think are features that should be offered by a security service? Select all options that apply.
- Automatically apply required security settings (CORRECT)
- Creates user roles
- Just-in-time access control (CORRECT)
- Detect attacks (CORRECT)
Correct: You should be able to use a security service to apply security settings.
Correct: You should be able to use a security service to control access.
Correct: A security service should be able to detect attacks.
7. What do you think are the benefits of using Key Vault? Select all options that apply.
- Just-in-time access control
- Centralized application secrets (CORRECT)
- Access monitoring and access control (CORRECT)
- Integration with other Azure services (CORRECT)
Correct: This reduces the chances that secrets are accidentally leaked.
Correct: You can monitor and control access to your application secrets.
Correct: You can integrate Key Vault with other Azure services.
8. A dedicated host is a solution to regulatory compliance that requires some organizations to be the only customer using the physical machine that hosts their virtual machines.
- True (CORRECT)
- False
Correct: A dedicated host is mapped to a physical server in an Azure datacenter. Azure Dedicated Host provides dedicated physical servers to host an organization’s Azure VMs for Windows and Linux.
CONCLUSION – General Security & Network Security in Microsoft Azure
In conclusion, this module equips you with the skills to effectively protect your workloads both in the cloud and on-premises using Azure. You’ll gain a solid understanding of Azure services that ensure your network is safe, secure, and trusted, enabling you to implement comprehensive security strategies within your organization.

