Azure AZ-500 Notes


Notes relating to Azure security technologies and services, based around revision I did in preparation for the Azure AZ-500 exam.

Azure Notes

Networking and Security

  • Virtual Network (vnet) - fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks

  • Network Security Group - used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources

  • Application Security Group - enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups

  • Azure Application Gateway - web traffic load balancer that enables you to manage traffic to your web applications

  • Azure Traffic Manager - DNS-based traffic load balancer. This service allows you to distribute traffic to your public facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness.

  • Azure Front Door - fast, reliable and more secure cloud content delivery service with intelligent threat protection

  • Azure Network Watcher - monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network

  • Azure Firewall - managed, cloud-based network security service that helps protect your Azure Virtual Network resources

  • Azure WAF - provides centralized protection of your web applications from common exploits and vulnerabilities, using managed rule sets such as the OWASP Top 10 (Core Rule Set)

  • Azure Sentinel - cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) for intelligent security analytics for your enterprise - alert, threat visibility, response, threat hunting

  • Azure Defender - provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more

  • Azure Security Center - unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they’re in Azure or not - as well as on premises

  • Azure Monitor - monitor Azure and on-premises services. Aggregate and analyze metrics, logs, and traces. Fire alerts and send notifications or call automated solutions

  • Azure Key Vault - helps safeguard cryptographic keys and secrets that cloud apps and services use; simplifies the key management process and enables you to control the keys that access and encrypt data

  • Azure Policy - enforces organizational standards and assesses compliance; helps bring your resources into compliance through bulk remediation for existing resources and automatic remediation for new resources

  • Azure Blueprints - enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organisation's standards, patterns, and requirements
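How the network security group bullets above are applied in practice, as an added example (not Azure tooling or the author's code): a small Python evaluator that runs custom rules before the platform's default inbound rules, lowest priority number first, first match wins, plus an audit helper that flags Allow rules opening management ports to any source. The VNet prefix, rule names and addresses are constructed, and service-tag matching is simplified to the VNet prefix (the real tags are maintained by Azure).

```python
"""Evaluate inbound NSG rules the way Azure does: lowest priority number first,
first match wins, platform default rules last. Added example (not Azure code).
Service tags are approximated: VirtualNetwork = the constructed VNet prefix,
Internet = anything outside it, AzureLoadBalancer = 168.63.129.16."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower number is evaluated first
    direction: str     # "Inbound" or "Outbound" (only inbound is evaluated here)
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*" or a service tag
    dest: str          # CIDR, "*" or a service tag
    dest_ports: str    # "3389", "80-443", "22,3389" or "*"


# Azure's default inbound rules (priorities 65000+); they cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

# Constructed rule sets: the weak one exposes RDP to any source; the hardened
# one restricts it to a management prefix (203.0.113.0/24 is a documentation range).
WEAK = [Rule("Allow-RDP-Any", 100, "Inbound", "Allow", "Tcp", "*", "*", "3389")]
HARDENED = [Rule("Allow-RDP-Mgmt", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "10.0.1.0/24", "3389")]

MGMT_PORTS = (22, 3389)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _addr_matches(spec: str, addr: str, vnet: str) -> bool:
    ip = ip_address(addr)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return ip in ip_network(vnet)
    if spec == "AzureLoadBalancer":
        return ip == ip_address("168.63.129.16")   # documented Azure health-probe source
    if spec == "Internet":
        return ip not in ip_network(vnet)          # simplification of the real tag
    return ip in ip_network(spec, strict=False)


def evaluate_inbound(rules, protocol, src, dst, port, vnet="10.0.0.0/16"):
    """Return (rule name, access) for the first matching rule."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.direction != "Inbound":
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not (_addr_matches(r.source, src, vnet) and _addr_matches(r.dest, dst, vnet)):
            continue
        if not _port_matches(r.dest_ports, port):
            continue
        return r.name, r.access
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def audit_broad_inbound(rules):
    """Flag Allow rules that open management ports to any source or the Internet tag."""
    findings = []
    for r in rules:
        if r.direction == "Inbound" and r.access == "Allow" and r.source in ("*", "Any", "Internet"):
            exposed = [p for p in MGMT_PORTS if _port_matches(r.dest_ports, p)]
            if exposed:
                findings.append(f"{r.name}: allows {r.protocol} {exposed} from {r.source}")
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, evaluate_inbound(rules, "Tcp", "198.51.100.7", "10.0.1.4", 3389), audit_broad_inbound(rules))
```

Two points the evaluator makes visible: a Deny rule is only effective if its priority number is lower than the Allow it is meant to override, and traffic from inside the VNet is allowed by the default rule at 65000 unless a custom rule denies it first, which is where application security groups come in as the source and destination of finer-grained rules.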

VPN

  • VPN Gateway - a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet

  • Azure ExpressRoute - extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider

  • Azure Point-to-Site VPN - lets you create a secure connection to your virtual network from an individual client computer

  • Azure Site-to-Site VPN - used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel

Storage

  • Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option but is not recommended for applications requiring high availability.

  • Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. Recommended for applications requiring high availability.

  • Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region.

  • Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.

  • General-purpose v2 accounts - Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage. It supports LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS replication options.

  • General-purpose v1 accounts - Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options

  • BlockBlobStorage accounts - Storage accounts with premium performance characteristics for block blobs and append blobs. Recommended for scenarios with high transaction rates, or scenarios that use smaller objects or require consistently low storage latency. Supports LRS, ZRS replication options

  • FileStorage accounts - Files-only storage accounts with premium performance characteristics. Recommended for enterprise or high-performance scale applications. Supports LRS, ZRS replication options

  • BlobStorage accounts - Legacy Blob-only storage accounts. Use general-purpose v2 accounts instead when possible. Supports LRS, GRS, RA-GRS replication options

  • Shared Access Signatures (SAS) - provide secure delegated access to resources in your storage account without sharing the account key. With a SAS, you have granular control over how a client can access your data: which resource, which permissions, the validity window, and optionally the allowed IP range and protocol
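What a service SAS actually is, as an added example (not Azure SDK code or the author's): the token is a set of query parameters plus an HMAC-SHA256 over a fixed-order string-to-sign, keyed with the account key. The field order below follows the documented service SAS string-to-sign for signed version 2018-11-09; the account name, key, container and blob are constructed, and the local verify function only illustrates what the storage service checks, namely that any change to the permissions, times, protocol, IP range or resource path invalidates the signature.

```python
"""Service SAS for a single blob: build the string-to-sign, sign it with the
account key, and check a presented token the way a verifier would.
Added example (not Azure SDK code); field order follows the documented
service SAS string-to-sign for signed version 2018-11-09."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"

# Constructed demo values; a real account key is a 512-bit base64 string from the portal.
DEMO_ACCOUNT = "demoacct"
DEMO_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-azure-account-key").decode("ascii")
DEMO_START = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
DEMO_EXPIRY = DEMO_START + timedelta(hours=8)
DEMO_NOW = DEMO_START + timedelta(hours=1)      # inside the validity window
DEMO_LATE = DEMO_EXPIRY + timedelta(days=1)     # after expiry


def _iso(ts: datetime) -> str:
    """SAS timestamps use yyyy-MM-ddTHH:mm:ssZ (UTC)."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _string_to_sign(account, container, blob, perms, start, expiry, protocol, ip="", identifier=""):
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [
        perms, start, expiry, canonical,
        identifier,          # signedIdentifier: stored access policy name, if any
        ip, protocol, SAS_VERSION,
        "b",                 # signedResource: a single blob
        "",                  # signedSnapshotTime
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct (response header overrides)
    ]
    return "\n".join(fields)


def _sign(key_b64: str, string_to_sign: str) -> str:
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_blob_sas(account, key_b64, container, blob, perms, start, expiry, protocol="https", ip=""):
    """Return the SAS query string for one blob; perms is e.g. "r" or "rw"."""
    st, se = _iso(start), _iso(expiry)
    sig = _sign(key_b64, _string_to_sign(account, container, blob, perms, st, se, protocol, ip))
    params = {"sv": SAS_VERSION, "sr": "b", "sp": perms, "st": st, "se": se, "spr": protocol}
    if ip:
        params["sip"] = ip
    params["sig"] = sig
    return urlencode(params)


def verify_blob_sas(account, key_b64, container, blob, token, now=None):
    """Recompute the signature from the presented parameters; any edit to
    sp/st/se/spr/sip or to the resource path changes the string-to-sign."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(token).items()}
    try:
        expected = _sign(key_b64, _string_to_sign(
            account, container, blob, q["sp"], q["st"], q["se"], q["spr"], q.get("sip", "")))
    except KeyError:
        return "missing parameter"
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return "bad signature"
    if not (q["st"] <= _iso(now) <= q["se"]):   # fixed-width UTC strings compare lexically
        return "outside validity window"
    return "ok"


if __name__ == "__main__":
    tok = build_blob_sas(DEMO_ACCOUNT, DEMO_KEY, "logs", "2024/app.log", "r", DEMO_START, DEMO_EXPIRY)
    print(tok)
    print(verify_blob_sas(DEMO_ACCOUNT, DEMO_KEY, "logs", "2024/app.log", tok, DEMO_NOW))
```

The design point worth remembering for the exam: a SAS signed directly with the account key cannot be revoked before its expiry except by rotating that key, which invalidates every SAS signed with it. Binding the SAS to a stored access policy (the signedIdentifier field, sent as si) moves the permissions and expiry into a policy on the container that can be changed or deleted on its own, and short expiry windows plus an spr of https limit the damage if a token leaks.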

Hybrid Solutions

  • Azure AD Connect Sync - responsible for creating users, groups, and other objects, and for making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes

  • Azure Directory Federation Services - simplified, secured identity federation and web single sign-on (SSO) capabilities. Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in the cloud

  • Password Hash Synchronisation - sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD

  • Pass-Through Authentication - sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment

  • Hybrid Monitoring - provides robust monitoring of on-premises and cloud resources, with a central location in the Azure portal to view this activity