You are the Azure Security Administrator at the Tamilat Corporation. Tamilat has recently started moving to Azure; it currently hosts a wide range of apps in its on-premises datacenter.
You have set up the virtual networks required to make these apps work seamlessly. Now you are tasked with implementing security measures that filter network-layer and application-layer traffic into and out of the virtual networks. You want to implement Azure Firewall.
Which of the following statements about Azure Firewall are TRUE? (Choose three.)
A) The two types of FQDN tags are Microsoft-managed FQDN tags and customer-managed FQDN tags.
B) Network rules are applied and matched before applying and matching the application rules.
C) The possible states of an Azure firewall are Healthy and Unhealthy.
D) Azure Firewall can log an alert and deny traffic to and from known malicious IP addresses and domains in near real-time.
E) Azure Firewall can be configured to span multiple availability zones for increased availability.
Explanation
The following statements are true:
Azure Firewall can be configured to span multiple availability zones for increased availability.
Network rules are applied and matched before applying and matching the application rules.
Azure Firewall can log an alert and deny traffic to and from known malicious IP addresses and domains in near real-time.
Azure Firewall deployed across multiple availability zones raises the uptime SLA of the firewall service to 99.99%. Azure Firewall can also be pinned to a single zone for proximity reasons; Microsoft guarantees an uptime of 99.95% for such deployments. Microsoft does not charge extra for a firewall deployed in multiple availability zones, but inbound and outbound data transfers to and from availability zones incur additional cost.
Azure Firewall uses three types of rules: DNAT rules, network rules, and application rules. Rules are processed by type: DNAT rules first, then network rules, then application rules; within a type, rule collections are evaluated in priority order (lowest number first). Rules are terminating, so if a packet matches a network rule, the application rules are not evaluated for it. This is a common pitfall: a broad network rule that allows TCP 443 bypasses any FQDN-based filtering you configured in application rules. If no network rule matches and the protocol is HTTP, HTTPS, or MSSQL, the application rules are evaluated. If neither the network rules nor the application rules match, the packet is checked against the built-in infrastructure rule collection (a default allow list of Microsoft platform FQDNs). A packet that matches no rule at all is denied.
Threat intelligence-based filtering can be enabled to alert on and deny traffic from and to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft threat intelligence feed. Threat intelligence filtering is processed before any DNAT, network, or application rule. It is enabled in alert mode by default; you can choose to log an alert only, or to alert and deny the traffic.
An FQDN tag is a group of fully qualified domain names (FQDNs) associated with well-known Microsoft services (for example, WindowsUpdate). FQDN tags are used in application rules to allow the required outbound traffic through the firewall without maintaining the FQDN list yourself. Customers cannot create custom FQDN tags: Microsoft manages the FQDNs that make up each tag and updates the tag when the FQDNs change. So statement A is false.
A firewall's health state can be Healthy, Degraded, or Unhealthy, not just Healthy or Unhealthy, so statement C is false. Azure Firewall can be monitored using its logs and metrics: it generates diagnostic logs (application rule, network rule, and DNS proxy logs), activity logs, and metrics. These can be viewed in Azure Monitor or sent to storage accounts and Event Hubs for analysis with tools such as Excel and Power BI. The Firewall health state metric reports the health state; Degraded indicates a condition such as SNAT port utilization above 95%.
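The following Az PowerShell script is an added example, not code from the original page or from Microsoft's documentation. It ties the three points above together: a zone-redundant deployment, one rule collection of each type laid out in the order the firewall evaluates them, and threat intelligence set to Deny. The resource group, VNet, region, address ranges, and resource names are assumptions; the VNet must already contain a subnet named AzureFirewallSubnet.

```powershell
# Added example (not from the original page): deploy a zone-redundant Azure Firewall
# with classic rule collections in the order the firewall evaluates them.
# Assumed: resource group "rg-tamilat-hub", VNet "vnet-hub" (already containing a
# subnet named exactly "AzureFirewallSubnet", /26 or larger), region "westeurope",
# workload subnet 10.0.1.0/24, web server 10.0.2.4, internal DNS 10.0.0.4.
$rg       = "rg-tamilat-hub"
$location = "westeurope"

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-hub"

# Azure Firewall requires a Standard SKU public IP; the zones must match the firewall's.
$pip = New-AzPublicIpAddress -Name "pip-azfw" -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard -Zone 1,2,3

# DNAT rule: publish the internal web server on the firewall's public IP. Evaluated first.
$natRule = New-AzFirewallNatRule -Name "dnat-web" -Protocol TCP `
             -SourceAddress "*" -DestinationAddress $pip.IpAddress -DestinationPort 443 `
             -TranslatedAddress "10.0.2.4" -TranslatedPort 443
$natColl = New-AzFirewallNatRuleCollection -Name "rc-dnat" -Priority 100 -Rule $natRule

# Network rule (L3/L4): allow DNS from the workload subnet to the internal resolver.
# A match here terminates processing; application rules are never consulted for it.
# Do NOT write "allow TCP 443 to *" here, or the FQDN filtering below is bypassed.
$netRule = New-AzFirewallNetworkRule -Name "allow-dns" -Protocol UDP `
             -SourceAddress "10.0.1.0/24" -DestinationAddress "10.0.0.4" -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "rc-net-allow" -Priority 200 `
             -Rule $netRule -ActionType Allow

# Application rules (L7): reached only for HTTP/HTTPS/MSSQL traffic with no network-rule match.
# One Microsoft-managed FQDN tag plus one explicit FQDN (assumed domain).
$appRuleTag  = New-AzFirewallApplicationRule -Name "allow-windows-update" `
                 -SourceAddress "10.0.1.0/24" -FqdnTag WindowsUpdate
$appRuleFqdn = New-AzFirewallApplicationRule -Name "allow-corp-saas" `
                 -SourceAddress "10.0.1.0/24" -TargetFqdn "*.tamilat.example" -Protocol "Https:443"
$appColl = New-AzFirewallApplicationRuleCollection -Name "rc-app-allow" -Priority 300 `
             -Rule $appRuleTag, $appRuleFqdn -ActionType Allow

# -Zone 1,2,3 gives the 99.99% SLA; -ThreatIntelMode Deny blocks (rather than only alerting on)
# traffic matching Microsoft's threat-intelligence feed before any rule above is evaluated.
$fw = New-AzFirewall -Name "azfw-hub" -ResourceGroupName $rg -Location $location `
        -VirtualNetwork $vnet -PublicIpAddress $pip -Zone 1,2,3 `
        -NatRuleCollection $natColl -NetworkRuleCollection $netColl `
        -ApplicationRuleCollection $appColl -ThreatIntelMode Deny

# Anything not matched by DNAT, network, application or the built-in infrastructure rules is denied.
$fw.Zones
$fw.ThreatIntelMode
```

The priorities (100, 200, 300) are only compared within a rule type; the type order DNAT, network, application is fixed regardless of the numbers, which is why the network rule is kept narrow.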
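As an added example (not from the original page), the script below reads the Firewall health state metric for the last hour and wires the firewall's diagnostic logs and metrics into a Log Analytics workspace so they can be queried in Azure Monitor. The firewall, resource group, and workspace names are assumptions, and the workspace is assumed to already exist.

```powershell
# Added example (not from the original page): check firewall health and enable diagnostics.
# Assumed: firewall "azfw-hub" and Log Analytics workspace "law-hub" in resource group "rg-tamilat-hub".
$rg = "rg-tamilat-hub"
$fw = Get-AzFirewall -Name "azfw-hub" -ResourceGroupName $rg
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "law-hub"

# FirewallHealth is reported as a percentage: 100 = Healthy, 50 = Degraded
# (for example SNAT port utilization above 95%), 0 = Unhealthy.
$health = Get-AzMetric -ResourceId $fw.Id -MetricName "FirewallHealth" `
            -TimeGrain 00:05:00 -AggregationType Average `
            -StartTime (Get-Date).AddHours(-1) -EndTime (Get-Date)
$latest = ($health.Data | Where-Object { $null -ne $_.Average } | Select-Object -Last 1).Average
switch ($latest) {
    100     { "Healthy" }
    50      { "Degraded: check the SNATPortUtilization metric" }
    0       { "Unhealthy" }
    default { "No data point in the last hour (value: $latest)" }
}

# Send rule-hit and DNS proxy logs plus all metrics to the workspace.
$logs = @(
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category AzureFirewallApplicationRule
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category AzureFirewallNetworkRule
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category AzureFirewallDnsProxy
)
$metrics = New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category AllMetrics
New-AzDiagnosticSetting -Name "diag-azfw-to-law" -ResourceId $fw.Id `
    -WorkspaceId $ws.ResourceId -Log $logs -Metric $metrics
```

Once the setting is in place, the AzureFirewallApplicationRule and AzureFirewallNetworkRule logs show which rule collection matched or denied each flow, which is the quickest way to confirm the rule processing order described above.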
Objective:
Describe security, privacy, compliance, and trust
Sub-Objective:
Describe Azure network security
References:
Microsoft Azure > Firewall > Deploy an Azure Firewall with Availability Zones using Azure PowerShell
Microsoft Azure > Firewall > Azure Firewall logs and metrics > Metrics
Microsoft Azure > Firewall > Azure Firewall rule processing logic
Microsoft Azure > Firewall > FQDN tags overview
Microsoft Azure > Firewall > Azure Firewall threat intelligence-based filtering