2.13 Azure Security Services
Key Takeaways
- Microsoft Defender for Cloud provides security posture management and threat protection across Azure, on-premises, and multi-cloud environments.
- Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources.
- Azure DDoS Protection safeguards Azure resources from Distributed Denial of Service attacks.
- Azure Key Vault securely stores and manages secrets, encryption keys, and certificates.
- Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution.
Azure Security Services
Quick Answer: Defender for Cloud = security posture + threat protection. Azure Firewall = network firewall. DDoS Protection = anti-DDoS. Key Vault = secrets/keys management. Microsoft Sentinel = SIEM/SOAR.
Microsoft Defender for Cloud
Microsoft Defender for Cloud is a comprehensive security solution that provides two major capabilities:
1. Cloud Security Posture Management (CSPM)
- Secure Score — A numerical score (0-100%) representing your security posture
- Security recommendations — Actionable guidance to improve your security
- Compliance assessments — Measure compliance against standards like PCI DSS, HIPAA, ISO 27001
- Multi-cloud support — Assess security across Azure, AWS, and Google Cloud
2. Cloud Workload Protection (CWP)
- Threat detection — Alerts when suspicious activity is detected
- Vulnerability assessment — Scan VMs, containers, and SQL databases for vulnerabilities
- Just-in-Time (JIT) VM access — Open VM ports only when needed, for specific users, for a limited time
- Adaptive application controls — Whitelist applications that can run on VMs
On the Exam: Defender for Cloud's Secure Score is often tested. It provides a single number that represents your overall security posture. Higher score = better security configuration.
Azure Firewall
Azure Firewall is a managed, stateful, cloud-based network firewall that protects Virtual Network resources.
Key features:
| Feature | Description |
|---|---|
| Stateful firewall | Tracks active connections and makes decisions based on connection state |
| Built-in HA | No additional load balancer needed, 99.95% SLA |
| Unrestricted scalability | Scales automatically with traffic |
| Application FQDN filtering | Filter outbound HTTP/S traffic by fully qualified domain names (e.g., *.microsoft.com) |
| Network traffic filtering | Rules based on source IP, destination IP, port, and protocol |
| Threat intelligence | Alert and block traffic from known malicious IPs and domains |
| DNAT support | Translate inbound internet traffic to private IP addresses |
Azure Firewall vs. Network Security Groups:
| Feature | NSG | Azure Firewall |
|---|---|---|
| Layer | 3/4 (network/transport) | 3/4/7 (network/transport/application) |
| Scope | Subnet or NIC level | VNet level |
| FQDN filtering | No | Yes |
| Threat intelligence | No | Yes |
| Cost | Free | Significant cost |
| Best for | Basic traffic filtering | Advanced network security |
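As an added illustration that is not part of this guide, the Bicep definition below deploys an Azure Firewall (classic rule collections) expressing two of the features from the tables above that an NSG cannot provide: FQDN-based application filtering for outbound HTTPS and threat-intelligence blocking. The hub VNet, the public IP, the resource names and the address ranges are assumptions.

```bicep
param location string = resourceGroup().location

// Assumed to exist already: a hub VNet containing an 'AzureFirewallSubnet' and a Standard-SKU static public IP
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'hub-vnet' }
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' existing = { name: 'fw-pip' }

resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'hub-firewall'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    // Threat intelligence: 'Deny' blocks traffic to/from known malicious IPs and domains ('Alert' only logs it)
    threatIntelMode: 'Deny'
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: '${vnet.id}/subnets/AzureFirewallSubnet' }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
    // Layer 7 application rule: outbound HTTPS from the workload subnet (assumed 10.0.1.0/24)
    // is allowed only to *.microsoft.com. An NSG works at layer 3/4 and cannot match on FQDN.
    applicationRuleCollections: [
      {
        name: 'allow-microsoft-fqdn'
        properties: {
          priority: 100
          action: { type: 'Allow' }
          rules: [
            {
              name: 'ms-https'
              sourceAddresses: [ '10.0.1.0/24' ]
              protocols: [ { protocolType: 'Https', port: 443 } ]
              targetFqdns: [ '*.microsoft.com' ]
            }
          ]
        }
      }
    ]
  }
}
```

Anything not matched by a rule collection is dropped by the firewall's implicit deny, so outbound HTTPS to any other domain from that subnet is blocked.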
Azure DDoS Protection
Azure DDoS Protection safeguards Azure resources from Distributed Denial of Service attacks.
| Tier | Features | Cost |
|---|---|---|
| DDoS Network Protection | Automatic tuning, real-time metrics, alerts, integration with Defender for Cloud | Monthly fee per VNet |
| DDoS IP Protection | Same core DDoS protection without DDoS rapid response team, cost protection, or WAF discount | Per-IP pricing |
What DDoS Protection does:
- Always-on monitoring — Traffic is monitored 24/7
- Automatic mitigation — Attack traffic is dropped before reaching your application
- Adaptive tuning — Learns your normal traffic patterns and adjusts protection accordingly
- Attack analytics — Detailed reports on attacks
Azure Key Vault
Azure Key Vault centrally manages secrets, encryption keys, and certificates:
| What It Stores | Examples |
|---|---|
| Secrets | Database connection strings, API keys, passwords |
| Keys | Encryption keys (RSA, EC) for data encryption/decryption |
| Certificates | SSL/TLS certificates for websites and services |
Benefits:
- Centralized secret management — One place for all secrets instead of scattered config files
- Access monitoring — Logs who accessed what and when
- Hardware Security Modules (HSM) — Keys can be protected by FIPS 140-2 Level 2 or Level 3 HSMs
- Integration — Works with Azure VMs, App Service, Functions, Storage, SQL, and more
On the Exam: Key Vault is the answer when a question mentions storing secrets securely, managing encryption keys, or centralizing certificate management.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution.
Key capabilities:
- Collect — Aggregate security data from across your entire organization (Azure, on-premises, other clouds, Microsoft 365)
- Detect — Find threats using AI and Microsoft's threat intelligence
- Investigate — Explore threats with AI and hunt for suspicious activities at scale
- Respond — Automate responses to common threats with playbooks (Logic Apps)
On the Exam: Microsoft Sentinel = SIEM + SOAR. It collects data, detects threats, investigates incidents, and automates responses. It is cloud-native (no infrastructure to deploy).
Review Questions
- Which Azure service provides a Secure Score representing your overall security posture?
- Where should you store database connection strings, API keys, and encryption keys in Azure?
- What type of solution is Microsoft Sentinel?
- What is the key advantage of Azure Firewall over Network Security Groups?