5.1 Choose the Right Infrastructure Security Control

Key Takeaways

  • Match the control to the layer: DDoS Protection defends network-layer availability (L3/L4); WAF inspects application-layer web requests (L7); Azure Firewall and NSGs both filter network traffic, but at different scopes.
  • Azure Firewall is a centralized, managed, stateful firewall for whole environments; NSGs are lightweight 5-tuple allow/deny rules attached to subnets or NICs.
  • The single biggest SC-900 trap is Firewall vs NSG vs WAF: 'centralized stateful policy' = Firewall, 'subnet/NIC allow-deny' = NSG, 'SQL injection / XSS / HTTP' = WAF.
  • Azure Bastion secures the RDP/SSH admin path without public VM IPs; Azure Key Vault centralizes secrets, keys, and certificates with Microsoft Entra ID authentication.
Last updated: June 2026

Match the Control to the Security Job

Most SC-900 questions about Azure infrastructure security are product-selection questions. The stem describes a risk, a traffic path, or an administrative habit, then asks which Microsoft security service addresses it. Your first move is always the same: identify what is at risk and at which network layer. Is the concern public availability under a flood, malicious HTTP request content, allowed network paths, virtual-machine management access, or sensitive secret material?

Naming the layer collapses most of the wrong answers immediately, because several of these services sound like network security but operate at very different points in the stack.

A reliable way to reason is to ask where enforcement must happen. Azure DDoS Protection absorbs and mitigates volumetric denial-of-service traffic against publicly reachable resources at network layers 3 and 4. Azure Firewall centrally enforces and logs connectivity policy across an environment. Web Application Firewall (WAF) inspects layer 7 HTTP and HTTPS requests for common web exploits. Network security groups (NSGs) apply simple allow/deny rules close to subnets and network interfaces. Azure Bastion secures the administrative path to VMs. Azure Key Vault protects secret material.

A Selection Table You Can Memorize

Scenario clue in the stem | Best Azure control | Why it fits
--- | --- | ---
Internet-facing endpoint must stay available during volumetric (L3/L4) floods | Azure DDoS Protection | Enhanced, always-on mitigation for public IPs in DDoS-enabled virtual networks
Centralized, stateful inspection and logging across many networks | Azure Firewall | Managed cloud-native firewall for an entire environment (hub-and-spoke)
SQL injection, cross-site scripting, OWASP web exploits | Web Application Firewall | Rule-based protection of HTTP/HTTPS web apps on App Gateway or Front Door
Permit/deny traffic to a single subnet or VM NIC | Network security group | Lightweight 5-tuple allow/deny rules at subnet or interface scope
Admins need RDP or SSH without public VM IP addresses | Azure Bastion | Browser-based RDP/SSH over TLS (port 443) using the VM's private IP
App needs stored secrets, encryption keys, or TLS certificates | Azure Key Vault | Centralized secrets, key, and certificate management with Entra ID auth

These controls are complementary, not interchangeable. A production web application commonly layers all six: DDoS Protection for network availability, WAF for application-layer inspection, Azure Firewall for hub egress policy, NSGs for subnet filtering, Bastion for private VM administration, and Key Vault for the app's certificates and database connection strings. SC-900 will not ask you to design a landing zone, but it expects you to know that these pieces stack into defense in depth.

The Firewall vs NSG vs WAF Trap

This is the chapter's highest-yield distinction. All three filter traffic, so the exam loves to offer two of them as plausible options. Anchor on these phrases:

  • "Centralized," "stateful," "across virtual networks," "managed firewall," "hub" → Azure Firewall.
  • "Allow/deny rules," "a subnet," "a network interface," "five-tuple," "inbound/outbound to this VM" → NSG.
  • "SQL injection," "XSS," "OWASP," "HTTP/HTTPS," "Application Gateway," "Front Door" → WAF.
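To make the NSG side of this distinction concrete, here is a minimal NSG-style 5-tuple evaluator (example code written for this chapter, not Microsoft's implementation): rules match on direction, protocol, source and destination prefix, and ports only; the lowest priority number wins; anything unmatched falls through to a default deny. The subnet 10.0.1.0/24, the Bastion range 10.0.250.0/27, and the rule names are constructed for the example. Nothing in the tuple ever looks at the request body, so a malicious HTTP request on port 443 is simply "allowed TCP 443" to an NSG, which is exactly why that job belongs to WAF.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NsgRule:
    """A 5-tuple NSG rule (protocol, source, source port, destination, destination
    port) with direction, Allow/Deny verdict and priority; payload is never read."""
    name: str
    priority: int        # 100-4096 for user rules; lower numbers are evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR prefix or "*"
    source_port: str     # single port, "low-high" range, or "*"
    destination: str     # CIDR prefix or "*"
    destination_port: str

# Simplified stand-in for the platform default rules: whatever no user rule
# matched is denied (constructed model, not Azure's complete default list).
DEFAULT_RULES = [
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)

def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    low, _, high = pattern.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(rules, direction, protocol, src, src_port, dst, dst_port):
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (rule.direction == direction
                and rule.protocol in ("*", protocol)
                and _addr_matches(rule.source, src)
                and _port_matches(rule.source_port, src_port)
                and _addr_matches(rule.destination, dst)
                and _port_matches(rule.destination_port, dst_port)):
            return rule.access, rule.name  # first match wins; later rules never override
    raise RuntimeError("unreachable: the default rules match every packet")

# Constructed web-subnet policy: HTTPS from anywhere, RDP only from an assumed
# Bastion subnet (10.0.250.0/27 is a made-up address range for this example).
WEB_SUBNET_RULES = [
    NsgRule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "*", "*", "10.0.1.0/24", "443"),
    NsgRule("AllowRdpFromBastionSubnet", 110, "Inbound", "Allow", "Tcp", "10.0.250.0/27", "*", "10.0.1.0/24", "3389"),
]
```

Run `evaluate(WEB_SUBNET_RULES, "Inbound", "Tcp", "203.0.113.7", 51234, "10.0.1.4", 3389)` and the verdict is the default deny, while the same packet from 10.0.250.5 is allowed by the Bastion rule.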

Read the Layer, Not the Brand Name

Watch wording that points at a layer. "Floods," "volumetric," "denial of service," and "layer 3/4" point to DDoS Protection. "Managed rules," "OWASP," "web exploit," and "request inspection" point to WAF. "Route control," "outbound filtering," "centralized policy," and "traffic inspection across VNets" point to Azure Firewall. Inbound/outbound allow or deny near subnets points to NSGs.

There is also an administration and data-protection angle. Azure Bastion is not an identity-governance product, but it removes direct public RDP/SSH exposure from virtual machines — a concrete reduction of attack surface. Key Vault is not a firewall, but it supports least privilege by moving passwords, tokens, keys, and certificates out of code and into a controlled service guarded by Microsoft Entra ID authentication plus Azure RBAC authorization.

For the exam, resist picking the most advanced-sounding product. Pick the control whose purpose matches the request:

  • Identify the protected asset first.
  • Decide whether the question is about availability, inspection, segmentation, administration, or secrets.
  • Choose the Azure service designed for that one job.
  • Remember real architectures combine several of these controls.

If the stem says protect a VM from open management ports, WAF is wrong — the problem is not web request inspection (Bastion plus NSGs fit). If the stem says protect an app from SQL injection, DDoS Protection is wrong — the problem is at the web application layer (WAF fits).

Where Each Control Sits in Defense in Depth

It helps to picture defense in depth as concentric rings around a workload, because SC-900 explicitly tests this layered model. Microsoft's defense-in-depth layers run roughly: physical security, identity and access, perimeter, network, compute, application, and data. The six services in this chapter map cleanly onto those rings, which is why no single one is ever "the" answer to a well-designed environment.

Defense-in-depth layer | Primary chapter control | What it stops
--- | --- | ---
Perimeter | Azure DDoS Protection | Volumetric floods that exhaust public endpoints
Network | Azure Firewall, NSGs | Unwanted lateral movement and unapproved paths
Application | Web Application Firewall | SQL injection, XSS, and other L7 web exploits
Compute (admin path) | Azure Bastion | Brute-force attacks against exposed RDP/SSH
Data / secrets | Azure Key Vault | Leaked keys, passwords, and certificates

A second mental shortcut is to separate prevention from detection. Most controls here are preventive: NSGs and Azure Firewall block disallowed traffic, WAF blocks malicious requests, Bastion removes a public attack surface, and Key Vault restricts who can read a secret. DDoS Protection is preventive too, but it also generates rich telemetry — attack metrics, alerts, and mitigation flow logs — that feed Microsoft Sentinel or another SIEM for detection and post-incident investigation. When an exam stem mentions monitoring, alerting, or streaming logs during an attack, that telemetry angle is the clue.

Finally, beware distractor answers from other chapters. A network-security question may list Microsoft Entra ID, Microsoft Purview, Microsoft Defender for Cloud, or Microsoft Sentinel as options. Those are real Microsoft products, but they answer identity, compliance, posture, or SIEM questions — not "which infrastructure control filters this traffic." If the stem is about a packet path, a flood, an HTTP exploit, an admin connection, or a stored secret, the answer is one of the six services in this chapter, not an identity or compliance product.

Test Your Knowledge

A company has a public Azure application and wants enhanced mitigation for network-layer (L3/L4) denial-of-service attacks. Which Azure service best matches that requirement?

A scenario asks for a managed, stateful firewall that centrally inspects and logs traffic across multiple virtual networks. Which control is the strongest fit, and why is an NSG not the best answer?

A question asks for a way to reduce direct public RDP and SSH exposure on Azure virtual machines. Which service should you choose?
