5.1 Choose the Right Infrastructure Security Control

Key Takeaways

  • Azure infrastructure security controls are easiest to match when you first identify the traffic path or asset being protected.
  • Azure DDoS Protection focuses on network-layer availability for internet-reachable resources, while Web Application Firewall focuses on application-layer web threats.
  • Azure Firewall provides centralized network and application connectivity policy, and network security groups filter traffic at subnet or network-interface scope.
  • Azure Bastion reduces exposed VM administration paths, and Azure Key Vault centralizes keys, secrets, and certificates.

Last updated: May 2026

Match the Control to the Security Job

SC-900 questions about Azure infrastructure security are usually product-selection questions. The wording often describes a risk, a traffic path, or an administrative habit, then asks which Microsoft security solution addresses it. Start by identifying what is at risk: public availability, web application requests, network paths, VM management access, or sensitive secret material. That first step prevents confusing controls that all sound like network security but operate at different layers.

A practical way to reason about the topic is to ask where enforcement must happen. Azure DDoS Protection is about absorbing or mitigating denial-of-service traffic against publicly reachable resources. Azure Firewall is about centrally enforcing and logging connectivity policy. Web Application Firewall, or WAF, is about inspecting HTTP and HTTPS application traffic for common web exploits. Network security groups, or NSGs, are about allow and deny rules close to subnets and network interfaces.

| Scenario clue | Best Azure control | Why it fits |
|---|---|---|
| Internet-facing endpoint must remain available during volumetric attacks | Azure DDoS Protection | It provides enhanced DDoS mitigation for resources in virtual networks |
| Centralized inspection and logging for network paths | Azure Firewall | It is a managed, stateful firewall service for Azure workloads |
| SQL injection or cross-site scripting risk against a web app | Web Application Firewall | It protects web applications from common web exploits |
| Permit or deny traffic to subnets or VM network interfaces | Network security group | It filters inbound and outbound traffic in virtual networks |
| Admins need RDP or SSH without public VM IP addresses | Azure Bastion | It connects to VMs over TLS using private IP addresses |
| Apps need stored secrets, keys, or certificates | Azure Key Vault | It centralizes secret, key, and certificate management |

The controls also work together. A production web application might use DDoS Protection for network-layer availability, WAF for application-layer inspection, Azure Firewall for hub network policy, NSGs for subnet-level filtering, Bastion for private VM administration, and Key Vault for certificates or database secrets. SC-900 does not require designing a full enterprise landing zone, but it does expect you to know that these services are complementary rather than interchangeable.

Watch for wording that points to a layer. Mentions of layer 3 or layer 4, floods, or denial of service usually point to DDoS Protection. Mentions of HTTP requests, managed rules, OWASP-style risks, or application exploits point to WAF. Mentions of route control, outbound filtering, centralized firewall policy, or traffic inspection across virtual networks point to Azure Firewall. Mentions of inbound and outbound allow or deny rules near subnets point to NSGs.

There is also an identity and data protection angle. Azure Bastion is not an identity governance product, but it helps remove direct public RDP and SSH exposure from virtual machines. Key Vault is not a firewall, but it supports least privilege by moving passwords, tokens, keys, and certificates out of code and into a controlled service protected by authentication and authorization.

For exam practice, avoid picking the most advanced-sounding product. Pick the control whose purpose matches the request. If the prompt says protect a VM from open management ports, WAF is wrong because the problem is not web request inspection. If the prompt says protect an app from SQL injection, DDoS Protection is incomplete because the problem is at the web application layer.
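As an added example (not from this page or from Microsoft), the following Python models how a network security group decides an inbound flow: custom rules are checked from the lowest priority number upward, the first match wins, and Azure's three built-in default inbound rules are evaluated last. It then checks whether a VM's RDP and SSH ports are reachable from the Internet. The rule sets are constructed samples, and the Bastion path over private IP addresses is represented by the VirtualNetwork source tag.

```python
from dataclasses import dataclass

@dataclass
class NsgRule:
    name: str
    priority: int        # lower number is evaluated first
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # service tag such as "Internet" / "VirtualNetwork", or "*"
    dest_ports: list     # entries like "22", "3389", "1000-2000", or "*"

# Azure's built-in default inbound rules; they sit behind every custom rule.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", ["*"]),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", ["*"]),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", ["*"]),
]

def _port_matches(port, ranges):
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate_inbound(custom_rules, source_tag, port, protocol="Tcp"):
    """Return "Allow" or "Deny": ascending priority, first matching rule decides."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol) or rule.source not in ("*", source_tag):
            continue
        if _port_matches(port, rule.dest_ports):
            return rule.access
    return "Deny"  # not reachable while DenyAllInBound is present; kept as a safe default

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

def exposed_management_ports(custom_rules):
    """Management ports an Internet source can reach; non-empty means the VM is exposed."""
    return [p for p in MANAGEMENT_PORTS
            if evaluate_inbound(custom_rules, "Internet", p) == "Allow"]

# Constructed sample rule sets (not taken from any real subscription).
WEAK_RULES = [NsgRule("allow-rdp-anywhere", 300, "Allow", "Tcp", "*", ["3389"])]
HARDENED_RULES = [
    # Management ports are denied from the Internet; Bastion reaches the VM from
    # inside the virtual network, which AllowVnetInBound still permits.
    NsgRule("deny-mgmt-from-internet", 100, "Deny", "Tcp", "Internet", ["22", "3389"]),
    NsgRule("allow-https", 200, "Allow", "Tcp", "Internet", ["443"]),
]
```

Because the explicit deny sits at priority 100, a later "allow everything" rule added at a higher number cannot silently reopen RDP or SSH to the Internet.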

  • Identify the protected asset first.
  • Identify whether the question is about availability, inspection, segmentation, administration, or secrets.
  • Choose the Azure service designed for that job.
  • Remember that real architectures often combine several of these controls.

Test Your Knowledge

A company has a public Azure application and wants enhanced mitigation for network-layer denial-of-service attacks. Which Azure service best matches that requirement?

Test Your Knowledge

Which pairing best matches the service to the type of traffic it is designed to protect?

Test Your Knowledge

A question asks for a way to reduce direct public RDP and SSH exposure on Azure virtual machines. Which service should you choose?
