04 Microsoftazurefundamentalssecurity 1606403886308

Uploaded by

cvb vbn

© Copyright Microsoft Corporation. All rights reserved.

FOR USE ONLY AS PART OF VIRTUAL TRAINING DAYS PROGRAM. THESE MATERIALS ARE NOT AUTHORIZED FOR
DISTRIBUTION, REPRODUCTION OR OTHER USE BY NON-MICROSOFT PARTIES.
MOD 4: Azure Security and Network Security
Module outline
Module 04 – Outline

You will learn the following concepts:

▪ Azure Security features
  • Security Center and resource hygiene
  • Key Vault, Sentinel, and Dedicated Hosts
▪ Azure network security
  • Defense in depth
  • Network Security Groups and Firewalls
  • DDoS protection
Security tools and features
Security tools and features - Objective Domain

Describe the features and the functionality of:

• Azure Security Center, including policy compliance, security alerts, secure score, and resource hygiene
• Azure Sentinel
• Key Vault
• Azure Dedicated Hosts
Azure Security Center

Azure Security Center is a monitoring service that provides threat protection across both Azure and on-premises datacenters.

• Provides security recommendations
• Detects and blocks malware
• Analyzes and identifies potential attacks
• Provides just-in-time access control for ports
Walkthrough-Azure Security Center

Open Azure Security Center and view some of the common features and configuration options.

1. Launch Azure Security Center.
2. View Policy compliance options.
3. Review your Secure Score.
4. Set a Security Alert.
5. Explore Resource Hygiene.
Azure Security Center - capabilities
Azure Sentinel
Azure Sentinel is a security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that provides security analytics and threat intelligence across an enterprise.

Connectors and integrations:

• Office 365
• Azure Active Directory
• Azure Advanced Threat Protection
• Microsoft Cloud App Security
Azure Key Vault

Azure Key Vault stores application secrets in a centralized cloud location in order to securely control access permissions and access logging.

• Secrets management.
• Key management.
• Certificate management.
• Storing secrets backed by hardware security modules (HSMs).
Walkthrough-Implement Azure Key Vault

Create an Azure key vault and then create a password secret within the key vault.

1. Create an Azure key vault.
2. Add a secret to the Azure key vault.
Azure Dedicated Host

Azure Dedicated Host provides physical servers that host one or more Azure virtual machines and are dedicated to a single organization's workload.

Benefits
• Hardware isolation at the server level
• Control over maintenance event timing
• Aligned with Azure Hybrid Use Benefits
Secure network connectivity
Secure Network Connectivity - Objective Domain

Describe the concept and functionality of:

• Defense in depth
• Network Security Groups (NSG)
• Azure Firewall
• Azure DDoS protection
Defense in depth

• A layered approach to securing computer systems.
• Provides multiple levels of protection.
• Attacks against one layer are isolated from subsequent layers.

Layers (diagram): Physical Security, Identity & Access, Perimeter, Network, Compute, Application, Data
Shared Security Responsibility

• Migrating from customer-controlled to cloud-based datacenters shifts the responsibility for security.
• Security becomes a shared concern between cloud providers and customers.

Responsibility                          On-Premises  IaaS       PaaS                SaaS
Data governance and Rights Management   Customer     Customer   Customer            Customer
Client endpoints                        Customer     Customer   Customer            Customer
Account and access management           Customer     Customer   Customer            Customer
Identity and directory infrastructure   Customer     Customer   Microsoft/Customer  Microsoft/Customer
Application                             Customer     Customer   Microsoft/Customer  Microsoft
Network controls                        Customer     Customer   Microsoft/Customer  Microsoft
Operating system                        Customer     Customer   Microsoft           Microsoft
Physical hosts                          Customer     Microsoft  Microsoft           Microsoft
Physical network                        Customer     Microsoft  Microsoft           Microsoft
Physical datacenter                     Customer     Microsoft  Microsoft           Microsoft


Network Security Groups (NSGs)

Network Security Groups (NSGs) filter network traffic to and from Azure resources on
Azure Virtual Networks.

• Set inbound and outbound rules to filter by source and destination IP address, port,
and protocol.
• Add multiple rules, as needed, within subscription limits.
• Azure applies default, baseline security rules to new NSGs.
• Override default rules with new, higher priority rules.
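
How priority decides which NSG rule applies, as an added example that is not part of the original slides: a small evaluator that processes rules lowest priority number first and stops at the first match. The custom rules, the addresses and the VNet range are constructed, and the two default rules are simplified stand-ins (a CIDR range in place of the VirtualNetwork service tag, the load balancer rule omitted).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; the lowest number is evaluated first
    source: str     # CIDR range, or "*" for any source
    port: str       # destination port, or "*" for any port
    protocol: str   # "Tcp", "Udp", or "*"
    access: str     # "Allow" or "Deny"

# Simplified stand-ins for the default inbound rules (the load balancer rule is
# omitted, and a constructed CIDR replaces the VirtualNetwork service tag).
VNET_CIDR = "10.0.0.0/16"
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, VNET_CIDR, "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Constructed custom rules for one NSG.
SAMPLE_RULES = [
    Rule("Allow-SSH-From-Admin", 100, "203.0.113.10/32", "22", "Tcp", "Allow"),
    Rule("Deny-SSH-From-VNet", 200, VNET_CIDR, "22", "Tcp", "Deny"),
    Rule("Allow-HTTPS", 300, "*", "443", "Tcp", "Allow"),
]

def _matches(rule, src_ip, port, protocol):
    src_ok = rule.source == "*" or (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source))
    return src_ok and rule.port in ("*", str(port)) and rule.protocol in ("*", protocol)

def evaluate(custom_rules, src_ip, port, protocol):
    """Return (access, rule_name) for the first matching rule in priority order."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src_ip, port, protocol):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches all traffic")

if __name__ == "__main__":
    for src, port in [("203.0.113.10", 22), ("10.0.1.5", 22),
                      ("10.0.1.5", 3306), ("198.51.100.7", 22)]:
        print(src, port, evaluate(SAMPLE_RULES, src, port, "Tcp"))
```

The second case is the override the last bullet describes: intra-VNet SSH is denied by the priority 200 rule before the default allow at 65000 is ever reached.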
Azure Firewall

A stateful, managed Firewall as a Service (FaaS) that grants/denies server access based
on originating IP address, in order to protect network resources.
• Applies inbound and outbound traffic filtering rules
• Built-in high availability
• Unrestricted cloud scalability
• Uses Azure Monitor logging
Azure Distributed Denial of Service (DDoS) protection

DDoS attacks overwhelm and exhaust network resources, making apps slow
or unresponsive.
• Sanitizes unwanted network traffic before it impacts service availability.
• Basic service tier is automatically enabled in Azure.
• Standard service tier adds mitigation capabilities that are tuned to protect Azure
Virtual Network resources.
Defense in Depth Reviewed

Combining network security solutions
• NSGs with Azure Firewall to achieve defense in depth.
• Perimeter layer protects your network boundaries with Azure DDoS Protection and Azure Firewall.
• Networking layer only permits traffic to pass between networked resources with Network Security Group (NSG) inbound and outbound rules.

Layers (diagram): Physical Security, Identity & Access, Perimeter, Network, Compute, Application, Data
Walkthrough - Secure network traffic

Create and configure inbound & outbound security port rules.
Module 4 Review

• Azure Security Center and resource hygiene
• Key Vault, Sentinel, and Dedicated Hosts
• Defense in depth
• DDoS protection
Microsoft Learn Modules
(docs.microsoft.com/Learn)
