Implement Platform Protection
A company is configuring a Network Security Group. To configure the group to allow traffic from public sources, what rule needs to be added to the default rules? a. Allow all virtual networks inbound and outbound b. Allow Azure load balancer inbound c. Allow Internet inbound
Allow Internet inbound. NSGs have default inbound and outbound rules. There is a default allow Internet outbound rule, but no allow Internet inbound rule, so one must be added.
When configuring Azure Firewall, the organization needs to allow Windows Update network traffic through the firewall. Which of the following rules should be configured? a. Destination inbound rules b. NAT rules c. Application rules
Application rules. Application rules define fully qualified domain names (FQDNs) that can be accessed from a subnet. Using FQDNs is the appropriate way to allow Windows Update network traffic.
To interact with Azure APIs, an Azure Kubernetes Service (AKS) cluster requires which of the following? a. AKS contributor b. Azure AD service principal c. Global Administrator permissions
Azure AD service principal. Service principal or managed identity. To interact with Azure APIs, an AKS cluster requires either an Azure Active Directory (AD) service principal or a managed identity. A service principal or managed identity is needed to dynamically create and manage other Azure resources such as an Azure load balancer or Azure container registry.
An organization would like to limit outbound Internet traffic from a subnet. Which product should be installed and configured? a. Azure Web Application Firewall b. Azure Firewall c. Load Balancer
Azure Firewall. Azure Firewall can limit the outbound IP addresses and ports that can be accessed. Define network rules that specify source address, protocol, destination port, and destination address.
An organization has web servers in different regions and wants to optimize the availability of the servers. Which network security service is best suited for this purpose? a. Azure Application Gateway b. Azure Front Door c. Custom routing
Azure Front Door. Azure Front Door grants the ability to define, manage, and monitor the global routing for web traffic, optimizing for best performance and instant global failover for high availability.
The organization is defining RBAC rules for the Azure Kubernetes security team. What is the best solution to grant permissions across the entire cluster? a. ClusterRoles and RoleBindings b. ClusterRoles and ClusterRoleBindings c. Roles and RoleBindings
ClusterRoles and ClusterRoleBindings. ClusterRole, ClusterRoleBinding. Roles are used to grant permissions within a namespace. To grant permissions across the entire cluster, or to cluster resources outside a given namespace, instead use a ClusterRole. Once roles are defined to grant permissions to resources, assign those Kubernetes RBAC permissions with a RoleBinding. Role bindings are used to assign roles for a given namespace. To bind roles across the entire cluster, or to cluster resources outside a given namespace, instead use a ClusterRoleBinding.
An organization has a security policy that prohibits exposing SSH ports to the outside world. You need to connect to an Azure Linux virtual machine to install software. What should you do? a. Configure the Bastion service b. Configure a Guest configuration on the virtual machine c. Create a custom script extension
Configure the Bastion service. The Azure Bastion service provides secure and seamless RDP and SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address.
When using Azure Kubernetes Service (AKS), there is a need to control the flow of traffic between pods and block traffic directly to the backend application. What is the best way to configure this? a. Create an AKS network policy b. Create an application gateway c. Create an Azure firewall
Create an AKS network policy. The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. The Network Policy feature in Kubernetes defines rules for ingress and egress traffic between pods in a cluster.
An organization has a web application and is concerned about attacks that flood the network layer with a substantial amount of seemingly legitimate traffic. How can this type of attack be blocked? a. Add a Web Application Firewall b. Add an Azure Firewall c. Create a DDoS policy
Create a DDoS policy. A DDoS policy provides defense against resource exhaustion, which could, for example, make an application unavailable to legitimate users.
What type of disk encryption is used for Linux disks? a. BitLocker b. DM-Crypt c. FileVault
DM-Crypt. Azure Disk Encryption is a capability that lets you encrypt your Windows and Linux IaaS VM disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data.
Which of the following recommendations from Security Center is a medium-severity recommendation for virtual machines and servers? a. Disk encryption should be applied on virtual machines. b. Install endpoint protection solution on virtual machines. c. System updates should be installed on your machines.
Install endpoint protection solution on virtual machines. Installing an endpoint protection solution on virtual machines is a medium-severity recommendation.
When deploying the Azure Application Gateway, there is a need to ensure incoming requests are checked for common security threats like cross-site scripting and crawlers. How can this concern be addressed? a. Install a load balancer b. Install Azure Firewall c. Install the Web Application Firewall
Install the Web Application Firewall. The web application firewall (WAF) is an optional component that handles incoming requests before they reach a listener. The web application firewall checks each request for many common threats, based on the Open Web Application Security Project (OWASP) rule sets.
Which services below are features of Azure Application Gateway? a. Authentication b. Layer 7 load balancing c. Vulnerability assessments
Layer 7 load balancing. Layer 7 load balancing, offloading of CPU-intensive SSL termination, round-robin distribution of incoming traffic. Azure Application Gateway is a dedicated virtual appliance offering various layer 7 load balancing capabilities for your application. It lets customers optimize web farm productivity by offloading CPU-intensive SSL termination to the application gateway, and provides round-robin distribution of incoming traffic, cookie-based session affinity, URL path-based routing, and the ability to host multiple websites behind a single Application Gateway.
Which attacks does using a privileged access workstation (PAW) protect companies against? a. Protects against attackers who have gained administrative access. b. Protects against server-based phishing attacks, various impersonation attacks, and credential theft attacks such as keystroke logging. c. Protects high impact IT administrative roles and tasks.
Protects high impact IT administrative roles and tasks. A PAW protects IT administrative roles by requiring that they only use a dedicated, hardened machine for administrative access.
A company with both Azure and on-premises virtual machines needs to ensure its virtual machines are kept up to date with security patches. Update Management is the Azure tool they will use, hopefully at limited cost. Will Update Management monitor their virtual machines for updates? a. The Microsoft Monitoring Agent must be installed for both Windows and Linux virtual machines on-premises. b. Both the Update Management feature and the log data storage are free for the customer. c. Update Management in Azure Automation collects information about Windows and Linux virtual machines and manages operating system updates.
Update Management in Azure Automation collects information about Windows and Linux virtual machines and manages operating system updates. Update Management in Azure Automation collects and manages system update information for Windows and Linux virtual machines in Azure, physical or VMs in on-premises environments, and other cloud environments.
Which of the following features of Azure networking enables the redirect of Internet traffic back to the company's on-premises servers for packet inspection? a. User Defined Routes b. Cross-premises network connectivity c. Traffic Manager
User Defined Routes. User-defined routes and forced tunneling. Use forced tunneling to redirect Internet-bound traffic back to the company's on-premises infrastructure. Forced tunneling is commonly used in scenarios where organizations want to implement packet inspection or corporate audits. Forced tunneling in Azure is configured via virtual network user-defined routes (UDRs).