Bird
Raised Fist0
Azurecloud~20 mins

Azure Firewall for centralized security - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
Azure Firewall Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
Architecture
intermediate
2:00remaining
Designing a Centralized Azure Firewall Architecture

You want to centralize network security for multiple Azure virtual networks (VNets) in your organization using Azure Firewall. Which architecture best supports this goal while minimizing management overhead?

ADeploy a single Azure Firewall in a dedicated hub VNet and use VNet peering or VPN Gateway to route traffic from spoke VNets through the firewall.
BDeploy one Azure Firewall in each VNet and manage them separately.
CUse Network Security Groups (NSGs) on each subnet instead of Azure Firewall for centralized control.
DDeploy Azure Firewall only in the on-premises network and route Azure traffic through it.
Attempts:
2 left
💡 Hint

Think about a hub-and-spoke model to centralize security controls.

Configuration
intermediate
2:00remaining
Azure Firewall Network Rule Configuration

You configure an Azure Firewall network rule to allow outbound HTTPS traffic to a specific IP range. Which of the following rule configurations correctly allows TCP traffic on port 443 to IP range 192.168.1.0/24?

AProtocol: UDP, Source IP: *, Destination IP: 192.168.1.0/24, Destination Ports: 443
BProtocol: TCP, Source IP: *, Destination IP: 192.168.1.0/24, Destination Ports: 443
CProtocol: TCP, Source IP: 192.168.1.0/24, Destination IP: *, Destination Ports: 443
DProtocol: TCP, Source IP: *, Destination IP: 192.168.1.0/24, Destination Ports: 80
Attempts:
2 left
💡 Hint

Remember HTTPS uses TCP port 443 and the destination IP should be the allowed range.

security
advanced
2:00remaining
Azure Firewall Threat Intelligence Mode Behavior

You enable Threat Intelligence-based filtering on Azure Firewall with the mode set to 'Alert'. What is the expected behavior when traffic matches a known malicious IP or domain?

AThe firewall blocks the traffic and logs an alert.
BThe firewall blocks the traffic without logging.
CThe firewall allows the traffic and logs an alert.
DThe firewall allows the traffic without logging.
Attempts:
2 left
💡 Hint

Consider what 'Alert' mode means for threat intelligence in Azure Firewall.

service_behavior
advanced
2:00remaining
Azure Firewall Logging and Monitoring

Which Azure service must you configure to collect and analyze Azure Firewall logs for traffic and threat intelligence alerts?

AAzure Monitor Logs (Log Analytics Workspace)
BAzure Security Center only
CAzure Active Directory
DAzure DevOps Pipelines
Attempts:
2 left
💡 Hint

Think about where logs are stored and analyzed in Azure.

Best Practice
expert
3:00remaining
Implementing High Availability for Azure Firewall

You want to ensure your Azure Firewall deployment is highly available and resilient to zone failures. Which configuration meets this requirement?

AUse Azure Load Balancer in front of a single Azure Firewall instance.
BDeploy multiple Azure Firewalls in different regions without zone redundancy.
CDeploy Azure Firewall in a single availability zone with zone redundancy disabled.
DDeploy Azure Firewall with zone redundancy enabled across multiple availability zones.
Attempts:
2 left
💡 Hint

Consider Azure Firewall's built-in zone redundancy feature.

Practice

(1/5)
1. What is the primary purpose of Azure Firewall in a cloud environment?
easy
A. To centralize network security and control traffic
B. To store large amounts of data securely
C. To provide virtual machines for computing
D. To manage user identities and access

Solution

  1. Step 1: Understand Azure Firewall's role

    Azure Firewall is designed to protect cloud resources by controlling and monitoring network traffic centrally.

  2. Step 2: Differentiate from other services

    Storing data, providing VMs, or managing identities are roles of other Azure services, not Azure Firewall.

  3. Final Answer:

    To centralize network security and control traffic -> Option A

  4. Quick Check:

    Azure Firewall = Centralized network security [OK]
Hint: Azure Firewall controls traffic centrally, not data or users [OK]
Common Mistakes:
  • Confusing Azure Firewall with storage services
  • Thinking it manages user identities
  • Assuming it provides computing resources
2. Which subnet name is required when deploying Azure Firewall in a virtual network?
easy
A. Subnet1
B. AzureFirewallSubnet
C. FirewallSubnet
D. DefaultSubnet

Solution

  1. Step 1: Recall Azure Firewall deployment requirements

    Azure Firewall requires a dedicated subnet named exactly 'AzureFirewallSubnet' for deployment.

  2. Step 2: Check other options

    Other subnet names like 'FirewallSubnet' or 'DefaultSubnet' are incorrect and will cause deployment failure.

  3. Final Answer:

    AzureFirewallSubnet -> Option B

  4. Quick Check:

    Subnet name must be AzureFirewallSubnet [OK]
Hint: Use exact subnet name 'AzureFirewallSubnet' for firewall deployment [OK]
Common Mistakes:
  • Using generic subnet names instead of required one
  • Misspelling the subnet name
  • Not creating a dedicated subnet for Azure Firewall
3. Given this Azure Firewall rule collection, what traffic will be allowed? 
{
  "name": "AllowWeb",
  "rules": [
    {"name": "AllowHTTP", "protocol": "TCP", "port": 80, "action": "Allow"},
    {"name": "AllowHTTPS", "protocol": "TCP", "port": 443, "action": "Allow"}
  ]
}
medium
A. All traffic regardless of protocol or port
B. All TCP traffic on any port
C. Only HTTPS traffic on port 443
D. Only HTTP and HTTPS traffic on ports 80 and 443

Solution

  1. Step 1: Analyze the rule collection

    The rules explicitly allow TCP traffic on ports 80 (HTTP) and 443 (HTTPS) only.

  2. Step 2: Exclude other traffic

    Other ports or protocols are not allowed since no rules permit them.

  3. Final Answer:

    Only HTTP and HTTPS traffic on ports 80 and 443 -> Option D

  4. Quick Check:

    Rules allow TCP ports 80 and 443 only [OK]
Hint: Check ports and protocols in rules to find allowed traffic [OK]
Common Mistakes:
  • Assuming all TCP traffic is allowed
  • Ignoring port restrictions
  • Confusing protocol types
4. You deployed Azure Firewall but traffic is not passing through. Which configuration mistake could cause this?
medium
A. Subnet name is not 'AzureFirewallSubnet'
B. Public IP address is assigned to the firewall
C. Firewall rules allow HTTP and HTTPS traffic
D. Virtual network has multiple subnets

Solution

  1. Step 1: Identify deployment requirements

    Azure Firewall requires the subnet to be named 'AzureFirewallSubnet' exactly for proper routing.

  2. Step 2: Understand impact of wrong subnet name

    If the subnet name is incorrect, firewall won't route traffic, causing blockage.

  3. Final Answer:

    Subnet name is not 'AzureFirewallSubnet' -> Option A

  4. Quick Check:

    Correct subnet name is critical for traffic flow [OK]
Hint: Check subnet name first if firewall blocks traffic [OK]
Common Mistakes:
  • Assuming public IP causes blockage (it is required)
  • Ignoring subnet naming rules
  • Thinking multiple subnets cause traffic issues
5. You want to centralize security for multiple virtual networks using Azure Firewall. Which setup is best practice?
hard
A. Deploy separate Azure Firewalls in each virtual network without routing
B. Use network security groups only without Azure Firewall
C. Deploy one Azure Firewall in a hub virtual network and route traffic from spoke networks through it
D. Deploy Azure Firewall without a public IP address

Solution

  1. Step 1: Understand centralized security architecture

    Using a hub-and-spoke model, one Azure Firewall in the hub network protects multiple spoke networks by routing traffic through it.

  2. Step 2: Evaluate other options

    Deploying multiple firewalls increases cost and complexity; NSGs alone don't provide centralized control; firewall needs public IP for internet traffic.

  3. Final Answer:

    Deploy one Azure Firewall in a hub virtual network and route traffic from spoke networks through it -> Option C

  4. Quick Check:

    Hub-and-spoke with one firewall = centralized security [OK]
Hint: Use hub network firewall to protect multiple spokes [OK]
Common Mistakes:
  • Deploying multiple firewalls unnecessarily
  • Relying only on network security groups
  • Omitting public IP for Azure Firewall