Bird
Raised Fist0
Azurecloud~5 mins

Azure Firewall for centralized security - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is Azure Firewall?
Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network resources by filtering and controlling traffic centrally.
Click to reveal answer
beginner
How does Azure Firewall help with centralized security?
It provides a single place to create, enforce, and log application and network connectivity policies across multiple Azure subscriptions and virtual networks.
Click to reveal answer
intermediate
Name two types of rules you can configure in Azure Firewall.
You can configure Network rules (for IP addresses, ports, and protocols) and Application rules (for fully qualified domain names - FQDNs).
Click to reveal answer
intermediate
What is the benefit of Azure Firewall's integration with Azure Monitor?
It allows you to collect logs and metrics for traffic analysis, threat detection, and auditing, helping you understand and improve your security posture.
Click to reveal answer
advanced
Why is Azure Firewall considered stateful?
Because it keeps track of the state of active connections and makes decisions based on the context of traffic, not just individual packets.
Click to reveal answer
What type of service is Azure Firewall?
APhysical hardware firewall
BCloud-based network security service
CAntivirus software
DIdentity management service
Which rule type in Azure Firewall controls traffic based on domain names?
AApplication rules
BNetwork rules
CUser rules
DIP rules
What does it mean that Azure Firewall is stateful?
AIt blocks all incoming traffic
BIt only filters traffic by IP address
CIt requires manual updates
DIt tracks active connections to make decisions
How does Azure Firewall support centralized security management?
ABy managing policies across multiple virtual networks and subscriptions
BBy installing software on each virtual machine
CBy encrypting data at rest
DBy providing user authentication
What is a key benefit of integrating Azure Firewall with Azure Monitor?
AAutomatic patching of firewall software
BIncreasing storage capacity
CCollecting logs and metrics for security analysis
DReducing network latency
Explain how Azure Firewall provides centralized security for Azure resources.
Think about managing security rules and monitoring from one place.
You got /4 concepts.
    Describe the difference between network rules and application rules in Azure Firewall.
    Consider what each rule type looks at to allow or block traffic.
    You got /3 concepts.

      Practice

      (1/5)
      1. What is the primary purpose of Azure Firewall in a cloud environment?
      easy
      A. To centralize network security and control traffic
      B. To store large amounts of data securely
      C. To provide virtual machines for computing
      D. To manage user identities and access

      Solution

      1. Step 1: Understand Azure Firewall's role

        Azure Firewall is designed to protect cloud resources by controlling and monitoring network traffic centrally.

      2. Step 2: Differentiate from other services

        Storing data, providing VMs, or managing identities are roles of other Azure services, not Azure Firewall.

      3. Final Answer:

        To centralize network security and control traffic -> Option A

      4. Quick Check:

        Azure Firewall = Centralized network security [OK]
      Hint: Azure Firewall controls traffic centrally, not data or users [OK]
      Common Mistakes:
      • Confusing Azure Firewall with storage services
      • Thinking it manages user identities
      • Assuming it provides computing resources
      2. Which subnet name is required when deploying Azure Firewall in a virtual network?
      easy
      A. Subnet1
      B. AzureFirewallSubnet
      C. FirewallSubnet
      D. DefaultSubnet

      Solution

      1. Step 1: Recall Azure Firewall deployment requirements

        Azure Firewall requires a dedicated subnet named exactly 'AzureFirewallSubnet' for deployment.

      2. Step 2: Check other options

        Other subnet names like 'FirewallSubnet' or 'DefaultSubnet' are incorrect and will cause deployment failure.

      3. Final Answer:

        AzureFirewallSubnet -> Option B

      4. Quick Check:

        Subnet name must be AzureFirewallSubnet [OK]
      Hint: Use exact subnet name 'AzureFirewallSubnet' for firewall deployment [OK]
      Common Mistakes:
      • Using generic subnet names instead of required one
      • Misspelling the subnet name
      • Not creating a dedicated subnet for Azure Firewall
      3. Given this Azure Firewall rule collection, what traffic will be allowed? 
      {
  "name": "AllowWeb",
  "rules": [
    {"name": "AllowHTTP", "protocol": "TCP", "port": 80, "action": "Allow"},
    {"name": "AllowHTTPS", "protocol": "TCP", "port": 443, "action": "Allow"}
  ]
}
      medium
      A. All traffic regardless of protocol or port
      B. All TCP traffic on any port
      C. Only HTTPS traffic on port 443
      D. Only HTTP and HTTPS traffic on ports 80 and 443

      Solution

      1. Step 1: Analyze the rule collection

        The rules explicitly allow TCP traffic on ports 80 (HTTP) and 443 (HTTPS) only.

      2. Step 2: Exclude other traffic

        Other ports or protocols are not allowed since no rules permit them.

      3. Final Answer:

        Only HTTP and HTTPS traffic on ports 80 and 443 -> Option D

      4. Quick Check:

        Rules allow TCP ports 80 and 443 only [OK]
      Hint: Check ports and protocols in rules to find allowed traffic [OK]
      Common Mistakes:
      • Assuming all TCP traffic is allowed
      • Ignoring port restrictions
      • Confusing protocol types
      4. You deployed Azure Firewall but traffic is not passing through. Which configuration mistake could cause this?
      medium
      A. Subnet name is not 'AzureFirewallSubnet'
      B. Public IP address is assigned to the firewall
      C. Firewall rules allow HTTP and HTTPS traffic
      D. Virtual network has multiple subnets

      Solution

      1. Step 1: Identify deployment requirements

        Azure Firewall requires the subnet to be named 'AzureFirewallSubnet' exactly for proper routing.

      2. Step 2: Understand impact of wrong subnet name

        If the subnet name is incorrect, firewall won't route traffic, causing blockage.

      3. Final Answer:

        Subnet name is not 'AzureFirewallSubnet' -> Option A

      4. Quick Check:

        Correct subnet name is critical for traffic flow [OK]
      Hint: Check subnet name first if firewall blocks traffic [OK]
      Common Mistakes:
      • Assuming public IP causes blockage (it is required)
      • Ignoring subnet naming rules
      • Thinking multiple subnets cause traffic issues
      5. You want to centralize security for multiple virtual networks using Azure Firewall. Which setup is best practice?
      hard
      A. Deploy separate Azure Firewalls in each virtual network without routing
      B. Use network security groups only without Azure Firewall
      C. Deploy one Azure Firewall in a hub virtual network and route traffic from spoke networks through it
      D. Deploy Azure Firewall without a public IP address

      Solution

      1. Step 1: Understand centralized security architecture

        Using a hub-and-spoke model, one Azure Firewall in the hub network protects multiple spoke networks by routing traffic through it.

      2. Step 2: Evaluate other options

        Deploying multiple firewalls increases cost and complexity; NSGs alone don't provide centralized control; firewall needs public IP for internet traffic.

      3. Final Answer:

        Deploy one Azure Firewall in a hub virtual network and route traffic from spoke networks through it -> Option C

      4. Quick Check:

        Hub-and-spoke with one firewall = centralized security [OK]
      Hint: Use hub network firewall to protect multiple spokes [OK]
      Common Mistakes:
      • Deploying multiple firewalls unnecessarily
      • Relying only on network security groups
      • Omitting public IP for Azure Firewall