Know the difference between Azure Firewall and WAF

virtual hubs vs. virtual network

An AppGateway combines a L7 load-balancer and WAF

Logs can be sent to EventHub, Log Analytics or Azure Storage

Alerts can be sent to Security Center

Is a firewall that can be put in front of certain Azure services (e.g. storage accounts, Azure SQL)

Azure provides VNet integrations for AppServices Apps and Functions

network restrictions on AppServices and Functions traffic

User Defined Routes (UDR) are supported to handle routing of traffic

Know network security options for App Service, Functions, AKS and storage

Service Endpoints limits access to specified VNets for all instances of a PaaS service via the Microsoft backbone network (instead of the internet)

Private Endpoints (PEs) limits access to specific instances of PaaS services to go over a private network integrated with a customer VNet

NSGs don't factor into PEs since the resource is mapped to an IP in the VNet.

PEs include built-in data exfiltration protection

SEs require the use of network virtual appliance or firewall to get data exfiltration protection

Private Link is the Azure service provided by various PaaS services that enables Private Endpoints. There can be third-party Private Link services in an addition to the Azure provided ones.

A Private Endpoint must be deployed in the same region and subscription as the VNet, but the Private Link service can be deployed in a different region and the VNet and PE