Differences
This shows you the differences between two versions of the page.
| azure:az-500:platform_protection [2022/06/24 00:38] – [Service Endpoints] mmuze | azure:az-500:platform_protection [2022/07/22 00:42] (current) – mmuze | ||
|---|---|---|---|
| Line 37: | Line 37: | ||
| * [[https:// | * [[https:// | ||
| * Azure Firewall has built-in high-availability and scalability, | * Azure Firewall has built-in high-availability and scalability, | ||
| + | * Has built-in AZ redundancy capabilities | ||
| * **Azure Firewall** supports three types of rules, NAT, network and application. | * **Azure Firewall** supports three types of rules, NAT, network and application. | ||
| * Network rules are applied first then application. | * Network rules are applied first then application. | ||
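Review bot: the added bullet "Has built-in AZ redundancy capabilities" should spell out that AZ means availability zones and that zone placement is a choice made when the firewall is deployed, so the redundancy is only there if it was selected at creation. Suggest `* Can be deployed across availability zones (selected at deployment time) for zone redundancy`.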
| Line 45: | Line 46: | ||
| * **Service Tags** can be used (for Azure services) in firewall rules in place of IPs for Azure services to simplify things by abstracting away the need to specify IPs. | * **Service Tags** can be used (for Azure services) in firewall rules in place of IPs for Azure services to simplify things by abstracting away the need to specify IPs. | ||
| * **FQDN Tags** can be used in firewall rules to allow traffic to all FQDNs that are part of the tag. | * **FQDN Tags** can be used in firewall rules to allow traffic to all FQDNs that are part of the tag. | ||
| + | |||
| + | ==== Premium SKU ==== | ||
| + | * TLS inspection | ||
| + | * IDPS | ||
| + | * URL filtering - extends standard tier FQDN capabilities to handle full URL | ||
| + | * web categories - allows filtering based on categories of website content (e.g. social media, gambling, etc.) | ||
| + | |||
| ===== Azure Firewall Manager ===== | ===== Azure Firewall Manager ===== | ||
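Review bot: the four Premium SKU bullets leave out the dependencies that decide whether the features actually take effect. TLS inspection needs an intermediate CA certificate stored in Azure Key Vault and referenced from the firewall policy, and URL filtering and web categories only see the full URL of HTTPS requests when TLS inspection is enabled; without it they fall back to the FQDN, which is the Standard tier behaviour. Also expand IDPS on first use (intrusion detection and prevention system), and note that web categories already exist in the Standard tier at FQDN level, so the Premium addition is categorisation on the full URL.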
| Line 50: | Line 58: | ||
| * [[https:// | * [[https:// | ||
| + | |||
| + | ====== Application Gateway ====== | ||
| + | * [[https:// | ||
| + | * Is a layer 7 device | ||
| + | |||
| + | {{ : | ||
| + | ====== Front Door ====== | ||
| + | * **Front Door** is a global layer 7 load-balancer service | ||
| + | * [[https:// | ||
| + | * The Premium v2 sku supports **Private Endpoints** for the origin servers | ||
| + | |||
| + | === Application Gateway vs Front Door === | ||
| + | |||
| + | > While both Front Door and Application Gateway are layer 7 (HTTP/ | ||
| + | |||
| ====== Network Security Groups (NSGs) ====== | ====== Network Security Groups (NSGs) ====== | ||
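Review bot: "Premium v2 sku" under Front Door mixes two product names: v1/v2 are Application Gateway SKUs, while Front Door is offered as Standard and Premium tiers (plus the older classic offering), and Private Link to origins is a Premium-tier feature. Suggest `* The Premium tier supports **Private Link** to origin servers`. Two smaller points: the "Application Gateway vs Front Door" heading uses === (level 4) directly under a ====== (level 1) section, skipping two levels, and the Application Gateway bullets would be more useful if they stated that it is a regional service while Front Door is global, since that is the deciding factor between the two.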
| Line 60: | Line 83: | ||
| ====== Service Endpoints and Private Endpoints ====== | ====== Service Endpoints and Private Endpoints ====== | ||
| ===== Service Endpoints ===== | ===== Service Endpoints ===== | ||
| - | * Service Endpoints allow you to restrict access to your PaaS resources to traffic coming from your Azure Virtual Network. | + | * Service Endpoints allow you to restrict access to your PaaS resources to traffic coming from your Azure Virtual Network. By default many Azure services allow access from the Internet to the service' |
| * [[https:// | * [[https:// | ||
| * **Service Endpoints** makes it so the source IP used by a VM to access public Azure services (e.g. Blob Storage) is a private IP from the VM VNet. The service/ | * **Service Endpoints** makes it so the source IP used by a VM to access public Azure services (e.g. Blob Storage) is a private IP from the VM VNet. The service/ | ||
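Review bot: the reworded Service Endpoints bullet still implies that enabling a service endpoint on a subnet restricts access by itself. It does not: enabling the endpoint only changes routing so that the PaaS service sees the VNet and subnet identity (private source IP) instead of the VM's public address; the restriction comes from the network rules on the PaaS resource, for example the storage account firewall set to allow the selected subnet and deny public network access. Suggest adding a bullet stating that both steps are required, otherwise the resource remains reachable from the Internet.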
| Line 69: | Line 92: | ||
| * The Service Endpoint route takes a higher precedence than the default route. | * The Service Endpoint route takes a higher precedence than the default route. | ||
| + | {{ : | ||
| ===== Private Endpoint ===== | ===== Private Endpoint ===== | ||
| - | * **Private Endpoint** allows you to connect your virtual network to services in Azure without a public IP address at the source or destination. | + | * **Private Endpoint** allows you to connect your virtual network to services in Azure without a public IP address at the source or destination. |
| + | * The key difference between Private Link and Service Endpoints is that with Private Link you are injecting the multi-tenant PaaS resource into your virtual network. | ||
| + | * With Service Endpoints, traffic still leaves your Vnet and hits the public endpoint of the PaaS resource, with Private Link the PaaS resource sits within your Vnet and gets a private IP on your Vnet. When you send traffic to the PaaS resource, it does not leave the virtual network. | ||
| + | {{ : | ||
| ====== § ====== | ====== § ====== | ||
| - | === Force Tunneling === | + | === Forced |
| > Forced tunneling lets you redirect or " | > Forced tunneling lets you redirect or " | ||
| This is sometimes referred to as back hauling. | This is sometimes referred to as back hauling. | ||
| + | |||
| + | ====== Disk Encryption ====== | ||
| + | * Windows uses BitLock for disk encryption | ||
| + | * Linux uses DM-Crypt for disk encryption | ||
| + | * Disks are stored as page blobs in storage accounts | ||
| + | * Customer managed keys can be used and kept in Azure Key Vault | ||
| + | |||
| + | ====== Container Security ====== | ||
| + | * ACR = Azure Container Registry | ||
| + | * [[https:// | ||
| + | |||
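Review bot: "Disks are stored as page blobs in storage accounts" is only true for unmanaged disks; managed disks are a separate ARM resource that does not live in a customer-visible storage account, so the bullet should say "unmanaged disks". Also under Disk Encryption, "BitLock" should be "BitLocker", and the customer-managed key bullet should distinguish Azure Disk Encryption (the BitLocker/DM-Crypt keys held in Key Vault) from server-side encryption with customer-managed keys (a disk encryption set referencing a Key Vault key), since they are configured differently. In the Private Endpoint section the bullets switch between "Private Endpoint" and "Private Link"; one line saying that Private Link is the service and the private endpoint is the NIC carrying the private IP in your VNet would help, along with the caveat that name resolution must return that private IP (typically via a privatelink private DNS zone), or clients will keep going to the public endpoint.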