Differences

This shows you the differences between two versions of the page.

--- azure:az-500:platform_protection [2022/06/27 13:33] – [Service Endpoints] mmuze
+++ azure:az-500:platform_protection [2022/07/22 00:42] (current) – mmuze
@@ Line 37: / Line 37: @@
   * [[https://docs.microsoft.com/en-us/learn/modules/perimeter-security/6-azure-firewall-features]]
   * Azure Firewall has built-in high-availability and scalability, so no additional load-balancers are needed.
+    * Has built-in AZ redundancy capabilities
   * **Azure Firewall** supports three types of rules, NAT, network and application.
   * Network rules are applied first then application.
@@ Line 45: / Line 46: @@
   * **Service Tags** can be used (for Azure services) in firewall rules in place of IPs for Azure services to simplify things by abstracting away the need to specify IPs.
   * **FQDN Tags** can be used in firewall rules to allow traffic to all FQDNs that are part of the tag.
+==== Premium SKU ====
+  * TLS inspection
+  * IDPS
+  * URL filtering - extends standard tier FQDN capabilities to handle full URL
+  * web categories - allows filtering based on categories of website content (e.g. social media, gambling, etc.)
 ===== Azure Firewall Manager =====
@@ Line 53: / Line 61: @@
 ====== Application Gateway ======
   * [[https://docs.microsoft.com/en-us/learn/modules/network-security/8-azure-application-gateway]]
+  * Is a layer 7 device
+{{ :azure:az-500:app-gateway.png |}}
 ====== Front Door ======
   * **Front Door** is a global layer 7 load-balancer service
+  * [[https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq]]
   * The Premium v2 sku supports **Private Endpoints** for the origin servers
+=== Application Gateway vs Front Door ===
+> While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a non-regional service whereas Application Gateway is a regional service.
 ====== Network Security Groups (NSGs) ======
@@ Line 76: / Line 92: @@
       * The Service Endpoint route takes a higher precedence than the default route.
+{{ :azure:az-500:service-endpoints.png |}}
 ===== Private Endpoint =====
   * **Private Endpoint** allows you to connect your virtual network to services in Azure without a public IP address at the source or destination.
   * The key difference between Private Link and Service Endpoints is that with Private Link you are injecting the multi-tenant PaaS resource into your virtual network.
-  * With Service Endpoints, traffic still left you Vnet and hit the public endpoint of the PaaS resource, with Private Link the PaaS resource sits within your Vnet and gets a private IP on your Vnet. When you send traffic to the PaaS resource, it does not leave the virtual network.
+  * With Service Endpoints, traffic still leaves your Vnet and hits the public endpoint of the PaaS resource, with Private Link the PaaS resource sits within your Vnet and gets a private IP on your Vnet. When you send traffic to the PaaS resource, it does not leave the virtual network.
+{{ :azure:az-500:private-endpoint.png }}
-{{:azure:az-500:private-endpoint.png |}}
 ====== § ======
-=== Force Tunneling ===
+=== Forced Tunneling ===
 > Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing.
 This is sometimes referred to as back hauling.
+====== Disk Encryption ======
+  * Windows uses BitLock for disk encryption
+  * Linux uses DM-Crypt for disk encryption
+  * Disks are stored as page blobs in storage accounts
+  * Customer managed keys can be used and kept in Azure Key Vault
+====== Container Security ======
+  * ACR = Azure Container Registry
+  * [[https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles|ACR Roles]]