Domain 3 of 4 · Chapter 1 of 4

Azure Infrastructure Security

Seven controls along one request path

Picture a single request arriving from the public internet and travelling all the way to a password your application needs. That request crosses the network in layers, the network and transport layers (3 and 4) that move packets and the application layer (7) that carries the web content, and it may end at a virtual machine (VM), a server you rent in Azure. Azure places a distinct security control at each of those layers, and this page seats seven of them along that one request path so you can name which control belongs where and pick the right one for a given threat.

The order runs outward-in. Azure DDoS Protection[1] meets the raw traffic at the edge and scrubs volumetric floods. Azure Firewall[2] filters the perimeter for every network at once. A Web Application Firewall[3] reads the web request itself for exploits. Virtual networks and subnets[4] carve the environment into isolated segments. A network security group[5] (NSG) allows or denies traffic right at a subnet or a network interface (NIC). Azure Bastion[6] is how an administrator reaches a VM without ever exposing it. And Azure Key Vault[7] is the guarded store the secret finally rests in.

This is defense in depth expressed as products: each layer is independent insurance, so getting past one still leaves the next. It maps onto the Microsoft Zero Trust model, whose assume breach principle motivates the segmentation and least-privilege network access this page is built on, and whose infrastructure and networks pillars these controls serve. The sections that follow walk the path one stop at a time, then close on the boundaries the exam turns on.

Public internet requestAzure DDoS Protectionscrubs layer 3-4 floodsAzure Firewallcentral perimeter, layers 3-7Web Application Firewalllayer 7 web exploitsVirtual network + subnetsisolate and segmentNetwork security groupallow/deny at subnet or NICAzure Bastionadmin access, no public IPAzure Key Vaultsecrets, keys, certificates
The request path: eight stops from a public internet request to a stored secret, each guarded by one Azure control.

The edge and the perimeter: DDoS, Firewall, and WAF

Your application's front door faces the public internet, and three different kinds of attack can arrive there: a flood that simply drowns your bandwidth, traffic from an address Microsoft already knows is malicious, and a crafted web request that tries to trick your code. Three Azure services, which Microsoft groups as the network security category, answer these in turn.

Azure DDoS Protection: absorbing floods at layers 3 and 4

A distributed denial-of-service (DDoS) attack tries to overwhelm your resources so genuine users cannot get through, and it comes in three shapes[1]: volumetric attacks that flood the network with bandwidth-consuming traffic, protocol attacks that exhaust server resources by abusing weaknesses in layer 3 and 4 protocols, and resource (application) layer attacks aimed at the web application itself. Azure DDoS Protection[8] monitors traffic around the clock and mitigates at layer 3 (network) and layer 4 (transport), which covers the volumetric and protocol shapes. It has two paid tiers: DDoS Network Protection guards an entire virtual network, and DDoS IP Protection is a pay-per-protected-IP model with the same core engine but without the value-added extras (rapid-response support, cost protection, and WAF discounts). Every Azure service already gets a free, default infrastructure-level DDoS protection, but its threshold is tuned high and it gives no telemetry or alerting, so a flood the platform shrugs off can still sink one application. Because DDoS Protection stops at layer 4, application-layer floods such as HTTP floods are handed to a WAF.

Azure Firewall: one stateful policy across every network

Azure Firewall[9] is a managed, cloud-based network security service that you typically deploy on a central hub virtual network so all your other VNets and on-premises networks route through it, giving one place to control traffic across subscriptions. It is stateful, meaning it tracks the state of active connections and judges traffic in context. Its rules work at both the network level (allow or deny by IP address, port, and protocol) and the application level (control access by fully qualified domain name, or FQDN, over HTTP/S), and its threat-intelligence filtering can alert on or deny traffic to and from IP addresses and domains that Microsoft's feed flags as malicious. It also performs source and destination network address translation (SNAT and DNAT). Azure Firewall is offered in Basic, Standard, and Premium tiers, where Premium adds a signature-based intrusion detection and prevention system (IDPS).

Web Application Firewall: guarding the web request at layer 7

Where Azure Firewall watches the network and can allow or block whole domains, a Web Application Firewall (WAF)[3] reads inside the web request itself, giving centralized protection for web applications against common exploits at layer 7. This is why Azure Firewall reaching into layer 7 does not make a WAF redundant: the firewall's application awareness means FQDN and protocol control, not the OWASP exploit inspection a WAF performs. A WAF applies the Open Web Application Security Project (OWASP) core rule set to block classics such as SQL injection, cross-site scripting (XSS), and the HTTP floods that DDoS Protection cannot see, and it lets you patch a newly found vulnerability in one place instead of on every app. Azure WAF is delivered through Azure Application Gateway[10] for a regional web app, Azure Front Door for a globally distributed one, and Azure CDN for content delivery. The exam boundary is crisp: DDoS Protection for network-layer floods, a WAF for application-layer web exploits, and the two together for defense in depth.

Containing the blast radius: segmentation and NSGs

A firewall at the perimeter does nothing to stop an attacker who is already inside from moving sideways. Segmentation is the answer: divide the network into compartments so a breach in one cannot spread to the rest, which is the Zero Trust assume breach principle applied to network design.

Virtual networks, subnets, and peering

An Azure virtual network (VNet)[4] is the fundamental building block of your private network in Azure and the isolation boundary: by default no traffic flows across VNets or inbound from outside, so any communication must be explicitly provisioned. Within a VNet you create subnets, smaller segments that let you separate workloads with different needs, for example web servers in one subnet and database servers in another, each with its own controls. When two VNets genuinely must talk, VNet peering[11] connects them so their resources communicate as if on one network, over the private Azure backbone rather than the public internet, and global VNet peering does this across regions. Each boundary between segments is a place to inspect and filter traffic.

Network security groups filter within a VNet

The filter that sits closest to a resource is the network security group (NSG)[5]. It holds inbound and outbound security rules that allow or deny traffic to and from Azure resources, evaluated in priority order (lower numbers first, and once a rule matches, evaluation stops) using five pieces of information: source, source port, destination, destination port, and protocol. That is the five-tuple. You attach one NSG to a subnet or to a network interface (NIC); the same NSG can be reused on many subnets and NICs. Azure adds default rules you cannot delete (though you can override them with a higher-priority rule) whose net effect is to allow traffic within the VNet and from the Azure load balancer while denying all other inbound traffic from the internet. Application security groups (ASGs) let you write those rules against named groups of VMs, such as WebServers or DbServers, instead of tracking IP addresses by hand.

Firewall filters across, an NSG filters within

This is the single most confused pair on the page, and Microsoft draws the line by scope. A network security group provides distributed traffic filtering to limit traffic to resources within a VNet, at the subnet or NIC. Azure Firewall[5] is a centralized, fully stateful firewall-as-a-service that protects across different VNets and subscriptions and adds FQDN and threat-intelligence filtering an NSG has no concept of. They are complementary, not alternatives: the figure shows Azure Firewall in a central hub filtering across peered spoke VNets, while each spoke keeps its own NSGs guarding traffic within, at each subnet. Use both for defense in depth.

Hub VNetAzure Firewallfilters across VNetsSpoke VNet AWeb subnet+ NSGDB subnet+ NSGSpoke VNet BApp subnet+ NSGData subnet+ NSGpeeringpeering
Azure Firewall filters across VNets from a central hub; a network security group filters within a VNet at each subnet or interface.

Reaching a VM without exposing it: Azure Bastion

To administer a VM you eventually need Remote Desktop Protocol (RDP) or Secure Shell (SSH) onto it, and the traditional way, opening those management ports to the internet, hands attackers exactly the target they scan for: a reachable machine with an open RDP or SSH port becomes the foothold for reaching everything else.

Azure Bastion[6] removes that exposure. It is a fully platform-managed service you provision inside your virtual network, and it brokers RDP and SSH sessions to your VMs straight from the Azure portal over Transport Layer Security (TLS) on port 443. Because the session rides in through Bastion, the VM needs no public IP address, no agent, and no special client, and its RDP or SSH ports never face the internet, which also takes the VM off the map for port scanners. Bastion is deployed per virtual network (and serves peered VNets too), not per VM or per subscription, so once it is in place every VM in that network is reachable this way. The figure traces the path: an administrator opens a session from a browser in the Azure portal, the request reaches Azure Bastion[12] over TLS 443, and Bastion connects onward to the target VM using a private IP.

Two misreadings to avoid. Bastion is not a VPN: it does not extend your on-premises network into Azure, it brokers a single portal-based session. And it is not a jump-box VM that you stand up and patch yourself; it is a managed platform-as-a-service (PaaS) that Azure keeps hardened and current, including against zero-day exploits.

Administratorbrowser in Azure portalAzure Bastionmanaged broker in the VNetTarget VMprivate IP onlyover TLS 443RDP/SSHNo public IP, no open RDP or SSH port
Azure Bastion brokers RDP and SSH from the Azure portal over TLS 443, so the target VM keeps only a private IP.

A guarded home for secrets, keys, and certificates

Once code needs a database password or an API key, the worst place to keep it is in the code. Azure Key Vault[7] is the managed store that centralizes these secrets so applications fetch them at runtime instead, which shrinks the chance of a credential leaking into source control.

Key Vault handles three kinds of protected material, and the exam expects you to recognize all three: secrets (passwords, connection strings, API keys, and other arbitrary values), keys (the cryptographic keys used to encrypt data), and certificates (public and private TLS/SSL certificates it can provision and renew). Access is a two-step gate: authentication, which proves who the caller is, is always handled by Microsoft Entra ID[13], and authorization, which decides what they may do, is handled by Azure role-based access control (RBAC) or a Key Vault access policy. Key Vault logs every access for monitoring, and it is designed so that Microsoft cannot see or extract your data. It comes in two tiers: Standard protects keys in software, while Premium stores them in a hardware security module (HSM), tamper-resistant hardware the keys never leave, for stricter compliance needs.

The trap to sidestep is treating Key Vault as an identity store. It holds an application's secrets, keys, and certificates, not user accounts or sign-in credentials; those live in Microsoft Entra ID, which Key Vault itself leans on to authenticate its own callers. By granting each application access to only the specific secrets it needs, Key Vault serves the Zero Trust principle of least privilege access and limits the blast radius if a credential is ever exposed.

Exam-pattern recognition: the boundaries tested

SC-900 questions on this domain almost always turn on telling two similar controls apart. These are the lines that decide the answer.

The boundaries that get tested

  • DDoS Protection versus WAF. A network-layer or transport-layer flood (volumetric or protocol, layers 3 and 4) points to Azure DDoS Protection; a web exploit or application-layer flood (SQL injection, cross-site scripting, HTTP flood, layer 7) points to a Web Application Firewall. If the stem mentions the OWASP top 10, the answer is WAF.
  • Azure Firewall versus NSG. Central control across many VNets and subscriptions, with FQDN or threat-intelligence filtering, means Azure Firewall. A simple allow or deny on the five-tuple at one subnet or network interface means a network security group. A stem that says filtering across virtual networks is signalling Firewall; within a virtual network is signalling NSG.
  • DDoS Network Protection versus IP Protection. Whole-VNet coverage is Network Protection; billing per protected public IP is IP Protection. The free default infrastructure-level protection is not a substitute, because it gives no telemetry, alerting, or tuned thresholds.
  • Azure Bastion. Any stem about reaching a VM with RDP or SSH but without a public IP or an open management port is Bastion. It is not a VPN and not a self-managed jump box.
  • Key Vault. Storing an application's secrets, keys, or certificates is Key Vault. Storing user identities or sign-in credentials is Microsoft Entra ID, not Key Vault.

Where this domain goes next

These controls protect the infrastructure; the rest of the domain watches over it. Microsoft Defender for Cloud and secure-score management assess and harden the posture of these resources, Microsoft Sentinel collects their signals for security information and event management (SIEM) and response, and Microsoft Defender XDR extends threat protection across endpoints, identities, email, and apps.

Four network controls: which layer, which scope, which threat

DimensionAzure DDoS ProtectionAzure FirewallWeb Application Firewall (WAF)Network security group (NSG)
Layer3 and 4 (network, transport)3 through 7 (network and application)7 (HTTP/S application)3 and 4 (five-tuple)
Scope and placementPer VNet (Network Protection) or per public IP (IP Protection)Centralized hub, across VNets and subscriptionsPer web app via App Gateway, Front Door, or CDNDistributed, within a VNet at a subnet or network interface
Primary threat stoppedVolumetric and protocol floodsMalicious IPs and FQDNs, unwanted egressOWASP exploits: SQL injection, XSS, HTTP floodsUnwanted traffic by allow or deny rule
Rule modelAuto-tuned mitigation, no rules to writeNetwork and application rules, FQDN and threat-intel filteringOWASP core rule set plus custom rulesPriority-ordered allow or deny on the five-tuple

Decision tree

Volumetric or protocolflood? (layers 3-4)Web-app exploit atlayer 7? (SQLi, XSS)Central egress or FQDNcontrol across VNets?Allow or deny at asubnet or NIC?Admin RDP or SSHto a VM?Azure DDoS Protectionlayers 3-4 floodsWeb Application FirewallOWASP, layer 7Azure Firewallacross VNets, FQDNNetwork security groupfive-tuple, subnet or NICAzure BastionRDP/SSH, no public IPAzure Key Vaultsecrets, keys, certificatesYesYesYesYesYesNoNoNoNoNo

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

DDoS Protection guards layers 3 and 4; a WAF guards layer 7

Azure DDoS Protection mitigates network- and transport-layer floods (volumetric and protocol attacks at layers 3 and 4) but does not read HTTP content, so application-layer attacks such as HTTP floods, SQL injection, and cross-site scripting fall to a Web Application Firewall. Microsoft positions the two as complementary, so DDoS Protection plus a WAF is the defense-in-depth answer covering both the network and the application.

Trap Reaching for Azure DDoS Protection to stop an HTTP flood or SQL injection; those are layer 7 attacks a WAF handles, not DDoS Protection.

3 questions test this
DDoS attacks come in volumetric, protocol, and application-layer forms

The three shapes are volumetric attacks that saturate bandwidth, protocol attacks that exhaust server resources by abusing layer 3 and 4 weaknesses, and resource (application) layer attacks aimed at the web application itself. Azure DDoS Protection covers the first two at layers 3 and 4; the application-layer form is left to a WAF.

2 questions test this
DDoS Network Protection covers a VNet; IP Protection is billed per IP

The two paid DDoS tiers share the same core mitigation engine but differ in scope and billing: DDoS Network Protection protects an entire virtual network, while DDoS IP Protection is a pay-per-protected-public-IP model. IP Protection omits the value-added extras Network Protection includes, namely DDoS rapid-response support, cost protection, and WAF discounts.

Trap Assuming DDoS IP Protection includes rapid-response support and cost protection; those value-added services come only with DDoS Network Protection.

6 questions test this
Every Azure resource has free default DDoS protection, but it is thin

Azure gives all resources a default infrastructure-level DDoS protection at no cost, but its thresholds are tuned high and it provides no telemetry, alerting, or per-application tuning. A flood the platform treats as harmless can still overwhelm one application, which is why the paid tiers add monitoring, alerts, and adaptive tuning.

Trap Treating the free default infrastructure-level DDoS protection as equivalent to DDoS Network Protection; it lacks telemetry, alerting, and application-tuned thresholds.

3 questions test this
Azure Firewall is a managed, stateful, centralized network security service

Azure Firewall is a cloud-native, fully stateful firewall-as-a-service you typically place on a central hub VNet so every other VNet and on-premises network routes through one policy, giving centralized control across subscriptions. Being stateful, it tracks active connections and judges traffic in context, and it provides built-in high availability across availability zones.

8 questions test this
Azure Firewall filters by FQDN and Microsoft threat intelligence

Beyond IP, port, and protocol network rules, Azure Firewall filters application traffic by fully qualified domain name (FQDN) over HTTP/S, and its threat-intelligence filtering alerts on or denies traffic to and from IP addresses and domains Microsoft's feed flags as malicious. It also performs source and destination network address translation (SNAT and DNAT).

7 questions test this
Azure Firewall filters across networks; an NSG filters within one

Both control traffic to virtual-network resources, but by scope. A network security group does distributed filtering within a VNet, at a subnet or network interface, on the five-tuple. Azure Firewall is a centralized, stateful service that protects across VNets and subscriptions and adds FQDN and threat-intelligence filtering an NSG cannot do. They are complementary layers, not an either-or choice.

Trap Using a network security group where you need FQDN or threat-intelligence filtering; an NSG only allows or denies on the five-tuple, so that job belongs to Azure Firewall.

9 questions test this
NSG rules allow or deny on the five-tuple in priority order

A network security group evaluates rules by priority (lower numbers first, and evaluation stops at the first match) using five values: source, source port, destination, destination port, and protocol. Each rule either allows or denies, and you can override the undeletable default rules by adding a higher-priority, lower-numbered rule.

6 questions test this
Attach one NSG per subnet or NIC, but reuse it widely

You can associate at most one network security group with a given subnet and one with a given network interface (NIC), but the same NSG can be attached to many subnets and NICs at once. This lets a single rule set cover many resources that share the same security needs.

A new NSG allows intra-VNet and outbound internet traffic by default

Every NSG ships with default rules (three inbound, three outbound) you cannot delete. Their net effect allows traffic within the virtual network and from the Azure load balancer, allows outbound to the VNet and the internet, and denies all other inbound traffic from the internet. You change this only by adding higher-priority rules.

Trap Assuming a new NSG blocks everything by default; its default rules already allow traffic within the VNet and outbound to the internet, denying only other inbound traffic.

6 questions test this
VNets block cross-VNet and inbound traffic by default

An Azure virtual network is the isolation boundary of your private network in Azure: by default no traffic crosses between VNets or arrives inbound from outside, so any communication must be explicitly provisioned. This default-deny posture is what makes segmentation the practical basis of the Zero Trust assume breach principle.

Trap Assuming resources in two different VNets can talk by default; cross-VNet traffic is denied until you explicitly provision it, for example with peering.

3 questions test this
Subnets segment a VNet to contain a breach

Within a VNet, subnets divide the network into smaller segments with their own controls, for example separating web servers from database servers. Segmenting this way limits lateral movement, so a compromise in one subnet is harder to spread, which serves the Zero Trust assume breach principle directly.

6 questions test this
VNet peering connects two VNets over the private Azure backbone

Peering links two virtual networks so their resources communicate as if on one network, and the traffic travels over the private Azure backbone rather than the public internet. Global VNet peering extends this connection across Azure regions.

2 questions test this
Azure Bastion gives RDP and SSH without a public IP or open ports

Azure Bastion is a managed PaaS service provisioned inside a VNet that brokers Remote Desktop Protocol (RDP) and Secure Shell (SSH) sessions to your VMs from the Azure portal over TLS on port 443. The VM keeps only a private IP and never exposes an RDP or SSH port to the internet, which removes the open management port attackers scan for.

Trap Assuming the target VM still needs a public IP with Azure Bastion; the point is that the VM keeps only a private IP while Bastion brokers the session over TLS.

15 questions test this
Bastion is a managed broker, not a VPN or a jump box you patch

Azure Bastion brokers a single portal-based RDP or SSH session; it does not extend an on-premises network into Azure the way a VPN does, and it is not a jump-box VM you deploy and patch yourself. Azure keeps the Bastion service hardened and current, including against zero-day exploits.

Trap Treating Azure Bastion as a VPN or a self-managed jump-box VM; it is a fully managed session broker that Azure patches and hardens for you.

2 questions test this
Bastion is deployed per virtual network, not per VM

You provision one Azure Bastion per virtual network, and it also serves peered VNets, rather than one per VM or per subscription. Once it is deployed, every VM in that network and its peers becomes reachable through it.

4 questions test this
Key Vault manages secrets, keys, and certificates

Azure Key Vault centralizes three kinds of protected material: secrets (passwords, connection strings, API keys), cryptographic keys used to encrypt data, and public and private TLS/SSL certificates it can provision and renew. Applications fetch these at runtime so credentials never sit in application code.

7 questions test this
Key Vault holds app secrets, not user identities

Key Vault stores an application's secrets, keys, and certificates, not user accounts or sign-in credentials. Those identities live in Microsoft Entra ID, which Key Vault itself relies on to authenticate its callers before authorizing them with Azure RBAC or a Key Vault access policy.

Trap Storing user sign-in credentials in Key Vault; user identities belong in Microsoft Entra ID, while Key Vault holds application secrets, keys, and certificates.

Key Vault Premium backs keys with an HSM; Standard uses software

Key Vault's Standard tier protects keys with software, while the Premium tier stores them in a hardware security module (HSM), tamper-resistant hardware the keys never leave. Choose Premium when compliance requires HSM-backed key protection; both tiers offer the same secrets, keys, and certificate management otherwise.

Trap Assuming HSM-backed keys come with the Standard tier; hardware security module protection requires the Premium tier of Key Vault.

1 question tests this
Key Vault authenticates via Entra ID, authorizes via RBAC or access policy

Access to Key Vault is a two-step gate: authentication, which proves the caller's identity, is always handled by Microsoft Entra ID, and authorization, which decides what the caller may do, is handled by Azure role-based access control (RBAC) or a Key Vault access policy. Every access is logged so you can monitor use.

Azure WAF runs on Application Gateway, Front Door, or CDN

A Web Application Firewall gives centralized layer-7 protection using the OWASP core rule set against exploits like SQL injection and cross-site scripting, and Azure delivers it through Application Gateway (regional), Azure Front Door (global), or Azure CDN. Patching a vulnerability once at the WAF then covers every application behind it.

Trap Expecting Azure Firewall to block SQL injection or cross-site scripting; those layer-7 web exploits are a WAF's job, delivered through Application Gateway, Front Door, or CDN.

11 questions test this
A network security group is stateful, so an allowed connection gets automatic return traffic

A network security group allows or denies both inbound and outbound traffic at no extra cost and with no dedicated appliance. Because it is stateful, when it permits a connection the return traffic for that connection is allowed automatically, so you never add a matching reverse rule. When it is associated with a subnet, its rules apply to every resource connected to that subnet.

Trap Assuming an inbound allow rule needs a matching outbound rule for the reply traffic.

13 questions test this
WAF Detection mode only logs a matching request; Prevention mode blocks it

In Detection mode an Azure WAF records matching requests in the WAF logs but lets them through, which is useful for tuning rules before enforcement. In Prevention mode it actively blocks a matching request, returns a 403 response, and logs the event.

Trap Leaving a tuned policy in Detection mode when the goal is to actively stop malicious requests.

4 questions test this
DDoS Protection reports attacks through Azure Monitor telemetry, alerts, and post-attack reports

Azure DDoS Protection surfaces rich telemetry through Azure Monitor, including near real-time metrics of packets dropped, forwarded, or tagged during mitigation. It can alert your operations team at the start and stop of an attack, provides attack analytics reports in about five-minute increments during the event, and delivers a forensic mitigation summary report after the attack ends.

5 questions test this

Also tested in

References

  1. SC-900: Describe Azure DDoS Protection
  2. SC-900: Describe Azure Firewall
  3. SC-900: Describe Web Application Firewall
  4. SC-900: Describe network segmentation in Azure
  5. SC-900: Describe Azure Network Security Groups
  6. SC-900: Describe Azure Bastion
  7. SC-900: Describe Azure Key Vault
  8. Azure DDoS Protection overview
  9. What is Azure Firewall?
  10. What is Azure Web Application Firewall?
  11. What is Azure Virtual Network?
  12. What is Azure Bastion?
  13. About Azure Key Vault