Chapter 14 — Azure Security Services

Security in the Cloud

Security is a shared responsibility (covered in Chapter 06), but Azure provides powerful tools to help you protect your resources, detect threats, and respond to incidents.

Azure security covers several domains:

Azure Security:
  ├── Cloud Security Posture (Microsoft Defender for Cloud)
  ├── Threat Detection and SIEM (Microsoft Sentinel)
  ├── Secret Management (Azure Key Vault)
  ├── Network Protection (DDoS Protection, Azure Firewall)
  ├── Identity Security (Covered in Chapter 13)
  └── Compliance and Trust (Covered in Chapter 19)

1. Microsoft Defender for Cloud

What Is It?

Microsoft Defender for Cloud (formerly Azure Security Center + Azure Defender) is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) tool.

It does three things:

  1. Assess — Continuously evaluates your security posture

  2. Secure — Provides recommendations to fix weaknesses

  3. Defend — Detects and responds to threats in real time

Secure Score

Defender for Cloud gives you a Secure Score — a percentage representing the health of your security posture.

Secure Score: 72%
─────────────────
  Max possible: 100
  Your score:    72
  Recommendations: 14 items to fix

Top recommendations:
  ✗ Enable MFA for accounts with Owner permissions
  ✗ Remediate vulnerabilities in SQL databases
  ✗ Apply disk encryption to virtual machines

Higher score = better security. Recommendations are grouped into security controls, and points are earned per resource within a control: a resource counts toward the score only once every recommendation in that control has been remediated for it, so fixing one of three findings on a VM does not move the score until all three are fixed. Treat the score as a trend to drive down the backlog, not as a pass/fail gate.

Defender Plans

Defender for Cloud has a free foundational CSPM tier (secure score, recommendations, basic policy compliance) and paid Defender plans, enabled per subscription, for workload protection; a separate paid Defender CSPM plan adds posture features such as attack path analysis:

Plan                       Protects
-------------------------  --------------------------------------------------------------
Defender for Servers       Windows and Linux VMs (vulnerability assessment, EDR integration)
Defender for SQL           SQL databases and servers (vulnerability assessment, anomalous query alerts)
Defender for Storage       Azure Storage accounts (anomalous access, malware scanning of uploads)
Defender for Containers    Kubernetes clusters and container registries (image scanning, runtime alerts)
Defender for App Service   Web applications hosted on App Service
Defender for Key Vault     Azure Key Vault (unusual or suspicious access to secrets and keys)
Defender for DNS           Azure DNS queries (now bundled into Defender for Servers Plan 2 rather than sold separately)

Multi-Cloud Support

Defender for Cloud also works with AWS and Google Cloud resources: you onboard AWS accounts and GCP projects through native connectors and get recommendations, secure score and workload alerts for them in the same dashboard as your Azure subscriptions.


2. Microsoft Sentinel

What Is It?

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution.

In simple terms: it collects security data from across your organization into a Log Analytics workspace, detects threats with scheduled analytics rules written in KQL plus built-in machine-learning and anomaly detections, and responds automatically through automation rules and playbooks.

Data Sources:
  Azure services, Microsoft 365, on-premises, AWS, firewalls, endpoints
        │
        ▼
  Microsoft Sentinel (collects and analyzes)
        │
  Analytics rules (KQL), UEBA and ML detections raise incidents
        │
        ▼
  Alert → Investigate → Respond (manual or automated playbook)

Key Capabilities

Capability   Description
-----------  ----------------------------------------------------------------------
Collect      Ingest data from 100+ built-in data connectors into a Log Analytics workspace
Detect       Scheduled analytics rules written in KQL, plus built-in machine-learning and anomaly detections
Investigate  Incident views and visual investigation graphs linking entities (users, hosts, IPs)
Respond      Automation rules and playbooks built on Azure Logic Apps
Hunt         Proactively search the workspace with KQL hunting queries and bookmark findings

When to Use Sentinel

  • Organizations needing a centralized security operations center (SOC)

  • Companies with complex multi-cloud or hybrid environments

  • When you want to automate threat response (disable a user in Entra ID, isolate a host, block an IP on the firewall)
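The "Detect" step above is easier to reason about with a concrete rule. What follows is an added example, not Microsoft Sentinel code: it reproduces the logic of a scheduled analytics rule (look back over a time window, group by source IP, count distinct targeted accounts, raise an incident and escalate it if the attacker then succeeds) in plain Python over constructed sample sign-in events so that it runs offline. Field names mirror the Entra ID SigninLogs table (UserPrincipalName, IPAddress, ResultType); result code 50126 is "invalid username or password" and 0 is success. The window size and account threshold are assumptions you would tune to your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Fields mirror the
# SigninLogs table; ResultType 50126 = invalid username/password, 0 = success.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T08:00:05Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T08:00:40Z", "UserPrincipalName": "bob@contoso.com",   "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T08:01:15Z", "UserPrincipalName": "carol@contoso.com", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T08:01:50Z", "UserPrincipalName": "dave@contoso.com",  "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T08:02:30Z", "UserPrincipalName": "erin@contoso.com",  "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T08:05:00Z", "UserPrincipalName": "carol@contoso.com", "IPAddress": "203.0.113.10", "ResultType": "0"},
    # A user mistyping their own password twice from the office: one account, no alert.
    {"TimeGenerated": "2024-05-01T08:10:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T08:10:20Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T08:10:45Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "0"},
    # A slow spray spread over hours: never four accounts inside one window.
    {"TimeGenerated": "2024-05-01T09:00:00Z", "UserPrincipalName": "bob@contoso.com",   "IPAddress": "192.0.2.55",   "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T09:05:00Z", "UserPrincipalName": "dave@contoso.com",  "IPAddress": "192.0.2.55",   "ResultType": "50126"},
    {"TimeGenerated": "2024-05-01T11:00:00Z", "UserPrincipalName": "erin@contoso.com",  "IPAddress": "192.0.2.55",   "ResultType": "50126"},
]

SUCCESS = "0"
FAILURE_CODES = {"50126", "50053"}  # bad password, account locked


def _ts(event):
    return datetime.strptime(event["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Return one alert per source IP whose failed sign-ins hit at least
    `min_accounts` distinct accounts inside some `window`-long span.

    A success from the same IP against one of the sprayed accounts, at or after
    the start of that span, marks the account as likely compromised and raises
    the severity to High: that is the incident an analyst should open first.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_ip[e["IPAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["ResultType"] in FAILURE_CODES]
        best_accounts, best_start = set(), None
        # Slide the window: treat each failure as a candidate start and keep
        # the span that targets the most distinct accounts.
        for i, first in enumerate(failures):
            start = _ts(first)
            targeted = {f["UserPrincipalName"] for f in failures[i:] if _ts(f) - start <= window}
            if len(targeted) > len(best_accounts):
                best_accounts, best_start = targeted, start
        if len(best_accounts) < min_accounts:
            continue
        compromised = sorted({
            e["UserPrincipalName"] for e in evs
            if e["ResultType"] == SUCCESS
            and e["UserPrincipalName"] in best_accounts
            and _ts(e) >= best_start
        })
        alerts.append({
            "source_ip": ip,
            "window_start": best_start.isoformat(),
            "targeted_accounts": sorted(best_accounts),
            "compromised_accounts": compromised,
            "severity": "High" if compromised else "Medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample data it raises exactly one alert, for 203.0.113.10, at High severity with carol@contoso.com as the compromised account; the office typo and the slow spray stay quiet. In Sentinel the same logic is a KQL `summarize dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 10m)` with a threshold, and the "compromised" branch is what you would wire to a playbook that disables the account.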


3. Azure Key Vault

What Is It?

Azure Key Vault is a cloud service for securely storing and accessing secrets — API keys, passwords, certificates, cryptographic keys, and connection strings.

The Problem Key Vault Solves

Bad practice — hard-coding secrets in application code:

# NEVER DO THIS:
db_password = "P@ssw0rd123!"
api_key = "sk-abc123xyz789"

If that code is pushed to GitHub, the secrets are exposed, and because the values stay in the repository history after they are removed from the file, they must be rotated, not just deleted. Key Vault solves this by storing secrets securely and letting apps retrieve them at runtime, ideally authenticating with a managed identity so there is no bootstrap secret to protect either.

Good practice — using Key Vault:

# Retrieve secret from Key Vault at runtime; the app authenticates with its managed identity (azure-identity + azure-keyvault-secrets)
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
db_password = SecretClient("https://<vault-name>.vault.azure.net/", DefaultAzureCredential()).get_secret("database-password").value
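The hard-coded pattern above is easy to forbid in a code review and hard to keep out of a large repository, so the practical control is a scanner that runs in CI or a pre-commit hook. The following is an added example, not Key Vault tooling or this page's code: it combines a name-based rule (a secret-looking variable assigned a string literal), shape-based rules for credential formats that are recognisable regardless of the variable name, an entropy threshold to ignore ordinary words, and a placeholder allow-list so the Key Vault pattern and `<vault-name>` templates are not flagged. The sample source file is constructed; the AWS key value is the publicly documented example key.

```python
import math
import re
from collections import Counter

# Constructed sample source file (not from any real repository). Lines 1-3 are
# the "NEVER DO THIS" pattern; line 4 is the Key Vault pattern; lines 5-6 are
# placeholders that a usable scanner must not flag.
SAMPLE_SOURCE = """\
db_password = "P@ssw0rd123!"
api_key = "sk-abc123xyz789"
aws_key = "AKIAIOSFODNN7EXAMPLE"
db_password = key_vault_client.get_secret("database-password").value
vault_url = "https://<vault-name>.vault.azure.net/"
password = "changeme"
"""

# Name-based rule: a secret-looking variable assigned a string literal.
# Group 1 is the variable name, group 2 the literal value.
ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:password|passwd|secret|api[_-]?key|token)\w*)\s*[:=]\s*["']([^"']+)["']"""
)
# Shape-based rules: credential formats recognisable whatever the variable is
# called (the prefixes are the publicly documented ones).
SHAPES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]+"),
}
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo", "redacted"}


def shannon_entropy(value):
    """Bits of entropy per character; random-looking strings score higher than
    dictionary words, which is what separates keys from ordinary config values."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    v = value.strip().lower()
    return (v in PLACEHOLDERS or (v.startswith("<") and v.endswith(">"))
            or v.startswith("${") or v.startswith("{{"))


def redact(value):
    """Never echo the full secret into CI logs; show just enough to locate it."""
    return value[:3] + "*" * (len(value) - 3)


def scan_source(text, min_entropy=3.0):
    """Return findings as {line, rule, name, redacted} dicts, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SHAPES.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "rule": rule, "name": None, "redacted": redact(m.group(0))})
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if is_placeholder(value) or shannon_entropy(value) < min_entropy:
                continue
            findings.append({"line": lineno, "rule": "hardcoded-credential", "name": name, "redacted": redact(value)})
    return findings


if __name__ == "__main__":
    import sys
    hits = scan_source(SAMPLE_SOURCE)
    for h in hits:
        print(f"line {h['line']}: {h['rule']} ({h['name'] or 'shape match'}) {h['redacted']}")
    sys.exit(1 if hits else 0)  # a non-zero exit blocks the commit in a pre-commit hook
```

On the sample file the scanner reports lines 1 to 3 and nothing else. A finding in CI means the value is already compromised from the repository's point of view: rotate it in Key Vault, then remove it from history.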

What Key Vault Stores

Item          Description
------------  ----------------------------------------------------------------------
Secrets       API keys, passwords, connection strings: opaque, versioned values (up to 25 KB each)
Keys          Cryptographic keys (RSA, EC) used for encrypt/decrypt, sign/verify and key wrapping; the private key never leaves the vault, callers send it the data to operate on
Certificates  TLS certificates with the private key kept in the vault; automatic renewal works only for certificates issued through an integrated CA (DigiCert, GlobalSign), otherwise renewal means importing a new certificate

Key Vault Security Features

Feature           Detail
----------------  ----------------------------------------------------------------------
HSM-backed        Premium tier keys are generated and held in FIPS 140-2 Level 3 validated HSMs; Standard tier keys are software-protected
Access control    Azure RBAC (recommended) or the legacy vault access policies; grant each app identity only the role it needs (e.g. Key Vault Secrets User) on the specific vault
Audit logging     Every data-plane call (get, set, sign, ...) can be sent to Azure Monitor, but only after you add a diagnostic setting for the AuditEvent category; it is off by default
Soft delete       Deleted vaults, secrets, keys and certificates stay recoverable for a retention period of 7 to 90 days (on by default for new vaults)
Purge protection  Blocks permanent deletion (purge) until the retention period ends, even for Owners; once enabled it cannot be turned off, so a mistaken admin or a ransomware operator cannot destroy key material

When to Use Key Vault

  • Store database passwords, API keys, connection strings

  • Manage SSL certificates for web applications

  • Encrypt/decrypt data using customer-managed keys (Storage, SQL, disk encryption)

  • Centralize secret management across multiple apps


4. Azure DDoS Protection

What Is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack floods your service with massive amounts of traffic from many sources, making it unavailable to legitimate users.

DDoS Attack:
  Thousands of infected computers (botnet)
        │
        │  Millions of fake requests
        ▼
  Your Web Server (overwhelmed, unavailable to real users)

Azure DDoS Protection Tiers

DDoS Infrastructure Protection (formerly Basic)
  Cost:     Free, enabled automatically for every Azure public IP
  Features: Platform-level volumetric mitigation that defends Azure itself; no tuning, telemetry, attack analytics or SLA for your application

DDoS Network Protection (formerly Standard)
  Cost:     ~$2,944/month per plan, covering up to 100 public IP resources across subscriptions
  Features: Adaptive tuning, real-time attack metrics and analytics, DDoS Rapid Response, cost protection, SLA guarantee

DDoS IP Protection
  Cost:     Per protected public IP, per month (for environments with only a few public IPs)
  Features: The same mitigation and telemetry as Network Protection applied to individual public IPs; no DDoS Rapid Response or cost protection

DDoS Network Protection Key Features

  • Always-on traffic monitoring — detects attacks in real time

  • Adaptive tuning — learns your application's traffic patterns

  • Attack analytics — detailed reports on attacks

  • Attack metrics — available in Azure Monitor

  • DDoS Rapid Response — Microsoft DDoS experts assist during an attack

  • Cost protection — credit for scale-out costs incurred during an attack


5. Azure Firewall

What Is It?

Azure Firewall is a managed, cloud-native network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and scalability.

Internet
  │
  │  Traffic filtered here
  ▼
Azure Firewall
  ├── Allow: HTTPS to approved destinations
  ├── Block: HTTP to blocked websites
  └── Allow: RDP from trusted IPs only
  │
  ▼
Your Azure Virtual Network (protected)

Key Features

Feature              Description
-------------------  ----------------------------------------------------------------------
FQDN filtering       Allow/block by domain name (e.g., allow *.microsoft.com); with DNS proxy enabled, network rules can use FQDNs as destinations too
Network rules        Layer 3/4: allow/block by source/destination IP, port and protocol
Application rules    Layer 7: allow/block HTTP, HTTPS and MSSQL traffic by FQDN or URL
Threat intelligence  Alert on, or block, traffic to and from known malicious IPs and domains (Microsoft feed)
DNAT                 Publish internal services: translate and filter inbound traffic from the firewall's public IP to private IPs
Forced tunneling     Force all outbound traffic through the firewall with a 0.0.0.0/0 user-defined route pointing at the firewall's private IP, so no subnet bypasses it
Premium SKU          TLS inspection, IDPS (signature-based intrusion detection and prevention), URL filtering, web categories

Rules are processed in a fixed order: DNAT rules, then network rules, then application rules, with the first match deciding. A broad network rule that allows TCP 443 to any destination is matched before your application rules, so the FQDN allow-list you wrote never gets evaluated for that traffic.

Azure Firewall vs. NSG

 

Azure Firewall

Network Security Group (NSG)

Type

Fully managed cloud service

VNet feature

Scope

Cross-VNet, cross-subscription

Single VNet/subnet

Filtering

IP, port, FQDN, app protocol

IP and port only

Threat Intelligence

Yes

No

Cost

Paid service

Free

Best for

Central network security hub

Subnet/resource-level filtering
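Most NSG mistakes come from the evaluation order, not from the rules themselves, so here is an added example (not Azure code, and not a complete model of the NSG engine) that reproduces the semantics in plain Python: custom and default rules merged and sorted by priority, first match wins, and inbound traffic checked against the subnet NSG and then the NIC NSG. The VNet address space, the rule sets and the way the VirtualNetwork and Internet service tags are resolved are assumptions for the example; 168.63.129.16 is Azure's load-balancer health-probe address.

```python
import ipaddress

# Assumed VNet address space, used to resolve the VirtualNetwork/Internet tags.
VNET = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")

# The default inbound rules every NSG carries; they cannot be removed, only
# overridden by custom rules with a lower (= higher-priority) number.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound",              "priority": 65000, "access": "Allow", "protocol": "*", "source": "VirtualNetwork",    "dest_port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*", "source": "AzureLoadBalancer", "dest_port": "*"},
    {"name": "DenyAllInBound",                "priority": 65500, "access": "Deny",  "protocol": "*", "source": "*",                 "dest_port": "*"},
]

# Constructed example: the subnet NSG admits HTTPS from the internet and denies
# RDP from anywhere; the NIC NSG tries to re-open RDP for an admin range.
SUBNET_RULES = [
    {"name": "AllowHttpsFromInternet", "priority": 100, "access": "Allow", "protocol": "Tcp", "source": "Internet", "dest_port": "443"},
    {"name": "DenyRdpInBound",         "priority": 200, "access": "Deny",  "protocol": "*",   "source": "*",        "dest_port": "3389"},
]
NIC_RULES = [
    {"name": "AllowRdpFromAdmins", "priority": 100, "access": "Allow", "protocol": "Tcp", "source": "203.0.113.0/24", "dest_port": "3389"},
]


def source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":            # simplified: anything outside the VNet
        return ip not in VNET
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(rule_source, strict=False)


def port_matches(rule_port, port):
    if rule_port == "*":
        return True
    for part in rule_port.split(","):          # "22,3389" or "1000-2000"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip, dest_port, protocol):
    """NSG semantics: custom + default rules, lowest priority number first;
    the first matching rule decides and processing stops."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not source_matches(rule["source"], src_ip) or not port_matches(rule["dest_port"], dest_port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "(no rule)"  # unreachable while DenyAllInBound is present


def inbound_allowed(subnet_rules, nic_rules, src_ip, dest_port, protocol="Tcp"):
    """Inbound traffic is checked against the subnet NSG first, then the NIC
    NSG, and must be allowed by both. Returns (allowed, deciding_rule)."""
    for layer, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        access, name = evaluate(rules, src_ip, dest_port, protocol)
        if access == "Deny":
            return False, f"{layer}:{name}"
    return True, "allowed by both NSGs"


if __name__ == "__main__":
    for src, port in (("203.0.113.5", 3389), ("198.51.100.9", 443), ("10.0.1.4", 22)):
        print(src, port, inbound_allowed(SUBNET_RULES, NIC_RULES, src, port))
```

Two results are the ones that surprise people: RDP from the admin range is still blocked, because the subnet NSG's deny at priority 200 is evaluated before the NIC NSG is consulted at all; and HTTPS from the internet is blocked by the NIC NSG's DenyAllInBound, because the subnet rule allowing it does not carry over to the second NSG. Traffic from inside the VNet passes both through the default AllowVnetInBound rule, which is also why the first custom deny you write is usually one for the VNet's own address space.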


6. Azure Web Application Firewall (WAF)

What Is It?

WAF protects web applications from common web exploits. It is available on:

  • Azure Application Gateway — regional protection

  • Azure Front Door — global protection

What WAF Blocks

Based on managed rule sets derived from the OWASP (Open Web Application Security Project) Core Rule Set (CRS), plus custom rules you write yourself:

Attack Type                 Description
--------------------------  ------------------------------------------------------------
SQL Injection               SQL syntax smuggled through input fields and query parameters
Cross-Site Scripting (XSS)  Injecting client-side scripts into pages other users load
Command Injection           Running OS commands through the application
Path Traversal              Accessing files outside the web root (../ sequences, also encoded)
Protocol Anomalies          Malformed or non-compliant HTTP requests

The managed rules work on anomaly scoring: each matched rule adds its severity to a per-request score and the request is blocked once the score reaches the threshold. Deploy a new WAF policy in Detection mode first, review what the logs would have blocked on real traffic, add exclusions for the false positives, and only then switch to Prevention mode.
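To show what the rule engine actually has to do before a signature can match, here is an added example (not Azure WAF code, and the patterns are simplified stand-ins for the real CRS regexes, whose rule ids they only allude to) that percent-decodes each inspected field until it is stable, lower-cases it, runs the rules, and applies CRS-style anomaly scoring. The sample requests are constructed; the one with a double-encoded path traversal is the reason the decoding loop exists, because a single decoding pass leaves it as harmless-looking %2e%2e%2f and it sails through.

```python
import re
from urllib.parse import unquote

# Rules loosely modelled on OWASP CRS rule families. The ids only allude to
# CRS numbering and the patterns are simplified stand-ins, not the real CRS
# regexes. Severity follows the CRS anomaly-scoring convention
# (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2); a request is blocked once the
# sum of matched severities reaches the inbound threshold (5 by default).
RULES = [
    ("942100-like", "sqli",              re.compile(r"""(?:'|")\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+|union\s+select|;\s*drop\s+table"""), 5),
    ("942110-like", "sqli-keyword",      re.compile(r"\b(?:select|union|insert|delete)\b"), 3),
    ("941100-like", "xss",               re.compile(r"<\s*script|javascript:|\bon(?:error|load|click|mouseover)\s*="), 5),
    ("930100-like", "path-traversal",    re.compile(r"\.\./|\.\.\\"), 5),
    ("932100-like", "command-injection", re.compile(r"(?:;|\||&&|`)\s*(?:cat|ls|id|whoami|wget|curl|nc)\b"), 5),
]
ANOMALY_THRESHOLD = 5

# Constructed sample requests; query values are given percent-encoded, as they
# arrive on the wire.
SAMPLE_REQUESTS = {
    "benign":       {"path": "/search",   "args": {"q": "o%27reilly%20and%20sons"},                         "headers": {"User-Agent": "Mozilla/5.0"}},
    "keyword_only": {"path": "/search",   "args": {"q": "please%20select%20a%20size"},                      "headers": {}},
    "sqli":         {"path": "/products", "args": {"id": "1%27%20OR%20%271%27%3D%271"},                     "headers": {}},
    "double_enc":   {"path": "/download", "args": {"file": "%252e%252e%252f%252e%252e%252fetc%252fpasswd"}, "headers": {}},
    "xss_header":   {"path": "/",         "args": {},                                                        "headers": {"User-Agent": "<script>alert(1)</script>"}},
    "cmdi":         {"path": "/ping",     "args": {"host": "8.8.8.8;cat%20/etc/passwd"},                    "headers": {}},
}


def normalize(value, decode_rounds=3):
    """Percent-decode until the value stops changing (bounded), then lower-case.
    One pass is not enough: %252e%252e%252f decodes to %2e%2e%2f, which only
    becomes ../ on the second pass. Real engines also normalise paths, collapse
    whitespace and handle other encodings."""
    for _ in range(decode_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def inspected_fields(request):
    yield "path", request.get("path", "")
    for name, value in request.get("args", {}).items():
        yield f"args:{name}", value
    for name, value in request.get("headers", {}).items():
        yield f"header:{name}", value
    if request.get("body"):
        yield "body", request["body"]


def inspect_request(request, decode_rounds=3, threshold=ANOMALY_THRESHOLD):
    """Return {'blocked', 'score', 'matched'}; matched lists (rule_id, family,
    field) so an analyst can see which field tripped which rule."""
    score, matched = 0, []
    for field, raw in inspected_fields(request):
        value = normalize(raw, decode_rounds)
        for rule_id, family, pattern, severity in RULES:
            if pattern.search(value):
                score += severity
                matched.append((rule_id, family, field))
    return {"blocked": score >= threshold, "score": score, "matched": matched}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, inspect_request(req))
```

The "keyword_only" request shows why scoring matters: a lone word like "select" in a search box scores 3, below the threshold, so it is logged but not blocked, whereas a real quote-or-equals injection scores 5 on its own. Calling `inspect_request(SAMPLE_REQUESTS["double_enc"], decode_rounds=1)` reproduces the evasion a single-pass decoder would miss.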


Security Services Summary

Service             Purpose
------------------  ----------------------------------------------------------
Defender for Cloud  Security posture score + workload threat protection
Microsoft Sentinel  SIEM/SOAR: centralized threat detection and response
Key Vault           Secure storage for secrets, keys, certificates
DDoS Protection     Protect against volumetric network attacks
Azure Firewall      Centralized network traffic filtering
WAF                 Protect web apps from common web attacks (OWASP CRS-based rules)


Defense in Depth

Azure security is built on the concept of defense in depth — multiple layers of security so that if one layer is breached, the next layer still protects you.

Layer 1: Physical security (Azure data centers)
Layer 2: Identity and access (Entra ID, MFA, RBAC)
Layer 3: Network perimeter (DDoS Protection, Azure Firewall)
Layer 4: Network (NSGs, VNet)
Layer 5: Compute (Defender for Servers, OS hardening)
Layer 6: Application (WAF, secure coding)
Layer 7: Data (encryption, Key Vault, access controls)

Quick Recap

Defender for Cloud → Security posture + threat protection
Sentinel           → SIEM — collect, detect, respond to threats
Key Vault          → Secure secrets, keys, certificates
DDoS Protection    → Block volumetric attacks on your services
Azure Firewall     → Filter network traffic centrally
WAF                → Block web attacks (SQL injection, XSS)

Defense in Depth = Multiple layers — no single point of failure


Next Chapter → Chapter 15: Azure Monitoring & Management