Tag: Azuresecurity

Posted on

Tips for passing Azure Security Engineer Certification (AZ- 500)

It was almost 2 years of break from the MS certifications before I tried AZ-500 early this week, it was an interesting one. It was the first MS certification I have ever appeared with hands on lab though it was bit of a surprise. I thought of sharing my experience on exam which might be helpful if you are trying get this certification.  

The exam is total 3 and half hours with 3 hours of exam time. I suggest you to go through exam skills outline before you starting the preparation. I started with course in the Linux Academy. I found it is especially good for Azure Active Directory as it covers all the features of AAD that is part of P2. The course covers almost all the subject required for the exam for us to start preparing for the exam. However, don’t stop it there…  we need to deep dive in to each subject with MS documentations. Importantly, you need to do lot of hands-on for each topic described in the exam skills outline.

Continue reading “Tips for passing Azure Security Engineer Certification (AZ- 500)”
Posted on

All about Application Security Group

What is Application Security Groups?

ASGs enable you to define fine-grained network security policies based on workloads, centralized on applications, instead of explicit IP addresses. Implementing granular security traffic controls improves isolation of workloads and protects them individually. If a breach occurs, this technique limits the potential impact of lateral exploration of your networks from hackers.

You may find the details in the MS site more about this which I do not want to copy and paste it here. Let’s talk about the use case and how we can make use of his in better way.

Deny all the communication and open the specific communication using ASG. Yes, you can create a Deny All rule with lower priority within your vNET. Then you create specific ports to open but you will select ASG as source and destination. This will open the communication between those servers have the specific ASG configured. Looks at the below pictures (figure1&2) to understand this better.

You do not have any option to add a server in the ASG but you need to go and select the required ASG from the vNIC of the VMs. You can add this option in the ARM templates to configure when you create this VM. This will reduce number NSG changes you need to make every time you add a server rather you select required ASG while you create the VM.

You need to remember few things about ASG.

  • You cannot make any settings on ASG but you can only add tags.
  • You can only select one ASG as source or destination in every NSG rules.
  • You can select multiple ASGs for single VM.
  • Limitations
    • 3000 per subscription
    • 20 per vNIC
    • 4000 IP configuration per ASG
  • You can only assign ASG from the same subscription.
  • You cannot have VMs from different vNETs in one ASG.
  • Both source and destination ASGs in your NSG rules should be in same vNET.

Continue reading “All about Application Security Group”