Exam AZ-500
Question 445

HOTSPOT

You have an Azure subscription that contains an Azure firewall named AzFW1. AzFW1 has a firewall policy named FWPolicy1.

You need to add rule collections to FWPolicy1 to meet the following requirements:

• Allow traffic based on the FQDN of the destination.

• Allow TCP traffic.

Which types of rule collections should you add for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
973dc00

1. Application only 2. Network or DNAT

ITFranz

Answers: https://learn.microsoft.com/en-us/azure/firewall/fqdn-filtering-network-rules

Differences in application rules vs. network rules: If the protocol is HTTP/S or MSSQL, use application rules for FQDN filtering. For services like AzureBackup, HDInsight, etc., use application rules with FQDN tags. For any other protocols, you can use network rules for FQDN filtering.

The answer for TCP can be found at https://learn.microsoft.com/en-us/azure/firewall/policy-rule-sets#rule-collection-groups

Answer = 1. Application only 2. Network or DNAT

timHAG

As you stated, "For any other protocols, you can use network rules for FQDN filtering." This means network rules can also be used for FQDN, so the answer is right: Network and Application rules.

Jimmy500

Hi guys, let me give you some useful information about Azure Firewall questions which you might see in the exam, based on my handout. I suppose it will help you to answer this question and some other questions as well; however, please note that I will add my tips as reply comments, as the page does not allow long comments. Thanks for understanding. Azure Firewall should be deployed to its own subnet; the name of the Azure Firewall subnet should be AzureFirewallSubnet and its range should be at least /26. Nothing besides Azure Firewall can live in this subnet.

Jimmy500

Azure Firewall has 3 types of rules: 1-DNAT, 2-Network rules, 3-Application rules. The rules are executed in the order DNAT, Network, and then Application rules. Within the rules, lower priority comes first; for example, if you have 2 rules, let's say network rules, the one with the lower priority will be executed first. Rule priority does not affect the sequence of execution (DNAT, network, application). Threat detection can take precedence over network and application rules, which means that if threat detection is in block/prevent mode, it can block a request even if a network or application rule allows it.

Jimmy500

Let's now answer this question: 1-A DNAT rule is a rule which determines incoming traffic to our Azure Firewall. For example, let's imagine we have a hub-spoke network with Azure Firewall (AF) configured in the hub, and in the spokes we have virtual machines which we would like to connect to from the internet. In this case we can use a DNAT rule. We choose the source type, which shows the source that tries to communicate with the VM which lives in the spoke VNet behind AF. The source type can be IP or IP groups. As the destination IP address we choose the public IP of our Azure FW and translate it via the public IP of the Azure FW and port to the private IP of our VM via a port number. As we see here, we allow traffic based on IP and IP group, and as a protocol we can choose TCP during the communication of our VM with the internet. So for the first box we can skip DNAT, and for the second box we can choose it.

Jimmy500

For the network rule, let's imagine a scenario where we would like to make ping available between our spoke networks where we have a hub network. We can create a network rule which allows us to choose source type, source IP group, destination type and protocol as well (which can be TCP, UDP, ICMP as well). This means that for both box 1 and box 2 we can choose it. Application rule: this is a level 7 operation and the only rule where we can use URLs as well; besides this we can use FQDNs as well. URLs can be used only with premium Azure Firewall. All in all, my answer for box 1 is: Application, Network; box 2: Network, DNAT.

ITFranz

To support the answer: https://learn.microsoft.com/en-us/azure/firewall/policy-rule-sets

Network rules: Network rules allow or deny inbound, outbound, and east-west traffic based on the network layer (L3) and transport layer (L4). You can use a network rule when you want to filter traffic based on IP addresses, any ports, and any protocols.

Application rules: Application rules allow or deny outbound and east-west traffic based on the application layer (L7). You can use an application rule when you want to filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.

Answer = Box 1: Application. Box 2: Network.
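As an added illustration of the two rule-collection types the posts above describe (this is example code, not from the exam page or from Microsoft), the Bicep below adds a network rule collection for plain TCP and an application rule collection for FQDN filtering to FWPolicy1. FWPolicy1 comes from the question; the rule collection group name, source range, destination address, port and FQDN are assumed placeholders.

```bicep
// Added example, not from the exam page or Microsoft docs. FWPolicy1 is from the
// question; the group name, source range, destination address, port and FQDN are assumed.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: 'FWPolicy1'
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'DefaultRuleCollectionGroup'   // assumed group name
  properties: {
    priority: 200
    ruleCollections: [
      {
        // Box 2: TCP to a port -> network rule collection (L3/L4). Network collections
        // are evaluated before application collections regardless of priority number.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AllowTcp'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'allow-sql-tcp-1433'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.1.0.0/16' ]      // assumed spoke range behind AzFW1
            destinationAddresses: [ '10.2.0.4' ]     // assumed; destinationFqdns needs DNS proxy
            destinationPorts: [ '1433' ]
          }
        ]
      }
      {
        // Box 1: filter by destination FQDN over HTTPS -> application rule collection (L7).
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AllowByFqdn'
        priority: 300
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-learn-microsoft'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ '10.1.0.0/16' ]
            targetFqdns: [ 'learn.microsoft.com' ]
          }
        ]
      }
    ]
  }
}
```

A DNAT rule collection (ruleCollectionType 'FirewallPolicyNatRuleCollection') also carries TCP/UDP, which is why the answer key accepts DNAT as an alternative for the second box.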

datz

The second answer makes no sense to me. 1. Application only - I agree, needed for FQDN/URL. 2. Network - just layer 4 traffic, port based and destination 0.0.0.0. Not sure why DNAT is needed... DNAT = port forwarding concept = you can use a DNAT rule when you want a public IP address to be translated into a private IP address.

DNAT rules: DNAT rules allow or deny inbound traffic through one or more firewall public IP addresses. You can use a DNAT rule when you want a public IP address to be translated into a private IP address. The Azure Firewall public IP addresses can be used to listen to inbound traffic from the Internet, filter the traffic and translate this traffic to internal resources in Azure.