Exam SC-100, Question 83

HOTSPOT -

You are designing security for a runbook in an Azure Automation account. The runbook will copy data to Azure Data Lake Storage Gen2.

You need to recommend a solution to secure the components of the copy process.

What should you include in the recommendation for each component? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Azure Web Application Firewall with network service tags

    A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

    You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes.

    Incorrect:

    * Not Azure private link with network service tags

    Network service tags are not used with Private links.

    Box 2: Automation Contributor built-in role

    The Automation Contributor role allows you to manage all resources in the Automation account, except modifying other users' access permissions to an Automation account.

    Reference:

    https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
    https://docs.microsoft.com/en-us/azure/automation/automation-role-based-access-control

Discussion
Alex_Burlachenko

Wrong one. I would select Key Vault for Box 1, and for Box 2 it is Private Link.

prabhjot

Ans is wrong. Azure Key Vault is for application and data security, so Key Vault = Box 1, and Private Link is for VNet security, so Box 2 = Private Link.

Ramye

Yes, Private Link is for VNet security, but there's no reference to VNet here. What am I missing? thx

HardcodedCloud

Data Security: Access Keys stored in Azure Key Vault
Network access control: Azure Private Link with network service tags

janesb

Data Security: Access Keys stored in Azure Key Vault
Network access control: Azure Private Link with network service tags
https://learn.microsoft.com/en-us/azure/automation/automation-security-guidelines

Azzzurrre

None of the answers provided is a good answer. They are fragmentary or just wrong. Key Vault with access keys is a bad answer because using shared access keys is only recommended if a service accessing the storage cannot use a managed identity or a certificate to authenticate. "Azure Private Link with network service tags" doesn't mean anything. Network Service Tags can be used in NSG rules, and in routing rules, if either were specified, but they aren't.
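Added example, not part of the exam page or any comment: a PowerShell runbook that copies a file into Data Lake Storage Gen2 using the Automation account's system-assigned managed identity, so no storage key ever lives in the runbook or in Key Vault. Storage account, container and paths are placeholders; the identity is assumed to hold Storage Blob Data Contributor on the target account.

```powershell
# Added example (not from the exam page): Azure Automation PowerShell runbook
# that writes to ADLS Gen2 with a managed identity instead of a shared key.
param(
    [string]$StorageAccountName = 'stcopytargetplaceholder',  # placeholder name
    [string]$FileSystem         = 'landing',                  # ADLS Gen2 container
    [string]$SourcePath         = "$env:TEMP\payload.csv",   # constructed sample input
    [string]$DestinationPath    = 'runbook/payload.csv'
)

# Constructed sample input so the runbook can be exercised end to end.
'id,value' | Set-Content -Path $SourcePath

# 1. Authenticate as the Automation account's system-assigned managed identity.
#    No credential asset, no Run As certificate, no key embedded in the runbook.
$null = Connect-AzAccount -Identity

# 2. Build a storage context that presents the identity's Azure AD token
#    (-UseConnectedAccount) rather than an account key. The identity needs the
#    Storage Blob Data Contributor role on the target account (assumption).
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount

# 3. Copy the file into the Gen2 file system. Restricting where this traffic
#    may come from (private endpoint on the storage account, or an NSG rule
#    using the Storage service tag for a hybrid worker) is a separate network
#    control configured outside the runbook.
New-AzDataLakeGen2Item -Context $ctx -FileSystem $FileSystem `
    -Path $DestinationPath -Source $SourcePath -Force | Out-Null

Write-Output "Copied $SourcePath to $StorageAccountName/$FileSystem/$DestinationPath"
```

If a downstream system genuinely cannot use an identity, the fallback is to fetch its key at run time with Get-AzKeyVaultSecret rather than storing it in the runbook.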

EM1234

These are both good points. I was also confused how everyone keeps saying to use Private Link with service tags. Service tags are not used with private links/endpoints. I would still go with A for data security, since Key Vault can be very explicitly secured, but the point you made is great. For the second question, I would go with the App Gateway with WAF since it is at least controlling network access. Honestly though, I think something has been written wrong here. The answers don't make sense.

cychoia

https://learn.microsoft.com/en-us/azure/automation/automation-security-guidelines

JG56

In exam Nov 23. Agree with Alex.

tester18128075

Data Security: Key Vault
Network Access Control: Private links/endpoints

ConanBarb

Hey all, let's exclude the nonsensical options first: Automation Contributor role is the RBAC role for working with the Automation service, "design-time" if you will, and hence has nothing to do with securing data at run-time. Private Link with network service tags is nonsense for N/W security. There is no such thing. Network service tags are used in NSGs and firewall rules. Hence, even though these options seem strange as well, they are in theory relevant:
Data Security: Key Vault
N/W Security: App GW with WAF

KrisDeb

Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use managed identities. For more information, see "migrating from an existing Run As account to managed identity" to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

Toschu

Note: This has nothing to do with the question

TJ001

Data Security: Access Keys stored in Azure Key Vault
Network access control: Azure Private Link with network service tags

Murtuza

App GW with WAF can't play a role because it applies to client-facing traffic, which is not the ask in the question.

smanzana

Box 1: Key Vault
Box 2: Private Link

rahulnair

A & C. Secure the assets in Azure Automation including credentials, certificates, connections and encrypted variables. These assets are protected in Azure Automation using multiple levels of encryption. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption of Automation assets. These keys must be present in Azure Key Vault for the Automation service to be able to access the keys.

Use Azure Private Link to securely connect Hybrid Runbook Workers to Azure Automation. Azure Private Endpoint is a network interface that connects you privately and securely to an Azure Automation service powered by Azure Private Link. Private Endpoint uses a private IP address from your Virtual Network (VNet), to effectively bring the Automation service into your VNet.
https://learn.microsoft.com/en-us/azure/automation/automation-security-guidelines

orrery

Data security: Access keys stored in Azure Key Vault. This ensures that sensitive keys are securely stored and managed, reducing the risk of unauthorized access.
Network access control: Azure Private Link with network service tags. This provides secure and private connectivity to Azure services, ensuring that data transfer occurs over a private network rather than the public internet.

Arockia

• Data safety: Lock keys in Key Vault, network isolation with Private Link & service tags for secured Azure Data Lake Gen2 copy via Automation runbook.
• Network control: Private Link & service tags shield your Azure Data Lake Gen2 copy process from the public internet for enhanced security.

ian2387

Have we managed to figure out the correct answer? Data: Azure Key Vault. Network: Private Link with service tags. I have my doubts if service tags are supported by Azure Private Link.

uffman

Box 1: Key Vault
Box 2: Private Link