You need to recommend a solution for securing the landing zones. The solution must meet the landing zone requirements and the business requirements.
What should you configure for each landing zone?
Microsoft Defender for Cloud is the most suitable option for securing the landing zones given the requirements. It provides a secure score scoped to the landing zone, helping meet the specific security needs by assessing and providing recommendations for improvement. It also minimizes the possibility of data exfiltration through continuous monitoring and threat detection. Additionally, as a cloud-native solution, it minimizes additional on-premises infrastructure and reduces the operational costs associated with administrative overhead, which aligns well with the business requirements.
One of the stipulations is to meet the business requirements of minimizing costs. ExpressRoute is expensive. Given the landing zone requirements of 1) "Use a DNS namespace of litware.com" 2) "Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints" I would say Private DNS Zone is the answer.
I would say Private endpoint connection, but then that would only answer the first box and not actually the DNS namespace. So I would say C now!
You seem to have skipped all the other requirements. Also, how exactly does that reasoning help "secure the landing zones"? I'm not sure you are correct here.
Why not B? The question is related to a security recommendation. Microsoft Defender for Cloud makes sense.
I think it's B because Secure Score is most directly related to the security factor and that's provided by Defender for Cloud.
B is the answer. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security#security-in-the-azure-landing-zone-accelerator
B. Microsoft Defender for Cloud
- Minimize any additional on-premises infrastructure.
- Minimize the operational costs associated with administrative overhead.
- Provide a secure score scoped to the landing zone.
- Minimize the possibility of data exfiltration.
A. an ExpressRoute gateway <-- Not that it'd be advised, but one could employ a VPN Gateway instead between landing zones and achieve the hub-spoke landing zone architecture outcome. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
B. Microsoft Defender for Cloud <-- Mandated given the requirement for Secure Score per Landing Zone
C. an Azure Private DNS zone <-- Instead of Azure Private DNS zone, one could configure DNS queries to be forwarded to a self-operated DNS server in the hub to satisfy the litware.com zone requirement. Not recommended, but just to illustrate that 'Azure Private DNS zone' may not be mandatory.
D. Azure DDoS Protection Standard <-- unrelated to the question
The key to answering this question lies in " Provide a secure score scoped to the landing zone" as mentioned in the case study. The only thing that can do this is Cloud Defender
Security in the Azure landing zone accelerator
Security is at the core of the Azure landing zone accelerator. As part of the implementation, many tools and controls are deployed to help organizations quickly achieve a security baseline. For example, the following are included:
Tools:
- Microsoft Defender for Cloud, standard or free tier
- Microsoft Sentinel
- Azure DDoS Network Protection (optional)
- Azure Firewall
- Web Application Firewall (WAF)
- Privileged Identity Management (PIM)
Defender for Cloud offers a suite of security capabilities that help in achieving the requested outcome.
B secure score
It is "C. an Azure Private DNS zone" because an Azure Private DNS zone would be used to provide DNS resolution within a virtual network in Azure. This meets the requirement to use a DNS namespace of litware.com. It also helps ensure that Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network by resolving to private IP addresses, rather than over public endpoints. This contributes to minimizing the possibility of data exfiltration and maximizing network bandwidth by keeping traffic within the Azure network. In addition, both ChatGPT and Google Bard selected this option.
I don't see how any option other than A fulfills the following: "Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints." On the other hand, that is not a perfect fit either. It adds on-prem infrastructure and administrative overhead, and it doesn't provide a secure score. So perhaps B as well. Irreconcilable requirements, I would say.
service endpoints and/OR private endpoints would be for A.
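To make the "private DNS zone plus private endpoint" reasoning in the two comments above concrete, here is an added Bicep example (not posted by anyone in this thread and not one of Microsoft's own templates) that wires one landing zone's web app to the VMs in the same VNet over Private Link: the App Service app gets a private endpoint in the spoke VNet, the privatelink.azurewebsites.net private DNS zone is linked to that VNet so the VM's lookup of the app hostname returns the private IP instead of the public one, and a litware.com private zone supplies the required namespace. All resource names, parameter defaults and the app.litware.com hostname are assumptions for illustration.

```bicep
// Added example: private endpoint + private DNS zones for an App Service web app
// in one landing-zone VNet. Names and parameter defaults are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-landingzone-01'        // assumed spoke VNet
param peSubnetName string = 'snet-private-endpoints'  // assumed subnet for private endpoints
param webAppName string = 'app-litware-01'            // assumed existing web app
param customHostname string = 'app.litware.com'       // assumed name in the litware.com namespace

// Existing landing-zone network and web app
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: peSubnetName
}

resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: webAppName
}

// Private endpoint: the web app gets a private IP inside the landing-zone VNet,
// so VM -> web app traffic stays on the Microsoft backbone rather than a public endpoint.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${webAppName}'
  location: location
  properties: {
    subnet: { id: peSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${webAppName}'
        properties: {
          privateLinkServiceId: webApp.id
          groupIds: [ 'sites' ]   // App Service sub-resource for Private Link
        }
      }
    ]
  }
}

// Private DNS zone for App Service Private Link. Once linked to the VNet it overrides
// the public answer for <app>.azurewebsites.net with the private endpoint's IP.
resource privatelinkZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}

resource privatelinkZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privatelinkZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// DNS zone group: Azure writes the private endpoint's A record into the zone automatically,
// so nobody has to maintain the record by hand.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-azurewebsites-net'
        properties: { privateDnsZoneId: privatelinkZone.id }
      }
    ]
  }
}

// litware.com namespace (the landing-zone DNS requirement): a private zone with a CNAME
// to the app's default hostname, which the privatelink zone then resolves to the private IP.
// The app also needs a hostname binding for this name to accept the Host header (not shown).
resource litwareZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'litware.com'
  location: 'global'
}

resource litwareZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: litwareZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

resource appCname 'Microsoft.Network/privateDnsZones/CNAME@2020-06-01' = {
  parent: litwareZone
  name: split(customHostname, '.')[0]   // 'app' for app.litware.com (assumed)
  properties: {
    ttl: 300
    cnameRecord: { cname: webApp.properties.defaultHostName }
  }
}
```

Two checks a practitioner would run after deploying: from a VM in the VNet, `nslookup app-litware-01.azurewebsites.net` should return an address from the private-endpoint subnet, not a public IP; and the web app's public network access should be set to Disabled (the site's publicNetworkAccess property) so the private endpoint is the only way in, which is the part that actually addresses the data-exfiltration requirement rather than just the backbone-routing one.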
As noted in Landing Zone requirements: "Provide a secure score scoped to the landing zone" and with the business requirements being to keep costs down. With that in mind, being asked to secure the Landing Zone and meet business requirements, I feel B 'Defender for Cloud' is best choice.
Considering Litware’s requirements, the best option is B. Microsoft Defender for Cloud. Here are the reasons: Provision of Secure Score: Microsoft Defender for Cloud provides a secure score based on security best practices, evaluating the security posture of each landing zone and suggesting improvements. Prevention of Data Exfiltration: Defender for Cloud offers security policies and alerts to minimize the risk of data exfiltration. Minimization of Operational Costs: As a cloud-native security solution, it does not require additional on-premises infrastructure, reducing administrative overhead. While other options can address specific requirements, Microsoft Defender for Cloud is a comprehensive solution that optimizes both security and operational efficiency.
Requirements. Azure Landing Zone Requirements:
- Route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription. (Expressroute)
- Provide a secure score scoped to the landing zone.
- Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints. (Expressroute - Microsoft Backbone)
- Minimize the possibility of data exfiltration.
- Maximize network bandwidth. (Expressroute)
Microsoft Defender for Cloud provides "Cloud Security Posture Management" (CSPM), providing a security analysis of all the resources in your cloud estates
Answer: C https://www.youtube.com/watch?v=YJqZjdzC9xE&list=PLQ2ktTy9rklhzzkSEZvDZT4QSIVUQZD-Y&index=7 SC-100 Question 94
Based on the landing zone requirements and the business requirements, the recommended solution for securing the landing zones is option D, Azure DDoS Protection Standard. This solution will help minimize the possibility of data exfiltration and maximize network bandwidth. It will also provide a secure score scoped to the landing zone. An Azure Private DNS zone is not directly related to securing the landing zones, while an ExpressRoute gateway is used for private connectivity between on-premises infrastructure and Azure, which is not a requirement for securing the landing zones. Microsoft Defender for Cloud is a cloud-native security solution for protecting cloud workloads and is not directly related to securing the landing zones.
why not B. Microsoft Defender for Cloud? While Microsoft Defender for Cloud is a good solution for securing workloads and resources in Azure, it is not the most appropriate solution for securing the landing zones in this scenario. Microsoft Defender for Cloud focuses on threat protection and security posture management, whereas the landing zones requirements in this case study focus more on network and infrastructure security. Therefore, the best solution for securing the landing zones would be to route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription, which is option D. Azure DDoS Protection Standard is also a good option, as it helps protect against DDoS attacks by monitoring and absorbing the attack traffic. From ChatGPT