You need to recommend a solution for securing the landing zones. The solution must meet the landing zone requirements and the business requirements. What should you configure for each landing zone?
One of the stipulations is to meet the business requirements of minimizing costs. ExpressRoute is expensive.
Given the landing zone requirements of
1) "Use a DNS namespace of litware.com"
2) "Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints"
I would say Private DNS Zone is the answer.
It's B, Defender for Cloud.
Why not the other options?
A. ExpressRoute Gateway: While ExpressRoute provides private connectivity between Azure and on-premises environments, it's more suited for dedicated, high-performance, private connections rather than overall security management.
C. Azure Private DNS Zone: This helps resolve domain names privately but does not address comprehensive security concerns such as regulatory compliance or threat detection, which are key parts of the requirement.
D. Azure DDoS Protection Standard: While DDoS protection is crucial for defending against distributed denial of service attacks, it’s not comprehensive enough to meet all the security and regulatory compliance requirements outlined for the landing zones.
You seem to have skipped all the other requirements. Also, how exactly does that reasoning help "secure the landing zones"? I'm not sure you are correct here.
While Microsoft Defender for Cloud is also important for overall security, Azure Private DNS zone directly addresses several of the critical requirements for securing the landing zones.
Considering Litware’s requirements, the best option is B. Microsoft Defender for Cloud. Here are the reasons:
Provision of Secure Score: Microsoft Defender for Cloud provides a secure score based on security best practices, evaluating the security posture of each landing zone and suggesting improvements.
Prevention of Data Exfiltration: Defender for Cloud offers security policies and alerts to minimize the risk of data exfiltration.
Minimization of Operational Costs: As a cloud-native security solution, it does not require additional on-premises infrastructure, reducing administrative overhead.
While other options can address specific requirements, Microsoft Defender for Cloud is a comprehensive solution that optimizes both security and operational efficiency.
A. an ExpressRoute gateway <-- Not that it'd be advised, but one could employ a VPN Gateway instead between landing zones and achieve the hub-spoke landing zone architecture outcome. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
B. Microsoft Defender for Cloud <-- Mandated given the requirement for Secure Score per Landing Zone
C. an Azure Private DNS zone <-- Instead of Azure Private DNS zone, one could configure DNS queries to be forwarded to a self-operated DNS server in the hub to satisfy the litware.com zone requirement. Not recommended, but just to illustrate that 'Azure Private DNS zone' may not be mandatory.
D. Azure DDoS Protection Standard <-- unrelated to the question
Azure Landing Zone Requirements:
- Route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription. (ExpressRoute)
- Provide a secure score scoped to the landing zone.
- Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints. (ExpressRoute - Microsoft backbone)
- Minimize the possibility of data exfiltration.
- Maximize network bandwidth. (ExpressRoute)
The key to answering this question lies in "Provide a secure score scoped to the landing zone" as mentioned in the case study. The only thing that can do this is Cloud Defender.
It is "C. an Azure Private DNS zone" because:
An Azure Private DNS zone would be used to provide DNS resolution within a virtual network in Azure. This meets the requirement to use a DNS namespace of litware.com. It also helps ensure that Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network by resolving to private IP addresses, rather than over public endpoints. This contributes to minimizing the possibility of data exfiltration and maximizing network bandwidth by keeping traffic within the Azure network.
In addition, both ChatGPT and Google Bard selected this option.
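To make the private-resolution argument concrete, here is an added Bicep example (not from the exam question or from any comment above) showing how a landing zone's VMs are made to reach an App Service web app over the Microsoft backbone: a private endpoint for the web app, the app's public endpoint disabled, and the `privatelink.azurewebsites.net` private DNS zone linked to the landing-zone VNet so the app's hostname resolves to the private IP. Names such as `lz-vnet`, `lz-app`, `lz-plan` and the 10.10.0.0/16 address space are placeholders; the litware.com zone the case study asks for would be a second private DNS zone, created the same way, and is not shown here.

```bicep
// Added illustration of the private endpoint + private DNS zone pattern.
// All names and address ranges below are placeholders, not values from the case study.
param location string = resourceGroup().location
param vnetName string = 'lz-vnet'
param planName string = 'lz-plan'
param webAppName string = 'lz-app-${uniqueString(resourceGroup().id)}'

// Landing-zone VNet: one subnet for the VMs, one dedicated to private endpoints.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-vms', properties: { addressPrefix: '10.10.1.0/24' } }
      { name: 'snet-pe', properties: { addressPrefix: '10.10.2.0/24' } }
    ]
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: planName
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' }
}

// Web app with its public endpoint switched off, so only the private endpoint is reachable.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: webAppName
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    publicNetworkAccess: 'Disabled'
  }
}

// Private endpoint: a NIC in snet-pe that carries the web app's private IP address.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${webAppName}'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[1].id }
    privateLinkServiceConnections: [
      {
        name: 'pls-${webAppName}'
        properties: {
          privateLinkServiceId: app.id
          groupIds: [ 'sites' ]
        }
      }
    ]
  }
}

// Private DNS zone that overrides public resolution of the app's hostname inside the VNet.
// Private DNS zones are always deployed with location 'global'.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}

// Linking the zone to the VNet makes Azure-provided DNS consult it for queries from
// the landing-zone VMs. Auto-registration stays off: the records come from the
// zone group below, not from VM registration.
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// Zone group: Azure writes and maintains the A record for the app in the private zone,
// pointing at the private endpoint's IP, so <app>.azurewebsites.net resolves privately.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'sites', properties: { privateDnsZoneId: dnsZone.id } }
    ]
  }
}

output privateEndpointId string = pe.id
output webAppHostname string = app.properties.defaultHostName
```

The check a practitioner wants after deploying: from a VM in `snet-vms`, resolve the web app's default hostname and confirm the answer is a 10.10.2.x address rather than a public one; from outside the VNet the same name still resolves publicly, but the request is rejected because `publicNetworkAccess` is disabled. Nothing here produces a secure score; that comes from Microsoft Defender for Cloud, which is enabled at subscription scope and is a separate decision from the DNS design.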
Microsoft Defender for Cloud provides "Cloud Security Posture Management" (CSPM), providing a security analysis of all the resources in your cloud estates.
I don't see how any other option than A fulfills the following:
Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.
On the other hand, that is not a perfect fit either. It adds on-prem infrastructure and administrative overhead, and it doesn't provide a secure score.
So perhaps B as well. Irreconcilable requirements I would say.
B is the answer.
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security#security-in-the-azure-landing-zone-accelerator
B. Microsoft Defender for Cloud
Minimize any additional on-premises infrastructure.
Minimize the operational costs associated with administrative overhead.
Provide a secure score scoped to the landing zone.
Minimize the possibility of data exfiltration.
Based on the landing zone requirements and the business requirements, the recommended solution for securing the landing zones is option D, Azure DDoS Protection Standard. This solution will help minimize the possibility of data exfiltration and maximize network bandwidth. It will also provide a secure score scoped to the landing zone. An Azure Private DNS zone is not directly related to securing the landing zones, while an ExpressRoute gateway is used for private connectivity between on-premises infrastructure and Azure, which is not a requirement for securing the landing zones. Microsoft Defender for Cloud is a cloud-native security solution for protecting cloud workloads and is not directly related to securing the landing zones.
why not B. Microsoft Defender for Cloud?
While Microsoft Defender for Cloud is a good solution for securing workloads and resources in Azure, it is not the most appropriate solution for securing the landing zones in this scenario. Microsoft Defender for Cloud focuses on threat protection and security posture management, whereas the landing zones requirements in this case study focus more on network and infrastructure security.
Therefore, the best solution for securing the landing zones would be to route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription, which is option D. Azure DDoS Protection Standard is also a good option, as it helps protect against DDoS attacks by monitoring and absorbing the attack traffic.
From ChatGPT
Security in the Azure landing zone accelerator
Security is at the core of the Azure landing zone accelerator. As part of the implementation, many tools and controls are deployed to help organizations quickly achieve a security baseline.
For example, the following are included:
Tools:
- Microsoft Defender for Cloud, standard or free tier
- Microsoft Sentinel
- Azure DDoS Network Protection (optional)
- Azure Firewall
- Web Application Firewall (WAF)
- Privileged Identity Management (PIM)
As noted in the landing zone requirements, "Provide a secure score scoped to the landing zone", and with the business requirement being to keep costs down. With that in mind, being asked to secure the landing zone and meet business requirements, I feel B 'Defender for Cloud' is the best choice.
Community vote distribution: A (35%), C (25%), B (20%), Other