Technical Lab: Map requirements to features and capabilities of Azure Firewall

Questions

Question 1 — Multiple Choice

An organization needs to inspect and filter outbound HTTP and HTTPS traffic from its VMs to the internet based on fully qualified domain names (FQDNs), not IP addresses. The team is evaluating whether to use network rules or application rules in Azure Firewall.

Which statement correctly describes the distinction between these two rule types for this requirement?

  • A) Network rules support FQDN filtering as long as Azure Firewall DNS is configured; application rules are only needed for HTTPS traffic with TLS inspection.
  • B) Application rules were designed to filter HTTP and HTTPS traffic based on FQDNs, including wildcard support; network rules operate at layers 3 and 4 and match on destination IP, port and protocol rather than on the Host header or SNI of web traffic.
  • C) Application rules and network rules are equivalent for FQDN filtering in HTTP traffic; the difference is only in support for additional protocols like MSSQL and RDP.
  • D) Network rules support FQDN only for Microsoft Service Tags; for arbitrary FQDNs on the internet, only application rules are valid.

Question 2 — Technical Scenario

A team configures Azure Firewall to protect a hub-and-spoke architecture. VMs in the spokes need to access api.example.com on port 443. The administrator creates the following application rule:

Name:        Allow-API
Source type: IP Address
Source:      10.0.0.0/8
Protocol:    HTTPS:443
Target FQDN: api.example.com
Action:      Allow

After deployment, VMs cannot access the endpoint. The administrator confirms that UDR routes are correct and point to Azure Firewall. What is the most likely cause of the problem?

  • A) Application rules do not support CIDR with /8 prefix; the source field must contain an individual IP address or group of IPs.
  • B) Azure Firewall requires application rules for HTTPS with FQDN to have TLS inspection enabled; without it, HTTPS traffic is blocked by default.
  • C) The application rule was created, but Azure Firewall has an implicit deny rule for all unmatched traffic; since there's no network rule allowing DNS traffic from VMs to Azure Firewall to resolve the FQDN, resolution fails before the rule is evaluated.
  • D) The Target FQDN field in application rules only accepts wildcard FQDNs (*.example.com); exact FQDNs are ignored by the matching engine.

Question 3 — Multiple Choice

A company is evaluating the difference between Azure Firewall Standard and Azure Firewall Premium to decide which SKU meets their security requirements. The critical requirement is the ability to inspect the content of encrypted HTTPS sessions to detect malware and exploits in outbound traffic.

Which SKU meets this requirement and through which specific mechanism?

  • A) Azure Firewall Standard, through application rules with FQDN filtering, which inspect the SNI header of TLS sessions to identify malicious content.
  • B) Azure Firewall Premium, through the TLS inspection feature, which performs man-in-the-middle decryption of HTTPS traffic to enable payload analysis by the intrusion detection system.
  • C) Both SKUs support TLS inspection; the difference is in throughput capacity and number of simultaneously supported rules.
  • D) Azure Firewall Premium, through the IDPS feature operating in passive alert mode, which analyzes TLS session metadata without needing to decrypt traffic.

Question 4 — True or False

In Azure Firewall, network rules take precedence over application rules when both match the same traffic flow, regardless of the priority order configured in the rule collections.


Question 5 — Technical Scenario

An organization uses Azure Firewall to control access from internal VMs to Azure services. The requirement is to allow VMs to access Azure Storage and Azure Key Vault while blocking any other destinations. The administrator considers two approaches:

Approach 1: Create network rules with Storage and AzureKeyVault Service Tags as destinations.

Approach 2: Create application rules with specific FQDNs of Storage and Key Vault endpoints.

The security architect questions which approach offers more granular control. Which analysis is correct?

  • A) Both approaches are equivalent in granularity; the difference is only operational, as Service Tags are automatically updated by Microsoft while FQDNs require manual maintenance.
  • B) Approach 1 is more granular because Service Tags represent only the IPs of private service endpoints, while FQDNs include all public and private endpoints.
  • C) Approach 2 is more granular because it allows restricting access to specific storage accounts or key vaults through exact FQDNs, while Service Tags allow access to all resources of that service in the region or globally.
  • D) Approach 1 is more granular because Azure Firewall resolves Service Tags in real-time, applying policies per destination IP with greater precision than FQDN resolution, which can have TTL variation.

Answer Key and Explanations

Answer Key — Question 1

Answer: B

Application rules operate at layer 7 and were designed for HTTP and HTTPS traffic. They match the FQDN that the client itself presents, the HTTP Host header or the TLS Server Name Indication (SNI), and support wildcards (e.g., *.microsoft.com), so the policy does not have to track the IP addresses behind a name.

Network rules operate at layers 3 and 4 (source, destination IP, port, protocol). They can take an FQDN as a destination when the firewall's DNS proxy is enabled, but the firewall then resolves the name and filters on the resolved IP addresses; it never reads the Host header or SNI, so a name that resolves to shared IP space (a CDN or a multi-tenant PaaS front end) cannot be told apart from its neighbours. Option A is wrong because TLS inspection is not needed for application rules; the SNI is visible without decryption. Option C treats the two rule types as equivalent for web traffic, which they are not. Option D confuses Service Tags, which are Microsoft-maintained groups of IP prefixes, with FQDNs; network rules accept Service Tags as destinations and, with DNS proxy enabled, arbitrary FQDNs, so "only for Service Tags" is wrong on both counts.


Answer Key — Question 2

Answer: C

Azure Firewall evaluates an HTTPS application rule against the SNI in the client's TLS ClientHello, but the VM must resolve api.example.com before it can open that connection at all. With the spoke default route pointing at the firewall, a DNS query to a custom resolver (in another spoke or on-premises, for example) traverses the firewall like any other flow, and because unmatched traffic is implicitly denied it is dropped unless a network rule allows UDP/TCP port 53 to that resolver. The HTTPS connection is never attempted, so the application rule is never evaluated. The fix is a network rule for port 53 or, better, enabling DNS proxy on the firewall and pointing the VMs' DNS servers at the firewall's private IP, which also keeps the firewall's own name resolution consistent with the clients' and is required if FQDNs are later used in network rules.

Option A is wrong: the source field accepts IP addresses, CIDR ranges and IP Groups. Option B is wrong: TLS inspection is a Premium feature and is not required for HTTPS application rules; without it the firewall matches the FQDN from the SNI. Option D is wrong: exact FQDNs are fully supported alongside wildcards.


Answer Key — Question 3

Answer: B

Only Azure Firewall Premium offers TLS inspection, which works as an intercepting proxy: the firewall terminates the client's TLS session with a certificate issued on the fly from an intermediate CA that you provision in Azure Key Vault (and whose root the clients must trust), inspects the decrypted payload, and opens a new TLS session to the destination. That decrypted stream is what lets IDPS (Intrusion Detection and Prevention System), also Premium-only, run its signatures over the actual content of HTTPS traffic to detect malware and exploits.

Option A is wrong: reading the SNI identifies the destination domain, it does not inspect content. Option C is wrong: Standard does not support TLS inspection. Option D is right that IDPS is a Premium feature, but wrong that it can analyze HTTPS payloads without decryption; without TLS inspection, IDPS can inspect only unencrypted traffic.


Answer Key — Question 4

Answer: True

Azure Firewall decides by rule type before it looks at priority: DNAT rules are processed first, then network rules, then application rules, regardless of rule collection group or rule collection priority. Priority (numerically lower first) only orders collections of the same type, and the first matching rule is terminating. So a network rule collection with priority 60000 that allows TCP/443 to any destination is evaluated before an application rule collection with priority 100 that denies a specific FQDN, and that application rule is never consulted for the flow.

The security consequence is that a broad network rule for ports 80/443 silently disables FQDN filtering: once the network rule allows the flow, the firewall never examines the Host header or SNI. Outbound web access should be permitted only through application rules, network rules should be reserved for non-web protocols, and any network rule matching port 80 or 443 deserves attention in policy review.


Answer Key — Question 5

Answer: C

Approach 2 offers greater granularity because an FQDN identifies an individual resource. For example, myaccount.blob.core.windows.net admits traffic to that storage account only, while the Storage Service Tag admits any storage account on Microsoft's public address space, regional (Storage.WestEurope) or global depending on which tag is chosen, including accounts owned by other tenants. Service Tags therefore bound the service, not the data owner, which matters for exfiltration: an attacker on the VM can write to a storage account they control as easily as to yours. Application rules with exact FQDNs close that gap for HTTP/HTTPS traffic; for non-web protocols, Private Endpoints give the resource an IP in your own address space that a network rule can pin down.

Option A is wrong in equating the approaches in terms of granularity: the difference goes beyond operational maintenance. Option B reverses reality: Service Tags represent public service IP ranges, not private endpoints. Option D confuses resolution precision with control granularity; TTL variation is an operational consideration, not a policy granularity argument.
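The rule-evaluation behaviour that Questions 1, 2, 4 and 5 turn on can be checked against a small model. The Python below is an added example written for this page, not code from the lab or from Microsoft. It models the documented processing order (network rule collections before application rule collections regardless of priority, first match terminating, implicit deny for everything else) and the two matching styles (layer 3/4 with a Service Tag expanded to prefixes, versus an FQDN taken from the Host header or SNI). Every IP, prefix, FQDN and the Storage.WestEurope prefix table are constructed for the demo, and the wildcard matching is a simplification of the real engine.

```python
"""Toy model of Azure Firewall rule processing (added example, not Microsoft code): network
rule collections are evaluated before application rule collections regardless of priority,
the first match is terminating, unmatched traffic is implicitly denied. All values constructed."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

SERVICE_TAGS = {"Storage.WestEurope": ["20.60.0.0/16", "52.239.128.0/17"]}  # made-up prefixes

def ip_in(ip: str, prefixes: list[str]) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def fqdn_matches(host: str, target: str) -> bool:
    """Simplified wildcard semantics: '*.example.com' matches any name under example.com."""
    if target.startswith("*."):
        return host.lower().endswith(target[1:].lower())
    return host.lower() == target.lower()

@dataclass
class Flow:
    src: str
    dst_ip: str
    port: int
    proto: str                # "TCP" or "UDP"
    fqdn: str | None = None   # Host header / SNI seen by the firewall; None for non-web traffic

@dataclass
class NetworkRule:
    name: str
    sources: list[str]
    destinations: list[str]   # IP prefixes and/or Service Tag names
    protocols: list[str]
    ports: list[int]

    def matches(self, f: Flow) -> bool:
        dests = [p for d in self.destinations for p in SERVICE_TAGS.get(d, [d])]
        return (ip_in(f.src, self.sources) and f.proto in self.protocols
                and f.port in self.ports and ip_in(f.dst_ip, dests))

@dataclass
class ApplicationRule:
    name: str
    sources: list[str]
    target_fqdns: list[str]
    ports: list[int]          # 80 for Http, 443 for Https

    def matches(self, f: Flow) -> bool:
        if f.fqdn is None or f.proto != "TCP":   # no Host header / SNI: nothing to match on
            return False
        return (ip_in(f.src, self.sources) and f.port in self.ports
                and any(fqdn_matches(f.fqdn, t) for t in self.target_fqdns))

@dataclass
class RuleCollection:
    kind: str       # "network" or "application"
    priority: int   # lower number = evaluated earlier, but only within its kind
    action: str     # Allow/Deny belongs to the collection in Azure Firewall
    rules: list

def evaluate(policy: list[RuleCollection], flow: Flow) -> tuple[str, str]:
    """Return (action, rule name); ('Deny', 'implicit-deny') when nothing matches."""
    for kind in ("network", "application"):   # rule type is decided before priority
        for coll in sorted((c for c in policy if c.kind == kind), key=lambda c: c.priority):
            for rule in coll.rules:
                if rule.matches(flow):
                    return coll.action, rule.name   # terminating match
    return "Deny", "implicit-deny"

VM, SPOKES = "10.1.0.4", ["10.0.0.0/8"]
ALLOW_API = RuleCollection("application", 200, "Allow",
    [ApplicationRule("Allow-API", SPOKES, ["api.example.com", "*.cdn.example.com"], [443])])
ALLOW_DNS = RuleCollection("network", 100, "Allow",
    [NetworkRule("Allow-DNS", SPOKES, ["10.2.0.4/32"], ["UDP", "TCP"], [53])])
DENY_EVIL = RuleCollection("application", 100, "Deny",
    [ApplicationRule("Deny-Evil", SPOKES, ["evil.example.com"], [443])])
BROAD_443 = RuleCollection("network", 60000, "Allow",
    [NetworkRule("Allow-Any-443", SPOKES, ["0.0.0.0/0"], ["TCP"], [443])])
STORAGE_TAG = RuleCollection("network", 300, "Allow",
    [NetworkRule("Allow-Storage-Tag", SPOKES, ["Storage.WestEurope"], ["TCP"], [443])])
STORAGE_FQDN = RuleCollection("application", 300, "Allow",
    [ApplicationRule("Allow-MyAccount", SPOKES, ["myaccount.blob.core.windows.net"], [443])])

def https(dst_ip: str, sni: str) -> Flow:
    return Flow(VM, dst_ip, 443, "TCP", sni)

def scenarios() -> dict[str, tuple[str, str]]:
    return {
        # Q1/Q2: the application rule matches the SNI (exact or wildcard), not the destination IP
        "api via sni": evaluate([ALLOW_API], https("203.0.113.10", "api.example.com")),
        "wildcard": evaluate([ALLOW_API], https("203.0.113.11", "img.cdn.example.com")),
        # Q2: a VM's query to a custom resolver behind the firewall needs its own network rule
        "dns no rule": evaluate([ALLOW_API], Flow(VM, "10.2.0.4", 53, "UDP")),
        "dns with rule": evaluate([ALLOW_API, ALLOW_DNS], Flow(VM, "10.2.0.4", 53, "UDP")),
        # Q4: the priority-100 application Deny is never reached once the priority-60000 network rule allows TCP/443
        "shadowed deny": evaluate([DENY_EVIL, BROAD_443], https("198.51.100.7", "evil.example.com")),
        "deny without net rule": evaluate([DENY_EVIL], https("198.51.100.7", "evil.example.com")),
        # Q5: the Service Tag admits every account in the region; the exact FQDN admits one account
        "tag other account": evaluate([STORAGE_TAG], https("20.60.1.6", "otheraccount.blob.core.windows.net")),
        "fqdn other account": evaluate([STORAGE_FQDN], https("20.60.1.6", "otheraccount.blob.core.windows.net")),
        "fqdn my account": evaluate([STORAGE_FQDN], https("20.60.1.5", "myaccount.blob.core.windows.net")),
    }

if __name__ == "__main__":
    for name, (action, rule) in scenarios().items():
        print(f"{name:22} -> {action:5} ({rule})")
```

Running the script prints one line per scenario. The "shadowed deny" row is the Question 4 pitfall in miniature: the Deny collection has the better priority number, yet the flow is allowed by the network rule because rule type is evaluated first. The "tag other account" versus "fqdn other account" pair is the Question 5 argument: the tag-based network rule cannot tell one storage account from another inside the same prefix, while the FQDN rule can.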