Perimeter Security

Author: tuxerrante

docs/software-engineering/Azure/AZ104.md docs/software-engineering/Azure/AZ-104.mddocs/software-engineering/Azure/AZ104.md renamed to docs/software-engineering/Azure/AZ-104.md

@@ -627,8 +627,6 @@ Apps used
 
 **Key Principle**: *"Never trust, always verify."*
 
-### ✅ Key Features:
-
 * Access is granted **at access time** based on identity and policy evaluation.
 * Avoids reliance on network location (IP, subnet, etc.).
 * Strong identity verification, least privilege access, and micro-segmentation.
@@ -648,8 +646,6 @@ flowchart TD
 
 **Definition**: A lightweight computer that relies on a server to perform most processing tasks.
 
-### ✅ Characteristics:
-
 * Minimal or **no local data storage**.
 * All applications and processing occur **on the server**.
 * Enhances **security** and simplifies **desktop management**.
@@ -662,11 +658,12 @@ flowchart TD
 
 **Private IPs** allow resources within an Azure Virtual Network (VNet) to communicate securely without exposure to the internet.
 
-### ✅ Key Features:
-
 * **Non-routable** (RFC 1918 compliant).
 * Used for internal communication between VMs in the same or peered VNets.
 * **Allocated dynamically** or statically from the VNet’s address space.
+* IPs are associated with NICs via Azure Resource Manager (ARM) configurations, not manually or directly by the admin.
+For load balancers, IPs are assigned to frontend configurations, not directly to the NIC.
+
 
 **🔎 Tip**: Private IPs are the default addressing method inside Azure VNets. Public IPs are required only for external communication.
 
@@ -683,7 +680,7 @@ flowchart TD
 
 **Purpose**: Automatically mitigates distributed denial of service (DDoS) attacks.
 
-### ✅ How It Works:
+By examining network traffic patterns and looking for any irregularities that could point to a DDoS assault, Azure DDoS Protection Standard operates. To build a baseline of typical traffic behavior, it employs traffic profiling and machine learning techniques. A suspicious alert is raised for any traffic that deviates from this baseline.
 
 * Monitors network traffic to build a **baseline** of normal behavior.
 * Uses **machine learning** to detect **anomalies**.
@@ -718,18 +715,15 @@ graph LR
 To allow HTTP (port 80) and block SSH (port 22) to Marketing VMs:
 
 * Create an **Application Rule** to allow HTTP.
-* Create a **Network Rule** to **block SSH**.
+* SSH traffic is already denied by default rules.
 
-**🔎 Best Practice**: Use Application Rules for web-based FQDN filtering and Network Rules for lower-level IP filtering.
 
 ---
 
 ## 6. Azure Firewall Manager
 
 **Purpose**: Centralized management for Azure Firewall policies across regions/subscriptions.
 
-### ✅ Benefits:
-
 * Unified visibility and **policy enforcement**.
 * Consistency across **multiple firewalls**.
 * Integration with **Secure Virtual Hub** in Azure Virtual WAN.
@@ -742,8 +736,6 @@ To allow HTTP (port 80) and block SSH (port 22) to Marketing VMs:
 
 **Definition**: A private, dedicated connection between on-premises infrastructure and Azure.
 
-### ✅ Features:
-
 * **Bypasses the public internet** for secure, low-latency communications.
 * Supported via **IP VPN** (MPLS) or Ethernet connections.
 * Offers **layer 2 and layer 3 connectivity** options.
@@ -756,8 +748,6 @@ To allow HTTP (port 80) and block SSH (port 22) to Marketing VMs:
 
 **Azure VPN Gateway** allows encrypted communication over public networks.
 
-### ✅ Uses:
-
 * **Site-to-site VPNs** (on-prem to Azure).
 * **VNet-to-VNet VPNs** (intra-Azure region).
 * Supports **IKEv2 and IPsec** protocols.
@@ -776,8 +766,6 @@ graph TD
 
 **Definition**: A VM-based appliance offering advanced networking capabilities like IDS/IPS, WAF, or custom routing.
 
-### ✅ Use Case:
-
 * Performs **deep packet inspection**.
 * **Controls inbound and outbound** traffic.
 * Useful when built-in services like Azure Firewall don’t meet specific requirements.
@@ -790,8 +778,6 @@ graph TD
 
 **Forced Tunneling**: Routes **all** Azure VNet traffic destined for the internet through on-premises via a VPN connection.
 
-### ✅ Purpose:
-
 * Enforce **centralized security inspection**.
 * Ensure **logging and compliance**.
 * Directs outbound traffic via on-prem **proxy or firewall**.