3.5. Reflection Checkpoint: Networking Security Mastery

You have now explored the network security controls available in Azure. These controls work together to implement defense-in-depth.

Scenario Synthesis: An organization needs:

• All outbound traffic from spoke VNets to flow through a central firewall
• Web applications protected from OWASP vulnerabilities
• Private access to storage accounts without public internet exposure
• High-bandwidth encrypted connectivity (50 Gbps) to on-premises

Reflection Question: How would you configure UDRs, Azure Firewall, WAF, Private Endpoints, and ExpressRoute Direct with MACSec to meet these requirements?

Self-Assessment Prompts:

• Can you explain the difference between service endpoints and private endpoints?
• Do you know how to configure UDRs to force traffic through Azure Firewall?
• Can you identify when to use Front Door vs. Application Gateway?
• Do you understand why ExpressRoute Direct with MACSec is needed for high-bandwidth encryption?
• Can you calculate the number of service endpoints needed for a given scenario?