1.3. The Security Boundary
Imagine a medieval castle: it doesn't rely on just the outer wall. There's the moat, then the wall, then the gatehouse, then the keep. If attackers breach one defense, they face another. Cloud security works the same way—and the exam tests whether you understand which defense belongs where.
💡 First Principle: Security in Azure follows defense in depth—multiple independent security controls that an attacker must bypass. Think of it like airport security: TSA screening, locked cockpit doors, air marshals. No single layer is perfect, so multiple layers provide resilience.
What breaks without defense in depth:
- A single misconfigured NSG rule exposes your database to the internet
- An insider threat bypasses all your perimeter controls
- A compromised VM becomes a launchpad for lateral movement
Consider this scenario: you've blocked inbound internet traffic with an NSG on the application subnet, but a developer deploys a VM with a public IP into a subnet that NSG doesn't cover, or attaches a permissive NIC-level NSG of their own. The subnet NSG did its job; it simply was never in the path. Without an independent control at another layer (an Azure Policy that denies public IP creation, or an Azure Firewall that all traffic must traverse), your security posture just collapsed. The exam expects you to design for these failure modes.
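The scenario above can be reproduced as a posture check. The following is an added example, not code from the original page: it models how Azure evaluates inbound traffic through the subnet NSG first and then the NIC NSG (a layer with no NSG imposes no restriction), runs that evaluation over a constructed inventory of four VMs, and then shows what an independent layer, a policy denying public IPs, would have caught regardless of NSG state. The VM names, NSG names, rules and addresses are all made up for illustration; a real check would pull the inventory from Azure Resource Graph rather than build it inline.

```python
"""Posture check for the 'VM with a public IP slipped past the subnet NSG' scenario.

Added example with a constructed inventory; not page code and not live Azure data.
Only Internet-sourced probes are modelled, so the default AllowVnetInBound and
AllowAzureLoadBalancerInBound rules are omitted and DenyAllInBound is the fallback.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    priority: int
    access: str       # "Allow" or "Deny"
    source: str       # service tag ("Internet", "VirtualNetwork", "*") or a CIDR
    dest_port: str    # "22", "*" or a range such as "1000-2000"


@dataclass
class Nsg:
    name: str
    rules: list[Rule] = field(default_factory=list)


@dataclass
class Nic:
    vm: str
    subnet_nsg: Optional[Nsg]   # NSG associated with the subnet, if any
    nic_nsg: Optional[Nsg]      # NSG associated with the NIC itself, if any
    public_ip: Optional[str]    # public IP attached to the NIC, if any


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def _source_matches(rule_source: str, src_ip: str) -> bool:
    src = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        return not src.is_private      # the Internet tag covers public address space
    if rule_source == "VirtualNetwork":
        return src.is_private          # simplification: treat private space as the VNet
    return src in ip_network(rule_source, strict=False)


def nsg_allows_inbound(nsg: Nsg, src_ip: str, port: int) -> bool:
    """Lowest priority number wins; anything unmatched hits the default DenyAllInBound."""
    for rule in sorted(nsg.rules, key=lambda r: r.priority):
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, port):
            return rule.access == "Allow"
    return False


def effective_inbound_allowed(nic: Nic, src_ip: str, port: int) -> bool:
    """Inbound traffic must pass the subnet NSG and then the NIC NSG.
    A layer with no NSG attached imposes no restriction at all."""
    for nsg in (nic.subnet_nsg, nic.nic_nsg):
        if nsg is not None and not nsg_allows_inbound(nsg, src_ip, port):
            return False
    return True


def internet_exposed(nic: Nic, port: int, probe_ip: str = "1.2.3.4") -> bool:
    """Reachable from the Internet only with a public IP *and* no NSG layer blocking the port."""
    return nic.public_ip is not None and effective_inbound_allowed(nic, probe_ip, port)


def find_exposed(nics: list[Nic], ports=(22, 3389)) -> list[tuple[str, int]]:
    return sorted((n.vm, p) for n in nics for p in ports if internet_exposed(n, p))


def public_ip_violations(nics: list[Nic]) -> list[str]:
    """The independent layer: what a policy denying public IPs would have stopped outright."""
    return sorted(n.vm for n in nics if n.public_ip is not None)


def build_inventory() -> list[Nic]:
    # Constructed sample. app-subnet-nsg is the 'blocked internet at the NSG level' control.
    app_subnet = Nsg("app-subnet-nsg", [Rule(100, "Deny", "Internet", "*")])
    dev_nic = Nsg("dev-nic-nsg", [Rule(100, "Allow", "*", "22")])
    jump_nic = Nsg("jump-nic-nsg", [Rule(100, "Allow", "*", "3389")])
    return [
        Nic("vm-app", subnet_nsg=app_subnet, nic_nsg=None, public_ip=None),             # as designed
        Nic("vm-dev", subnet_nsg=None, nic_nsg=dev_nic, public_ip="20.0.0.5"),          # subnet has no NSG
        Nic("vm-jump", subnet_nsg=app_subnet, nic_nsg=jump_nic, public_ip="20.0.0.6"),  # subnet layer still blocks
        Nic("vm-nonsg", subnet_nsg=None, nic_nsg=None, public_ip="20.0.0.7"),          # no NSG anywhere
    ]


if __name__ == "__main__":
    inventory = build_inventory()
    print("Internet-exposed management ports:", find_exposed(inventory))
    print("Caught by a deny-public-IP policy:", public_ip_violations(inventory))
```

Running it shows the two layers disagreeing in exactly the way the scenario describes: the NSG evaluation flags only vm-dev (port 22) and vm-nonsg (both ports), while vm-jump is safe purely because the subnet NSG happened to cover it. The policy layer flags all three VMs with a public IP, including vm-jump, which is the point of making the second control independent of the first.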