Azure Virtual Networks (VNets) and Network Security Groups (NSGs) together handle the networking side of Azure, Microsoft's cloud platform. NSGs act like firewalls: they allow or deny traffic based on rules applied to a subnet or to a specific IP address. VNets, on the other hand, group resources into blocks of cloud application services that can be interconnected.
Azure Virtual Networks (VNets)
Azure VNets are the grouping construct in Azure used to segment parts of your network and assign IP address ranges. A VNet can be peered with other VNets or connected to an on-premises network through a VPN. It is the fundamental building block of Azure networking and supports private, secure, and public networks. VNets are further segmented into subnets, each with its own IP address assignment.
Hybrid connectivity lets a VPN or an ExpressRoute circuit connect on-premises data centers to a VNet. VNet peering connects networks to one another and scales to complex topologies. Azure Virtual Network Manager can be used to oversee networks at scale across subscriptions. VNets are distinct from subnets and are more like VLANs in traditional computer networking.
Azure Network Security Groups (NSGs)
Network Security Groups filter traffic within a VNet, allowing or denying a specific IP address or a group of IP addresses. They can work alongside route tables for functions such as flow control. NSG rules can also allow or deny specific ports and protocols, in addition to subnets and specific IP addresses.
Because NSGs have some of the capabilities of a layer 3 and layer 4 firewall, they can be attached to either subnets or Network Interface Cards (NICs) in Azure. Attaching them to subnets is closer to best practice and keeps management simpler. An NSG attached to a subnet applies, by inheritance, to every resource in that subnet.
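As an added example that is not from the original post, the Python below models how NSG rules are evaluated: rules are processed in priority order, the first match wins, the built-in default rules sit at priorities 65000 and above, and inbound traffic must be permitted by both the subnet NSG and the NIC NSG when both are present. The rule sets, the addresses and the 10.0.0.0/16 stand-in for the VirtualNetwork service tag are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:  # one NSG security rule; the lower priority number is evaluated first
    name: str
    priority: int
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR prefix or "*"
    dest_ports: tuple  # e.g. ("22",), ("80-443",), ("*",)

# Default inbound rules sit at 65000-65500, below any custom rule (100-4096).
# 10.0.0.0/16 is a constructed VNet prefix standing in for the VirtualNetwork tag.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "10.0.0.0/16", ("*",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", ("*",)),
)
# Constructed custom rules. The weak set still exposes SSH to the internet: its
# Allow at priority 100 matches before the Deny at 200, so the Deny never fires.
WEAK_NSG = DEFAULT_INBOUND + (
    Rule("AllowSSHAny", 100, "Inbound", "Allow", "Tcp", "*", ("22",)),
    Rule("DenyInternetSSH", 200, "Inbound", "Deny", "Tcp", "*", ("22",)),
)
HARDENED_NSG = DEFAULT_INBOUND + (
    Rule("AllowSSHFromMgmt", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", ("22",)),
)

def _port_matches(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda x: x.priority):
        if (r.direction == direction
                and (r.protocol == "*" or r.protocol.lower() == protocol.lower())
                and (r.source == "*" or ip_address(src_ip) in ip_network(r.source))
                and any(_port_matches(p, dst_port) for p in r.dest_ports)):
            return r.access, r.name
    return "Deny", "implicit"  # only reached if the default rules were stripped

def allowed_inbound(subnet_nsg, nic_nsg, protocol, src_ip, dst_port):
    """Inbound traffic must pass the subnet NSG first and then the NIC NSG, if both exist."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg and evaluate(nsg, "Inbound", protocol, src_ip, dst_port)[0] == "Deny":
            return False
    return True
```

The takeaway for review work is that a Deny rule is only effective if its priority number is lower than every Allow that could match the same traffic.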
Conclusion
Understanding more about VNets and NSGs will help you know more about the security side of Azure. For me this understanding is an extension of the SC-900, which I hold, and delves into the networking side of Azure covered by the AZ-700 training materials. In order to truly understand something, you need to learn it and then teach the material to someone else.
Network Automation
Network automation is part of the CCNA v1.1 exam and makes up 10% of it. The topic covers AI and machine learning, Ansible and Terraform, REST APIs and APIs in general, and JSON. Automation replaces manual processes to improve speed and efficiency and to reduce human error. It means using software to configure and manage the network infrastructure. It can operate on both physical and virtual devices and also helps with testing the infrastructure.
Artificial Intelligence and Machine Learning
This topic covers the differences between generative AI, agentic AI, and machine learning. Generative AI creates something new, such as new data or images. Agentic AI takes autonomous actions to achieve a goal. There is also predictive AI, which can predict variances from network baselines over time or forecast future trends.
Machine learning is used mainly for pattern detection and learning from data. It can analyze data flows to detect anomalies and variance from a network baseline. Generative AI can help with writing scripts or generating CLI commands for a given task. Agentic AI can remediate issues on network devices itself, for example by isolating a system that is under attack.
Ansible and Terraform
Ansible and Terraform each fill a different role in network automation. Terraform is infrastructure as code and describes a desired end state. Terraform is better at provisioning infrastructure and setting up containers, whereas Ansible is more for configuring network devices or servers. Terraform uses HashiCorp Configuration Language (HCL) and Ansible mainly uses YAML for its configurations.
APIs, REST APIs, and JSON
APIs allow the software of one application to work with the software of another. REST is an architectural style for talking to an API in a structured way over HTTP. JSON is the data format commonly used to carry data to and from a REST API.
Conclusion
I hold the current CCNA v1.1 exam, which I passed in December 2024. This exam covers Network Automation, AI/ML, Ansible and Terraform, REST APIs, APIs, and JSON. This information can help on the exam, which in my opinion was one of the exams that took longer to complete in the time available. There are more technologies associated with network automation, such as Python, NAPALM and NETCONF APIs.
Network automation can enhance network security, improve compliance, increase visibility and speed up troubleshooting. It also makes it possible to automate VLAN changes, configuration backups and even software updates. Network automation lowers operational costs and provides faster provisioning of network services.
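As an added example that is not from the original post or any vendor tool, the Python below ties the desired-end-state idea behind Terraform to the automated VLAN changes mentioned above: intent and current device state both arrive as JSON, the plan is the difference between them, and re-running the plan on an already converged switch produces no commands. The VLAN data, the protected VLAN set and the simple IOS-style command syntax are constructed.

```python
import json

# Constructed desired state (the intent a Terraform or Ansible run would carry) and
# a constructed "show vlan" result already returned as JSON by the device API.
DESIRED_JSON = json.dumps({"vlans": [
    {"id": 10, "name": "USERS"}, {"id": 20, "name": "VOICE"}, {"id": 30, "name": "IOT"}]})
CURRENT_JSON = json.dumps({"vlans": [
    {"id": 10, "name": "USERS"}, {"id": 20, "name": "PHONES"}, {"id": 99, "name": "OLD-GUEST"}]})

PROTECTED = {1, 1002, 1003, 1004, 1005}  # default VLANs that a switch will not delete

def plan(desired_json, current_json):
    """Diff desired against current VLANs and return the IOS-style commands that
    reconcile them. A converged switch yields an empty plan (idempotent)."""
    desired = {v["id"]: v["name"] for v in json.loads(desired_json)["vlans"]}
    current = {v["id"]: v["name"] for v in json.loads(current_json)["vlans"]}
    commands = []
    for vid, name in sorted(desired.items()):
        if current.get(vid) != name:           # VLAN missing or misnamed
            commands += [f"vlan {vid}", f" name {name}"]
    for vid in sorted(set(current) - set(desired)):
        if vid not in PROTECTED:               # prune what intent no longer declares
            commands.append(f"no vlan {vid}")
    return commands

def apply(current_json, commands):
    """Simulate the switch accepting the commands; returns the new state as JSON."""
    vlans = {v["id"]: v["name"] for v in json.loads(current_json)["vlans"]}
    vid = None
    for cmd in commands:
        if cmd.startswith("no vlan "):
            vlans.pop(int(cmd.split()[2]), None)
        elif cmd.startswith("vlan "):
            vid = int(cmd.split()[1])
            vlans.setdefault(vid, f"VLAN{vid:04d}")  # the switch's default name
        elif cmd.startswith(" name ") and vid is not None:
            vlans[vid] = cmd.split(None, 1)[1]
    return json.dumps({"vlans": [{"id": i, "name": n} for i, n in sorted(vlans.items())]})
```

Because the plan is computed rather than typed, the same intent file applied to fifty switches produces exactly the change each one needs and nothing more, which is where the reduction in human error comes from.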
Zero Trust
Zero trust means that a device or user is no longer trusted just because it is on the network. It is built on three main concepts: verify explicitly, least privilege, and assume breach. There are also six foundational pillars: Identity, Endpoints, Application, Data, Infrastructure and Networks. The zero-trust model is a foundational security strategy that replaces perimeter-based security with a model in which users are no longer trusted by the network.
Zero Trust Concepts
These concepts combine into a zero-trust matrix in which the user or device must be verified explicitly, meaning the user re-authenticates as needed to maintain security. Applying least privilege gives the user only the permissions needed for their job role. Assume breach means operating on the assumption that an attacker has already established a foothold in the network.
Verifying explicitly means using user identity, location signals and device health to decide whether a user should be authenticated. Using least privilege, you can limit a user to just-enough-access and add risk-based policies to minimize the impact of a compromise. For assume breach, you design security policies with the mindset that attackers are already inside, for example by encrypting data or using analytics to detect threats.
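As an added example that is not part of the original post, this Python policy function turns the three concepts into a single access decision: every request re-checks identity strength, session age, device health and location (verify explicitly), nothing is permitted unless a role grants that exact action on that exact resource (least privilege), and an elevated risk score from analytics can still block an otherwise valid session (assume breach). The roles, country list, thresholds and field names are constructed assumptions, not any product's schema.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset        # roles assigned to the identity
    mfa_passed: bool        # identity signal
    device_compliant: bool  # endpoint health signal
    country: str            # location signal
    session_age_s: int      # seconds since the last explicit verification
    risk_score: int         # 0-100, from sign-in analytics (assume breach)
    resource: str
    action: str

# Constructed policy data (assumptions, not from any product): least privilege
# means each role may perform only the listed (resource, action) pairs.
PERMISSIONS = {
    "helpdesk": {("user-directory", "read")},
    "netops": {("switch-config", "read"), ("switch-config", "write")},
}
ALLOWED_COUNTRIES = {"US", "CA"}
MAX_SESSION_S = 8 * 3600   # re-verify after this, even for a trusted user
RISK_DENY = 70             # analytics risk at which writes are refused outright

def decide(req):
    """Return (decision, reason); decision is "allow", "deny" or "step-up"."""
    # Verify explicitly: every signal is checked on every request, not once at login.
    if not req.mfa_passed or req.session_age_s > MAX_SESSION_S:
        return "step-up", "re-authenticate with MFA"
    if not req.device_compliant:
        return "deny", "endpoint not compliant"
    if req.country not in ALLOWED_COUNTRIES:
        return "deny", "unexpected location"
    # Least privilege: nothing is permitted unless a role grants exactly this pair.
    granted = set().union(*(PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in granted:
        return "deny", "no permission for this action"
    # Assume breach: a healthy, authorized session can still be the attacker's.
    if req.risk_score >= RISK_DENY:
        return ("deny" if req.action == "write" else "step-up"), "elevated risk"
    return "allow", "all signals satisfied"
```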
Foundational Pillars
Microsoft's Zero Trust implementation categorizes six foundational pillars. For Identity, there should be strong authentication of users, devices and services. Endpoints should comply with health metrics before gaining access. For Application, manage shadow IT and any unauthorized applications.
Data is brought under zero trust by classifying, labeling and encrypting it so that it is protected wherever it lives. Infrastructure should be monitored to detect anomalies and flag suspicious activity on servers or VMs. For Networks, segmentation and micro-segmentation provide an additional layer of security.
Conclusion
Zero trust is often paired with defense in depth, where there are controls at different levels and an attacker would need to peel the onion layer by layer to breach a network. The foundational pillars of zero trust build on the three core concepts and give more insight into the defense in depth strategy.
I currently hold the SC-900 and the CCST Cybersecurity exams and can relate my knowledge to the concept of Zero Trust. If you are studying for either of these two exams, remember to look at the exam topics. Also run through the topics to see where you are weaker and study those more. It is wise to set up a study plan and attack each exam with consistent study sessions.
Network Security Concepts
Network Security is essentially the intersection of computer networking and cybersecurity. This field is one of the eight main CISSP domains and is something that I want to pursue. Some of the network security concepts include the CIA Triad, Defense in Depth, Firewalls, Encryption, Decryption, Network Segmentation, VPNs, and IDS/IPS devices.
CIA Triad
The CIA Triad is Confidentiality, Integrity, and Availability. These, along with Authentication, Authorization and Non-repudiation, are the main components of the CIA Triad. Confidentiality uses encryption to keep data protected. Integrity ensures that data is unaltered and accurate while it is in use. Availability means keeping data available to the people who are authorized to use it.
Defense in Depth
Defense in Depth is the concept that every component should be protected and treated as another layer of security, so that an unauthorized user who gets past one layer still does not have access to other systems protected by further security measures. These layers can be physical, administrative or technical controls that prevent access to essential data or systems.
Network Security Devices
Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems are network security devices that help protect a network. Firewalls are essentially perimeter security devices that inspect, filter or control traffic in either direction, into or out of a network.
An Intrusion Detection System is a network security device that sits out of line with the traffic; it detects attempts to breach the network and raises alerts. An Intrusion Prevention System is inline and can detect, alert on, and prevent attacks using automated responses. Firewalls, IDSs, and IPSs can be used together for a more secure network perimeter.
Other Concepts
VPNs provide encryption and decryption of data between different sites or from remote users into an HQ, and combined with Network Segmentation they form some of the Defense in Depth controls. Network Segmentation is mainly used for VLAN security in a LAN environment; there are also VXLANs that can separate client networks in a cloud environment.
Conclusion
These Network Security Concepts are often used to justify network security measures. Defense in Depth controls add protections that sit at the core of enterprise security measures. Network Segmentation can also happen in a data center, with VXLANs providing virtual segmentation over an underlay network made up of the physical switches and routers.
Network Security is the main field that I want to go into, and I already have the Cisco CCST Cybersecurity and the SC-900 from Microsoft. These two complement each other nicely, and I will be pursuing the ISC2 Certified in Cybersecurity, as those three certifications will replace the need for me to get a CompTIA Security+ certification.