Microsoft Azure Security Technologies (AZ-500)


Study for the Microsoft Azure Security Technologies (AZ-500) exam. Prepare with well-structured questions and detailed explanations. Enhance your understanding and improve your readiness for the certification exam!



What feature can be used to enforce network security policies in Azure?

  1. Network Security Groups (NSGs)

  2. Azure Firewall

  3. Azure VPN Gateway

  4. Azure DDoS Protection

The correct answer is: Network Security Groups (NSGs)

Network Security Groups (NSGs) are specifically designed to enforce network security policies in Azure. NSGs allow you to create rules that control inbound and outbound traffic to resources in your Azure environment. By defining these rules, you can specify which types of traffic are permitted or denied based on source and destination IP addresses, ports, and protocols. When you apply an NSG to a network interface card (NIC), subnet, or virtual machine, you effectively govern the flow of traffic to and from those resources. This granular control is essential for maintaining security posture, reducing the attack surface, and ensuring compliance with organizational security policies.

Other options, while they play important roles in the overall security and network management within Azure, serve different specific functions. For example, Azure Firewall is a managed, stateful network security service that provides additional features like intrusion detection, application filtering, and threat intelligence capabilities. However, it is not the mechanism specifically used to enforce basic network security policies at the level of NSGs.

Azure VPN Gateway is focused on establishing secure connections between Azure and on-premises networks or between Azure virtual networks. It does not define security policies directly related to network traffic management.

Azure DDoS Protection provides defense against distributed denial-of-service (DDoS)