Commit 6f9ca87

Merge pull request #49416 from ceperezb/CEPEREZB-sc100-design-solutions-network-security
Ceperezb sc100 design solutions network security
2 parents 9c1bd2b + 46c8b31 commit 6f9ca87

11 files changed (+79, -27 lines)

learn-pr/wwl-sci/design-solutions-network-security/4-design-solutions-network-posture-management.yml

Lines changed: 2 additions & 2 deletions
@@ -4,10 +4,10 @@ title: Design solutions for network posture management
44
metadata:
55
title: Design solutions for network posture management
66
description: "SC-100 preparatory module on: design solutions for network posture management."
7-
ms.date: 09/26/2024
7+
ms.date: 03/06/2025
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 5
11+
durationInMinutes: 7
1212
content: |
1313
[!include[](includes/4-design-solutions-network-posture-management.md)]

learn-pr/wwl-sci/design-solutions-network-security/8-knowledge-check.yml

Lines changed: 7 additions & 10 deletions
@@ -68,17 +68,14 @@ quiz:
6868
- content: "Traffic inspection is used to segregate public-facing services from private ones to reduce attack surfaces."
6969
isCorrect: false
7070
explanation: "Segregating public-facing services from private ones is an important security consideration, but it is not the primary purpose of traffic inspection."
71-
- content: "What are some benefits of using Microsoft Defender for DNS in Azure?"
71+
- content: What does the interactive network map in Microsoft Defender for Cloud provide?
7272
choices:
73-
- content: "Defender for DNS detects and blocks all types of malicious web traffic."
74-
isCorrect: false
75-
explanation: "While Defender for DNS can block many types of malicious web traffic, it is not foolproof and should be used in conjunction with other security measures."
76-
- content: "Defender for DNS uses machine learning algorithms to detect threat patterns in real-time."
73+
- content: It provides a graphical view with security overlays giving recommendations and insights for hardening network resources.
7774
isCorrect: true
78-
explanation: "Defender for DNS uses advanced analytics and machine learning algorithms to identify and stop malicious traffic in real-time."
79-
- content: "Defender for DNS increases the speed of DNS resolution through the use of caching."
75+
explanation: Correct. The interactive network map provides a graphical view with security overlays, showing the network topology of Azure workloads, connections between virtual machines and subnets, and recommendations for specific resources.
76+
- content: It provides a list of all the users connected to the network.
8077
isCorrect: false
81-
explanation: "While Defender for DNS may provide advantages over traditional DNS service, it does not directly impact the speed of DNS resolution."
82-
- content: "Defender for DNS provides automatic updates of DNS records to minimize misconfigurations."
78+
explanation: Incorrect. The network map does not provide a list of users, but rather a graphical view with security overlays giving recommendations and insights for hardening network resources.
79+
- content: It provides a real-time traffic analysis of the network.
8380
isCorrect: false
84-
explanation: "While it may provide some benefits in terms of management and automation, Defender for DNS does not directly impact DNS record configuration."
81+
explanation: Incorrect. While the network map does provide a view of possible traffic between resources, it does not provide real-time traffic analysis.
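Review bot: the new question, its choices and its explanations are written as unquoted YAML scalars, while the surviving entries in this file (the "Traffic inspection is used to segregate..." choice and its explanation just above) keep the double-quoted style; quote the new strings the same way so the quiz block stays uniform and so a later edit that introduces ": " or a leading special character does not break parsing. The new explanations also open with "Correct." / "Incorrect.", which the existing explanations do not; pick one convention for the whole file.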

learn-pr/wwl-sci/design-solutions-network-security/includes/1-introduction.md

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
This module provides an overview of some of the technical considerations and available capabilities to design solutions for network security as a Microsoft cybersecurity architect.
22

3-
Imagine you're a cybersecurity architect for a multinational corporation. Your company decided to migrate its infrastructure to Azure. You're tasked with ensuring the security and efficiency of the network architecture. Securing network infrastructure involves understanding and implementing Azure's segmentation features, setting up network security groups, utilizing Microsoft Defender for Domain Name Services (DNS), analyzing network traffic, and managing internet and private access. The challenge lies in choosing the right tools and strategies to ensure optimal network performance and security.
3+
Imagine you're a cybersecurity architect for a multinational corporation. Your company decided to migrate its infrastructure to Azure. You're tasked with ensuring the security and efficiency of the network architecture. Securing network infrastructure involves understanding and implementing Azure's segmentation features, setting up network security groups, utilizing the network map functionality in Microsoft Defender for Cloud, analyzing network traffic, and managing internet and private access. The challenge lies in choosing the right tools and strategies to ensure optimal network performance and security.
44

55
## Learning objectives
66

learn-pr/wwl-sci/design-solutions-network-security/includes/4-design-solutions-network-posture-management.md

Lines changed: 62 additions & 9 deletions
@@ -1,14 +1,67 @@
1-
Microsoft Defender for DNS provides an additional layer of protection for resources that use Azure DNS's [Azure-provided name resolution](/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#azure-provided-name-resolution) capability.
1+
Microsoft Defender for Cloud continuously analyzes the security state of your Azure resources for network security best practices. When Defender for Cloud identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls to harden and protect your resources.
22

3-
From within Azure DNS, Defender for DNS monitors the queries from these resources and detects suspicious activities without the need for any additional agents on your resources.
3+
The Networking features of Defender for Cloud include:
44

5-
## What are the benefits of Microsoft Defender for DNS?
5+
- Networking security recommendations
6+
- Network map requires Microsoft Defender for Servers Plan 2.
67

7-
Microsoft Defender for DNS detects suspicious and anomalous activities such as:
8+
### View your networking resources and their recommendations
89

9-
- **Data exfiltration** from your Azure resources using DNS tunneling
10-
- **Malware** communicating with command and control servers
11-
- **DNS attacks** - communication with malicious DNS resolvers
12-
- **Communication with domains used for malicious activities** such as phishing and crypto mining
10+
The asset inventory page of Microsoft Defender for Cloud shows the security posture of the resources you connected to Defender for Cloud. Defender for Cloud periodically analyzes the security state of resources connected to your subscriptions to identify potential security issues and provides you with active recommendations. Active recommendations are recommendations that can be resolved to improve your security posture.
11+
12+
Defender for Cloud periodically analyzes the security state of resources connected to it. When resources have active security recommendations or security alerts associated with it, they appear in the inventory.
13+
14+
The Inventory page provides information about:
15+
16+
- Connected resources. Quickly see which resources are connected to Defender for Cloud.
17+
- Overall security state: Get a clear summary about the security state of connected Azure, AWS, and GCP resources, including the total resources connected to Defender for Cloud, resources by environment, and a count of unhealthy resources.
18+
- Recommendations, alerts: Drill down into the state of specific resources to see active security recommendations and security alerts for a resource.
19+
- Risk prioritization: Risk-based recommendations assign risk levels to recommendations, based on factors such as data sensitivity, internet exposure, lateral movement potential, and potential attack paths.
20+
- Risk prioritization is available when the Defender CSPM plan is enabled.
21+
- Software. You can review resources by installed applications. To take advantage of the software inventory, either the Defender Cloud Security Posture Management (CSPM) plan, or a Defender for Servers plan must be enabled.
22+
23+
The Inventory uses Azure Resource Graph (ARG) to query and retrieve data at scale. For deep custom insights, you can use KQL to query the inventory.
24+
25+
From the asset inventory page, use the resource type filter to select the networking resources that you want to investigate, across a multicloud environment (Azure, AWS, GCP).
26+
27+
# [Network filters](#tab/network-filters)
28+
:::image type="content" source="../media/network-filters-inventory-v2.png" lightbox="../media/network-filters-inventory-v2.png" alt-text="Screen shot of the filter option in the inventory feature in Microsoft Defender for Cloud.":::
29+
30+
# [Health and recommendations](#tab/health-recommendations)
31+
:::image type="content" source="../media/network-recommendation-resource-health.png" lightbox="../media/network-recommendation-resource-health.png" alt-text="Screen shot of the network recommendations for a selected network resource.":::
32+
33+
---
34+
35+
The recommendations that appear in your environment are based on the resources that you're protecting and on your customized configuration.
36+
37+
For a complete list of the all the network security recommendations you might in Microsoft Defender for Cloud, see [Networking security recommendations](/azure/defender-for-cloud/recommendations-reference-networking)
38+
39+
### Network Map
40+
41+
The interactive network map provides a graphical view with security overlays giving you recommendations and insights for hardening your network resources. Using the map you can see the network topology of your Azure workloads, connections between your virtual machines and subnets, and the capability to drill down from the map into specific resources and the recommendations for those resources.
42+
43+
The network map can show you your Azure resources in a Topology view and a Traffic view.
44+
45+
#### The topology view
46+
In the Topology view of the networking map, you can view the following insights about your networking resources:
47+
48+
- In the inner circle, you can see all the VNets within your selected subscriptions, the next circle is all the subnets, the outer circle is all the virtual machines.
49+
- The lines connecting the resources in the map let you know which resources are associated with each other, and how your Azure network is structured.
50+
- Use the severity indicators to quickly get an overview of which resources have open recommendations from Defender for Cloud.
51+
- You can select any of the resources to drill down into them and view the details of that resource and its recommendations directly, and in the context of the Network map.
52+
- If there are too many resources being displayed on the map, Microsoft Defender for Cloud uses its proprietary algorithm to 'smart cluster' your resources, highlighting the ones that are in the most critical state, and have the most high severity recommendations.
53+
54+
:::image type="content" source="../media/network-map-and-recommendation.png" lightbox="../media/network-map-and-recommendation.png" alt-text="Screen shot of the network map and a side panel showing recommendations for a selected node.":::
55+
56+
Because the map is interactive and dynamic, every node is clickable, and the view can change based on the filters. You can modify what you see on the network map by using the filters at the top. You can focus the map based on:
57+
58+
- Security health: You can filter the map based on Severity (High, Medium, Low) of your Azure resources.
59+
- Recommendations: You can select which resources are displayed based on which recommendations are active on those resources. For example, you can view only resources for which Defender for Cloud recommends you enable Network Security Groups.
60+
- Network zones: By default, the map displays only Internet facing resources, you can select internal VMs as well.
61+
62+
#### The Traffic view
63+
64+
The Traffic view provides you with a map of all the possible traffic between your resources. This provides you with a visual map of all the rules you configured that define which resources can communicate with whom. This enables you to see the existing configuration of the network security groups and quickly identify possible risky configurations within your workloads.
65+
66+
The strength of this view is in its ability to show you allowed connections together with the vulnerabilities that exist, so you can use this cross-section of data to perform the necessary hardening on your resources. For example, you might detect two machines that you weren’t aware could communicate, enabling you to better isolate the workloads and subnets.
1367

14-
A full list of the alerts provided by Microsoft Defender for DNS is on the [alerts reference page](/azure/defender-for-cloud/alerts-reference#alerts-dns).
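Review bot: the "Networking features of Defender for Cloud include" list is malformed: its second bullet, "- Network map requires Microsoft Defender for Servers Plan 2.", states a licensing prerequisite where a feature name is expected, and should read "- Network map (requires Microsoft Defender for Servers Plan 2)". Further down, "For a complete list of the all the network security recommendations you might in Microsoft Defender for Cloud, see ..." has a doubled article, a missing verb ("you might see") and no closing period; "When resources have active security recommendations or security alerts associated with it" should be "with them"; the sentence "Defender for Cloud periodically analyzes the security state of resources connected to it" repeats the preceding paragraph almost verbatim and can be dropped; and "- Risk prioritization is available when the Defender CSPM plan is enabled." belongs as an indented sub-bullet of the Risk prioritization item rather than a top-level one. Minor: heading case is mixed ("### Network Map" vs "#### The topology view" and "#### The Traffic view"), the inventory bullets alternate between a period and a colon after the label, and the alt texts use "Screen shot" where "Screenshot" is the usual form.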

learn-pr/wwl-sci/design-solutions-network-security/includes/9-summary.md

Lines changed: 6 additions & 4 deletions
@@ -1,6 +1,6 @@
1-
In this module, you have learned about the various features Azure offers for network security segmentation, including Subscriptions, Virtual Networks (VNets), Network Security Groups (NSGs), Application Security Groups (ASGs), and Azure Firewall. You've also explored the three common patterns for segmenting a workload in Azure: Single VNet, Multiple VNets with peering, and Multiple VNets in a hub and spoke model. Additionally, you've delved into the functionalities of Azure network security groups and Microsoft Defender for DNS, both crucial for maintaining network security.
1+
In this module, you have learned about the various features Azure offers for network security segmentation, including Subscriptions, Virtual Networks (VNets), Network Security Groups (NSGs), Application Security Groups (ASGs), and Azure Firewall. You've also explored the three common patterns for segmenting a workload in Azure: Single VNet, Multiple VNets with peering, and Multiple VNets in a hub and spoke model. Additionally, you've delved into the functionalities of Azure network security groups and network map both crucial for maintaining network security.
22

3-
The main takeaways from this module include understanding how to use Azure's segmentation features to secure your network and resources. You've learned how to choose the appropriate segmentation pattern based on your operational needs. You've also gained knowledge on how to use Azure network security groups to filter network traffic and how Microsoft Defender for DNS adds an extra layer of protection to your resources. Furthermore, you've learnt about the importance of capturing and analyzing network traffic in real-time using Azure VPN Gateway and Azure Network Watcher. Lastly, you've understood how Microsoft Entra Internet Access and Microsoft Entra Private Access can enhance your organization's internet security and manage access to private apps and resources respectively.
3+
The main takeaways from this module include understanding how to use Azure's segmentation features to secure your network and resources. You've learned how to choose the appropriate segmentation pattern based on your operational needs. You've also gained knowledge on how to use Azure network security groups to filter network traffic and how network map in Defender for Cloud helps protect your network resources. Furthermore, you've learnt about the importance of capturing and analyzing network traffic in real-time using Azure VPN Gateway and Azure Network Watcher. Lastly, you've understood how Microsoft Entra Internet Access and Microsoft Entra Private Access can enhance your organization's internet security and manage access to private apps and resources respectively.
44

55
## Learning objectives
66

@@ -10,13 +10,15 @@ You learned how to:
1010
- Design solutions for filtering traffic with network security groups
1111
- Design solutions for network posture measurement
1212
- Design solutions for network monitoring
13-
- Evaluate solutions that use Entra Internet Access and Entra Private Access
13+
- Evaluate solutions that use Microsoft Entra Internet Access and Microsoft Entra Private Access
1414

1515
## Learn more with security documentation
1616

1717
- [Implement network segmentation patterns - Microsoft Azure Well-Architected Framework | Microsoft Learn](/azure/architecture/framework/security/design-network-segmentation)
1818
- [Azure network security groups overview | Microsoft Learn](/azure/virtual-network/network-security-groups-overview)
19-
- [Microsoft Defender for DNS - the benefits and features | Microsoft Learn](/azure/defender-for-cloud/defender-for-dns-introduction)
19+
- [Protect network resources](/azure/defender-for-cloud/protect-network-resources)
20+
- [Networking security recommendations](/azure/defender-for-cloud/recommendations-reference-networking)
21+
- [Review the asset inventory](/azure/defender-for-cloud/asset-inventory)
2022
- [Plan for traffic inspection - Cloud Adoption Framework | Microsoft Learn](/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-traffic-inspection)
2123

2224
## Learn more with reference architectures
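Review bot: the three new links omit the " | Microsoft Learn" suffix that the neighbouring entries in this list carry; either add it or drop it from every entry so the list is consistent. Also, the unchanged objective above, "Design solutions for network posture measurement", does not match the unit title "Design solutions for network posture management" used elsewhere in this PR; worth aligning while the file is open.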

learn-pr/wwl-sci/design-solutions-network-security/index.yml

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ uid: learn.wwl.design-solutions-network-security
33
metadata:
44
title: Design solutions for network security
55
description: "You learn how to design secure network solutions using techniques like network segmentation, traffic filtering, network monitoring and posture management."
6-
ms.date: 09/09/2024
6+
ms.date: 03/06/2025
77
author: ceperezb
88
ms.author: ceperezb
99
ms.topic: module
Four binary files changed (141 KB, 175 KB, 77.1 KB and 313 KB).