πŸ” Azure Security Deep-Dive: From Quiz Questions to Real-World Cloud Implementations (with Code)

This content originally appeared on DEV Community and was authored by Achref Rhouma

TL;DR:

This article takes four common Azure security quiz questions and turns them into actionable, production-ready infrastructure setups using Azure CLI, Bicep, and Terraform.

We go from “multiple-choice answer” → real deployment → validation & best practices.

💡 Why This Article?

Quizzes are fun. Passing certifications is satisfying.

But production workloads? That’s where the stakes are real — and that’s why I took four real Azure security quiz topics and built out full, working implementations you can deploy today.

Here’s what we’ll cover:

  1. Network Security Groups (NSGs) — Correctly allowing Internet inbound traffic.
  2. Identity Protection — Detecting “impossible travel” and reacting.
  3. Key Vault RBAC — Granting a group create/delete permissions via Azure AD authentication.
  4. Defense in Depth — Correctly mapping Azure services to security layers.

1️⃣ Network Security Groups — Allowing Internet Inbound (The Right Way)

Quiz Recap

To allow traffic from the Internet, which rule should be added?

✅ Internet Inbound Allow

The Why:

A Network Security Group (NSG) acts like a firewall at the network interface or subnet level. By default, NSGs block inbound traffic from the Internet. If you want to allow it, you must create an Inbound Allow rule.

But here’s the catch:

  • The quiz makes it sound like “Allow All” — in production, that’s dangerous.
  • You must restrict by protocol, port, and source IP where possible.
  • Even better: put a WAF or reverse proxy in front of direct inbound access.

🖥 Azure CLI Example

RG=rg-secure-demo
LOC=westeurope
VNET=vnet-secure
SUBNET=app-subnet
NSG=nsg-app
RULE=Allow-HTTPS-Internet
PRIORITY=100

# Create RG and VNet
az group create -n $RG -l $LOC
az network vnet create -g $RG -n $VNET -l $LOC \
  --address-prefixes 10.10.0.0/16 \
  --subnet-name $SUBNET --subnet-prefix 10.10.1.0/24

# Create NSG
az network nsg create -g $RG -n $NSG

# Add inbound rule for HTTPS from Internet
az network nsg rule create \
  -g $RG --nsg-name $NSG -n $RULE \
  --priority $PRIORITY \
  --direction Inbound --access Allow --protocol Tcp \
  --source-address-prefixes Internet \
  --destination-port-ranges 443

# Attach NSG to subnet
az network vnet subnet update \
  -g $RG --vnet-name $VNET -n $SUBNET \
  --network-security-group $NSG

💡 Tip: Never open RDP (3389) or SSH (22) to the Internet. If unavoidable, enable Just-in-Time VM Access with Azure Bastion.

🧱 Bicep Version

param location string = 'westeurope'

resource nsg 'Microsoft.Network/networkSecurityGroups@2024-03-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-HTTPS-Internet'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
    ]
  }
}
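
The caveats above (restrict by protocol, port and source; never expose 22 or 3389) are easy to state and easy to drift away from. The following is an added example, not code from the article: a small Python check that reads NSG rules in the shape `az network nsg rule list -o json` returns (only the fields used here) and flags inbound Allow rules that are reachable from the Internet and either open every port, cover a management port, or leave the protocol as `*`. The sample rules, the `INTERNET_SOURCES` set and the severities are assumptions constructed for the example; the HTTPS rule from the CLI and Bicep versions above is included and produces no finding.

```python
"""Flag overly permissive inbound NSG rules in exported rule JSON.

Added example (not from the article): the rules below are constructed to
look like the output of `az network nsg rule list -o json`, reduced to the
fields this check needs. Nothing here talks to Azure.
"""
import json

# Source prefixes that mean "anyone on the Internet".
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}
# Management ports that should never be reachable directly from the Internet.
MANAGEMENT_PORTS = {"22": "SSH", "3389": "RDP"}

# Constructed sample export; 203.0.113.0/24 is a documentation range.
SAMPLE_RULES_JSON = """[
  {"name": "Allow-HTTPS-Internet", "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
  {"name": "Allow-RDP-Any", "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
  {"name": "Allow-Mgmt-Range", "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefixes": ["0.0.0.0/0"],
   "destinationPortRanges": ["20-25", "8080"]},
  {"name": "Allow-SSH-Corp", "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
  {"name": "Deny-All-Inbound", "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]"""


def load_sample_rules():
    """Parse the constructed export into a list of rule dicts."""
    return json.loads(SAMPLE_RULES_JSON)


def rule_sources(rule):
    """Merge sourceAddressPrefix and sourceAddressPrefixes into one set."""
    prefixes = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.add(rule["sourceAddressPrefix"])
    return prefixes


def rule_ports(rule):
    """Merge destinationPortRange and destinationPortRanges into one list."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return ranges


def port_range_covers(port_range, port):
    """True if an NSG port range ('*', '443' or '1000-2000') includes port."""
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = port_range.split("-", 1)
        return int(low) <= int(port) <= int(high)
    return port_range == str(port)


def audit_nsg_rules(rules):
    """Return (rule name, severity, reason) for Internet-exposed Allow rules.

    A rule that allows one TCP/UDP service port from the Internet, like the
    HTTPS rule in this article, produces no finding.
    """
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not rule_sources(rule) & INTERNET_SOURCES:
            continue  # source is already restricted, so not Internet-exposed
        name = rule["name"]
        ports = rule_ports(rule)
        if "*" in ports:
            findings.append((name, "HIGH", "all destination ports open to the Internet"))
            continue
        for port, service in MANAGEMENT_PORTS.items():
            if any(port_range_covers(r, port) for r in ports):
                findings.append((name, "HIGH", f"{service} ({port}) open to the Internet"))
        if rule.get("protocol") == "*":
            findings.append((name, "MEDIUM", "protocol not restricted (use Tcp or Udp)"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_nsg_rules(load_sample_rules()):
        print(f"[{severity}] {name}: {reason}")
```

Run against a real export by replacing `load_sample_rules()` with `json.load(open("rules.json"))`. Note that a rule with a restricted source (the corporate SSH rule) is skipped entirely, and a Deny rule is never a finding; the check is about exposure, not about every Allow.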

2️⃣ Identity Protection — Impossible Travel

Quiz Recap

Which classification is used to detect risky sign-ins?

✅ Abnormal / Impossible Travel

The Why:

Impossible travel is detected when a user signs in from two locations so far apart that traveling between them in the elapsed time would be physically impossible.

How Azure Detects It:

  • Location based on IP geolocation.
  • Sign-in logs processed by Microsoft’s risk detection engine.
  • Can trigger a Sign-In Risk classification.

πŸ” KQL Example to Spot Impossible Travel

// Successful sign-ins only; compare each sign-in with the same user's previous one
SigninLogs
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, Location = tostring(LocationDetails.countryOrRegion)
// Explicit ascending order (order by defaults to desc), so prev() is the earlier sign-in
| order by UserPrincipalName asc, TimeGenerated asc
| extend PrevLocation = prev(Location), PrevTime = prev(TimeGenerated), PrevUser = prev(UserPrincipalName)
| where UserPrincipalName == PrevUser and Location != PrevLocation
// datetime_diff(period, later, earlier): country changed within an hour of the previous sign-in
| where datetime_diff('minute', TimeGenerated, PrevTime) < 60
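
The KQL query only asks whether the country changed within an hour. The rule stated in "The Why" is stronger: the two locations must be too far apart for the elapsed time. The following added example (not from the article, and not Microsoft’s detection logic) generalizes the query to that rule: it takes sign-in records shaped like SigninLogs rows, extended with the latitude/longitude that IP geolocation provides, and flags consecutive sign-ins per user whose implied speed exceeds a threshold. The sample records, the coordinates and both thresholds (`MAX_SPEED_KMH`, `MIN_DISTANCE_KM`) are assumed values constructed for the example.

```python
"""Impossible-travel detection over sign-in records.

Added example (not from the article): a constructed batch of sign-ins shaped
like SigninLogs rows, extended with the latitude/longitude that IP
geolocation provides. Computes the great-circle distance between consecutive
sign-ins of a user and flags pairs whose implied speed exceeds MAX_SPEED_KMH.
The coordinates and both thresholds are assumed values.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0    # assumed airliner ceiling; faster than this is "impossible"
MIN_DISTANCE_KM = 200.0  # assumed floor to ignore geolocation jitter within a metro area
EARTH_RADIUS_KM = 6371.0

# Constructed sample: (TimeGenerated UTC, UserPrincipalName, countryOrRegion, lat, lon)
SAMPLE_SIGNINS = [
    ("2024-05-01T08:00:00Z", "alice@example.com", "DE", 52.52, 13.40),   # Berlin
    ("2024-05-01T08:35:00Z", "alice@example.com", "US", 40.71, -74.01),  # New York, 35 min later
    ("2024-05-01T09:00:00Z", "bob@example.com", "NL", 52.37, 4.90),      # Amsterdam
    ("2024-05-01T12:00:00Z", "bob@example.com", "DE", 50.11, 8.68),      # Frankfurt, 3 h later
    ("2024-05-01T07:00:00Z", "carol@example.com", "FR", 48.86, 2.35),    # Paris
    ("2024-05-01T07:20:00Z", "carol@example.com", "FR", 48.69, 2.38),    # Orly, same metro area
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(signins, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert dict per consecutive sign-in pair that implies impossible speed."""
    by_user = defaultdict(list)
    for ts, upn, country, lat, lon in signins:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_user[upn].append((when, country, lat, lon))

    alerts = []
    for upn, events in by_user.items():
        events.sort()  # oldest first, so prev is always the earlier sign-in
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if km < MIN_DISTANCE_KM:
                continue  # too close to tell apart from geolocation noise
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same timestamp: unreachable
            if speed > max_speed_kmh:
                alerts.append({
                    "user": upn,
                    "from": prev[1],
                    "to": cur[1],
                    "km": round(km),
                    "minutes": round(hours * 60),
                    "kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_SIGNINS):
        print(f"{alert['user']}: {alert['from']} -> {alert['to']} "
              f"{alert['km']} km in {alert['minutes']} min (~{alert['kmh']} km/h)")
```

Only Alice is flagged: Berlin to New York in 35 minutes. Bob’s Amsterdam-to-Frankfurt change of country in three hours is ordinary travel and would be a false positive for the country-only query, and Carol’s two Paris-area sign-ins fall under the distance floor. The same two knobs (speed ceiling, distance floor) are what you tune when the signal is too noisy for an automated Conditional Access response.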

Real-World Action Plan:

  1. Enable Azure AD Identity Protection.
  2. Create a Conditional Access policy:
    • Target sign-in risk: Medium and above.
    • Grant MFA or block access.
  3. Start in report-only mode → then enforce.

3️⃣ Key Vault Data-Plane Access via RBAC

Quiz Recap

A group must create & delete keys in Key Vault using Azure AD auth. Which tool grants access?

✅ RBAC (Role-Based Access Control)

🖥 Azure CLI Example

RG=rg-secure-demo
LOC=westeurope
KV=kv-secure-$RANDOM
GROUP_NAME="kv-crypto-admins"

# Create Key Vault with RBAC (not legacy access policies) as the data-plane permission model
az keyvault create -n $KV -g $RG -l $LOC --enable-rbac-authorization true

# Create AAD group
GROUP_ID=$(az ad group create --display-name "$GROUP_NAME" --mail-nickname "$GROUP_NAME" --query id -o tsv)

# Assign Key Vault Administrator role to group
ROLE="Key Vault Administrator"
SCOPE=$(az keyvault show -n $KV -g $RG --query id -o tsv)
az role assignment create \
  --assignee-object-id $GROUP_ID \
  --assignee-principal-type Group \
  --role "$ROLE" \
  --scope "$SCOPE"

💡 Tip:

  • Prefer RBAC over legacy Access Policies.
  • For least privilege, create a custom role if “Key Vault Administrator” is too broad.

4️⃣ Defense in Depth — Layer Mapping

Quiz Recap

Which statement is correct?

✅ Application layer controls access to business & customer data.

Layer Mapping Table

Layer       | Primary Controls                      | Azure Services
------------|---------------------------------------|-------------------------------------
Perimeter   | DDoS/WAF, TLS termination             | Azure DDoS, Front Door, App Gateway
Network     | Segmentation, ACLs                    | VNet, NSG, ASG, Private Link
Compute     | Hardening, patching, EDR              | Azure VM, Defender for Cloud
Identity    | AuthN/Z, least privilege              | Entra ID, Conditional Access
Application | Input validation, secrets/data access | Key Vault, Managed Identity
Data        | Encryption, backup                    | Key Vault, SSE, Azure Backup
Monitoring  | Detect/respond                        | Log Analytics, Sentinel

🧹 Clean-Up Command

az group delete -n rg-secure-demo --yes --no-wait

📌 Key Takeaways

  • NSG inbound rules must be precise — avoid * when possible.
  • Impossible travel is a high-confidence risk signal worth automating responses for.
  • Key Vault RBAC is the modern, centralized way to manage secrets and keys access.
  • Defense in Depth is layered; each layer complements the others.

🚀 Your Turn

Challenge:

Try expanding one of these configurations with:

  • Private endpoints for Key Vault.
  • Custom Conditional Access policies for specific apps.
  • NSG flow logs to Azure Monitor for traffic analysis.

💬 Discussion Prompt:

What’s your favorite Azure security best practice that isn’t covered in most quizzes?

Post it in the comments — I’ll try to build it in code for a follow-up article.
