AZ-500 Microsoft Azure Security Technologies Exam
Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!
Practice Test
Expert
Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies
Design and Deploy Hierarchical Firewall Policies
Azure Firewall Manager is a central service for policy-based management of multiple Azure Firewall instances. It lets you create firewall policies and associate them with secured virtual hubs or hub virtual networks. By using a hierarchical model, you define a parent (base) policy at the top level and one or more child policies that inherit the parent's rule collection groups and settings and add their own. This structure gives consistent governance while allowing targeted customization for different teams or environments.
Firewall policies are organized into rule collection groups, each with a numeric priority between 100 and 65,000 (lower numbers are processed first). Within a group you define rule collections, each of type DNAT, network, or application, each with its own priority and a single action (Allow or Deny for filter collections, DNAT for NAT collections). For example:
- DNAT rules for inbound port forwarding to an internal address
- Network rules for L3/L4 filtering by protocol, address, and port
- Application rules for FQDN or URL filtering (URL filtering and TLS inspection require the Premium SKU)
Rule type outranks numeric priority: DNAT rules are evaluated before network rules, and network rules before application rules, whatever priority their group or collection carries. Priorities only order groups and collections within each type, and the first matching rule terminates evaluation, so an Allow collection at priority 100 and a Deny collection at priority 110 that both match a flow result in Allow.
In a hierarchical setup, the parent policy's rule collection groups are evaluated before the child's within each rule type, regardless of the numeric priorities the child chooses. This keeps the security baseline enforced by the parent intact: child policies can add rule collection groups of their own but cannot edit, reorder, or remove the parent's, so a child allow rule can never override a parent deny, because the parent rule has already matched. NAT rule collections are the exception and are not inherited, since they are bound to one firewall's public IP. Threat intelligence settings are inherited as well, and a child can only make the mode stricter, not more permissive. The result is a security boundary that holds across subscriptions and regions.
Integrating Microsoft Threat Intelligence feeds into your firewall policies enhances protection by alerting on, or denying, traffic to and from IP addresses and domains Microsoft has flagged as malicious. Threat intelligence mode can be Off, Alert only, or Alert and deny, and it is evaluated before any rule collection, so a threat-intel deny cannot be undone by an allow rule. An allowlist of IP addresses and FQDNs exempts trusted hosts; keep it short and reviewed, because each entry punches a hole in the feed. Using Azure Policy, you can audit or block deployments of firewall policies that leave threat intelligence off, use the wrong SKU, or miss required tags, giving continuous compliance across your environment.
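The following Bicep template is an added example (not code from this course page) that ties together the hierarchy, rule collection types, inheritance, and threat intelligence settings described above. Every name, priority, address range, FQDN, and the public IP are assumptions chosen for illustration; the parent deny rule for Telnet/FTP lands before anything the child adds, and the child's DNAT and application rules are kept in the child because NAT collections are not inherited.

```bicep
// Added example, not code from the course page: a two-level Azure Firewall Policy
// hierarchy in Bicep. All names, priorities, address ranges and FQDNs are assumptions.
param location string = resourceGroup().location
param spokeCidr string = '10.10.0.0/16'          // assumed workload spoke range
param firewallPublicIp string = '198.51.100.10'  // assumed public IP of the child's firewall

// Parent (base) policy: the org-wide baseline owned by the security team.
resource parentPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-org-base'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'   // Alert and deny on Microsoft threat-intel matches
    threatIntelWhitelist: { ipAddresses: [], fqdns: [] }  // allowlist stays empty by default
  }
}

// Parent rule collection group. Priority 100..65000, lower number evaluated first;
// parent groups are evaluated before any child group whatever number the child picks.
resource parentRcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: parentPolicy
  name: 'rcg-org-baseline'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-cleartext-admin'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'NetworkRule'   // L3/L4 filter: block Telnet and FTP from anywhere
            name: 'deny-telnet-ftp'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ '*' ]
            destinationPorts: [ '21', '23' ]
          }
        ]
      }
    ]
  }
}

// Child policy: basePolicy links it to the parent, whose rule collection groups and
// threat-intel settings it inherits. NAT rule collections are not inherited.
resource childPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-team-web'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    basePolicy: { id: parentPolicy.id }
  }
}

resource childRcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: childPolicy
  name: 'rcg-team-web'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-jumpbox'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'   // inbound port forward to an assumed jump box
            name: 'ssh-from-admin-range'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '203.0.113.0/24' ]   // assumed admin source range
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '2222' ]
            translatedAddress: '10.10.1.4'
            translatedPort: '22'
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-package-mirrors'
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'   // FQDN filter: only these hosts over HTTPS
            name: 'allow-ubuntu-mirrors'
            sourceAddresses: [ spokeCidr ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'archive.ubuntu.com', 'security.ubuntu.com' ]
          }
        ]
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`, then associate `fwpol-team-web` with the team's firewall. A Telnet attempt from the spoke is denied by the parent's network rule even though the child's group carries a higher number, and the child's HTTPS application rule is only reached after every network rule in both policies has been checked.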
For centralized enforcement and auditing, enable diagnostic settings on each Azure Firewall instance (logs are emitted by the firewall resource, not by the policy) and send them, together with Azure Monitor metrics, to a Log Analytics workspace or to a SIEM through Event Hubs. The structured logs record network, application, and NAT rule matches and threat intelligence hits in resource-specific tables (AZFWNetworkRule, AZFWApplicationRule, AZFWNatRule, AZFWThreatIntel), which you can query with KQL. This end-to-end visibility supports proactive monitoring, policy tuning, and forensic investigations across your entire Azure Firewall fleet.
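As an added example (not from the course page), this Bicep fragment attaches a diagnostic setting to an existing firewall. The firewall name and workspace resource ID are parameters you supply; the point to notice is `logAnalyticsDestinationType: 'Dedicated'`, which is what routes the structured logs into the resource-specific tables instead of the legacy AzureDiagnostics table.

```bicep
// Added example, not code from the course page. Sends Azure Firewall logs and metrics
// to Log Analytics using resource-specific (structured) tables.
param firewallName string      // name of an already deployed Azure Firewall
param workspaceId string       // resource ID of the target Log Analytics workspace

// Reference the existing firewall; diagnostic settings are scoped to the firewall,
// not to the firewall policy resource.
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' existing = {
  name: firewallName
}

resource fwDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-fw-to-law'
  scope: fw
  properties: {
    workspaceId: workspaceId
    // 'Dedicated' writes to AZFWNetworkRule, AZFWApplicationRule, AZFWNatRule,
    // AZFWThreatIntel and friends; omit it and everything lands in AzureDiagnostics.
    logAnalyticsDestinationType: 'Dedicated'
    logs: [
      { categoryGroup: 'allLogs', enabled: true }   // every firewall log category
    ]
    metrics: [
      { category: 'AllMetrics', enabled: true }
    ]
  }
}
```

Once data flows, a query against `AZFWThreatIntel` shows the feed hits your Alert and deny mode is acting on, and `AZFWNetworkRule` filtered to the parent's deny collection confirms the baseline is being enforced on each firewall in the fleet.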
Conclusion
Planning and managing Azure Firewall with Azure Firewall Manager and hierarchical firewall policies helps enforce a strong, consistent security posture. By defining parent and child policies, organizing rules into prioritized collections, integrating threat intelligence, and enabling diagnostic logging, you achieve centralized enforcement and auditing. These practices ensure that your Azure Firewall instances remain compliant, resilient, and tailored to your organization’s needs.