Commit f67b418

committed
update
1 parent 0d2364e commit f67b418

13 files changed

Lines changed: 111 additions & 162 deletions

learn-pr/wwl-sci/design-solutions-network-security/1a-evaluate-network-designs-best-practices.yml

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -9,6 +9,6 @@ metadata:
99
ms.author: ceperezb
1010
ms.topic: unit
1111
ai-usage: ai-generated
12-
durationInMinutes: 12
12+
durationInMinutes: 8
1313
content: |
1414
[!include[](includes/1a-evaluate-network-designs-best-practices.md)]

learn-pr/wwl-sci/design-solutions-network-security/3-design-solutions-traffic-filtering-network-security-groups.yml

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@ metadata:
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 11
11+
durationInMinutes: 10
1212
content: |
1313
[!include[](includes/3-design-solutions-traffic-filtering-network-security-groups.md)]

learn-pr/wwl-sci/design-solutions-network-security/9-summary.yml

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@ metadata:
88
author: ceperezb
99
ms.author: ceperezb
1010
ms.topic: unit
11-
durationInMinutes: 3
11+
durationInMinutes: 4
1212
content: |
1313
[!include[](includes/9-summary.md)]

learn-pr/wwl-sci/design-solutions-network-security/includes/1-introduction.md

Lines changed: 7 additions & 5 deletions
@@ -1,18 +1,20 @@
1-
This module provides an overview of some of the technical considerations and available capabilities to design solutions for network security as a Microsoft cybersecurity architect.
1+
As organizations adopt hybrid and multicloud architectures, the network perimeter extends well beyond a single data center or virtual network. A security architect must evaluate network designs against Zero Trust principles, segment workloads to limit lateral movement, filter traffic at multiple layers, monitor for threats in real time, and secure access for both internet-bound and private traffic.
22

3-
Imagine you're a cybersecurity architect for a multinational corporation. Your company decided to migrate its infrastructure to Azure. You're tasked with ensuring the security and efficiency of the network architecture. Securing network infrastructure involves understanding and implementing Azure's segmentation features, setting up network security groups, utilizing the network map functionality in Microsoft Defender for Cloud, analyzing network traffic, and managing internet and private access. The challenge lies in choosing the right tools and strategies to ensure optimal network performance and security.
3+
Imagine you're a cybersecurity architect at a large enterprise that operates across Azure, on-premises data centers, and multiple SaaS services. Leadership asks you to review the current network security posture and recommend improvements. You need to evaluate whether the existing segmentation strategy limits blast radius, determine whether traffic filtering rules follow least-privilege principles, assess monitoring coverage for blind spots, and decide how Microsoft Entra Internet Access and Private Access can replace legacy VPN and proxy infrastructure. Each decision affects the organization's ability to detect and contain threats before they spread.
44

55
## Learning objectives
66

77
In this module, you learn how to:
88

9+
- Evaluate network designs to align with security requirements and best practices
910
- Design solutions for network segmentation
1011
- Design solutions for filtering traffic with network security groups
11-
- Design solutions for network posture measurement
12+
- Design solutions for network posture management
1213
- Design solutions for network monitoring
13-
- Design solutions that use Microsoft Entra Internet Access and Private Access
14+
- Evaluate solutions that use Microsoft Entra Internet Access
15+
- Evaluate solutions that use Microsoft Entra Private Access
1416

15-
The content in the module helps you prepare for the certification exam SC-100: Microsoft Cybersecurity Architect.
17+
The content in this module helps you prepare for the certification exam SC-100: Microsoft Cybersecurity Architect.
1618

1719
## Prerequisites
1820
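Review bot: The new scenario sentence "decide how Microsoft Entra Internet Access and Private Access can replace legacy VPN and proxy infrastructure" presupposes the outcome, while the matching objectives in the same hunk were deliberately reworded from "Design solutions that use ..." to "Evaluate solutions that use Microsoft Entra Internet Access" / "Evaluate solutions that use Microsoft Entra Private Access". Suggest "decide whether ... can replace" so the scenario matches the evaluative framing of the objectives. The "posture measurement" to "posture management" fix is consistent with the unit file 4-design-solutions-network-posture-management.md touched in this commit.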

learn-pr/wwl-sci/design-solutions-network-security/includes/1a-evaluate-network-designs-best-practices.md

Lines changed: 27 additions & 85 deletions
@@ -33,105 +33,47 @@ Each MCSB v2 control also maps to industry frameworks such as CIS Controls v8.1,
3333

3434
## Evaluate segmentation and traffic control
3535

36-
Effective network segmentation is a core security requirement and aligns to MCSB v2 control NS-1. When evaluating a network design, determine whether it isolates workloads appropriately and controls traffic flow between segments.
36+
Effective network segmentation aligns to MCSB v2 control NS-1. When evaluating a network design, determine whether it isolates workloads appropriately and controls traffic flow between segments. Key evaluation questions include:
3737

38-
### Network segmentation layers
38+
- Does the design use **subscriptions, VNets, and subnets** to create layered isolation boundaries between environments and workloads?
39+
- Are **network security groups (NSGs)** applied to subnets with least-privilege rules, and are **application security groups (ASGs)** used to simplify rule management?
40+
- Does the network use a **hub-and-spoke topology** (or Azure Virtual WAN) with centralized security services in the hub and deny-by-default routing between spokes?
41+
- Are **Security Admin Rules** in Azure Virtual Network Manager enforcing organizational guardrails that workload teams can't override?
3942

40-
Azure provides multiple segmentation options that create layers of isolation. Evaluate whether the design uses them effectively:
41-
42-
- **Subscriptions** separate organizational units and provide platform-level isolation between environments such as production, development, and testing.
43-
- **Virtual networks (VNets)** provide network-level containment, with no traffic allowed between VNets by default — communication must be explicitly provisioned.
44-
- **Subnets** with **network security groups (NSGs)** create granular perimeters within a VNet. Evaluate whether NSG rules follow the principle of least privilege, with only required traffic allowed between subnets.
45-
- **Application security groups (ASGs)** simplify rule management by grouping VMs by application role, reducing rule complexity and the risk of misconfiguration.
46-
47-
### Hub-and-spoke topology
48-
49-
For most enterprise environments, evaluate whether the design uses a hub-and-spoke model. In this pattern, a central hub VNet hosts shared security services like Azure Firewall, and spoke VNets contain workloads. All traffic between spokes and to the internet routes through the hub. This design provides:
50-
51-
- Centralized security policy enforcement
52-
- Consistent logging and monitoring at the hub
53-
- Reduced security posture management overhead as the network grows
54-
55-
When the hub-and-spoke model is in place, verify that traffic between spokes is denied by default and only permitted paths are configured through the firewall.
43+
The next unit covers how to design these segmentation patterns in detail, including topology selection, Azure Virtual Network Manager, and microsegmentation within workloads.
5644

5745
## Evaluate defense-in-depth controls
5846

59-
A strong network design applies defense-in-depth by layering multiple security controls. MCSB v2 controls NS-3 through NS-6 define the specific controls to evaluate at each layer.
60-
61-
### Azure Firewall
62-
63-
[Azure Firewall](/azure/firewall/overview) is a cloud-native, stateful firewall as a service. It provides centralized network and application rule enforcement across VNets and subscriptions. When evaluating, check whether the design:
64-
65-
- Uses Azure Firewall as the central egress and east-west filtering point in a hub VNet
66-
- Leverages Azure Firewall Premium features such as TLS inspection and intrusion detection and prevention system (IDPS) for environments that require deep packet inspection
67-
- Integrates with Azure Firewall Manager to centrally manage policies across multiple firewalls
68-
69-
### Azure Web Application Firewall
70-
71-
For designs that include web-facing applications, evaluate whether [Azure Web Application Firewall (WAF)](/azure/web-application-firewall/overview) protects against Layer 7 attacks. WAF is available through Azure Application Gateway for regional workloads and through Azure Front Door for global workloads. Verify that the design uses managed rule sets aligned with OWASP top threats, rate limiting, and bot protection.
72-
73-
### Azure DDoS Protection
74-
75-
Evaluate whether the design enables Azure DDoS Protection on perimeter virtual networks that have internet-facing endpoints. Azure DDoS Protection automatically tunes to help protect your specific Azure resources and provides layer 3 and layer 4 mitigation. For web application protection at layer 7, WAF provides complementary defense.
76-
77-
There are two tiers to consider:
78-
79-
- **DDoS IP Protection** — Protects specific public IP addresses; suited for smaller or targeted deployments.
80-
- **DDoS Network Protection** — Covers entire virtual networks with advanced mitigation, analytics, and integration for larger enterprise environments.
47+
A strong network design applies defense-in-depth by layering multiple security controls. MCSB v2 controls NS-2 through NS-6 define the specific controls to evaluate. Assess whether the design includes:
8148

82-
## Evaluate private connectivity and reduced exposure
83-
84-
MCSB v2 controls NS-2 and NS-9 address private connectivity. A key evaluation criterion is whether the design minimizes the attack surface by reducing exposure to the public internet.
85-
86-
### Azure Private Link and private endpoints
87-
88-
Evaluate whether the design uses [Azure Private Link](/azure/private-link/private-link-overview) to access Azure PaaS services like Azure Storage and Azure SQL Database over private endpoints within the virtual network. This approach:
89-
90-
- Removes public internet access to service resources
91-
- Keeps traffic on the Microsoft Azure backbone network
92-
- Protects against data exfiltration by mapping a private endpoint to a specific resource instance rather than the entire service
93-
94-
For a security architect, the presence of private endpoints in a design is a strong indicator of least-exposure principles.
95-
96-
### Azure Bastion for secure remote access
97-
98-
Evaluate how the design handles administrative access to virtual machines. Designs that expose RDP or SSH ports directly to the internet present significant risk. Azure Bastion provides secure RDP/SSH connectivity through the Azure portal over TLS, without requiring public IP addresses on VMs. Check that the design uses Azure Bastion and combines it with just-in-time VM access in Microsoft Defender for Cloud to limit when ports are open.
99-
100-
### Hybrid connectivity
101-
102-
For hybrid environments, evaluate whether the design avoids sending sensitive traffic over the public internet. Azure ExpressRoute provides dedicated, private WAN connectivity between on-premises networks and Azure. Verify that the design uses ExpressRoute for sensitive or high-bandwidth workloads and that it terminates at the appropriate point relative to the perimeter firewall.
49+
- **[Azure Firewall](/azure/firewall/overview)** as the central egress and east-west filtering point, with Premium features (TLS inspection and IDPS) for environments that require deep packet inspection.
50+
- **[Azure Web Application Firewall (WAF)](/azure/web-application-firewall/overview)** on Application Gateway or Azure Front Door for Layer 7 protection against OWASP top threats on web-facing applications.
51+
- **[Azure DDoS Protection](/azure/ddos-protection/ddos-protection-overview)** on perimeter VNets with internet-facing endpoints. Choose DDoS IP Protection for targeted deployments or DDoS Network Protection for enterprise-wide coverage.
52+
- **[Azure Private Link](/azure/private-link/private-link-overview)** to access PaaS services through private endpoints, removing public internet exposure and keeping traffic on the Azure backbone.
53+
- **[Azure Bastion](/azure/bastion/bastion-overview)** for secure RDP/SSH access without exposing management ports, combined with just-in-time (JIT) VM access to limit when ports are open.
54+
- **Azure ExpressRoute** for hybrid connectivity that keeps sensitive traffic off the public internet.
10355

10456
## Evaluate identity-aware network security with Global Secure Access
10557

106-
Microsoft's Security Service Edge (SSE) solution — comprising Microsoft Entra Internet Access and Microsoft Entra Private Access under the unified [Global Secure Access](/entra/global-secure-access/overview-what-is-global-secure-access) platform — extends security controls beyond the traditional network perimeter with identity-centric network security.
107-
108-
Global Secure Access integrates with Microsoft Entra Conditional Access to enforce policies based on user identity, device compliance, location, and risk level at the network layer. This approach aligns with Zero Trust by verifying explicitly at the point of access.
58+
Microsoft's Security Service Edge (SSE) solution — [Global Secure Access](/entra/global-secure-access/overview-what-is-global-secure-access) — extends security controls beyond the traditional network perimeter by tying enforcement directly to identity. It comprises two components: Microsoft Entra Internet Access for outbound internet and Microsoft 365 traffic, and Microsoft Entra Private Access for Zero Trust Network Access to private resources.
10959

11060
When evaluating a design that includes Global Secure Access, assess whether:
11161

112-
- **Traffic forwarding profiles** are configured to route Microsoft 365 traffic, internet traffic, and private application traffic through the appropriate security controls
113-
- **Web content filtering** policies restrict access to risky or inappropriate web categories
114-
- **Conditional Access policies** are linked to security profiles to enforce identity-aware access decisions on network traffic
62+
- **Traffic forwarding profiles** route Microsoft 365 traffic, internet traffic, and private application traffic through the appropriate security controls.
63+
- **Web content filtering** policies restrict access to risky or inappropriate web categories.
64+
- **Conditional Access policies** are linked to security profiles to enforce identity-aware access decisions.
65+
- **The compliant network check** is required for Microsoft Entra-integrated applications to mitigate token theft.
66+
- **Private Access** replaces or complements VPN with identity-verified, per-application connectivity to on-premises resources.
11567

116-
## Evaluate network monitoring and posture management
117-
118-
A network design is incomplete without continuous visibility and monitoring. MCSB v2 controls NS-7 and NS-8 emphasize centralized network security management and detecting insecure protocols. Evaluate whether the design includes:
68+
Later units in this module cover Internet Access and Private Access evaluation in detail.
11969

120-
- **Microsoft Defender for Cloud** networking recommendations and the interactive network map for visualizing topology, identifying unprotected resources, and surfacing risk-based recommendations.
121-
- **Azure Network Watcher** tools such as NSG flow logs, packet capture, and Traffic Analytics for real-time and historical analysis of traffic patterns.
122-
- **Centralized logging** that sends firewall, NSG flow, and DDoS diagnostic logs to Azure Monitor or Microsoft Sentinel.
70+
## Evaluate network monitoring and posture management
12371

124-
Without monitoring, security gaps in the network design go undetected, reducing the effectiveness of the security controls in place.
72+
A network design is incomplete without continuous visibility. MCSB v2 controls NS-7 and NS-8 emphasize centralized network security management and detecting insecure protocols. Evaluate whether the design includes:
12573

126-
## Learn more
74+
- **Microsoft Defender for Cloud** networking recommendations, attack path analysis, and adaptive network hardening for continuous posture assessment.
75+
- **VNet flow logs** and **Traffic Analytics** for traffic pattern analysis across the environment.
76+
- **Azure Firewall structured logs** with IDPS and threat intelligence logging enabled.
77+
- **Centralized SIEM integration** that sends network logs to Microsoft Sentinel for cross-source correlation and incident detection.
12778

128-
- [Zero Trust security overview](/security/zero-trust/zero-trust-overview)
129-
- [Microsoft cloud security benchmark v2 — Network Security controls](/security/benchmark/azure/mcsb-v2-network-security)
130-
- [Azure network security best practices](/azure/security/fundamentals/network-best-practices)
131-
- [Azure Firewall Premium features](/azure/firewall/premium-features)
132-
- [Azure DDoS Protection overview](/azure/ddos-protection/ddos-protection-overview)
133-
- [Azure Web Application Firewall overview](/azure/web-application-firewall/overview)
134-
- [Azure Private Link overview](/azure/private-link/private-link-overview)
135-
- [Azure Bastion overview](/azure/bastion/bastion-overview)
136-
- [Global Secure Access overview](/entra/global-secure-access/overview-what-is-global-secure-access)
137-
- [Secure networks with Zero Trust](/security/zero-trust/deploy/networks)
79+
Later units in this module cover posture management and monitoring design in detail.
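Review bot: The merged defense-in-depth list now says "MCSB v2 controls NS-2 through NS-6 define the specific controls to evaluate", but the ExpressRoute bullet that was folded into it lost its control mapping: the removed "Evaluate private connectivity and reduced exposure" section tied Private Link and hybrid connectivity to "NS-2 and NS-9", and NS-9 no longer appears anywhere in the unit. Suggest "MCSB v2 controls NS-2 through NS-6 and NS-9" or a one-line note that the Private Link and ExpressRoute bullets map to NS-2 and NS-9. Two further points on this hunk: (1) the deleted "Learn more" list held the only links to the MCSB v2 network security controls page and to "Secure networks with Zero Trust", both of which this unit cites by name in the context line above ("Each MCSB v2 control also maps to industry frameworks ..."); unless those links are being consolidated into the summary unit (not visible in this diff), link them inline at the first MCSB v2 reference. (2) The new monitoring bullet adds "adaptive network hardening" to the Defender for Cloud capabilities, which the previous text did not mention; verify it is still a current capability before publishing, since it was announced for deprecation in the Defender for Cloud upcoming-changes notes, and this same hunk already replaces the retiring NSG flow logs with VNet flow logs for that reason. Minor: "Azure Virtual WAN" and "Security Admin Rules in Azure Virtual Network Manager" in the new segmentation bullets are unlinked while every bullet in the defense-in-depth list links its product page.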

learn-pr/wwl-sci/design-solutions-network-security/includes/2-design-solutions-network-segmentation.md

Lines changed: 0 additions & 9 deletions
@@ -99,12 +99,3 @@ Beyond VNet and subnet boundaries, design microsegmentation within individual wo
9999
- **NSG rules between application tiers** — For a three-tier application, allow only the web tier to communicate with the application tier, and only the application tier to communicate with the database tier. Deny all other inter-tier traffic.
100100
- **Private endpoints** — Use [Azure Private Link](/azure/private-link/private-link-overview) to access PaaS services through private endpoints within the VNet, eliminating public internet exposure and mapping each endpoint to a specific resource instance to prevent data exfiltration to other accounts.
101101
- **Azure Bastion** — Replace direct RDP/SSH access with [Azure Bastion](/azure/bastion/bastion-overview), which provides secure remote access over TLS through the Azure portal without exposing management ports.
102-
103-
## Learn more
104-
105-
- [Azure Well-Architected Framework — Segmentation strategy](/azure/well-architected/security/segmentation)
106-
- [Azure Virtual Network Manager overview](/azure/virtual-network-manager/overview)
107-
- [Security admin rules in Azure Virtual Network Manager](/azure/virtual-network-manager/concept-security-admins)
108-
- [Azure Network Security Perimeter](/azure/private-link/network-security-perimeter-concepts)
109-
- [Azure Firewall overview](/azure/firewall/overview)
110-
- [Azure Virtual WAN overview](/azure/virtual-wan/virtual-wan-about)

learn-pr/wwl-sci/design-solutions-network-security/includes/3-design-solutions-traffic-filtering-network-security-groups.md

Lines changed: 0 additions & 11 deletions
@@ -90,14 +90,3 @@ Designing NSG rules is only effective when you can verify and monitor how they f
9090
- **Traffic Analytics** — Processes flow log data to provide insights into traffic patterns, top talkers, security threats, and bandwidth consumption across your network.
9191
- **IP flow verify** — An Azure Network Watcher capability that tests whether a specific packet is allowed or denied to or from a VM, identifying which NSG rule is responsible. Use this tool to troubleshoot connectivity issues.
9292
- **Effective security rules** — Shows the aggregate of all NSG rules applied to a network interface, including default rules and rules from both subnet and NIC-level NSGs. Review effective rules to verify that your intended filtering is in place.
93-
94-
Designing solutions for network monitoring is covered in a subsequent unit.
95-
96-
## Learn more
97-
98-
- [Network security groups overview](/azure/virtual-network/network-security-groups-overview)
99-
- [How network security groups filter network traffic](/azure/virtual-network/network-security-group-how-it-works)
100-
- [Application security groups](/azure/virtual-network/application-security-groups)
101-
- [Azure service tags overview](/azure/virtual-network/service-tags-overview)
102-
- [Virtual network flow logs](/azure/network-watcher/vnet-flow-logs-overview)
103-
- [Security admin rules in Azure Virtual Network Manager](/azure/virtual-network-manager/concept-security-admins)

learn-pr/wwl-sci/design-solutions-network-security/includes/4-design-solutions-network-posture-management.md

Lines changed: 0 additions & 8 deletions
@@ -74,11 +74,3 @@ Designing a posture management solution also requires governance mechanisms that
7474

7575
**Azure Policy** provides the enforcement layer. Use built-in or custom policy definitions to deny the creation of resources that violate your network standards, such as subnets without NSGs, VNets without DDoS protection, or VMs with public IP addresses in production subscriptions. Combine policy with Defender for Cloud recommendations to create a closed loop of detection and prevention.
7676

77-
## Learn more
78-
79-
- [What is Microsoft Defender for Cloud?](/azure/defender-for-cloud/defender-for-cloud-introduction)
80-
- [Cloud security posture management (CSPM)](/azure/defender-for-cloud/concept-cloud-security-posture-management)
81-
- [Networking security recommendations reference](/azure/defender-for-cloud/recommendations-reference-networking)
82-
- [Identify and remediate attack paths](/azure/defender-for-cloud/how-to-manage-attack-path)
83-
- [Governance rules in Defender for Cloud](/azure/defender-for-cloud/governance-rules)
84-
- [Azure Policy built-in definitions for Azure networking](/azure/virtual-network/policy-reference)
