Become an Azure Network Security Ninja

Last update - April 8, 2026

Welcome to the Azure Network Security Ninja Training. This training is designed to help you build from foundational concepts to advanced deployment and operational guidance across Azure Network Security, with a focus on Azure DDoS Protection, Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall and Azure Bastion. Whether you are just getting started or looking to deepen your expertise, this guide brings together core learning resources, product documentation, architecture guidance, and hands-on content in one place.

Check back here routinely, as we will continue to update this post as new capabilities and learning resources become available.

Anything in here that could be improved or may be missing? Let us know in the comments section. We are looking forward to hearing from you.

Azure Network Security Ninja Certificate

To obtain the Azure Network Security Ninja certificate:

1. Complete the Azure Network Security knowledge check.
2. If you score 80% or more, request your certificate from here.
3. If you score below 80%, review the training materials and try again.

Module 0 - How to use this training

• Who Is This Training For? - This Ninja training is designed for anyone who needs to design, deploy, secure, and operate Azure Network security controls in real environments. It is especially useful for cloud/network/security practitioners who want a structured path from fundamentals through to advanced scenarios. Whether you are new to Azure Network Security or looking to deepen your expertise, this training provides both foundational knowledge and real-world context.
• Recommended Prerequisites - To get the most from this training, you should have a basic understanding of Azure fundamentals, including virtual networks, compute, and identity. Familiarity with general networking concepts such as IP addressing, routing, and ports will also be helpful, along with an awareness of common security principles such as the OWASP Top 10 and Zero Trust. While hands-on experience with Azure is beneficial, it is not required, as the training is designed to guide you through key concepts step by step.
• Suggested Learning Path - This guide follows a practical, layered approach so you can either complete the training end‑to‑end (recommended for beginners) or jump to specific modules based on your role and goals; however, we strongly recommend following the modules in the order they appear, as each module builds on concepts introduced earlier. 
  • Module 1: Azure Network Security Fundamentals - Introduces core Azure Network Security concepts, key scenarios, and foundational features that underpin all subsequent modules.
  • Module 2: Azure DDoS Protection - Covers how Azure DDoS Protection defends applications against DDoS attacks.
  • Module 3: Azure Firewall and Azure Firewall Manager - Explores centralized network security using Azure Firewall and Azure Firewall Manager.
  • Module 4: Azure Web Application Firewall (WAF) - Focuses on protecting web applications from common threats using Azure Web Application Firewall.
  • Module 5: Azure Bastion - Describes how Azure Bastion enables secure, private administrative access to virtual machines.
  • Module 6: Deployment and Architecture – Describes reference architectures and deployment patterns for real-world Azure environments.
  • Module 7: Operations and Monitoring - Focuses on operations, best practices and include logging, metrics, alerting, and troubleshooting across Azure Network Security services.
  • Module 8: Security Integrations - Explores how Azure Network Security services integrate with other security platforms and services for end‑to‑end visibility and protection.
  • Module 9: Hands‑On Labs - Provides practical labs and guided exercises to validate concepts through real deployments and scenarios.
  • Module 10: Other Resources - Offers additional documentation, community links, and supporting resources for continued learning.

Module 1 - Azure Network Security Fundamentals

• Network Security in Azure:
  • Introduction to Azure security
  • What is Azure Network Security?
  • Azure Network Security Overview
  • Best practices for network security
• Web application protection in Azure:

  • Web architecture design - Azure Architecture Center

  • Secure your Azure App Service deployment - Azure App Service

  • Best practices for secure PaaS deployments
  • N-tier architecture style

Module 2 - Azure DDoS Protection

Azure DDoS Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes.

• Azure DDoS Protection Overview
• Azure DDoS Protection Tier Comparison
• ▶️Video - Getting started with Azure DDoS Protection
• Key Features and Scenarios
  • Azure DDoS Protection features
  • 📝Blog - Azure DDoS Support for QUIC Protocol

Module 3 - Azure Firewall and Azure Firewall Manager

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeter.

• Azure Firewall Overview
• Azure Firewall Manager Overview
• Introduction to Azure Firewall
• Introduction to Azure Firewall Manager
• ▶️Video - Manage application and network connectivity with Azure Firewall
• ▶️Video - Getting started with Azure Firewall Manager
• Azure Firewall features by SKU
• Changing Azure Firewall SKUs
• ▶️Video - Azure Firewall SKUs - Basic vs Standard vs Premium
• ▶️Video - Single Click Migration for Azure Firewall
• Key Features and Scenarios:
  • Azure Firewall TLS Inspection
  • Azure Firewall Premium certificates
  • 📝Blog - Certificate Management Overview for Azure Firewall Premium TLS Inspection
  • ▶️Video - Content Inspection Using TLS Termination with Azure Firewall Premium
  • Azure Firewall DNS settings
  • 📝Blog - Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy
  • URL Filtering and Web Categories
  • Use Azure Firewall to protect Microsoft 365
  • 📝Blog - Protect Office365 and Windows365 with Azure Firewall
  • Azure Firewall Packet Capture
  • 📝Blog - Using Packet Capture for troubleshooting Azure Firewall flows
  • Azure Firewall IDPS signature rule categories
  • 📝Blog - Intrusion Detection and Prevention System (IDPS) Based on Signatures

Module 4 - Azure Web Application Firewall

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. You can deploy WAF on Azure Application Gateway, Azure Front Door, and Application Gateway for Containers.

• Azure WAF Overview
• Introduction to Web Application Firewall
• ▶️Video - Introduction to Web Application Firewall (WAF)
• Azure Web Application Firewall on Azure Application Gateway
• Azure Web Application Firewall on Application Gateway for Containers
• Azure Web Application Firewall on Azure Front Door
• Key Features and Scenarios:
  • Azure Web Application Firewall in Application Gateway - DRS and CRS rule groups and rules
  • Azure Web Application Firewall in Azure Front Door - DRS rule groups and rules
  • How to mask sensitive data on Azure Web Application Firewall on Application Gateway
  • How to mask sensitive data on Azure Web Application Firewall on Azure Front Door
  • 📝Blog - Public Preview: Support for DRS and Mask sensitive data on Application Gateway WAF
  • 📝Blog - A Closer Look at Azure WAF’s Data Masking Capabilities for Azure Front Door
  • Web Application Firewall JavaScript Challenge on Azure Application Gateway (Preview)
  • Web Application Firewall JavaScript Challenge on Azure Front Door
  • 📝Blog - General Availability of JavaScript Challenge in Azure Front Door WAF
  • 📝Blog - Azure WAF Public Preview: JavaScript Challenge
  • 📝Blog - Azure WAF’s Bot Manager 1.1 and JavaScript Challenge: Navigating the Bot Threat Terrain
  • Azure Front Door Web Application Firewall CAPTCHA
  • 📝Blog - Securing web applications with Azure Front Door WAF CAPTCHA
  • 📝Blog - General Availability of CAPTCHA in Azure Front Door WAF
  • WAF Request Size Limits in Azure Application Gateway
  • 📝Blog - Independent Configuration of Size Enforcement and Inspection Limits in Application Gateway WAF
  • 📝Blog - Securing Containerized Applications with Application Gateway for Containers and Azure WAF
  • HTTP DDoS Ruleset (Preview) - Application Gateway WAF
  • 📝Blog - Application layer DDoS protection using the HTTP DDoS Ruleset in Azure WAF

Module 5 - Azure Bastion

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP/SSH connectivity to your virtual machines directly over TLS from the Azure portal, or via the native SSH or RDP client already installed on your local computer. Azure Bastion is deployed directly in your virtual network and supports all VMs in the virtual network using private IP addresses.

• Azure Bastion Overview
• Azure Bastion SKUs
• What's new in Azure Bastion
• Azure Bastion Cost Optimization Principles
• Key Features and Scenarios: 
  • 📝Blog - Secure Access to Your Azure Virtual Machines for Free with Bastion Developer
  • 📝Blog - Private only Bastion: Connect Through Bastion Without a Public IP
  • 📝Blog - Public Preview: Entra ID support for RDP connections in portal

Module 6 - Deployment and Architecture

• Azure DDoS Protection:

  • Create and configure Azure DDoS Network Protection using the Azure portal 

  • Create and configure Azure DDoS Network Protection using Azure PowerShell 

  • Create and configure Azure DDoS IP Protection using the Azure portal 

  • Create and configure Azure DDoS IP Protection using PowerShell 

  • 📝Blog - Protecting the Public IPs of Secured Virtual Hub Azure Firewalls against DDoS Attacks

• Azure Firewall and Firewall Manager:

  • Deploy & configure Azure Firewall Basic and policy using the Azure portal

  • Deploy & configure Azure Firewall Standard and policy using the Azure portal

  • Deploy & configure Azure Firewall Premium and policy using the Azure portal
  • Install Azure Firewall in a Virtual WAN hub - Azure Virtual WAN
  • 📝Blog - Fortify Your Azure Firewall: Custom Public IP Configuration on Secured Virtual Hub Deployments
  • Azure Firewall Draft + Deployment
  • Integrate Azure Firewall with Azure Standard Load Balancer
  • Azure Firewall forced tunneling
  • 📝Blog - Configuring Azure Firewall in Forced Tunneling mode
  • Azure Firewall Explicit proxy (preview) 
  • 📝Blog - Demystifying Explicit proxy: Enhancing Security with Azure Firewall
  • 📝Blog - Deploy Azure Firewall to inspect traffic to a private endpoint | Microsoft Community Hub
  • Azure Firewall SNAT private IP address ranges 
  • 📝Blog - Azure Firewall's Auto Learn SNAT Routes: A Guide to Dynamic Routing and SNAT Configuration
  • Filter inbound Internet traffic with Azure Firewall DNAT using the portal 
  • 📝Blog - Azure Firewall NAT Behaviors
  • 📝Blog - Private IP DNAT Support and Scenarios with Azure Firewall
  • Azure Firewall Manager Architecture Options
  • Use Azure Firewall policy to define a rule hierarchy
  • 📝Blog - Organizing rule collections and rule collection groups in Azure Firewall Policy
  • Use Azure Firewall to protect Azure Kubernetes Service (AKS) clusters
  • Limit Network Traffic with Azure Firewall in Azure Kubernetes Service (AKS) - Azure Kubernetes Service
• Azure Web Application Firewall:

  • Create an Application Gateway with a Web Application Firewall Using the Azure Portal

  • Create a WAF policy for Azure Front Door using the Azure Portal 
  • Configuring Azure Web Application Firewall on Application Gateway for Containers
  • Configure per-site WAF policies using PowerShell
  • ▶️Video - Using Azure WAF Policies to Protect Your Web Application at Different Association Levels
  • 📝Blog - Azure Web Application Firewall: WAF config versus WAF policy
• Azure Bastion:

  • Deploy Azure Bastion from the Azure portal 

  • Deploy private-only Bastion
  • Deploy Bastion using PowerShell
  • Azure Bastion configuration settings
  • VNet peering and Azure Bastion architecture
  • Connect to AKS Private Cluster Using Azure Bastion (Preview)
  • 📝Blog - Azure Bastion: Enterprise-grade secure access made simple
• Reference architectures and platforms:

  • Azure DDoS Protection reference architectures

  • Hub-spoke network topology in Azure
  • 📝Blog - Using Azure Firewall as a Network Virtual Appliance (NVA)
  • Azure Virtual WAN Overview
  • Install Azure Firewall in a Virtual WAN hub
  • Secure your virtual hub using Azure Firewall Manager
  • Deploy an Azure Firewall Manager security partner provider 
  • 📝Blog - Fortify Your Azure Firewall: Custom Public IP Configuration on Secured Virtual Hub Deployments
  • Implement a secure hybrid network
  • Deploy and configure Azure Firewall and policy in a hybrid network using the Azure portal
  • Deploy and configure Azure Firewall in a hybrid network by using PowerShell 
  • Determine how best to combine App Gateway and Azure Front Door
• Layered protection architectures:
  • Azure Firewall and Application Gateway for Virtual Networks
  • Implement a Zero Trust Network for Web Applications by Using Azure Firewall and Azure Application Gateway
  • 📝Blog - Zero Trust with Azure Network Security
  • 📝Blog - Zero Trust with Azure Firewall, Azure DDoS Protection and Azure WAF: A practical use case
  • ▶️Video - Zero Trust Web Application Security with Azure WAF and Azure Firewall
  • ▶️Video - Zero Trust - Defense in Depth with Azure Firewall and Azure WAF

Module 7 - Operations and Monitoring

• Azure DDoS Protection:

• • Azure DDoS Rapid Response

  • Azure DDoS Protection simulation testing
  • 📝Blog - Strengthening Your Defenses: Simulation Testing for Azure DDoS Protection
  • ▶️Video - DDoS Attack Simulations
  • Azure DDoS Protection fundamental best practices
  • 📝Blog - Maximizing Effectiveness: Best Practices for Azure DDoS Protection and Application Resilience
  • Configure Azure DDoS Protection metric alerts through portal
  • Monitor Azure DDoS Protection
  • Configure Azure DDoS Protection metric alerts through portal 
  • Configure Azure DDoS Protection diagnostic logging alerts
  • 📝Utilizing Azure DDoS Protection Workbook for DDoS attack traffic Analysis
  • ▶️Video - Deep Dive into DDoS Attack Analytics and Metrics
  • 📝Blog - Monitoring Azure DDoS Protection Mitigation Triggers
  • 📝Blog - Automating Enriched DDoS Alerts Using Logic Apps
• Azure Firewall and Firewall Manager:

  • Configure customer-controlled maintenance for Azure Firewall

  • Use FQDN filtering in network rules

  • Monitor Azure Firewall - Logs and metrics

  • Monitoring data reference for Azure Firewall
  • Using Azure Firewall Workbooks

  • 📝Blog - Azure Firewall: New Embedded Workbooks

  • 📝Blog - Exploring the New Resource Specific Structured Logging in Azure Firewall
  • 📝Blog - Logging and Metrics Enhancements to Azure Firewall now in Preview
  • 📝Blog - Azure Firewall: New Monitoring and Logging Updates
  • 📝Blog - Maximizing savings with Azure Firewall and Azure Monitor basic table plan
  • ▶️Video - Azure Firewall Management, Monitoring, and Troubleshooting
  • Azure Firewall Policy Analytics
  • ▶️Video - Azure Firewall Policy Analytics
  • 📝Blog - Exploring Azure Firewall Policy Analytics
  • 📝Blog - DNS flow trace logs in Azure Firewall are now generally available
• Azure Web Application Firewall:
  • Best practices for Azure Web Application Firewall in Azure Front Door
  • Best practices for Azure Web Application Firewall (WAF) on Application Gateway
  • 📝Blog - Azure WAF Post Deployment Check - Best Practices
  • Upgrade CRS or DRS Ruleset Version - Azure Web Application Firewall 

  • Monitoring metrics for Azure Application Gateway Web Application Firewall 

  • Resource logs for Azure Web Application Firewall
  • Use Azure Log Analytics to examine Application Gateway Web Application Firewall logs 
  • Monitoring and Logging - Azure Web Application Firewall on Azure Front Door
  • 📝Blog - Comprehensive Guide to Monitoring Azure WAF Metrics and Logs
  • Troubleshoot and Tune WAF for Azure Front Door 
  • ▶️Video - Boosting your Azure Web Application (WAF) deployment
  • 📝Blog - Azure WAF tuning with AD B2C applications
  • 📝Blog - Azure WAF Tuning for Web Applications
  • 📝Blog - Navigating Azure WAF Exclusions
  • 📝Blog - Application Gateway WAF Triage Workbook
  • Upgrade Migrate from WAF Config to WAF Policy
  • [New!] Azure Application Gateway WAF Insights (Preview)
• Azure Bastion:
  • View or upgrade an Azure Bastion SKU
  • Secure Your Azure Bastion Deployment
  • 📝Blog - Unlocking Secure VM Connectivity with Azure Bastion
  • 📝Blog - Best Practices for Securing Access to VMs
  • Azure Bastion session monitoring and management
  • Configure Azure Bastion Session Recording
• Network Security Hub:

  • 📝Blog - Introducing the new Network Security Hub in Azure

• Governance and Policy Compliance (Built-in Azure Policies):

  • Azure DDoS Network Protection should be enabled

  • Public IP addresses should have resource logs enabled for Azure DDoS Network Protection
  • Virtual networks should be protected by Azure DDoS Network Protection
  • Azure Firewall Policy Analytics should be Enabled
  • Azure Firewall Policy should enable Threat Intelligence
  • Azure Firewall Standard should be upgraded to Premium for next generation protection
  • Azure Firewall Policy should enable Threat Intelligence
  • Azure Firewall Standard should be upgraded to Premium for next generation protection
  • Virtual Hubs should be protected with Azure Firewall
  • Azure Firewall Policy should have DNS Proxy Enabled
  • Azure Firewall should be deployed to span multiple Availability Zone
  • Web Application Firewall (WAF) should be enabled for Application Gateway
  • Web Application Firewall (WAF) should be enabled for Azure Front Door Service
  • Web Application Firewall (WAF) should use the specified mode for Application Gateway
  • Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service

Module 8 - Security Integrations

• Integration with Microsoft Sentinel:

  • 📝Blog - Automate your attack response with Azure DDoS Protection solution for Microsoft Sentinel

  • 📝Blog - Azure DDoS Solution for Microsoft Sentinel
  • ▶️Video - Azure DDoS Protection Integration with Microsoft Sentinel
  • ▶️Video - Azure DDoS Sentinel Solution Integration with WAF Playbook
  • Azure Firewall with Microsoft Sentinel overview 
  • 📝Blog - New Detections, Hunting Queries and Response Automation in Azure Firewall Solution for Azure Sentinel
  • 📝Blog - Malware Detection in Sentinel for Azure Firewall
  • ▶️Video - Azure Firewall Integration with Microsoft Sentinel
  • Using Microsoft Sentinel with Azure Web Application Firewall
  • 📝Blog - Integrating Azure Web Application Firewall with Azure Sentinel
  • 📝Blog - Automated Detection and Response for Azure WAF with Sentinel
  • 📝Blog - Enhancing Your Azure Security: Azure DDoS Sentinel Solution and WAF Playbook Integration
  • ▶️Video - Automated Detection and Response for SQLi and XSS Attacks for Azure WAF using Microsoft Sentinel
• Integration with Microsoft Defender for Cloud:

  • 📝Blog - Azure Network Security Integration with Microsoft Defender for Cloud

• Integration with Microsoft Security Copilot:

  • 📝Blog - Azure Firewall and WAF integrations in Microsoft Security Copilot

  • Azure Firewall integration in Microsoft Security Copilot
  • 📝Blog - Azure Firewall integration in Security Copilot: protect networks at machine speed with Gen AI

  • 📝Blog - Copilot in Azure embedded experience for Azure Firewall integration in Security Copilot

  • ▶️Video - Azure Firewall Integration in Microsoft Copilot for Security
  • Azure Web Application Firewall integration in Microsoft Security Copilot

  • 📝Blog - Azure WAF integration in Security Copilot- Protect web applications using Gen AI

  • 📝Blog - Azure WAF Integration in Security Copilot is Now Generally Available
  • ▶️Video - Azure Web Application Firewall (WAF) Integration in Microsoft Copilot for Security

Module 9 - Hands-on Labs

• 🛠️Azure Network Security Labs
• 🛠️Azure Network Security Demo Labs
• 📝Blog - Building a POC for TLS inspection in Azure Firewall
• Azure WAF Security Protection and Detection Lab:
  • 📝Blog - Tutorial Overview: Azure Web Application Firewall Security Protection and Detection Lab
  • 📝Blog - Part 1 - Lab Setup: Azure WAF Security Protection and Detection Lab
  • 📝Blog - Part 2 - Reconnaissance Playbook: Azure WAF Security Protection and Detection Lab
  • 📝Blog - Part 3 - Vulnerability Exploitation Playbook: Azure WAF Security Protection and Detection Lab
  • 📝Blog - Part 4 - Data Disclosure and Exfiltration Playbook: Azure WAF Security Protection and Detection Lab
  • 🛠️Azure WAF Attack Testing Lab
• Network Security Dashboard for Microsoft Defender for Cloud:
  • 📝Blog - Introducing the Network Security Dashboard for Microsoft Defender for Cloud
  • 🛠️Network Security Dashboard for Microsoft Defender for Cloud
• 🛠️Azure Network Security Interactive Guide

Module 10 - Other Resources

• Azure DDoS Protection documentation
• Azure Firewall documentation
• Azure Firewall Manager documentation
• Azure Bastion documentation
• 📝Azure Network Security Blog Posts
• 🛠️Azure Network Security GitHub
• ▶️Azure Network Security Webinars

Are you ready to take your knowledge check? If so, click here. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again.

Note: it can take up to 24 hours for you to receive your certificate via email.