CCI2018 - Azure Network - Security Best Practices
SPONSOR
Who am I?
Francesco Molfese
francesco.molfese@progel.it
LinkedIn: https://www.linkedin.com/in/francescomolfese/
Twitter: @FrancescoMolf
• Senior Consultant at Progel S.p.A.
• Microsoft MVP Cloud Datacenter Management
• Microsoft Certified Trainer (MCT)
• Community Lead of the Italian System Center and Operations Management Suite User Group (http://www.ugisystemcenter.org)
Azure Network - Security Best Practices
Francesco Molfese
Agenda
• Network security challenges in the cloud
• Azure Networking: which network security offering to use when
• Understand Azure network security best practice
Azure Networking and Protection
What we get asked by customers around resource protection
How do I control network and application access to resources?
How do I embrace a zero trust network security model?
How do I enable DDOS protection for my application?
How do I protect my application from malicious intent?
How do I do segmentation and isolation to protect resources?
Azure Networking Services
CDN
Front Door
Traffic Manager
Application Gateway
Load Balancer
Virtual Network
Virtual WAN
ExpressRoute
VPN
DNS
Network Watcher
ExpressRoute Monitor
Azure Monitor
Virtual Network TAP
DDoS Protection
Firewall
Network Security Groups
Web Application Firewall
Virtual Network Endpoints
Virtual Networks
Your virtual private network in the cloud
• Private, isolated logical network
• Supports network ACLs and IP management
• User-defined routing for network virtual appliances
• Extends the on-premises network to the cloud
• Provides secure connectivity to Azure services
Hub-spoke network topology in Azure
Typical uses for this architecture include:
• Workloads deployed in different environments (dev, testing, and production) that require shared services (DNS, IDS, NTP, or AD DS).
• Workloads that do not require connectivity to each other, but require access to shared services.
• Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke.
Hub-spoke benefits
• Cost savings by centralizing services that can be shared by multiple workloads, such as network virtual appliances (NVAs) and DNS servers, in a single location.
• Overcome subscription limits by peering VNets from different subscriptions to the central hub.
• Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps).
Hub & spoke architecture: native security services
Multiple protection services to enable rich controls
• App Gateway with Web Application Firewall (WAF): web application protection
• Network & Application Security Groups (NSG): internal VNET segmentation
• Service endpoints: secure access to public PaaS resources
• Azure Firewall: full VNET egress and ingress (non-HTTP/S) protection
• DDoS protection for public IPs
Application Access Patterns
Access private traffic
• Network security groups (NSGs)
• Application security groups (ASGs)
• User-defined routes (UDRs)
Access to/from Internet
• DDoS protection
• Web Application Firewall
• Azure Firewall
• Network Virtual Appliances
Access to Azure PaaS services
• Service Endpoints
Backend connectivity
• ExpressRoute
• VPN Gateways
(Diagram: Users and the Internet reaching Your Virtual Network, with FrontEnd, Mid-tier and BackEnd subnets; numbered callouts 1, 2 and 3 mark the three access patterns.)
Application Gateway and web application protection
Layer 7 load balancer for web applications
Application Gateway
Web application protection
• Protects your application against prevalent cross-site scripting and SQL injection attacks
• Blocks threats based on OWASP (Open Web Application Security Project) Top 10 signatures
• Integrated with Azure Security Center
• Real-time logging with Azure Monitor
(Diagram: App Gateway combining an L7 load balancer and a WAF.)
• Platform managed: built-in high availability and scalability
• Layer 7 load balancing: URL path, host based, round robin, session affinity, redirection
• Centralized SSL management: SSL offload and SSL policy
• Public or ILB: public, internal or hybrid
• Rich diagnostics: Azure Monitor, Log Analytics
Web Application Firewall (WAF)
Network Security Groups & Application Security Groups
Network and Application Security Groups
Network Security Groups
• Protects your workloads with distributed ACLs
• Simplified configuration with augmented security rules
• Enforced at every host, applied on multiple subnets
Application Security Groups
• Micro-segmentation for dynamic workloads
• Named monikers for groups of VMs
• Removes management of IP addresses
Service Tags
• Named monikers for Azure service IPs
• Many Services tagged including AzureCloud
Logging and troubleshooting
• NSG flow logs for traffic monitoring
• Integrated with Network Watcher
• JIT access policies with Azure Security Center
Network Security Group (NSG) example with Application Security Groups
ASGs in the diagram: Monitoring VMs, App Servers, Database Servers, Log Servers, Web Servers, Domain Servers, Quarantine VMs, Domain Clients
Rules, listed top to bottom in priority order:

Action | Name                      | Source                        | Destination     | Port
Deny   | QuarantineVMs             | Any                           | QuarantineVMs   | Any
Allow  | AllowInternetToWebServers | Internet                      | WebServers      | 80, 443 (HTTP)
Allow  | AllowWebToApp             | WebServers                    | AppServers      | 443 (HTTPS)
Allow  | AllowAppToDb              | AppServers                    | DatabaseServers | 1443 (MSSQL)
Allow  | AllowAppToLogServers      | AppServers                    | LogServers      | 8089
Allow  | AllowOnPrem               | 10.10.0.0/16, 192.168.10.0/24 | MonitoringVMs   | 80 (HTTP)
Deny   | DenyAllInbound            | Any                           | Any             | Any

Network security for your VNet traffic
Demo
Securing VNet traffic with NSGs
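An added example, not code from the slide deck: a small Python model of how the NSG above evaluates an inbound flow (rules tried in priority order, first match decides) when sources and destinations are ASG names, the Internet service tag or CIDR ranges. The VM addresses, ASG membership and the "Internet means anything outside RFC 1918 space" shortcut are constructed assumptions for the demo.

```python
"""
Added example (not from the slide deck): how an NSG evaluates an inbound flow
against the ASG-based rule table on the slide. Rules are tried in priority
order and the first match decides. ASG membership, on-premises prefixes and
private IPs below are constructed sample data; treating "Internet" as any
non-RFC 1918 address is a simplification of the real service tag.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ASG membership: VM private IP -> ASG names it belongs to.
ASG_MEMBERS = {
    "10.1.1.10": {"WebServers"},
    "10.1.2.10": {"AppServers"},
    "10.1.3.10": {"DatabaseServers"},
    "10.1.4.10": {"LogServers"},
    "10.1.5.10": {"MonitoringVMs"},
    "10.1.2.99": {"AppServers", "QuarantineVMs"},  # app VM moved into quarantine
}

# On-premises prefixes used by the AllowOnPrem rule on the slide.
ONPREM = ["10.10.0.0/16", "192.168.10.0/24"]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    priority: int      # lower number is evaluated first
    name: str
    action: str        # "Allow" or "Deny"
    source: list       # ASG names, the "Internet" tag, CIDRs, or "Any"
    destination: list
    ports: list        # destination ports, or "Any"


# The slide's table with explicit priorities (top row first, DenyAllInbound last).
# Port 1443 is kept exactly as printed on the slide.
RULES = [
    Rule(100, "QuarantineVMs", "Deny", ["Any"], ["QuarantineVMs"], ["Any"]),
    Rule(110, "AllowInternetToWebServers", "Allow", ["Internet"], ["WebServers"], [80, 443]),
    Rule(120, "AllowWebToApp", "Allow", ["WebServers"], ["AppServers"], [443]),
    Rule(130, "AllowAppToDb", "Allow", ["AppServers"], ["DatabaseServers"], [1443]),
    Rule(140, "AllowAppToLogServers", "Allow", ["AppServers"], ["LogServers"], [8089]),
    Rule(150, "AllowOnPrem", "Allow", ONPREM, ["MonitoringVMs"], [80]),
    Rule(4096, "DenyAllInbound", "Deny", ["Any"], ["Any"], ["Any"]),
]


def _is_rfc1918(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def _matches(selector: str, ip: str) -> bool:
    """Does one source/destination entry (ASG, tag, CIDR or Any) match the IP?"""
    if selector == "Any":
        return True
    if selector == "Internet":
        return not _is_rfc1918(ip)                      # simplified service tag
    if "/" in selector:
        return ip_address(ip) in ip_network(selector, strict=False)
    return selector in ASG_MEMBERS.get(ip, set())       # ASG name


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> tuple:
    """Return (action, rule_name) for the first matching rule in priority order."""
    for rule in sorted(RULES, key=lambda r: r.priority):
        if (any(_matches(s, src_ip) for s in rule.source)
                and any(_matches(d, dst_ip) for d in rule.destination)
                and ("Any" in rule.ports or dst_port in rule.ports)):
            return rule.action, rule.name
    return "Deny", "implicit"   # unmatched inbound traffic is denied by default


if __name__ == "__main__":
    flows = [
        ("203.0.113.5", "10.1.1.10", 443),   # Internet -> web tier, HTTPS
        ("203.0.113.5", "10.1.3.10", 1443),  # Internet -> database, must be denied
        ("10.1.1.10", "10.1.2.10", 443),     # web -> app
        ("10.1.1.10", "10.1.2.99", 443),     # web -> quarantined app VM: deny wins
        ("10.10.4.7", "10.1.5.10", 80),      # on-premises -> monitoring
        ("10.1.1.10", "10.1.3.10", 1443),    # web -> database directly, must be denied
    ]
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}  {evaluate(src, dst, port)}")
```

The quarantined VM case shows why the Deny rule sits at the top: a VM that still belongs to AppServers is blocked as soon as it is also added to QuarantineVMs, without touching any other rule.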
Service Endpoints
Service Endpoints Policies
• Prevent unauthorized access to Azure services
• Restrict Virtual Network access to specific Azure services
• Granular access control over service endpoints
(Diagram: VNet 1 reaches Account A over a service endpoint; a service endpoint policy allows Account A only, so Account B and other accounts are not reachable.)
Enhanced VNet security for Azure services
Azure services available on Service Endpoints
• Azure Storage
• Azure SQL Database
• Azure CosmosDB
• Azure Keyvault
• Azure Database services for PostgreSQL
• Azure Database services for mySQL
• Azure SQL Datawarehouse (Preview)
• Azure Event Hubs (Preview)
• Azure Service Bus (Preview)
Demo
Service Endpoint Configuration
Azure Firewall
Azure Firewall
Central governance of all traffic flows
• Built-in high availability and auto scale
• Network and application traffic filtering
• Centralized policy across VNets and subscriptions
Complete VNET protection
• Filter outbound, inbound, spoke-to-spoke and hybrid connection traffic (VPN and ExpressRoute)
Centralized logging
• Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or the Security Information and Event Management (SIEM) system of your choice
Cloud-native stateful firewall as a service
(Diagram: Azure Firewall in the hub, with spoke VNets and on-premises traffic passing through it.)
Azure Firewall features (GA)
• Application rules
  • FQDN filtering
  • FQDN tags (e.g. Azure Backup, App Service Environment)
  • Default infrastructure rule collection
• Fully stateful network rules
• NAT support
  • Default Source Network Address Translation (SNAT)
  • Destination Network Address Translation (DNAT)
• Monitoring
  • Azure Monitor logging
  • Azure Monitor metrics
• Support for inbound and hybrid connections
• Network Watcher integration
Coming soon: Azure Security Center integration (JIT)
FQDN tags in Azure Firewall
• An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well-known Microsoft services
• FQDN tags can be used in application rules to allow the required outbound network traffic through your firewall
• Supported tags:
  • Windows Update
  • Windows Diagnostics
  • Microsoft Active Protection Service (MAPS)
  • App Service Environment
  • Azure Backup
• Some tags may require additional configuration. For example, ASE has customer-specific Storage and SQL endpoints, which must be enabled using service endpoints
Inbound traffic filtering recommendation
• Application Gateway WAF is the preferred service for inbound application-level HTTP/S protection
• Use Azure Firewall inbound network-level protection for non-HTTP/S protocols (e.g. SSH, RDP, FTP)
• Destination Network Address Translation (DNAT)
  • Inbound traffic filtering is enabled by mapping your firewall public IP and port to a private IP and port
• Known issues
  • DNAT doesn't work for ports 80 and 22. These can be specified as 80 and 22 as the translated ports. For example, you can map public IP:81 to private IP:80. We are working to fix this soon.
Azure Firewall for hybrid links
Traffic filtering between Azure VNETs and on-premises networks
• Works with either Azure VPN Gateway or ExpressRoute Gateway
No support for traffic routing from on-premises to the internet
• This is a key roadmap feature for Azure Firewall in a Virtual WAN hub
Hybrid links filtering: recommended configuration
• UDR on the spoke subnet pointing to the Azure Firewall private IP as default gateway
  • BGP route propagation must be disabled on this route table
• UDR on the hub gateway subnet pointing to Azure Firewall as next hop to the spoke networks
  • Pointing to Azure Firewall as the default gateway is not supported on gateway subnets
• No UDR on the Azure Firewall subnet (it learns routes from BGP)
• Allow spokes to use the VPN/ER gateway in the hub
  • Set AllowGatewayTransit when peering VNet-Hub to VNet-Spoke
  • Set UseRemoteGateways when peering VNet-Spoke to VNet-Hub
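An added example, not from the slides: the recommended hybrid-link configuration above written as a checklist in Python that validates a constructed, simplified model of the route tables and VNet peerings. The dictionary shape is not the Azure API schema, and the resource names, firewall private IP 10.0.1.4 and spoke prefixes are assumptions.

```python
"""
Added example (not from the slide deck): the slide's hybrid-link routing
recommendations as checks over a constructed model of route tables, subnets
and peerings. Names, the firewall IP and spoke prefixes are assumptions; the
dictionary layout is a simplification, not the Azure resource schema.
"""
import copy

FIREWALL_IP = "10.0.1.4"                          # assumed Azure Firewall private IP (hub)
SPOKE_PREFIXES = ["10.2.0.0/16", "10.3.0.0/16"]   # assumed spoke address spaces
HUB_VNET = "vnet-hub"


def via_firewall(prefix: str) -> dict:
    """A UDR entry sending `prefix` to the Azure Firewall as a virtual appliance."""
    return {"prefix": prefix, "next_hop_type": "VirtualAppliance", "next_hop_ip": FIREWALL_IP}


# Constructed baseline that follows the slide's recommendations.
DEPLOYMENT = {
    "route_tables": {
        "rt-spoke": {                              # associated with spoke workload subnets
            "disable_bgp_propagation": True,
            "routes": [via_firewall("0.0.0.0/0")],
            "subnets": ["spoke1-workload", "spoke2-workload"],
        },
        "rt-gateway": {                            # associated with the hub GatewaySubnet
            "disable_bgp_propagation": False,      # gateway subnet keeps learning BGP routes
            "routes": [via_firewall(p) for p in SPOKE_PREFIXES],
            "subnets": ["GatewaySubnet"],
        },
    },
    "subnets": {
        "spoke1-workload": "spoke",
        "spoke2-workload": "spoke",
        "GatewaySubnet": "gateway",
        "AzureFirewallSubnet": "firewall",         # deliberately has no route table
    },
    "peerings": [
        {"from": "vnet-hub", "to": "vnet-spoke1", "allow_gateway_transit": True, "use_remote_gateways": False},
        {"from": "vnet-spoke1", "to": "vnet-hub", "allow_gateway_transit": False, "use_remote_gateways": True},
        {"from": "vnet-hub", "to": "vnet-spoke2", "allow_gateway_transit": True, "use_remote_gateways": False},
        {"from": "vnet-spoke2", "to": "vnet-hub", "allow_gateway_transit": False, "use_remote_gateways": True},
    ],
}


def _routes_to_firewall(rt: dict, prefix: str) -> list:
    return [r for r in rt["routes"]
            if r["prefix"] == prefix and r["next_hop_type"] == "VirtualAppliance"
            and r["next_hop_ip"] == FIREWALL_IP]


def check_hybrid_routing(model: dict) -> list:
    """Return a list of findings; empty means the model matches the slide's recommendations."""
    findings = []

    def add(msg: str) -> None:          # one finding per distinct problem
        if msg not in findings:
            findings.append(msg)

    table_of = {s: name for name, rt in model["route_tables"].items() for s in rt["subnets"]}
    for subnet, role in model["subnets"].items():
        rt_name = table_of.get(subnet)
        rt = model["route_tables"].get(rt_name)
        if role == "spoke":
            if rt is None:
                add(f"{subnet}: no route table; default route must point to Azure Firewall")
                continue
            if not _routes_to_firewall(rt, "0.0.0.0/0"):
                add(f"{subnet}: 0.0.0.0/0 must use Azure Firewall {FIREWALL_IP} as next hop")
            if not rt["disable_bgp_propagation"]:
                add(f"{rt_name}: BGP route propagation must be disabled on the spoke route table")
        elif role == "gateway":
            if rt is None:
                add(f"{subnet}: no route table; spoke prefixes must route via Azure Firewall")
                continue
            for prefix in SPOKE_PREFIXES:
                if not _routes_to_firewall(rt, prefix):
                    add(f"{subnet}: missing route for {prefix} via Azure Firewall")
            if any(r["prefix"] == "0.0.0.0/0" for r in rt["routes"]):
                add(f"{subnet}: a default route via the firewall is not supported on gateway subnets")
        elif role == "firewall" and rt is not None:
            add(f"{subnet}: must have no UDR (it learns routes from BGP)")

    for p in model["peerings"]:
        if p["from"] == HUB_VNET and not p["allow_gateway_transit"]:
            add(f"peering {p['from']}->{p['to']}: AllowGatewayTransit must be set")
        if p["to"] == HUB_VNET and not p["use_remote_gateways"]:
            add(f"peering {p['from']}->{p['to']}: UseRemoteGateways must be set")
    return findings


def misconfigured_example() -> list:
    """Constructed copy with three typical mistakes, to show what the checker reports."""
    bad = copy.deepcopy(DEPLOYMENT)
    bad["route_tables"]["rt-spoke"]["disable_bgp_propagation"] = False
    bad["route_tables"]["rt-gateway"]["routes"].append(via_firewall("0.0.0.0/0"))
    bad["peerings"][1]["use_remote_gateways"] = False
    return check_hybrid_routing(bad)


if __name__ == "__main__":
    print("baseline findings:", check_hybrid_routing(DEPLOYMENT))
    for finding in misconfigured_example():
        print("finding:", finding)
```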
Demo
Azure Firewall
Azure Firewall synergies and recommendations
Application Gateway WAF
• Provides inbound protection for web applications (L7)
• Azure Firewall provides network-level protection (L3) for all ports and protocols and application-level protection (L7) for outbound HTTP/S. Azure Firewall should be deployed alongside Azure WAF
• Azure Firewall can be combined with third-party WAF/DDoS solutions
Network Security Groups (NSG)
• NSG and Azure Firewall are complementary; with both you have defense in depth
• NSGs provide host-based, distributed network-layer traffic filtering to limit traffic to resources within virtual networks
• Azure Firewall is a fully stateful, centralized network firewall as a service, providing network- and application-level protection across virtual networks and subscriptions
Service endpoints
• Recommended for secure access to Azure PaaS services
• Can be combined with Azure Firewall for central logging of all traffic by enabling service endpoints in the Azure Firewall subnet and disabling them on the connected spoke VNETs
Azure DDoS Protection
DDoS Attack Trends
(Chart residue; recoverable figures:)
• Attack frequency: 58% vs. 2017
• Attack size: 1.7 Tbps peak; 4X > 50 Gbps
• Attack vectors: 56% multi-vector
• Attack downtime: 35% of businesses impacted
• Continued growth in frequency, size, sophistication, and impact
• Often utilized as a 'cyber smoke screen' to mask infiltration attacks
• Record attack sizes: 400 Gbps (NTP amp), 650 Gbps (Mirai), 1.7 Tbps (Memcached), 2+ Tbps (???)
Azure DDoS Protection overview
Azure DDoS Protection Standard
DDoS Attack Analytics
Mitigation Reports
• Near real-time attack data snapshot
• Stats include attack vectors, protocols, traffic, top sources & ASNs and more
• Summary report at the end of the attack
Mitigation Flow Logs
• Near real-time sampled flow logs with details of the action taken during attack mitigation
• Logs include source & destination IP with port and action taken
DDoS Rapid Response (DRR)
• Access to the Rapid Response team during an active attack for specialized support
• Mitigation policy customizations for anticipated events
Recommendations in Azure Security Center to protect Virtual Networks against DDoS attacks
Support for Azure Firewall, IPv6 Virtual Networks & VPN Gateway as protected resources
Recap: Azure network security best practice
Key Takeaways
• Pick network security offerings based on application access patterns
• Layer security by mix-and-match based on your requirements
• Scale the security model, as your workloads scale
Protection services enabling zero trust
(Slide table, grouped under the headings Application protection and Segmentation.)

Service | Scope | Value
Azure Firewall | Centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering | Better central governance of all traffic flows, full DevOps integration using cloud-native high availability with autoscale
DDoS protection | DDoS protection tuned to your application traffic patterns | 
Web Application Firewall | Centralized inbound web application protection from common exploits and vulnerabilities | Prevent SQL injection, stop cross-site scripting and an array of other types of attacks using a cloud-native approach
Network Security Groups | Distributed inbound & outbound network (L3-L4) traffic filtering on VM, container or subnet | Full granular distributed end-node control at VM/subnet for all network traffic flows
Service Endpoints | Restrict access to Azure service resources (PaaS) to only your Virtual Network | Extend your Virtual Network controls to lock down Azure service resource (PaaS) access
Q & A
Let the past go and step off into the future

More Related Content

What's hot (20)

PPTX
Azure Networking: Innovative Features and Multi-VNet Topologies
Marius Zaharia
 
PDF
Let's Talk About: Azure Monitor
Pedro Sousa
 
PDF
Understanding Azure AD
New Horizons Ireland
 
PPTX
Microsoft azure
Mohammad Ilyas Malik
 
PDF
Azure Arc Overview from Microsoft
David J Rosenthal
 
PDF
Understanding Azure Networking Services
InCycleSoftware
 
PDF
Az 104 session 2 implement and manage azure webapps and container
AzureEzy1
 
PDF
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
WinWire Technologies Inc
 
PPTX
Microsoft Azure Technical Overview
gjuljo
 
PPTX
Let's Talk About: Azure Networking
Pedro Sousa
 
PDF
Microsoft Azure Fundamentals
Adwait Ullal
 
PDF
Azure Service Endpoints vs. Private Links
Matthias Güntert
 
PPTX
Azure security and Compliance
Karina Matos
 
PPTX
Microsoft Azure cloud services
Najeeb Khan
 
PDF
Azure Site Recovery - BC/DR - Migrations & assessments in 60 minutes!
Johan Biere
 
PDF
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
Edureka!
 
PPTX
Azure
Kiran Bavariya
 
PDF
Microsoft Azure - Introduction to microsoft's public cloud
Atanas Gergiminov
 
PPTX
Azure Networking (1).pptx
Razith2
 
PPTX
Introduction to Microsoft Azure
Guy Barrette
 
Azure Networking: Innovative Features and Multi-VNet Topologies
Marius Zaharia
 
Let's Talk About: Azure Monitor
Pedro Sousa
 
Understanding Azure AD
New Horizons Ireland
 
Microsoft azure
Mohammad Ilyas Malik
 
Azure Arc Overview from Microsoft
David J Rosenthal
 
Understanding Azure Networking Services
InCycleSoftware
 
Az 104 session 2 implement and manage azure webapps and container
AzureEzy1
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
WinWire Technologies Inc
 
Microsoft Azure Technical Overview
gjuljo
 
Let's Talk About: Azure Networking
Pedro Sousa
 
Microsoft Azure Fundamentals
Adwait Ullal
 
Azure Service Endpoints vs. Private Links
Matthias Güntert
 
Azure security and Compliance
Karina Matos
 
Microsoft Azure cloud services
Najeeb Khan
 
Azure Site Recovery - BC/DR - Migrations & assessments in 60 minutes!
Johan Biere
 
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
Edureka!
 
Microsoft Azure - Introduction to microsoft's public cloud
Atanas Gergiminov
 
Azure Networking (1).pptx
Razith2
 
Introduction to Microsoft Azure
Guy Barrette
 

Similar to CCI2018 - Azure Network - Security Best Practices (20)

PPTX
Securing your cloud perimeter with azure network security brk3185
jtaylor707
 
PDF
Azure F5 Solutions
MarketingArrowECS_CZ
 
PDF
Global Azure Bootcamp 2018 - Azure Network Security
Scott Hoag
 
PDF
Protección y acceso a tu información y aplicaciones en Azure y O365 – Barracuda
Plain Concepts
 
PPTX
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
PPTX
CCI2019 - Architecting and Implementing Azure Networking
walk2talk srl
 
PDF
Microsoft Azure Security Overview
Alert Logic
 
PDF
366864108 azure-security
ober64
 
PPTX
Azure Stack - Azure Nights User Group
Michael Frank
 
PPTX
Self service it with v realizeautomation and nsx
solarisyougood
 
PPTX
Advanced Application Protection with Azure WAF
Udaiappa Ramachandran
 
PPTX
Trust No-One Architecture For Services And Data
Aidan Finn
 
PPTX
ciplaasfqewfefewtwegndkvndsgjbsdz-dfafd.pptx
kreshenka
 
PPTX
Brk30176 enterprise class networking in azure
Abou CONDE
 
PPTX
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Thuan Ng
 
PPTX
Introduction to Azure Virtual WAN Presentation
Knoldus Inc.
 
PPTX
Microsoft Azure News - Oct 2016
Daniel Toomey
 
PPTX
Connect your datacenter to Microsoft Azure
K.Mohamed Faizal
 
PPTX
10052016115136.pptx
dixitgangaiah
 
PDF
Interop ITX: Moving applications: From Legacy to Cloud-to-Cloud
Susan Wu
 
Securing your cloud perimeter with azure network security brk3185
jtaylor707
 
Azure F5 Solutions
MarketingArrowECS_CZ
 
Global Azure Bootcamp 2018 - Azure Network Security
Scott Hoag
 
Protección y acceso a tu información y aplicaciones en Azure y O365 – Barracuda
Plain Concepts
 
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
CCI2019 - Architecting and Implementing Azure Networking
walk2talk srl
 
Microsoft Azure Security Overview
Alert Logic
 
366864108 azure-security
ober64
 
Azure Stack - Azure Nights User Group
Michael Frank
 
Self service it with v realizeautomation and nsx
solarisyougood
 
Advanced Application Protection with Azure WAF
Udaiappa Ramachandran
 
Trust No-One Architecture For Services And Data
Aidan Finn
 
ciplaasfqewfefewtwegndkvndsgjbsdz-dfafd.pptx
kreshenka
 
Brk30176 enterprise class networking in azure
Abou CONDE
 
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Thuan Ng
 
Introduction to Azure Virtual WAN Presentation
Knoldus Inc.
 
Microsoft Azure News - Oct 2016
Daniel Toomey
 
Connect your datacenter to Microsoft Azure
K.Mohamed Faizal
 
10052016115136.pptx
dixitgangaiah
 
Interop ITX: Moving applications: From Legacy to Cloud-to-Cloud
Susan Wu
 
Ad

More from walk2talk srl (20)

PPTX
CCI 2019 - SQL Injection - Black Hat Vs White Hat
walk2talk srl
 
PPTX
CCI 2019 - Exploiting Custom Vision SDK in Python to create an efficient imag...
walk2talk srl
 
PPTX
CCI 2019 - Come ottimizzare i propri workload su Azure
walk2talk srl
 
PPTX
CCI 2019 - Exchange 2019 da 0 ad HA in 1 ora
walk2talk srl
 
PPTX
CCI 2019 - PowerApps for Enterprise Developers
walk2talk srl
 
PPTX
CCI 2019 - Architettare componenti in SPFx, esperienze sul campo
walk2talk srl
 
PPTX
CCI 2019 - Step by step come attivare un servizio voce in MS Teams
walk2talk srl
 
PPTX
CCI 2019 - Strumenti Azure per l'Anomaly Detection in ambito Industria 4.0
walk2talk srl
 
PPTX
CCI2019 - I've got the Power! I've got the Shell!
walk2talk srl
 
PDF
CCI2019 - Sistema di controllo del traffico con architettura Big Data
walk2talk srl
 
PPTX
CCI2019 - Governance di una Conversational AI
walk2talk srl
 
PPTX
CCI2019 - SQL Server ed Azure: Disaster Recovery per tutti
walk2talk srl
 
PPTX
CCI2019 - Reagire agli eventi generati dalla propria infrastruttura con Azure...
walk2talk srl
 
PPTX
CCI2019 - What's new in Remote Desktop Services on Windows Server 2019 and Azure
walk2talk srl
 
PPTX
CCI2019 - Teams Direct Routing e servizi fonia avanzati
walk2talk srl
 
PDF
CCI2019 - Microservizi: Idee per un'architettura con al centro l'utente
walk2talk srl
 
PPTX
CCI2019i - Implementare Azure Multi-Factor Authentication Lettere dal Fronte
walk2talk srl
 
PPTX
CCI2019 - Monitorare SQL Server Senza Andare in Bancarotta
walk2talk srl
 
PPTX
CCI2019 - Teams e lo Shadow IT
walk2talk srl
 
PPTX
CCI2018 - La "moderna" Sicurezza informatica & Microsoft
walk2talk srl
 
CCI 2019 - SQL Injection - Black Hat Vs White Hat
walk2talk srl
 
CCI 2019 - Exploiting Custom Vision SDK in Python to create an efficient imag...
walk2talk srl
 
CCI 2019 - Come ottimizzare i propri workload su Azure
walk2talk srl
 
CCI 2019 - Exchange 2019 da 0 ad HA in 1 ora
walk2talk srl
 
CCI 2019 - PowerApps for Enterprise Developers
walk2talk srl
 
CCI 2019 - Architettare componenti in SPFx, esperienze sul campo
walk2talk srl
 
CCI 2019 - Step by step come attivare un servizio voce in MS Teams
walk2talk srl
 
CCI 2019 - Strumenti Azure per l'Anomaly Detection in ambito Industria 4.0
walk2talk srl
 
CCI2019 - I've got the Power! I've got the Shell!
walk2talk srl
 
CCI2019 - Sistema di controllo del traffico con architettura Big Data
walk2talk srl
 
CCI2019 - Governance di una Conversational AI
walk2talk srl
 
CCI2019 - SQL Server ed Azure: Disaster Recovery per tutti
walk2talk srl
 
CCI2019 - Reagire agli eventi generati dalla propria infrastruttura con Azure...
walk2talk srl
 
CCI2019 - What's new in Remote Desktop Services on Windows Server 2019 and Azure
walk2talk srl
 
CCI2019 - Teams Direct Routing e servizi fonia avanzati
walk2talk srl
 
CCI2019 - Microservizi: Idee per un'architettura con al centro l'utente
walk2talk srl
 
CCI2019i - Implementare Azure Multi-Factor Authentication Lettere dal Fronte
walk2talk srl
 
CCI2019 - Monitorare SQL Server Senza Andare in Bancarotta
walk2talk srl
 
CCI2019 - Teams e lo Shadow IT
walk2talk srl
 
CCI2018 - La "moderna" Sicurezza informatica & Microsoft
walk2talk srl
 
Ad

Recently uploaded (20)

PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PDF
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
PPTX
The Future of AI & Machine Learning.pptx
pritsen4700
 
PDF
introduction to computer hardware and sofeware
chauhanshraddha2007
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PDF
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
PPTX
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
PDF
Per Axbom: The spectacular lies of maps
Nexer Digital
 
PPTX
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
PPTX
AVL ( audio, visuals or led ), technology.
Rajeshwri Panchal
 
PPTX
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
PDF
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
Market Insight : ETH Dominance Returns
CIFDAQ
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
The Future of AI & Machine Learning.pptx
pritsen4700
 
introduction to computer hardware and sofeware
chauhanshraddha2007
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
Per Axbom: The spectacular lies of maps
Nexer Digital
 
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
AVL ( audio, visuals or led ), technology.
Rajeshwri Panchal
 
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
Market Insight : ETH Dominance Returns
CIFDAQ
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 

CCI2018 - Azure Network - Security Best Practices

  • 3. Who am I? Francesco Molfese [email protected] LinkedIn: https://www.linkedin.com/in/francescomolfese/ Twitter: @FrancescoMolf • Senior Consultant presso Progel S.p.A. • Microsoft MVP Cloud Datacenter Management • Microsoft Certified Trainer (MCT) • Community Lead dello User Group Italiano di System Center e Operations Management Suite (http://www.ugisystemcenter.org)
  • 4. Azure Network - Security Best Practices Francesco Molfese
  • 5. Agenda • Network security challenges in the cloud • Azure Networking: which network security offering to use when • Understand Azure network security best practice
  • 6. Azure Networking and Protection
  • 7. What we get asked by customers around resource protection How do I control network and application access to resources? How do I embrace a zero trust network security model? How do I enable DDOS protection for my application? How do I protect my application from malicious intent? How do I do segmentation and isolation to protect resources?
  • 8. Azure Networking Services CDN Front Door Traffic Manager Application Gateway Load Balancer Virtual Network Virtual WAN ExpressRoute VPN DNS Network Watcher ExpressRoute Monitor Azure Monitor Virtual Network TAP DDoS Protection Firewall Network Security Groups Web Application Firewall Virtual Network Endpoints
  • 9. Virtual Networks Your virtual private network in the cloud • Private isolated logical network • Supports Network ACLs and IP Management • User defined routing for network virtual appliances • Extends on-premises network to the cloud • Provides secure connectivity to Azure services
  • 10. Hub-spoke network topology in Azure Typical uses for this architecture include: • Workloads deployed in different environments (dev, testing, and production) that require shared services (DNS, IDS, NTP, or AD DS). • Workloads that do not require connectivity to each other, but require access to shared services. • Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke.
  • 11. Hub-spoke benefits • Cost savings by centralizing services that can be shared by multiple workloads, such as network virtual appliances (NVAs) and DNS servers, in a single location. • Overcome subscriptions limits by peering VNets from different subscriptions to the central hub. • Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps).
  • 12. Hub & spoke architecture: native security services
  • 13. Multiple protection services to enable rich controls • App Gateway with Web Application Firewall (WAF): Web Application Protection • Network & Application Security Groups (NSG): Internal VNET segmentation • Service endpoints: Secure access to public PaaS resources • Azure Firewall: Full VNET egress and ingress (non-http/s) protection • DDoS protection for Public IPs
  • 14. Application Access Patterns Access private traffic -Networksecurity groups (NSGs) -Application security groups (ASGs) -User-Definedroutes (UDRs) Access to/from Internet -DDoSprotection -Web Application Firewall -Azure Firewall -NetworkVirtual Appliances Access to Azure PaaS services 1 3 2 ServiceEndpoints Backend Connectivity ExpressRoute VPN Gateways Users Internet Your Virtual Network BackEndMid-tierFrontEnd
  • 15. Application Gateway and web application protection Layer 7 load balancer for web applications
  • 16. Application Gateway Web application protection • Protects your application against prevalent X- Site Scripting and SQL Injection attacks • Blocks threats based on top 10 OWASP (Open Web Application Security Project) signatures • Integrated with Azure Security Center • Real-time logging with Azure Monitor App Gateway L7 LB WAF • Platform managed built in high availability and scalability • Layer 7 load balancing URL path, host based, round robin, session affinity, redirection • Centralized SSL management SSL offload and SSL policy • Public or ILB public internal or hybrid • Rich diagnostics Azure monitor, Log analytics Web Application Firewall (WAF)
  • 17. Network Security Groups & Application Security Groups
  • 18. Network and Application Security Groups Network Security Groups • Protects your workloads with distributed ACLs • Simplified configuration with augmented security rules • Enforced at every host, applied on multiple subnets Application Security Groups • Micro-segmentation for dynamic workloads • Named monikers for groups of VMs • Removes management of IP addresses Service Tags • Named monikers for Azure service IPs • Many Services tagged including AzureCloud Logging and troubleshooting • NSG flow logs for traffic monitoring • Integrated with Network Watcher • JIT access policies with Azure Security Center
  • 19. Monitoring VMs App Servers Database Servers Log Servers Web Servers Domain Servers Quarantine VMs Domain Clients Network Security Group (NSG) Action Name Source Destination Port Deny QurantineVMs Any QurantineVMs Any Allow AllowInternetToWebServers Internet WebServers 80,443(HTTP) Allow AllowWebToApp WebServers AppServers 443 (HTTPS) Allow AllowAppToDb AppServers DatabaseServers 1443 (MSSQL) Allow AllowAppToLogServers AppServers LogServers 8089 Allow AllowOnPrem 10.10.0.0/16 192.168.10.0/24 MonitoingVMs 80 (HTTP) Deny DenyAllInbound Any Any Any Network security for your VNet traffic
  • 22. Service Endpoints Policies • Prevent unauthorized access to Azure services • Restrict Virtual Network access to specific Azure services • Granular access control over service endpoints VNet 1 Account A SERVICE ENDPOINT Account B, … Allow Account A SERVICE ENDPOINT POLICY Enhanced VNet security for Azure services
  • 23. Azure services available on Service Endpoints • Azure Storage • Azure SQL Database • Azure CosmosDB • Azure Keyvault • Azure Database services for PostgreSQL • Azure Database services for mySQL • Azure SQL Datawarehouse (Preview) • Azure Event Hubs (Preview) • Azure Service Bus (Preview)
  • 26. Azure Firewall Central governance of all traffic flows • Built-in high availability and auto scale • Network and application traffic filtering • Centralized policy across VNets and subscriptions Complete VNET protection • Filter Outbound, Inbound, Spoke-Spoke & Hybrid Connections traffic (VPN and ExpressRoute) Centralized logging • Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or Security Integration and Event Management (SIEM) system of choice Cloud native stateful Firewall as a service Spoke VNets On-Premises
  • 27. Azure Firewall features (GA) • Application rules • FQDN Filtering • FQDN Tags (e.g. Azure Backup, App Service Environment) • Default infrastructure rule collection • Fully stateful network rules • NAT support • Default Source Network Address Translation (SNAT) • Destination Network Address Translation (DNAT) • Monitoring • Azure Monitor Logging • Azure Monitor Metrics • Support for inbound and hybrid connections • Network watcher integration Coming soon: Azure Security Center Integration (JIT)
  • 28. FQDN tags in Azure Firewall • An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services • FQDN tags can be used in application rules to allow the required outbound network traffic through your firewall • Supported tags: • Windows Update • Windows Diagnostics • Microsoft Active Protection Service (MAPS) • App Service Environment • Azure Backup • Some tags may require additional configuration. For example, ASE has customer-specific Storage and SQL endpoints, which must be enabled using Service endpoints
  • 29. Inbound traffic filtering recommendation • Application Gateway WAF is the preferred service for inbound application level HTTP/S protection • Use Azure Firewall inbound network level protection for non-HTTP/S protocols (e.g. SSH, RDP, FTP) • Destination Network Address Translation (DNAT) • Inbound traffic filtering is enabled by mapping of your firewall public IP and port to a private IP and port • Known issues • DNAT doesn’t work for port 80 and 22. These can be specified as 80, 22 as the translated ports. For example, you can map public ip:81 to private ip:80. We are working to fix this soon.
  • 30. Azure Firewall for hybrid links
    • Traffic filtering between Azure VNETs and on-premises networks
      • Works with either Azure VPN Gateway or ExpressRoute Gateway
    • No support for traffic routing from on-premises to internet
      • This is a key roadmap feature for Azure Firewall in a Virtual WAN Hub
  • 31. Hybrid links filtering: recommended configuration
    • UDR on the spoke subnet pointing to the Azure Firewall private IP as default gateway
      • BGP route propagation must be Disabled on this route table
    • UDR on the hub gateway subnet pointing to Azure Firewall as next hop to spoke networks
      • Pointing to Azure Firewall as the default gateway is not supported on gateway subnets
    • No UDR on the Azure Firewall subnet (it learns routes from BGP)
    • Allow spokes to use the VPN/ER gateway in the hub
      • Set AllowGatewayTransit when peering VNet-Hub to VNet-Spoke
      • Set UseRemoteGateways when peering VNet-Spoke to VNet-Hub
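The slide 31 configuration expressed as Bicep, added here as an example that is not part of the deck. VNet names, the spoke prefix and the firewall private IP are hypothetical; the hub VNet with its GatewaySubnet, AzureFirewallSubnet and gateway is assumed to exist already.

```bicep
// Added example, not from the deck. Assumed (hypothetical) names/addresses: hub VNet 'vnet-hub' with
// GatewaySubnet, AzureFirewallSubnet and the VPN/ER gateway already deployed, spoke VNet 'vnet-spoke'
// = 10.1.0.0/16, Azure Firewall private IP 10.0.1.4.
param firewallPrivateIp string = '10.0.1.4'
param spokePrefix string = '10.1.0.0/16'

// 1) Spoke workload subnet: 0.0.0.0/0 -> firewall. BGP propagation is disabled so prefixes learned
//    from the hub VPN/ER gateway cannot be installed on the subnet and bypass the firewall.
resource spokeRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-workload'
  location: resourceGroup().location
  properties: {
    disableBgpRoutePropagation: true
    routes: [ {
      name: 'default-to-firewall'
      properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
    } ]
  }
}

// 2) Hub GatewaySubnet: only the spoke prefix is steered to the firewall. A 0.0.0.0/0 route to the
//    firewall is not supported here, and AzureFirewallSubnet gets no route table at all (BGP-learned).
resource gatewayRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-hub-gatewaysubnet'
  location: resourceGroup().location
  properties: {
    routes: [ {
      name: 'spoke-via-firewall'
      properties: { addressPrefix: spokePrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
    } ]
  }
}

// 3) Peerings: the hub offers its gateway (allowGatewayTransit) and the spoke consumes it
//    (useRemoteGateways). allowForwardedTraffic lets firewall-forwarded packets cross the peering.
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'vnet-hub' }
resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'vnet-spoke' }

resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hub
  name: 'hub-to-spoke'
  properties: { remoteVirtualNetwork: { id: spoke.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, allowGatewayTransit: true }
}

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spoke
  name: 'spoke-to-hub'
  properties: { remoteVirtualNetwork: { id: hub.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, useRemoteGateways: true }
}
```

Associate rt-spoke-workload with the spoke workload subnet and rt-hub-gatewaysubnet with the hub GatewaySubnet (subnet association is not shown), and leave AzureFirewallSubnet without a route table; the spoke-to-hub peering with useRemoteGateways can only be created once the hub gateway exists.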
  • 33. Azure Firewall synergies and recommendations
    • Application Gateway WAF
      • Provides inbound protection for web applications (L7)
      • Azure Firewall provides network level protection (L3) for all ports and protocols and application level protection (L7) for outbound HTTP/S. Azure Firewall should be deployed alongside Azure WAF
      • Azure Firewall can be combined with 3rd party WAF/DDoS solutions
    • Network Security Groups (NSG)
      • NSG and Azure Firewall are complementary; with both you have defense in depth
      • NSGs provide host based, distributed network layer traffic filtering to limit traffic to resources within virtual networks
      • Azure Firewall is a fully stateful centralized network firewall as-a-service, providing network and application level protection across virtual networks and subscriptions
    • Service endpoints
      • Recommended for secure access to Azure PaaS services
      • Can be leveraged with Azure Firewall for central logging of all traffic by enabling service endpoints in the Azure Firewall subnet and disabling them on the connected spoke VNETs
  • 35. DDoS Attack Trends
    • Attack Frequency: 58% vs. 2017
    • Attack Size: 1.7 Tbps peak; 4X >50 Gbps
    • Attack Vectors: 56% multi-vector
    • Attack Downtime: 35% businesses impacted
    • Continued growth in frequency, size, sophistication, and impact
    • Often utilized as a 'cyber smoke screen' to mask infiltration attacks
    • Record attack sizes: 400 Gbps (NTP amp), 650 Gbps (Mirai), 1.7 Tbps (Memcached), 2+ Tbps (???)
  • 37. Azure DDoS Protection Standard
    • DDoS Attack Analytics
      • Mitigation Reports
        • Near real time attack data snapshot
        • Stats include attack vectors, protocols, traffic, top sources & ASNs and more
        • Summary report at the end of the attack
      • Mitigation Flow Logs
        • Near real time sampled flow logs with details of action taken during attack mitigation
        • Logs include Source & Destination IP with Port and Action taken
    • DDoS Rapid Response (DRR)
      • Access to the Rapid Response team during an active attack for specialized support
      • Mitigation policy customizations for anticipated events
    • Recommendations in Azure Security Center to protect Virtual Networks against DDoS attacks
    • Support for Azure Firewall, IPv6 Virtual Networks & VPN Gateway as protected resources
  • 38. Recap Azure network security best practice
  • 39. Key Takeaways
    • Pick network security offerings based on application access patterns
    • Layer security by mix-and-match based on your requirements
    • Scale the security model as your workloads scale
  • 40. Protection services enabling zero trust
    • Segmentation
      • Azure Firewall: Centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering. Better central governance of all traffic flows, full devops integration using cloud native high availability with autoscale
      • Network Security Groups: Distributed inbound & outbound network (L3-L4) traffic filtering on VM, Container or subnet. Full granular distributed end node control at VM/subnet for all network traffic flows
      • Service Endpoints: Restrict access to Azure service resources (PaaS) to only your Virtual Network. Extend your Virtual Network controls to lock down Azure service resources (PaaS) access
    • Application protection
      • Web Application Firewall: Centralized inbound web application protection from common exploits and vulnerabilities. Prevent SQL injection, stop cross site scripting and an array of other types of attacks using a cloud native approach
      • DDoS protection: DDoS protection tuned to your application traffic patterns
  • 41. Q & A
  • 42. Let the past go and step off into the future
