![Azure Firewall Manager
Central network security policy and route management
for globally distributed, software-defined perimeters
Central deployment and configuration
Automated routing
Advanced security with 3rd party SECaaS
[Roadmap] Split routing
PREVIEW
3rd party
SecSaaS
3rd party
Sec SaaS](https://image.slidesharecdn.com/securingyourcloudperimeterwithazurenetworksecuritybrk3185-210714152424/85/Securing-your-cloud-perimeter-with-azure-network-security-brk3185-10-320.jpg)
Securing your cloud perimeter with azure network security brk3185
- 2. Securing your cloud perimeter with Azure Network Security
- 3. Zero Trust Architecture Devices Security Policy Enforcement Identities Visibility and Analytics Automation Data Apps Infrastructure Network 1 2 3 https://www.Microsoft.com/en- us/security/
- 4. Zero Trust Networking Maturity Model Security Enforcement ty and Analytics utomation Data Apps Infrastructure Network Network
- 5. Segment Prevent lateral movement and data exfiltration Protect Secure network with threat intelligence Deploy securely across DevOps process Azure Network Security Connect Embrace distributed connectivity
- 6. Achieving Zero Trust with Azure Networking Cloud-Native Network Security Services Networking Partner Solutions Defense-in-Depth + Software Defined Network (SDN) Virtual Networks Network Security Groups User Defined Routes Load Balancer Azure Firewall Azure DDoS Protection Azure Web Application Firewall Azure PrivateLink
- 7. Photo of main entrance at the Orange County Convention Center.
- 8. Network Segmentation Web Application Firewall Virtual Network Network Security Group Azure Firewall Subscription
- 9. Multi-level Segmentation Network Security Group Subscriptions Virtual Network Azure Firewall Application Security Group or FQDN or Service Tag Kubernetes Services Container Networking Interface Web Application Firewall Private Link Vnet Peering Virtual WAN VPN Gateway
- 10. Azure Firewall Manager Central network security policy and route management for globally distributed, software-defined perimeters Central deployment and configuration Automated routing Advanced security with 3rd party SECaaS [Roadmap] Split routing PREVIEW 3rd party SecSaaS 3rd party Sec SaaS
- 12. Internet Corpnet Customer VNet Subnet 10.3.0.0/25 Cloud Native Firewall Central VNet Gateway VNet CSEO Infra L3 – L7 Connectivity Policies VNet Peering VNet Peering Subnet 10.1.0.0/27 Spoke 1 VNet Subnet 10.2.0.0/27 Spoke 2 Public Azure Source Destination Ports/Protocols LAB Internet HTTP - 80, HTTPS - 443 , KMS - 1688 Internet LAB Not available Source Destination Ports/Protocols LAB Azure Public HTTP - 80, HTTPS - 443 , KMS - 1688 Azure Public LAB Not available Source Destination Ports/Protocols LAB "CorpNet" HTTPS-443,HTTP-80, RDP, SSH, WinRM,445,ICMP "CorpNet" LAB HTTPS-443,HTTP-80, RDP, SSH, WinRM,445,ICMP Microsoft Core Services Engineering Labs @ Microsoft Goals Migrate 100’s of labs to Cloud Network Segmentation (From Corpnet and each other) Enable engineering agility and time to market Solution: Leverage cloud native Scalable Infrastructure Central Edge Controls Learnings : Scalability Improved Performance Improved (lack of Force Tunnel)
- 13. Photo of main entrance at the Orange County Convention Center.
- 14. Azure Web Application Firewall BRK3171 | 11/08 (9:15 - 10 AM) | Using Azure Web Application Firewall to protect your web applications and web APIs Azure Global WAF (Front Door) Azure Regional WAF (Application Gateway) Uniform policy WAF policy PaaS, IaaS, AKS, serverless and on-premises backends OWASP rules Bot management Custom rules Microsoft threat intelligence • Protect apps against automated attacks • Manage good/bad bots with Azure BotManager RuleSet Site and URI path specific WAF policies Customize WAF policies at regional WAF for finer grained protection at each host/listener or URI path level Geo filtering on regional WAF Enhanced custom rule matching criterion PREVIEW Unified WAF policy Protect your apps at network edge or in Azure regions
- 15. Cloud scale DDoS protection for Azure Azure DDoS Protection Standard Azure Spoke VNET Central VNET Azure Firewall Spoke VNET Azure WAF Azure DDoS Public Internet Inbound Inbound / Outbound Internet Public IP 1 Public IP 2 DDoS Protection Standard Adaptive Tuning Engine Web Application 1 Web Application 2 Azure global network 1 2 Adaptive tuning 3 Attack analytics and metrics 4 DDoS Rapid Response (DRR) 5 SLA guarantee and cost protection
- 16. New Partner WAF-as-a-Service Offerings in Azure • Advanced Security Stack with Bot Manager, Analytics & Threat Detection • Application Specific Rule Sets with positive / negative rules and auto policy generation Leverages the scale & reach of Azure Defended against DDoS attacks by Azure DDoS Protection Standard Consumption based pricing model & available on Azure Marketplace • Web application security, simplified • All the advanced WAF functionality with the ease of SaaS – deployed in minutes
- 17. Photo of main entrance at the Orange County Convention Center.
- 18. Clouds Business SaaS Consumer SaaS Azure Networking Connectivity Transforming your network approach Azure
- 19. Azure Virtual WAN Region 2 Region 1 Region 3 Datacenter Point-to-site VPN ExpressRoute VNet VNet VNet Corp HQ Branch Branch Branch Branch VNet • ExpressRoute Integration • Point to site VPN Integration • Path selection from branch GA PREVIEW • Hub/Any-to-any connectivity • Azure Firewall integration Provides optimized and automated branch connectivity to, and through Azure
- 20. On-premises VNet Azure Firewall VNet Other PaaS Consumer SaaS Business SaaS HQ/Branch Datacenter Virtual WAN Direct Internet Breakout for O365 Secure Internet access via Azure, based on IPs/FQDNs/Tags PaaS User-aware Internet access via 3rd Party Azure Firewall Manager Multiple Secured Virtuals Secured vHub Azure Firewall Manager Extend your Security Edge to Azure PREVIEW
- 21. 21 Securing your cloud transformation ©2019 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION Microsoft Azure Firewall Manager and Zscaler Internet Access Azure Region 1 Azure Region n “The Zscaler and Microsoft joint solution ensures best-in-class internet/web security and low-latency performance to empower enterprise users and applications to securely access any internet destination." Dhawal Sharma Sr. Director Product Management, Zscaler
- 25. Microsoft Core Service Engineering Quantum Computing Private Network Need: Quickly create an isolated network for collaboration between Microsoft employees embedded at Universities around the world. Solution: Azure Virtual WAN Azure Firewall Azure VPN Full Deployment in less than a Day Azure 3rd Party Site1 University S1 University S2 University S3 Azure Virtual WAN Azure Firewall 3rd Party Site1 Remote User University S1 University S2 VNET VNET VNET VNET VNET 3rd Party Site1 University S3 3rd Party Site1 Remote User VPN Appliance HUB
- 26. Azure Private Link Highly secure and private connectivity solution for Azure Platform Private endpoint Storage 10.0.0.5 SQL DW SQL Private Link Service Deny Internet Deny Internet ER Gateway On-premises Private Link Customer owned services Azure PaaS services Marketplace services Virtual Network (10.0.0.0/16) ER Private Peering Private access from Virtual Network resources, peered networks and on-premise networks In-built Data Exfiltration Protection Predictable private IP addresses for PaaS resources Unified experience across PaaS, Customer Owned and marketplace Services BRK3168 | 11/07 (9:15 - 10 AM) | Delivering services privately in your VNet with Azure Private Link
- 27. Azure Bastion Secure and seamless RDP and SSH access to your virtual machines using zero trust GA RDP/SSH to your workload using HTML5 standards- based web-browser, directly in Azure Portal Resources can be accessed without public IP addresses Supported Azure resources include VMs, VM Scale Sets, Dev-Test Labs No agent required Azure Portal Remote Protocol (RDP, SSH, et al) SSL 443, Internet AzureBastionSubnet Port: 3389/22 “AzureBastionSubnet” Target VM Subnet(s) Private IP Azure VM Azure VM Azure VM Customer’s Virtual Network SSL Azure Bastion
- 29. How it all works together Azure Hub VNET Public Internet Express Route VPN Gateway & Virtual WAN On-Premises Data Center, Branch Offices, Mobile Workers Azure Firewall Azure Regional WAF Azure DDoS Inbound Inbound / Outbound Azure Global WAF Private Link PaaS Services IaaS/PaaS Spoke VNET App on IaaS App on PaaS = Network Service Group + Private Link PRIVATE PaaS IaaS/PaaS Spoke VNET App on IaaS App on PaaS = Public PaaS Services Network Service Group Service Endpoints + PUBLIC PaaS
- 30. Key takeaways
- 31. Please evaluate this session Your feedback is important to us! https://aka.ms/ignite.mobileapp https://myignite.techcommunity.microsoft.com/evaluations
- 32. Find this session in Microsoft Tech Community