Secure network connectivity on Azure
linking:: AZ-900, Azure-Security
Defense in depth
The goal is to protect information and prevent it from being stolen by those who aren't authorized to access it. A defense-in-depth strategy layers a series of mechanisms so that if one fails, the next still slows or stops an attack aimed at gaining unauthorized access to data.

- The physical security layer is the first line of defense to protect computing hardware in the datacenter.
- The identity and access layer controls access to infrastructure and change control.
- The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
- The network layer limits communication between resources through segmentation and access controls.
- The compute layer secures access to virtual machines.
- The application layer helps ensure that applications are secure and free of security vulnerabilities.
- The data layer controls access to business and customer data that you need to protect.
Confidentiality
Confidentiality means keeping data visible only to those entitled to see it. The principle of least privilege supports it: grant access only to individuals explicitly authorized, and only at the level they need to perform their work. This covers protection of user passwords, email content, and access levels to applications and underlying infrastructure.
Integrity
Prevent unauthorized changes to information:
- At rest: when it’s stored.
- In transit: when it’s being transferred from one place to another, including from a local computer to the cloud.
A common approach used in data transmission is for the sender to create a unique fingerprint of the data by using a one-way hashing algorithm (for example, SHA-256). The hash is sent to the receiver along with the data. The receiver recalculates the data's hash and compares it to the one received; a mismatch means the data was lost or modified in transit. Note that an unkeyed hash only catches accidental corruption: an attacker who can alter the data in transit can just as easily recompute and replace the hash. Against an active adversary, integrity needs a keyed construction, such as an HMAC with a secret shared by sender and receiver, or a digital signature, so that the check value cannot be regenerated without the key.
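The difference between an unkeyed fingerprint and a keyed one, as an added Python example (not code from the page): the message and the attacker's replacement are constructed for illustration, and the HMAC key is assumed to have been shared out of band between sender and receiver.

```python
import hashlib
import hmac
import secrets

# Constructed sample message and the attacker's replacement (not from the page).
MESSAGE = b"transfer 100 EUR to account 1234"
TAMPERED = b"transfer 900 EUR to account 9999"


def fingerprint(data: bytes) -> str:
    """Unkeyed one-way hash, as the text describes. Detects accidental
    corruption, but anyone who can alter the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(fingerprint(data), digest)


def tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256; recomputing it requires the shared secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    # compare_digest is constant-time; a plain == would leak via timing.
    return hmac.compare_digest(tag(key, data), expected)


def intercept_and_rewrite(data: bytes, check_value: str, replacement: bytes, keyed: bool):
    """Man-in-the-middle model. Against the unkeyed scheme the attacker simply
    recomputes the hash over the new data; against the keyed scheme the best
    they can do without the key is forward the old tag unchanged."""
    if keyed:
        return replacement, check_value
    return replacement, fingerprint(replacement)


def demo(key: bytes) -> dict:
    digest = fingerprint(MESSAGE)
    mac = tag(key, MESSAGE)
    h_data, h_digest = intercept_and_rewrite(MESSAGE, digest, TAMPERED, keyed=False)
    m_data, m_tag = intercept_and_rewrite(MESSAGE, mac, TAMPERED, keyed=True)
    return {
        "honest_hash_ok": verify_fingerprint(MESSAGE, digest),
        "tampered_hash_ok": verify_fingerprint(h_data, h_digest),  # True: tampering undetected
        "honest_mac_ok": verify_tag(key, MESSAGE, mac),
        "tampered_mac_ok": verify_tag(key, m_data, m_tag),          # False: tampering detected
    }


if __name__ == "__main__":
    print(demo(secrets.token_bytes(32)))
```

The plain-hash check passes for the rewritten message because the attacker controls both the data and the hash that travels with it; the HMAC check fails because the tag cannot be recomputed without the key. In practice TLS provides this keyed integrity for data in transit, and signatures play the same role for data at rest.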
Availability
Ensure that services are functioning and that authorized users can access them when they need to. Denial-of-service attacks are designed to degrade the availability of a system, affecting its users.
Azure Firewall
Azure Firewall is a stateful firewall. A stateful firewall analyzes the complete context of a network connection, not just an individual packet of network traffic. Azure Firewall features high availability and unrestricted cloud scalability.
Azure Firewall provides a central location to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Outbound traffic that leaves through Azure Firewall is source-NATed to the firewall's static (unchanging) public IP address, which enables outside firewalls to identify traffic coming from your virtual network. The service is integrated with Azure Monitor to enable logging and analytics.
Azure Firewall provides many features, including:
- Built-in high availability.
- Unrestricted cloud scalability.
- Inbound and outbound filtering rules.
- Inbound Destination Network Address Translation (DNAT) support.
- Azure Monitor logging.
With Azure Firewall, you can configure:
- Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet (HTTP, HTTPS, and MSSQL traffic only).
- Network rules that define source address, protocol, destination port, and destination address.
- Destination Network Address Translation (DNAT) rules that translate the firewall's public IP address and port to a private destination IP address and port for inbound requests.
Rules are evaluated DNAT first, then network rules, then application rules, in order of rule-collection priority; the first match decides, and traffic that no rule matches is denied.
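How the three rule types interact, as an added Python model written for this page (not Azure's code and not from the page): a flow is evaluated against DNAT, then network, then application rule collections in priority order, the first match decides, and anything unmatched is denied. The addresses, rule names and FQDNs are constructed examples; Firewall Policy rule collection groups, DNS proxy and FQDN-based network rules are assumed out of scope.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _in_any(ip, cidrs):
    return any(c == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False)
               for c in cidrs)

@dataclass
class NetworkRule:          # L3/L4 match: protocol, source, destination IP, destination port
    name: str
    protocols: set          # subset of {"TCP", "UDP", "ICMP", "Any"}
    sources: list           # CIDRs, or ["*"]
    destinations: list      # CIDRs, or ["*"]
    ports: set              # destination ports, or {"*"}

@dataclass
class ApplicationRule:      # L7 match on the FQDN the client asked for
    name: str
    sources: list
    protocols: dict         # {"Http": 80, "Https": 443}
    target_fqdns: list      # wildcards allowed, e.g. "*.windowsupdate.com"

@dataclass
class NatRule:              # inbound DNAT: firewall public IP:port -> private IP:port
    name: str
    protocols: set
    sources: list
    dest_ip: str
    dest_port: int
    translated_ip: str
    translated_port: int

@dataclass
class RuleCollection:
    priority: int           # 100-65000; lower numbers are evaluated first
    action: str             # "Allow" or "Deny"; one action per collection
    rules: list

def evaluate(flow, nat_cols, net_cols, app_cols):
    """Return (action, matched rule, destination, port) for one flow.

    flow keys: src, dst (IP or FQDN), port, proto ("TCP"/"UDP"/"ICMP") and,
    for web traffic, app_proto ("Http"/"Https"). Order follows Azure Firewall:
    DNAT, then network, then application rules; first match decides; a flow
    that nothing matches is denied.
    """
    by_priority = lambda cols: sorted(cols, key=lambda c: c.priority)
    # 1. DNAT: traffic arriving at the firewall's public IP. A match rewrites
    #    the destination and is allowed through.
    for col in by_priority(nat_cols):
        for r in col.rules:
            if (flow["proto"] in r.protocols and _in_any(flow["src"], r.sources)
                    and flow["dst"] == r.dest_ip and flow["port"] == r.dest_port):
                return ("Allow", f"DNAT:{r.name}", r.translated_ip, r.translated_port)
    # 2. Network rules on IP destinations. Once one matches, application rules
    #    are not consulted, whatever the action was.
    if _is_ip(flow["dst"]):
        for col in by_priority(net_cols):
            for r in col.rules:
                if (r.protocols & {"Any", flow["proto"]} and _in_any(flow["src"], r.sources)
                        and _in_any(flow["dst"], r.destinations) and r.ports & {"*", flow["port"]}):
                    return (col.action, f"Network:{r.name}", flow["dst"], flow["port"])
    # 3. Application rules: HTTP/HTTPS only, matched on the requested FQDN.
    app_proto = flow.get("app_proto")
    if app_proto and not _is_ip(flow["dst"]):
        for col in by_priority(app_cols):
            for r in col.rules:
                if (r.protocols.get(app_proto) == flow["port"] and _in_any(flow["src"], r.sources)
                        and any(fnmatch(flow["dst"], f) for f in r.target_fqdns)):
                    return (col.action, f"Application:{r.name}", flow["dst"], flow["port"])
    return ("Deny", "default", flow["dst"], flow["port"])

# Constructed sample policy (RFC 1918 / RFC 5737 addresses; not from the page).
FW_PUBLIC_IP = "203.0.113.10"
NAT = [RuleCollection(100, "Dnat", [
    NatRule("rdp-to-jump", {"TCP"}, ["198.51.100.0/24"], FW_PUBLIC_IP, 3389, "10.0.2.4", 3389)])]
NET = [
    RuleCollection(100, "Deny", [NetworkRule("block-smb", {"TCP"}, ["*"], ["*"], {445})]),
    RuleCollection(200, "Allow", [NetworkRule("ssh-to-app", {"TCP"}, ["10.0.1.0/24"], ["10.0.2.0/24"], {22})]),
]
APP = [RuleCollection(100, "Allow", [
    ApplicationRule("windows-update", ["10.0.1.0/24"], {"Http": 80, "Https": 443}, ["*.windowsupdate.com"])])]

def check(src, dst, port, proto="TCP", app_proto=None):
    flow = {"src": src, "dst": dst, "port": port, "proto": proto, "app_proto": app_proto}
    return evaluate(flow, NAT, NET, APP)
```

Two behaviours worth noticing when reviewing a real policy: a Deny network collection at a low priority number (here `block-smb` at 100) wins over an Allow at a higher number, and an HTTPS request to a host that no application rule names (`evil.example`) falls through to the implicit deny even though nothing explicitly blocks it.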
Azure DDoS Protection
Basic
- The Basic service tier is automatically enabled for free as part of your Azure subscription.
- Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft's online services use. The Basic service tier protects the Azure platform itself from being affected during a large-scale DDoS attack; it offers no per-resource tuning, telemetry, or alerting for your own workloads.
- The Azure global network is used to distribute and mitigate attack traffic across Azure regions.
Standard
- The Standard service tier provides additional mitigation capabilities that are tuned specifically to Azure Virtual Network resources. DDoS Protection Standard is relatively easy to enable and requires no changes to your applications.
- The Standard tier provides always-on traffic monitoring and real-time mitigation of common network-level attacks. It provides the same defenses that Microsoft’s online services use.
- Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses, which are associated with resources deployed in virtual networks such as Azure Load Balancer and Application Gateway.
- The Azure global network is used to distribute and mitigate attack traffic across Azure regions.
The Standard service tier can help prevent:
- Volumetric attacks: The goal of this attack is to flood the network layer with a substantial amount of seemingly legitimate traffic.
- Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
- Resource-layer (application-layer) attacks (only with web application firewall): These attacks target web application packets to disrupt the transmission of data between hosts. You need a web application firewall (WAF) to protect against L7 attacks. DDoS Protection Standard protects the WAF from volumetric and protocol attacks.
Network Security Groups
A network security group (NSG) enables you to filter network traffic to and from Azure resources within an Azure virtual network; it is associated with a subnet or with a VM's network interface. You can think of an NSG as an internal, stateful firewall: a rule that allows a request also allows the reply traffic for that connection. An NSG can contain multiple inbound and outbound security rules that filter traffic to and from resources by source and destination IP address, port, and protocol.
Rules
- Name: A unique name for the rule within the NSG.
- Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers; the first rule that matches the traffic is applied and processing stops, so an Allow at priority 100 overrides a Deny at priority 200. Azure also adds default rules at priority 65000 and above that allow virtual network and load balancer traffic and deny everything else.
- Source or Destination: A single IP address or IP address range, service tag, or application security group.
- Protocol: TCP, UDP, ICMP, or Any
- Direction: Whether the rule applies to inbound or outbound traffic.
- Port Range: A single port or range of ports.
- Action: Allow or Deny
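NSG rule evaluation with the default rules included, as an added Python model written for this page (not Azure's code and not from the page). The subnet rules, addresses and the VNet address space behind the `VirtualNetwork` tag are constructed assumptions; the `Internet` tag is approximated as any address outside that space, whereas the real tag expands to Microsoft-maintained prefix lists.

```python
import ipaddress
from dataclasses import dataclass

# Service tags resolved to constructed sample prefixes. Real tags expand to
# Microsoft-maintained prefix lists; the VNet space here is an assumption.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],  # platform health-probe source
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for your rules; Azure's defaults sit at 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP", "ICMP" or "*"
    source: str        # CIDR, single IP, service tag or "*"
    source_port: str   # "*", a port, or a range such as "1024-65535"
    destination: str
    dest_port: str


# Default rules present in every NSG; they can be overridden but not deleted.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _addr_match(ip, spec):
    if spec == "*":
        return True
    if spec == "Internet":  # approximation: any address outside the VNet space
        return not _addr_match(ip, "VirtualNetwork")
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in SERVICE_TAGS.get(spec, [spec]))


def _port_match(port, spec):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, proto, src, src_port, dst, dst_port):
    """Lowest priority number first; the first matching rule decides and
    evaluation stops, so an Allow at 100 beats a Deny at 200, and your
    rules always beat the 65000+ defaults."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", proto):
            continue
        if (_addr_match(src, r.source) and _port_match(src_port, r.source_port)
                and _addr_match(dst, r.destination) and _port_match(dst_port, r.dest_port)):
            return r.access, r.name
    raise RuntimeError("unreachable: the DenyAll default rules match everything")


# Constructed sample rules for a subnet of application VMs (not from the page).
USER_RULES = [
    Rule("AllowSSHFromBastion", 100, "Inbound", "Allow", "TCP", "10.0.255.0/24", "*", "*", "22"),
    Rule("DenySSHFromAnywhere", 200, "Inbound", "Deny", "TCP", "*", "*", "*", "22"),
    Rule("AllowHTTPSFromInternet", 300, "Inbound", "Allow", "TCP", "Internet", "*", "*", "443"),
]


def decide(direction, proto, src, dst, dst_port, src_port=51000):
    return evaluate(USER_RULES, direction, proto, src, src_port, dst, dst_port)
```

The point the defaults make: without `DenySSHFromAnywhere` at 200, SSH from any other VM in the VNet would be allowed by `AllowVnetInBound` at 65000, so "deny by default" for traffic inside the VNet only holds if you write the Deny yourself; inbound from the internet, by contrast, is denied by `DenyAllInBound` unless a rule opens it.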
Combine Azure services to create a complete network security solution
Secure the perimeter layer
- Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for users.
- Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
Secure the network layer
- Limit communication between resources by segmenting your network and configuring access controls.
- Deny by default.
- Restrict inbound internet access and limit outbound where appropriate.
- Implement secure connectivity to on-premises networks.
Combine services
- Network security groups and Azure Firewall: Azure Firewall complements the functionality of network security groups. Together, they provide better defense-in-depth network security. Network security groups provide distributed network-layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as a service. It provides network-level and application-level protection across different subscriptions and virtual networks.
- Azure Application Gateway web application firewall and Azure Firewall: Web application firewall (WAF) is a feature of Azure Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities. Azure Firewall provides:
  - Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP).
  - Outbound network-level protection for all ports and protocols.
  - Application-level protection for outbound HTTP/S.