DEV Community

Eng Soon Cheah
Eng Soon Cheah

Posted on • Edited on

Secure the network

Network Security Groups

  • VMs created with the Azure Resource Manager deployment model can connect directly to the internet by using a public IP address that is assigned directly to the VMs
  • VMs created with the Azure classic deployment model communicate with internet resources through the cloud service that is assigned the public IP address, known as the VIP address
  • VMs that reside inside the cloud service share that VIP address and establish communications with internet resources by using endpoints
  • Network Security Groups help provide advanced security protection for the VMs that you create by using either deployment method
  • NSGs contain rules that specify whether traffic is approved or denied
  • Each rule consists of the following properties:
    • Name
    • Direction
    • Priority
    • Access
    • Source IP address prefix
    • Source port range
    • Destination IP address prefix
    • Destination port range
    • Protocol
  • There are predefined default rules for inbound and outbound traffic
  • You can also create custom rules
  • You can design NSGs to isolate virtual networks in security zones, like the model used in on-premises infrastructure
  • You also can assign NSGs to individual computers in the Azure classic deployment model to control a VM’s incoming and outgoing traffic 
  • In an Azure Resource Manager deployment, you can assign NSGs to a NIC
  • You create NSGs as resources in a resource group, but you can share them with other resource groups that exist in your subscription

Deploy network virtual appliances

  • A UDR is a custom route in Azure that overrides Azure's default system routes or adds routes to a subnet's route table
  • UDRs and NSGs provide layer 3 and layer 4 (of the OSI model) security
  • Network virtual appliances (NVAs) provide layer 7 (application-layer) security
  • You can deploy an NVA to a perimeter network in many different architectures Alt text of image

Configure forced tunneling for VPNs

  • Forced tunneling lets you redirect or "force" all internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing
  • Without forced tunneling, internet-bound traffic from your VMs in Azure always traverses from Azure network infrastructure directly out to the internet, without allowing you to inspect or audit the traffic Alt text of image

Azure Firewall features

  • Azure Firewall is a managed, cloud-based network security service that helps protect your Azure Virtual Network resources
  • It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability
  • You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks
  • Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network Alt text of image

Create firewall rules
Some of the key features of Azure Firewall include:

  • Built-in high availability
  • Unrestricted cloud scalability
  • Application fully qualified domain names (FQDN) filtering rules 
  • Network traffic filtering rules 
  • FQDN tags
  • Outbound SNAT support
  • Inbound Destination Network Address Translation (DNAT) support
  • Azure Monitor logging

Configure admin access on the network
Several methods are available to help secure access to Windows and Linux VMs running in Azure, including:

  • SSH
    • With a Secure Shell (SSH) key pair, you can create VMs in Azure that use SSH keys for authentication, eliminating the need for passwords to sign in
  • Connect to the VM
    • Create an SSH connection with the VM by using the public IP address
  • Clean up
    • When you no longer need the resource group, VM, and related resources, use the Remove-AzResourceGroup cmdlet to remove them
  • RDP
    • Remote Desktop Protocol (RDP) enables you to access the desktop of a role running in Azure
  • We recommend using Privileged Access Workstations (PAWs) and VPN when administering VMs in Azure
  • PAWs provide a dedicated operating system for sensitive tasks, with additional protection from internet attacks and threat vectors Alt text of image

Configure Azure DDoS protection

  • The goal of a DoS attack is to prevent access to services or systems
  • Botnets are collections of internet-connected systems that an individual controls and uses without their owners’ knowledge
  • A Distributed DoS (DDoS) is a collection of attack types aimed at disrupting the availability of a target
  • DDoS involves many systems sending traffic to targets as part of a botnet
  • Azure DDoS Protection, combined with application design best practices, provides defense against DDoS attacks 
  • DDoS Protection provides the following service tiers:
    • Basic: Automatically enabled as part of the Azure platform
    • Standard: Provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources
  • DDoS Protection Standard can mitigate the following types of attacks:
    • Volumetric attacks
    • Protocol attacks
    • Resource (application) layer attacks Alt text of image

Top comments (0)