Network Security in Azure

Microsoft Azure has one of the world largest Software Define Network (SDN) fabrics stretches around the globe. It has its point of presence in 36 regions and expanding rapidly.
It usages its own infrastructure in order to make sure data will never leave Microsoft backbone network and encryption is put in place either in REST or in transit.

Network Security

Network and storage are the basic foundation block of any virtual environment. Azure provides complete isolated environment from tenant level, further isolated into subscription(Management prospective) and into virtual network, Subnet (Network Prospective). And, In terms of access, all its resources are tightly coupled with Azure Active Directory and different Role Based Access Control (RBAC) can be assigned to individual user's to meet/restrict access to the resources.

Azure Protection Circle


Azure Network Security Best Practices


Any network enabled device/application which requires IP address are kept inside the network in such a way so that they will able to retrieve Private IP address based on the Address Space defined within the Azure Network. They can be allocated Public IP automatically provided by Microsoft.  Allocating the network address space is like the traditional method used on-premises network. Azure reserve few initial IP of the given subnet for its management purpose. Fundamental principal remains same however implementation might be slightly different depending on the need.  

The following activities can be performed to Secure Azure Network Infrastructure.

  • Logically separation of Subnet
  • Network Security Group
  • Control Route Flow
  • Enable Force Tunnelling 
  • Use of Virtual Appliances 
  • Deploy DMZ’s for security zoning 
  • Avoid Exposure to the Internet with dedicated WAN links 
  • Optimize uptime and performance 
  • Use global load balancing 
  • Disable RDP Access to Azure VM machine 
  • Enable Azure Security Center 
  • Extend your data center to Azure

Logically Separation of Subnet


Dividing the larger network space into small chunk will provide larger flexibility on managing the network and provide higher degree of security. The private IP address spaces available are in the Class A (10.0.0.0/8), Class B (172.16.0.0/12) and Class C (192.168.0.0/16) ranges. By default, all subnet within the address space are open for communication within the network. Its highly recommend stopping this behaviour. It can be achieved by using the Network Security Group(NSG).

Network Security Group is a set of rules which allow or restrict any incoming or outgoing traffic to and from Azure Virtual network. We can apply NSG in subnet level and/or further restrict flow by associating it to the NIC associated to Azure Virtual machine.

Multiple rules can be inserted into the NSG. They all are evaluated based on the priority. Smallest value will get the high priority. 

Control Route Flow


When we populate resources in Azure, they started communicating with each other using the System Routes. Explicitly we do not require any further configuration even if we are running in the hybrid mode. System Routes defines, how IP traffic will be forwarded to the destination passing multiple unseen hops.

User Define Routes is used to eliminated such default system routes. It helps to provide better transparency to our routes. BGP Routes is enabled to propagate routes from on-premises network to the Azure.

Enable Force Tunneling




Comments

  1. Unknown7 June 2018 at 23:09

    Thanks for providing your blog! Very clear-cut information thanks keep update with us on more Azure Azure Online Training

    ReplyDelete
  2. aaronnssd16 November 2020 at 11:05

    Writing a blog post is really important for growth of your websites. Thanks for sharing amazing tips. we also provide Enterprise subscription management. for more information visit on our website.

    ReplyDelete

Post a Comment

Popular posts from this blog

Deploy Palo Alto in Azure

Image
There are many ways to deploy Palo Alto Firewall in Azure. Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for Proof of Concept only. Planning-Includes Minimum Requirement - Without HA Logical Diagram:  Create Virtual Network Name: PAN-VNet Address Space: 10.0.0.0/16 Subnet Name: Management Subnet Address Space: 10.0.1.0/24 Subnet Name: Untrust Subnet Address Space: 10.0.2.0/24 Subnet Name: Trust Subnet Address Space: 10.0.3.0/24 Resource Group: PA-VNet    Subnet Spin Web Server Virtual Machine  Name: SecureWebServices Image: Windows Server 2016 Resource Group: Services Network: PAN-VNet Subnet: Trust Role: Web Server (IIS) Installed Change NSG rules of Web Server to accept request on port 80, if you wish to test the web request. However, later on, this behaviour will be controlled through firewall. Spin Palo Alto Firewall Virtual Machine Name: vmseries300 Im
Read more

Demystifying System and User Define Routes of Azure

Image
As Virtual Network is created, Azure automatically create its own route tables for that Virtual Network, so that all the packets which enters the virtual network can traverse within its address prefix and leave the subnet for its destination. These are known as the Default Routes . We can’t modify these routes; however, we can add our custom routes on top of default routes for the traffic leaving the subnet. These custome route is known as User Define Routes . In this case, we are modifying the default behaviour of packets routing but still the internal and external routing of packet is done by virtual network to ensure that our packets are never hijacked.  In another word, we are adding routes and requesting virtual network to routes traffic in the way we want. So far its not possible to route the traffic independently bypassing the Azure Virtual Network routing mechanism and for security reason I do not think this will ever be possible. Common Use Case of UDR:  Every bus
Read more

Azure Web App Vnet Integration - Hub and Spoke Scenario

Image
Integrating Web Apps with virtual network allows us to access the resources which is located within our private network space, however web apps will be still be accessible from internet. App Service Environment could be possible solution if you wish to make your Web App completely private. In this blog I will be discussing the 3 possible use cases. Integrate Web Apps with VNet and verify connectivity between Web App and a VM which is deployed within the same VNet.  Web App Integration in Hub and Spoke  Establish connectivity between On-Prem network and Azure Web App Use Case 1 - Simple We need to have the following things to meet the goal with use case 1. 1. Virtual Network - Ansible-vnet - Address Space -10.0.0.0/16 2. Provision a Gateway Subnet - Address Space - 10.0.1.0/24 3. Virtual Network Gateway - WebApp-GW : SKU - VpnGw1 4. Create Point to Site in WebApp-GW - Address Space : 172.16.201.0/24 5. Since, SKU - VpnGw1 is used, IKEv2 VPN should be unchecked. (
Read more