Network Protection

• Important to secure your network from attacks and unauthorized access
• Use a layered approach
  • not enough to just focus on securing the network perimeter or the network security between services inside a network.
  • helps reduce your risk of exposure through network-based attacks
  • secure your internet-facing resource, internal resources, and communication between on-premises networks
  • Combine multiple Azure networking and security services
    • E.g. use Azure Firewall to protect inbound and outbound traffic to the Internet, and Network Security Groups to limit traffic to resources inside your virtual networks.

Internet protection

• Perimeter of the network
• Focused on limiting and eliminating attacks from the internet.
• Only allow inbound and outbound communication where necessary
  • ensure they are restricted to only the ports and protocols required
    • You can use Azure Security Center for this.

Firewall

• Service that grants server access based on the originating IP address of each request.
• Helps you to provide inbound protection at the perimeter
• You create firewall rule
  • Firewall rule = Ranges of IP addresses to allow access the server.
  • Often includes specific network protocol and port information.

Azure Firewall

• Managed, highly available & scalable, network-level, firewall as a service
• Inbound protection for mainly non-HTTP/S protocols.
  • E.g. Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP).
• Outbound protection for all ports and protocols
  • Also application-level protection for outbound HTTP/S.

Azure Application Gateway

• Load balancer that includes a Web Application Firewall (WAF)
  • Provides protection from common, known vulnerabilities in websites.
• Designed to protect HTTP traffic.

Network virtual appliances (NVAs)

• Ideal options for non-HTTP services or advanced configurations
• Similar to hardware firewall appliances.

Distributed Denial of Service (DDoS) Protection

• Any resource exposed on the internet is at risk of being attacked by a denial of service attack.
• 📝 Attacks attempt to overwhelm a network resource
  • sends so many requests that the resource becomes slow or unresponsive.
• 💡 Combine Azure DDoS Protection with application design best practices.

Azure DDoS Protection

• Brings DDoS mitigation capacity to every Azure region
• 📝 Protects your Azure applications by monitoring traffic at the Azure network edge before it can impact your service’s availability.
• 📝 You are notified using Azure Monitor metrics within a few minutes of attack detection.

Service tiers

Basic

• Automatically enabled as part of the Azure platform.
• Always-on traffic monitoring and real-time mitigation of common network-level
• Used by Microsoft’s online services use.

Standard

• Tuned specifically to Microsoft Azure Virtual Network resources
• Requires no application changes.
• Dedicated traffic monitoring and machine learning algorithms.
• Policies are applied to public IP addresses associated with resources deployed in virtual networks
  • e.g. Azure Load Balancer and Application Gateway.
• Mitigates:
  • Volumetric attacks: The attackers goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
  • Protocol attacks: Render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.
  • Resource (application) layer attacks: Target web application packets to disrupt the transmission of data between hosts.

Traffic inside your virtual network

• Allows you to limit communication between resources to only what is required.

Virtual network security

Network Security Groups (NSGs)

• 📝 Provide a list of allowed and denied communication to and from network interfaces and subnets.
  • Used for communication between virtual machines
• Filter network traffic to and from Azure resources in an Azure virtual network.
  • by source and destination IP address, port, and protocol
• Can contain multiple inbound and outbound security rules

Service endpoints

• You can restrict access of services to service endpoints.
  • Allows you to remove public internet access to your services
• Service access become limited to your virtual network.

Network integration

• Integrate on-premises networks <=> services in Azure
• Different ways: VPN, ExpressRoute

Virtual private network (VPN)

• Establish secure communication channels between networks.
• Connects Azure Virtual Network to an on-premises VPN device
• Provide secure communication in-between.

Azure ExpressRoute

• Use to provide a dedicated, private connection between your network and Azure
• Lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.
• Very secure as it sends traffic over the private circuit instead of over the public internet.
  • You can send this traffic through appliances for further traffic inspection.