- Tony Stiles
- Jun 16, 2024
- 15 min read
Updated: Jun 18, 2024
Secure Networking
Plan and implement Network Security Groups (NSGs) and Application Security Groups (ASGs)
Network Security Groups (NSGs) filter traffic at layer 3/4 based on source and destination IP addresses or service tags, ports, and protocol (TCP, UDP, ICMP, or any).
Application Security Groups (ASGs) group network interfaces by application role (for example web tier or database tier) so that NSG rules can reference the group instead of individual IP addresses.
Inbound and outbound security rules can be created for each NSG; every NSG also contains default rules (priority 65000 and above) that allow traffic within the virtual network and from the Azure load balancer and deny all other inbound traffic.
NSGs can be associated with a subnet or with a network interface, not with a virtual network as a whole; when both are associated, inbound traffic must be allowed by the subnet NSG and then by the NIC NSG, and outbound traffic is evaluated in the reverse order.
Allow and deny rules are evaluated in priority order (custom rules use 100 to 4096; a lower number is evaluated first) and processing stops at the first match, so a broad deny placed at a lower number than a specific allow silently blocks the allow.
NSGs can restrict traffic to and from the internet by using service tags such as Internet, VirtualNetwork, and AzureLoadBalancer in place of address ranges that Microsoft changes over time.
ASGs simplify NSG management by letting a single rule apply to every NIC in the group, and the rule keeps working as NICs are added or removed; all NICs in an ASG, and the source and destination ASGs used in one rule, must belong to the same virtual network.
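The evaluation order is the part people get wrong: a deny with a lower priority number wins over any later allow, and the default AllowVnetInBound rule at 65000 lets everything inside the virtual network through unless you add an explicit deny. The following Python model is an added example, not code from the original page or from Azure; it reproduces the priority-ordered, first-match evaluation with the default rules, a service-tag lookup and ASG membership. The ASG membership, the service-tag table and the rule set are constructed (the Internet tag is simplified to 0.0.0.0/0; the real tag excludes the VNet address space).

```python
import ipaddress
from dataclasses import dataclass

# Constructed ASG membership: the platform expands an ASG to the private IPs of the
# NICs attached to it; we simulate that expansion with a name -> set of IPs table.
ASGS = {
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}

# Simplified service-tag table (constructed). The real "Internet" tag excludes the
# VNet address space; 0.0.0.0/0 is used here only to keep the example short.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules 100-4096, default rules 65000+, lower wins
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR, service tag, or ASG name
    source_port: str    # "*", a port, a range "a-b", or a comma list
    destination: str
    dest_port: str


# The default rules Azure adds to every NSG; custom rules always sit in front of them.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _addr_match(selector: str, ip: str) -> bool:
    if selector in ASGS:
        return ip in ASGS[selector]
    prefixes = SERVICE_TAGS.get(selector, [selector])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_match(selector: str, port: int) -> bool:
    if selector == "*":
        return True
    for part in selector.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule_name) for the first rule that matches, in priority order.
    Evaluation stops at the first match, exactly like the NSG engine."""
    ordered = sorted((r for r in rules + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if r.protocol != "*" and r.protocol != proto:
            continue
        if not (_addr_match(r.source, src_ip) and _addr_match(r.destination, dst_ip)):
            continue
        if not (_port_match(r.source_port, src_port) and _port_match(r.dest_port, dst_port)):
            continue
        return r.access, r.name
    return "Deny", "implicit"   # not reached in practice: the default rules always match


# Constructed rule set: publish HTTPS on the web tier, let only the web tier reach SQL,
# and add an explicit deny so the 65000 AllowVnetInBound rule cannot reach the DB tier.
RULES = [
    Rule("allow-https-from-internet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "asg-web", "443"),
    Rule("allow-web-to-sql", 200, "Inbound", "Allow", "Tcp", "asg-web", "*", "asg-db", "1433"),
    Rule("deny-vnet-to-db", 210, "Inbound", "Deny", "*", "VirtualNetwork", "*", "asg-db", "*"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "Inbound", "Tcp", "203.0.113.10", 51000, "10.0.1.4", 443))
    print(evaluate(RULES, "Inbound", "Tcp", "10.0.3.7", 51000, "10.0.2.4", 1433))
```

Remove the deny-vnet-to-db rule and re-run the second call: the flow is then allowed by AllowVnetInBound, which is exactly the lateral-movement path the explicit deny exists to close.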
Plan and implement user-defined routes (UDRs)
User-defined routes (UDRs) allow you to override Azure's default (system) routing for network traffic.
UDRs live in a route table, and a route table is associated with one or more subnets; it cannot be attached to a whole virtual network or to an individual network interface.
UDRs are typically used to send traffic through a network virtual appliance (next hop type VirtualAppliance) or a virtual network gateway, or to drop it (next hop type None).
UDRs can be created using Azure Portal, Azure CLI, or Azure PowerShell.
Because the table is bound to the subnet, its routes apply to every network interface in that subnet; use the "effective routes" view on a NIC to see what a given VM actually gets.
Azure has no per-route priority or weight setting: the effective route is the longest prefix match, and when prefix lengths tie a user-defined route beats a BGP-learned route, which beats a system route.
UDRs are often combined with Azure ExpressRoute or a VPN gateway to steer on-premises-bound traffic through a firewall, but the private connectivity itself comes from the gateway and its BGP routes, not from the route table; disabling "propagate gateway routes" on a table stops the gateway's BGP routes from reaching that subnet, which is a common cause of lost on-premises connectivity.
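The longest-prefix-match rule explains most routing surprises: a 0.0.0.0/0 route to an NVA does not capture intra-VNet traffic, and the system None route for 10.0.0.0/8 keeps dropping traffic to an on-premises 10.x range until a gateway or a UDR supplies a longer prefix. The following Python model is an added example, not code from the original page or from Azure; it implements Azure's effective-route selection (longest prefix, then User over BGP over System) over a constructed set of system, BGP and user routes for a 10.0.0.0/16 VNet with an NVA at 10.0.100.4 (both addresses are assumptions).

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order Azure applies when two matching routes have the same prefix length.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str        # VnetLocal, Internet, None, VirtualAppliance, VirtualNetworkGateway
    next_hop_ip: str = ""     # only meaningful for VirtualAppliance
    origin: str = "System"    # "System", "BGP" or "User"


def select_route(routes, dest_ip):
    """Return the effective route for dest_ip: longest prefix match first, then
    User > BGP > System when prefix lengths tie. None means no matching route."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.prefix, strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                                        -ORIGIN_RANK[r.origin]))


# System routes Azure creates for a subnet in a 10.0.0.0/16 VNet; the RFC 1918 "None"
# routes drop traffic to private ranges the VNet does not own.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal"),
    Route("0.0.0.0/0", "Internet"),
    Route("10.0.0.0/8", "None"),
    Route("172.16.0.0/12", "None"),
    Route("192.168.0.0/16", "None"),
]

# Constructed: a route learned over BGP from an ExpressRoute or VPN gateway for the
# on-premises range 10.50.0.0/16.
BGP_ROUTES = [
    Route("10.50.0.0/16", "VirtualNetworkGateway", origin="BGP"),
]

# Constructed user-defined routes: force internet egress through an NVA at 10.0.100.4
# and inspect on-premises-bound traffic on the same appliance.
USER_ROUTES = [
    Route("0.0.0.0/0", "VirtualAppliance", "10.0.100.4", "User"),
    Route("10.50.0.0/16", "VirtualAppliance", "10.0.100.4", "User"),
]


def effective_route(dest_ip, user_routes=USER_ROUTES, bgp_routes=BGP_ROUTES):
    """What a NIC in this subnet would show under 'effective routes' for dest_ip."""
    return select_route(SYSTEM_ROUTES + bgp_routes + user_routes, dest_ip)


if __name__ == "__main__":
    for dest in ("8.8.8.8", "10.0.2.9", "10.50.1.1", "10.60.1.1"):
        print(dest, effective_route(dest))
```

Note what the last two lookups show: the on-premises 10.50.0.0/16 traffic goes to the NVA because the user route ties with the BGP route on prefix length and wins on origin, while 10.60.1.1 is still dropped by the system 10.0.0.0/8 None route because the user 0.0.0.0/0 route is shorter.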
Plan and implement VNET peering or VPN gateway
VNET peering enables connectivity between two virtual networks in the same region; global VNet peering does the same across regions.
Peering can be configured between virtual networks in different subscriptions and in different Microsoft Entra ID (formerly Azure Active Directory) tenants.
When peering virtual networks, traffic flows directly between them over the Microsoft backbone without passing through a gateway or over the public internet; peering is not transitive, so a spoke peered to a hub cannot reach another spoke unless the hub forwards the traffic (for example through an NVA and UDRs).
Peered virtual networks can communicate using their private IP addresses, so their address spaces must not overlap.
Azure VPN Gateway enables secure connectivity between on-premises infrastructure and Azure virtual networks.
VPN Gateway can be configured using either Policy-based VPN (static, single tunnel, legacy devices) or Route-based VPN (required for point-to-site, multiple sites, BGP, and coexistence with ExpressRoute).
VPN Gateway can be used to establish site-to-site VPN connections or point-to-site VPN connections.
When using VPN Gateway, traffic is protected with IPsec/IKE and travels over the public internet, so throughput and latency depend on the internet path rather than on a dedicated circuit.
Plan and implement Virtual WAN, including secured virtual hub
Virtual WAN (Wide Area Network) is a networking service that simplifies large-scale connectivity and enables optimized routing of traffic over the Microsoft global backbone.
Virtual WAN allows you to connect and manage multiple site-to-site VPN, point-to-site VPN, and Azure ExpressRoute connections from one place, with the gateways hosted inside the hub.
Virtual WAN uses a hub-and-spoke topology: Microsoft-managed hubs in each region are the central connection points, and the spokes are your virtual networks, branch sites, and remote users connected to a hub.
A secured virtual hub is a Virtual WAN hub with Azure Firewall (or a supported third-party security partner) deployed inside it, so traffic between spokes, branches, and the internet can be inspected centrally.
The firewall inside a secured virtual hub is configured through Azure Firewall Manager, which applies a firewall policy to the hub and lets you choose which traffic (private, internet-bound, or both) is routed through the firewall.
The hub also provides routing between spokes, branches, and other hubs in the same Virtual WAN, so any-to-any connectivity does not depend on manually maintained peerings or route tables.
Virtual WAN can be configured using Azure Portal, Azure PowerShell, or Azure CLI.
Virtual WAN can be monitored using Azure Monitor, and logs can be exported to Azure Log Analytics or third-party SIEM solutions.
Secure VPN connectivity, including point-to-site and site-to-site
Virtual Private Network (VPN) is a technology that provides secure connectivity between on-premises infrastructure and Azure virtual networks over the public internet.
VPN connections can be configured using Point-to-Site (P2S) or Site-to-Site (S2S) VPN.
P2S VPN enables clients to connect to Azure virtual networks from remote locations using VPN clients.
S2S VPN enables connectivity between on-premises infrastructure and Azure virtual networks using VPN gateways.
Azure VPN Gateway can be configured using either Policy-based VPN or Route-based VPN.
VPN Gateway supports P2S VPN connections and S2S VPN connections; S2S tunnels authenticate with a pre-shared key, and P2S clients authenticate with certificates, RADIUS, or Microsoft Entra ID.
S2S connections work with a wide range of on-premises VPN devices, such as Cisco ASA, Juniper, and Check Point; Microsoft publishes a list of validated devices, and a custom IPsec/IKE policy with modern algorithms is preferable to the default proposal set when the device supports it.
VPN Gateway can be configured for high availability (active-active with two public IPs, or zone-redundant SKUs) and can be monitored using Azure Monitor.
VPN Gateway can be integrated with Microsoft Entra ID (formerly Azure AD) for user authentication and Conditional Access on P2S connections; this requires the OpenVPN tunnel type.
Implement encryption over ExpressRoute
Azure ExpressRoute provides private, dedicated, high-throughput network connectivity between on-premises infrastructure and Azure datacenters.
ExpressRoute can be used to establish connections between on-premises infrastructure and Azure virtual networks or Azure services, such as Azure Storage or Azure SQL Database.
ExpressRoute does not encrypt traffic by default: private peering traffic stays off the public internet, but it traverses the connectivity provider's equipment, so encryption is added when confidentiality or compliance demands it.
Two options exist: MACsec, which works at the link layer, and IPsec, which works at the network layer.
IPsec encrypts each IP packet (in tunnel mode the original header is encapsulated and encrypted as well) between an on-premises VPN device and an Azure VPN gateway; over ExpressRoute this is done by running a site-to-site VPN tunnel across the circuit, either over Microsoft peering or over private peering using the VPN gateway's private IP address.
MACsec encrypts the Ethernet frames on a single physical link, hop by hop, so it covers only the segment between your edge router and Microsoft's edge routers and nothing beyond them.
IPsec is therefore the option for end-to-end protection of traffic between on-premises infrastructure and Azure virtual networks.
MACsec is available only with ExpressRoute Direct (your own 10 or 100 Gbps ports); the MACsec key (CAK) and key name (CKN) are stored in an Azure Key Vault that the circuit reads through a user-assigned managed identity.
ExpressRoute Premium and ExpressRoute Global Reach extend the reach of a circuit (global access and on-premises-to-on-premises transit over the Microsoft backbone); neither adds encryption.
Configure firewall settings on PaaS resources
Platform as a Service (PaaS) is a cloud computing model that provides a platform for developing, deploying, and managing applications without the need to manage the underlying infrastructure.
PaaS resources include services such as Azure App Service, Azure SQL Database, and Azure Storage.
PaaS resources do not sit in your virtual network, so subnet and NIC NSGs and ASGs do not apply to them; each service has its own firewall instead (the network rules of Azure Storage and Key Vault, the server-level firewall of Azure SQL Database, access restrictions on App Service).
These service firewalls allow or deny requests by source public IP range, by virtual network subnet (through a service endpoint), and through a bypass setting for trusted Microsoft services; set the default action to Deny so that only the listed sources are accepted.
Where a private endpoint is used, public network access to the resource can be disabled entirely, so the resource answers only on its private IP address inside the virtual network.
Azure Firewall complements the service firewalls on the egress side: application rules with FQDNs or FQDN tags and network rules with service tags control which PaaS services workloads in your subnets may reach.
Azure Firewall is deployed into a dedicated AzureFirewallSubnet in a hub virtual network, is highly available and scalable without extra configuration, and receives traffic from workload subnets through user-defined routes (including on-premises traffic arriving over VPN or ExpressRoute).
Monitor network security by using Network Watcher, including NSG flow logging
Network Watcher is an Azure service that provides a set of tools to monitor and diagnose network issues in Azure.
Network Watcher can be used to monitor network security by providing visibility into network traffic and security policies.
Network Watcher provides various features to monitor and diagnose network issues, such as Topology, Connection Monitor, and Packet Capture.
NSG flow logging is a feature of Network Watcher that records every flow allowed or denied by an NSG, including the name of the matching rule, as 5-tuple records with byte and packet counters (version 2).
NSG flow logs can be used to monitor traffic patterns, troubleshoot connectivity, verify that NSG rules behave as intended, and spot reconnaissance such as port scans against public IPs.
NSG flow logs are written as JSON blobs to an Azure Storage account; enabling Traffic Analytics then aggregates them into a Log Analytics workspace, and a SIEM can read the blobs from the storage account; there is no direct Event Hubs sink.
NSG flow logs can be queried with KQL in Log Analytics (through Traffic Analytics) or analyzed by third-party SIEM solutions; Microsoft has announced the retirement of NSG flow logs in favour of virtual network flow logs, which capture the same data at the virtual network level, so new deployments should plan for the newer feature.
Network Watcher also diagnoses network performance issues such as latency and packet loss with Connection Monitor, and checks what the NSGs would do to a given flow with IP flow verify and NSG diagnostics (Network Performance Monitor has been retired).
Plan and implement security for private access to Azure resources
Plan and implement virtual network Service Endpoints
Azure Virtual Network Service Endpoints extend your virtual network's identity to a supported Azure service: the service sees requests coming from the subnet's private address space instead of from a NAT public IP, so its firewall can admit that subnet.
Service Endpoints do not remove the service's public endpoint; they let you restrict the service firewall so that only the listed subnets (and any allowed public IP ranges) are accepted.
Service Endpoints route traffic from your virtual network to the service over the Microsoft backbone on an optimal path, bypassing forced tunneling to on-premises and improving latency.
Service Endpoints are available for various Azure services, such as Azure Storage, Azure SQL Database, and Azure Key Vault.
Service Endpoints can be configured using the Azure portal, Azure CLI, Azure PowerShell, or Azure Resource Manager templates.
A Service Endpoint is enabled per subnet and per service (for example Microsoft.Storage); you then add a virtual network rule for that subnet on each resource's firewall.
Clients keep resolving the service's public DNS name and connect to its public IP address; no private IP is allocated, which is the main difference from a Private Endpoint and the reason Service Endpoints do not help clients on-premises.
NSGs on the subnet can limit outbound traffic to the service using regional service tags (for example Storage.WestEurope); ASGs play no role here because the service is not a NIC in your network.
Enabling the endpoint opens the path to every instance of that service in the region, so the per-resource firewall (allow only specific subnets, deny everything else) is what limits exposure; service endpoint policies can further restrict Storage traffic to named accounts.
Plan and implement Private Endpoints
Private Endpoints enable you to access Azure services over a private connection using a private IP address within your virtual network.
Private Endpoints allow you to access Azure services securely from your virtual network without exposing them to the public internet.
Private Endpoints can be used to connect to various Azure services, such as Azure Storage, Azure SQL Database, and Azure Key Vault.
Private Endpoints provide secure connectivity by using Azure Private Link technology, which establishes a private, dedicated connection between your virtual network and the Azure service.
A Private Endpoint is created in a subnet of your own virtual network; the target resource can live in another subscription or even another tenant, and the connection is one-way toward that resource.
A Private Endpoint is assigned a private IP address from the IP address range of the subnet in which it is created.
Each Private Endpoint is a network interface with that private IP, reachable like any other VNet address from peered virtual networks and from on-premises over VPN or ExpressRoute.
NSGs (and UDRs) apply to Private Endpoint traffic only when network policies are enabled on the subnet, which is off by default on older subnets; Private Endpoints can also be members of an ASG so rules can target them by role.
Access is then controlled by disabling public network access on the resource and by NSG rules on the Private Endpoint subnet; because a Private Endpoint maps to one resource, it exposes far less than a Service Endpoint.
A Private Endpoint only protects traffic if clients resolve the resource's FQDN to the private IP, which requires a privatelink.* private DNS zone linked to the virtual network (populated by the endpoint's DNS zone group) and conditional forwarders from on-premises DNS to the Azure resolver.
Private Endpoints can be configured using the Azure portal, Azure CLI, Azure PowerShell, or Azure Resource Manager templates.
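DNS is where private endpoint deployments fail quietly: if the privatelink zone is not linked, clients resolve the public IP and the traffic leaves the virtual network as if the endpoint did not exist; if the zone is linked but the record was never created, resolution fails outright. The Python below is an added example, not code from the original page or from Azure; it simulates how the Azure-provided resolver answers for a VNet (a linked private zone is authoritative for its suffix) and checks whether a client would actually use the private path. The storage account name, the cluster CNAME target and the public IP (an RFC 5737 test address) are constructed; the privatelink.blob.core.windows.net CNAME step is what Azure really adds when a private endpoint exists.

```python
import ipaddress

# Constructed public DNS view of a storage account that has a private endpoint.
# Azure really does add the <account>.privatelink.blob.core.windows.net CNAME; the
# cluster hostname and the public IP (TEST-NET-1) are placeholders.
PUBLIC_DNS = {
    "stcontoso.blob.core.windows.net": ("CNAME", "stcontoso.privatelink.blob.core.windows.net"),
    "stcontoso.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "192.0.2.10"),
}

# Private DNS zone content as written by a private endpoint's DNS zone group:
# zone name -> {relative record name -> private IP}.
PRIVATE_ZONES_OK = {"privatelink.blob.core.windows.net": {"stcontoso": "10.0.5.6"}}
PRIVATE_ZONES_EMPTY = {"privatelink.blob.core.windows.net": {}}   # zone linked, record never created


def resolve(name, linked_private_zones, public_dns=PUBLIC_DNS, max_hops=8):
    """Resolve name the way the Azure-provided resolver does for a VNet: a linked private
    zone is authoritative for its suffix, so a missing record there is NXDOMAIN (None)
    rather than a fallback to public DNS. Otherwise follow the public CNAME chain."""
    for _ in range(max_hops):
        for zone, records in linked_private_zones.items():
            if name.endswith("." + zone):
                label = name[: -len(zone) - 1]
                return records.get(label)          # None means NXDOMAIN
        rtype, value = public_dns.get(name, (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None
        name = value
    return None


def uses_private_path(ip, vnet_cidrs):
    """True when the resolved address lies inside the VNet (or peered) address space,
    which is the only case in which the client reaches the private endpoint."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in vnet_cidrs)


def check_client(name, linked_private_zones, vnet_cidrs=("10.0.0.0/16",)):
    """Human-readable verdict for one client FQDN, mirroring what an nslookup on a VM shows."""
    ip = resolve(name, linked_private_zones)
    if ip is None:
        return "NXDOMAIN: private zone linked but record missing (add a DNS zone group to the private endpoint)"
    if uses_private_path(ip, vnet_cidrs):
        return f"private: {name} -> {ip}"
    return f"PUBLIC: {name} -> {ip} (link the privatelink zone to the VNet or fix conditional forwarding)"


if __name__ == "__main__":
    for zones in (PRIVATE_ZONES_OK, {}, PRIVATE_ZONES_EMPTY):
        print(check_client("stcontoso.blob.core.windows.net", zones))
```

On a real VM the same three outcomes appear as an nslookup returning the 10.x address, the public address, or NXDOMAIN; the third case is the one that surprises people after creating a private endpoint without a DNS zone group.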
Plan and implement Private Link services
Private Link services enable you to expose your own service, running behind an internal Standard Load Balancer, as a private endpoint that consumers create in their own virtual networks.
Private Link services allow you to provide your customers or users with private access to your services without exposing them to the public internet and without requiring peering or non-overlapping address space.
Private Link services use Azure Private Link technology to establish a private, one-way connection from the consumer's virtual network to the service; the provider cannot initiate connections back.
Private Link services can front any TCP or UDP workload behind the load balancer, such as web applications, APIs, and databases.
Private Link services can be created using the Azure portal, Azure CLI, Azure PowerShell, or Azure Resource Manager templates.
When you create a Private Link service, you choose the load balancer frontend it fronts, the subnet and NAT IP configurations used to source-NAT consumer traffic, and the resource group and name.
After creating a Private Link service, you set its visibility (role-based access only, or a list of subscriptions that may discover it) and which subscriptions are auto-approved; other connection requests stay pending until you approve them.
Provider-side NSGs see consumer traffic as coming from the NAT IP addresses (the consumer's original source IP is available through Proxy Protocol v2 if you enable it); consumer-side NSGs on the private endpoint subnet control who may use the endpoint.
A Private Link service must sit behind a Standard SKU internal Load Balancer; Azure Application Gateway offers its own private link feature, and Azure Traffic Manager is not applicable.
Private Link services can be monitored using Azure Monitor and Network Watcher, which provide visibility into traffic patterns, performance, and security.
Plan and implement network integration for Azure App Service and Azure Functions
Azure App Service and Azure Functions can be integrated with virtual networks so that outbound calls from the app reach resources inside the virtual network privately.
Two variants exist: regional virtual network integration, which uses a delegated subnet in a virtual network in the same region and needs no gateway, and the older gateway-required integration, which tunnels through a point-to-site VPN gateway and can reach virtual networks in other regions.
Gateway-required integration depends on a route-based VPN gateway with point-to-site enabled; regional integration delegates the subnet to Microsoft.Web/serverFarms and injects the app's outbound traffic into that subnet, so NSGs and UDRs on the subnet apply to it.
Regional integration is the recommended option; it requires a Basic or higher plan and a subnet used only for that purpose (a /26 is recommended to leave room for scaling).
VNet Integration and Regional VNet Integration can be configured using the Azure portal, Azure CLI, Azure PowerShell, or Azure Resource Manager templates.
When you integrate App Service or Functions with a virtual network, you need to specify the virtual network and subnet that you want to use.
After integration, App Service or Functions can access resources within the virtual network using their private IP addresses; check the Route All setting, because without it only RFC 1918 traffic is routed into the virtual network and everything else still leaves directly to the internet.
Integration is outbound only; to accept inbound connections privately, give the app a Private Endpoint (which also lets you disable public access), and use Service Endpoints or Private Endpoints on the app's own dependencies so they never have to be reachable from the internet.
Network Security Groups (NSGs) on the integration subnet filter the app's outbound traffic, and NSGs on a Private Endpoint subnet filter inbound traffic to the app.
You can also monitor network traffic between App Service or Functions and the virtual network using Network Watcher and NSG flow logging.
Plan and implement network security configurations for an App Service Environment (ASE)
An App Service Environment (ASE) is a fully isolated and dedicated environment for running App Service apps at scale; ASE v3 is deployed directly into a subnet of your virtual network.
ASEs can be internal (the apps are reachable only on an internal load balancer address inside the virtual network) or external (the apps have a public IP), and the virtual network's own controls protect the apps running in the environment.
Network security configuration for an ASE consists of an NSG on the ASE subnet, optional user-defined routes (for example to force egress through Azure Firewall), and Service Endpoints or Private Endpoints for the apps' dependencies; the subnet must be delegated to Microsoft.Web/hostingEnvironments and used by nothing else.
NSGs can be used to filter inbound and outbound traffic for the ASE subnet; ASE v3 has no mandatory inbound management rules, so the NSG can be locked down to the ports the apps actually serve.
Service Endpoints and Private Endpoints give the apps private access to Azure PaaS dependencies; on-premises resources are reached through the virtual network's VPN or ExpressRoute connectivity and the corresponding routes, not through endpoints.
With an internal ASE you also own DNS for the ASE domain: create a private DNS zone for the <ase-name>.appserviceenvironment.net suffix (with records for the apps and their SCM endpoints) and link it to the virtual networks that need to reach the apps.
Network security configurations for ASEs can be managed using the Azure portal, Azure PowerShell, or Azure CLI.
After configuring network security for an ASE, you can monitor traffic between the ASE and the virtual network using NSG flow logging and Network Watcher.
An ASE has no built-in WAF; to filter HTTP traffic for attacks such as SQL injection and cross-site scripting (XSS), place an Azure Application Gateway with WAF (or Azure Front Door with WAF, for an external ASE) in front of it and restrict the ASE to accept traffic only from that gateway.
Plan and implement network security configurations for an Azure SQL Managed Instance
Azure SQL Managed Instance is a fully managed platform-as-a-service (PaaS) offering for running SQL Server workloads in the cloud.
Unlike Azure SQL Database, a managed instance is deployed into a subnet of your own virtual network (delegated to Microsoft.Sql/managedInstances), so it has a private VNet-local address and is secured mainly with virtual network controls rather than a server-level firewall.
Service Endpoints are not used to reach a managed instance (they apply to Azure SQL Database); clients in the same or a peered virtual network, or on-premises over VPN or ExpressRoute, connect to the private address directly.
Private Endpoints are supported for SQL Managed Instance and are the way to give non-peered virtual networks private access; the optional public endpoint (TCP port 3342) is disabled by default and should stay that way unless it is genuinely required and tightly filtered.
Traffic control is done with the NSG on the managed instance subnet: allow client access on port 1433 (and 11000-11999 for the redirect connection type) from specific sources only, while Azure's service-aided subnet configuration maintains the management rules the instance needs; a route table on the subnet controls egress.
Network security configurations for Azure SQL Managed Instance can be managed using the Azure portal, Azure PowerShell, or Azure CLI.
After configuring network security, you can monitor connections and queries using SQL auditing, the instance's diagnostic logs in Azure Monitor, and Microsoft Defender for SQL.
You can also use Microsoft Entra ID (formerly Azure AD) authentication, and disable SQL authentication where possible, so that access to the managed instance is tied to identities that are subject to MFA and Conditional Access.
Plan and implement security for public access to Azure resources
Plan and implement TLS to applications, including Azure App Service and API Management
Transport Layer Security (TLS) is a protocol used to provide secure communication between applications over a network.
To secure applications hosted in Azure, you can implement TLS to encrypt communication between the application and clients.
Azure App Service and API Management both terminate TLS for incoming requests, and both can be configured to refuse plain HTTP.
On App Service, enable the HTTPS Only setting so HTTP requests are redirected, and set the minimum inbound TLS version to 1.2; on API Management, disable older TLS versions and weak ciphers in the protocol settings; both apply to custom domain names and to the default azurewebsites.net or *.azure-api.net names.
To enable TLS for a custom domain on App Service, bind a certificate: a free App Service managed certificate, a certificate imported from Azure Key Vault (which rotates automatically), or an uploaded PFX; the default *.azurewebsites.net wildcard certificate is provided by Azure.
To enable TLS for a custom domain on API Management, upload a certificate or reference one in Azure Key Vault so rotation happens without a redeploy; the default *.azure-api.net certificate is provided by Azure.
You can also terminate TLS on Azure Application Gateway or Azure Front Door to offload encryption and inspect traffic with a WAF; re-encrypt from the gateway to the backend (end-to-end TLS) rather than forwarding plain HTTP, and restrict the backend to accept only the gateway's traffic.
When implementing TLS, use TLS 1.2 or later, prefer modern cipher suites, and automate certificate renewal so an expired certificate does not cause an outage or train users to click through warnings.
You can monitor TLS configuration and compliance using Microsoft Defender for Cloud (formerly Azure Security Center), whose recommendations flag apps without HTTPS Only, with a minimum TLS version below 1.2, and with plain FTP rather than FTPS enabled.
Plan, implement, and manage an Azure Firewall, including Azure Firewall Manager and firewall policies
Azure Firewall is a fully managed, cloud-based network security service that provides network traffic filtering and protection against threats.
Azure Firewall allows you to create, enforce, and log application (FQDN and URL) and network (IP, port, protocol) connectivity policies across subscriptions and virtual networks.
To implement Azure Firewall, you deploy it into a dedicated subnet named AzureFirewallSubnet in a hub virtual network, point workload subnets at its private IP with user-defined routes, and write rules that allow or deny traffic based on source, destination, port, protocol, or FQDN.
You can also use Azure Firewall Manager to centrally manage multiple firewall instances (in hub virtual networks and in secured virtual hubs) and to create and apply firewall policies across subscriptions and virtual networks.
Firewall policies are the recommended way to manage rules: a policy holds rule collection groups, each containing rule collections (DNAT, network, or application) with a priority and an allow or deny action, and one policy can be associated with many firewalls.
Firewall policies are created with the Azure portal, CLI, PowerShell, or templates (Azure Policy is a separate governance service and is not used to author firewall rules); a child policy can inherit a parent policy so that base rules are enforced centrally while teams add their own on top.
Azure Firewall sends logs to Azure Monitor (application, network, DNAT, threat intelligence, and IDPS logs), where you can query them and raise alerts for denied traffic, policy violations, or threat-intelligence hits.
Azure Firewall supports Application Rules, Network Rules, NAT (DNAT) Rules, DNS Proxy, and Forced Tunneling in the Standard SKU, and adds TLS Inspection, IDPS, URL filtering, and web categories in the Premium SKU; rules are processed DNAT first, then network, then application, and traffic that matches no rule is denied.
Azure Firewall can be integrated with Microsoft Defender for Cloud (formerly Azure Security Center) and uses Microsoft threat-intelligence feeds to alert on or deny traffic to and from known malicious IP addresses and domains.
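The fixed processing order matters when writing policies: a network rule collection that matches (allow or deny) ends evaluation before any application rule is consulted, regardless of the collections' priorities, and wildcard FQDNs match subdomains but not the apex. The Python below is an added example, not code from the original page or from Azure; it models that order for network and application rule collections over a constructed policy (DNAT rules are omitted, and the FQDN is passed in directly where the real firewall derives it from SNI, the Host header, or DNS proxy). The addresses and rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Azure Firewall processes rule types in a fixed order regardless of collection priority:
# DNAT, then network, then application. Within a type, rule collections are evaluated by
# priority (lower first) and evaluation stops at the first match; unmatched traffic is denied.


@dataclass
class NetworkRule:
    name: str
    protocols: tuple          # subset of ("TCP", "UDP", "ICMP", "Any")
    sources: tuple            # CIDRs
    destinations: tuple       # CIDRs
    dest_ports: tuple         # ints, or "*"


@dataclass
class ApplicationRule:
    name: str
    sources: tuple            # CIDRs
    target_fqdns: tuple       # exact names or "*.example.com" wildcards
    protocols: tuple          # pairs like ("Https", 443), ("Http", 80)


@dataclass
class RuleCollection:
    name: str
    priority: int
    action: str               # "Allow" or "Deny"
    rules: list = field(default_factory=list)


def _cidr_any(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _fqdn_match(pattern, fqdn):
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:])   # "*.ubuntu.com" matches "archive.ubuntu.com", not "ubuntu.com"
    return pattern == fqdn


def _collections(policy, rule_type):
    return sorted((c for c in policy if c.rules and isinstance(c.rules[0], rule_type)),
                  key=lambda c: c.priority)


def evaluate(policy, src_ip, dst_ip, proto, dst_port, fqdn=None):
    """Return (action, 'collection/rule') for a flow; 'implicit' deny when nothing matches."""
    for col in _collections(policy, NetworkRule):            # 1. network rule collections
        for r in col.rules:
            if (("Any" in r.protocols or proto in r.protocols)
                    and _cidr_any(r.sources, src_ip) and _cidr_any(r.destinations, dst_ip)
                    and ("*" in r.dest_ports or dst_port in r.dest_ports)):
                return col.action, f"{col.name}/{r.name}"
    if fqdn is not None:                                     # 2. application rule collections
        for col in _collections(policy, ApplicationRule):
            for r in col.rules:
                if (_cidr_any(r.sources, src_ip)
                        and any(_fqdn_match(p, fqdn) for p in r.target_fqdns)
                        and any(port == dst_port for _, port in r.protocols)):
                    return col.action, f"{col.name}/{r.name}"
    return "Deny", "implicit"


# Constructed policy: block SMB egress, allow DNS to the Azure resolver, allow OS updates by FQDN.
POLICY = [
    RuleCollection("net-deny-smb", 100, "Deny",
                   [NetworkRule("no-smb-out", ("TCP",), ("10.0.0.0/16",), ("0.0.0.0/0",), (445,))]),
    RuleCollection("net-allow-dns", 200, "Allow",
                   [NetworkRule("dns", ("UDP", "TCP"), ("10.0.0.0/16",), ("168.63.129.16/32",), (53,))]),
    RuleCollection("app-allow-updates", 300, "Allow",
                   [ApplicationRule("os-updates", ("10.0.0.0/16",),
                                    ("*.ubuntu.com", "*.windowsupdate.com"),
                                    (("Http", 80), ("Https", 443)))]),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "10.0.1.4", "203.0.113.5", "TCP", 445))
    print(evaluate(POLICY, "10.0.1.4", "203.0.113.20", "TCP", 443, fqdn="archive.ubuntu.com"))
    print(evaluate(POLICY, "10.0.1.4", "203.0.113.21", "TCP", 443, fqdn="evil.example"))
```

Swapping the priorities of net-deny-smb and app-allow-updates changes nothing, which is the point: the network deny still fires first because of rule type, not priority.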
Plan and implement an Azure Application Gateway
Azure Application Gateway is a layer-7 (HTTP/HTTPS) load balancer that enables you to manage traffic to your web applications within a region.
Application Gateway provides features such as TLS termination, cookie-based session affinity, URL path-based routing, Web Application Firewall (WAF), and autoscaling.
To implement Application Gateway, you deploy it into its own subnet, then configure listeners, routing rules, and backend pools so traffic is routed to one or more backend servers, scale sets, App Service apps, or IP addresses.
Application Gateway can route traffic based on URL paths and host headers (multi-site listeners), and rewrite rules can act on other request attributes such as headers.
You can also configure Application Gateway to perform TLS offloading, which terminates TLS and decrypts traffic before forwarding it to the backend servers; for end-to-end TLS configure HTTPS backend settings so the traffic is re-encrypted toward the backend.
Application Gateway can also be configured with a Web Application Firewall (WAF) to protect web applications from common web vulnerabilities such as SQL injection, cross-site scripting (XSS), and others.
Application Gateway v2 supports autoscaling: you set minimum and maximum instance counts (capacity units) and the gateway scales on its own traffic load; you do not pick CPU, memory, or request-rate metrics as you would for a VM scale set.
You can also configure Application Gateway with a custom domain name and your own TLS certificate (ideally stored in Azure Key Vault so it rotates without manual uploads).
Application Gateway can be integrated with Azure Monitor to monitor its performance, track requests and responses, and generate alerts for specific conditions or errors.
Azure Application Gateway can also be deployed behind Azure Front Door (global entry point) or alongside Azure Firewall (the firewall for non-HTTP traffic and egress, the gateway for inbound web traffic) for additional security and functionality.
Plan and implement an Azure Front Door, including Content Delivery Network (CDN)
Azure Front Door is a global, cloud-based content delivery network (CDN) and application delivery platform that provides secure and scalable routing of user traffic to your applications and services.
Azure Front Door uses anycast and split TCP, so each client connects to the nearest Front Door point of presence (POP) and Front Door carries the request onward over the Microsoft backbone, giving low-latency, high-performance delivery.
Azure Front Door routes to origins based on latency, with priority and weight settings and optional session affinity; country-level control is done with WAF geo-filtering rather than a routing method (geographic routing is a Traffic Manager feature).
Azure Front Door also provides security features such as TLS termination, DDoS protection at the edge, and web application firewall (WAF).
You can use Azure Front Door to improve the performance and availability of your applications by caching content at edge locations and reducing the load on the origin servers.
Azure Front Door Standard and Premium include CDN capabilities (caching, compression, rules engine) natively, so a separate Azure CDN profile is not needed for static and dynamic content such as images, videos, and large files.
To implement Azure Front Door, you create a profile and an endpoint and configure one or more origin groups containing origins such as web apps, APIs, or storage accounts.
You can also configure Azure Front Door with health probes to ensure that it routes traffic only to healthy origins, and lock origins down so they accept traffic only from Front Door (Private Link origins on the Premium tier, or the AzureFrontDoor.Backend service tag plus validation of the X-Azure-FDID header otherwise).
Azure Front Door can be integrated with Azure Monitor to monitor its performance and generate alerts for specific conditions or errors.
Azure Front Door provides a unified control plane to manage traffic and security policies across multiple applications and regions.
Plan and implement a Web Application Firewall (WAF)
A Web Application Firewall (WAF) is a security solution that monitors and filters HTTP traffic between a web application and the Internet to protect against various types of attacks, such as SQL injection, cross-site scripting (XSS), and remote file inclusion (RFI).
Azure Web Application Firewall is offered in two deployments: WAF on Azure Application Gateway (regional, inside your virtual network) and WAF on Azure Front Door (global, at the edge); a lighter WAF is also available on Azure CDN.
Azure WAF is not a standalone appliance: it is a WAF policy attached to an Application Gateway (per gateway, listener, or path) or to a Front Door profile or domain.
Azure WAF managed rules are based on the OWASP Core Rule Set (CRS) on Application Gateway and on the Microsoft Default Rule Set (DRS) on Front Door, plus bot protection rule sets; you tune them with exclusions and add custom rules (IP allow/deny lists, geo-filtering, rate limiting, match conditions).
The Front Door WAF is a layer-7 WAF like the Application Gateway WAF; it inspects the same HTTP attributes but runs at the edge before traffic reaches your region, which makes it the right choice for globally distributed front ends.
To implement Azure Web Application Firewall (WAF), you create a WAF policy and associate it with a WAF-enabled resource, such as Azure Application Gateway or Azure Front Door.
A WAF policy is a collection of managed and custom rules plus settings such as the mode (Detection or Prevention) and request body limits; start in Detection mode, review the logs for false positives, then switch to Prevention.
Azure WAF logs each matched rule to Azure Monitor through the firewall log category, which can be sent to Log Analytics to monitor the WAF, generate alerts, and investigate security incidents.
Azure WAF integrates with Microsoft Defender for Cloud (formerly Azure Security Center), which flags web apps that are not behind a WAF and surfaces WAF findings alongside other security recommendations.
Recommend when to use Azure DDoS Protection Standard
Azure DDoS Protection Standard (now sold as Azure DDoS Network Protection, with a per-IP variant called DDoS IP Protection) is a managed DDoS protection service for the public IP addresses of your Azure resources. It is recommended when you host mission-critical or high-availability workloads on Azure and want to protect them from DDoS attacks that can cause service downtime or performance degradation.
Azure DDoS Protection Standard protects any public IP address in an enabled virtual network, so it covers Virtual Machines, Virtual Machine Scale Sets, Load Balancers, Application Gateways, Azure Firewall, VPN gateways, and Azure Kubernetes Service (AKS) clusters with public ingress.
Azure DDoS Protection Standard is particularly recommended for internet-facing workloads that are exposed to the public Internet and are at a higher risk of being targeted; resources reached only through Private Endpoints or through Azure Front Door gain little from it, because Front Door already mitigates at the edge.
Azure DDoS Protection Standard adds adaptive tuning (per-resource traffic baselines), attack analytics and metrics, and automatic mitigation without manual intervention; every Azure public IP already receives basic, untuned platform-level protection (DDoS infrastructure protection) without it.
Azure DDoS Protection Standard is typically cheaper than on-premises DDoS appliances, which require significant upfront investment and ongoing maintenance, but it carries a fixed monthly fee, so evaluate DDoS IP Protection when only a few public IPs need coverage.
Azure DDoS Protection Standard integrates with Azure Monitor and Microsoft Defender for Cloud (formerly Azure Security Center) to provide comprehensive monitoring and security insights into your protected resources, including alerts when mitigation starts and stops.
Azure DDoS Protection Standard provides a Service Level Agreement (SLA) of 99.99% for protection against DDoS attacks, plus cost protection (credits for scale-out charges caused by a documented attack) and access to the DDoS Rapid Response team during an active attack.