Module 3 -
Securing Network Connectivity

Defense in Depth

Azure Firewall

Network Security Groups (NSG)

Shared Security

Azure DDoS Protection

Choosing a Solution

Application Security Group (ASG)

Integrity - The prevention of unauthorized changes to information at rest or in transit. Commonly enforced with cryptographic hashes, message authentication codes (MACs), or digital signatures, so that any tampering is detectable.

Availability - Ensure services are available to authorized users when they need them. Denial-of-service attacks are a prevalent cause of loss of availability.

Confidentiality - The principle of least privilege restricts access to information to only those individuals explicitly granted it. This includes protection of user passwords, remote access certificates, and email content.

As computing environments move from customer-controlled datacenters to cloud datacenters, the responsibility for security also shifts. Security is now a concern shared by both the cloud provider and the customer: the provider secures the physical hosts, network and hypervisor, while the customer remains responsible for its data, identities, endpoints and the configuration of the services it deploys.

uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic originating from your virtual network

create, enforce, and log application and network connectivity policies centrally across subscriptions and virtual networks

Built-in high availability.

Unrestricted cloud scalability.

Inbound and outbound filtering rules.

Azure Monitor logging.

Tiers

Basic

automatically enabled as part of the Azure platform, at no extra cost

Always-on traffic monitoring and real-time mitigation of common network-level attacks

Standard

Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms

Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.

Standard Protection mitigates the following attack types:

Volumetric attacks. The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.

Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.

Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.

(Note on naming: Microsoft has since renamed the Basic tier to DDoS infrastructure protection and the Standard tier to DDoS Network Protection; the capabilities described above are unchanged.)

can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. Rules are processed in priority order, lowest number first, and processing stops at the first rule that matches.

When you create a network security group, Azure creates a series of default rules to provide a baseline level of security. You cannot remove the default rules, but you can override them by creating new rules with a higher priority, which means a lower priority number: the default rules sit at 65000-65500, while custom rules must use 100-4096.

enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

allows you to reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
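The NSG and ASG behaviour described above, priority ordering, first-match processing, overriding a default rule and addressing tiers by group rather than by IP, as a small Python model. This is an added example written for these notes, not Azure's own code. It uses the platform's real default rule names and priorities and the real load-balancer health-probe address 168.63.129.16, but the VNet address space, the ASG names (asg-web, asg-db), the VM addresses and the custom rules are constructed, and service-tag matching is simplified (the real VirtualNetwork tag also covers peered and on-premises ranges).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed environment for the example (assumptions, not real Azure state)
VNET_SPACE = ip_network("10.0.0.0/16")          # what the VirtualNetwork tag resolves to here
AZURE_LB_PROBE_IP = ip_address("168.63.129.16")  # real Azure Load Balancer health-probe source
ASGS = {                                         # ASG name -> NIC IPs of member VMs (assumed)
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number = higher priority; custom rules must use 100-4096
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR, "*", a service tag, or "asg:<name>"
    destination: str
    dest_ports: str   # "22", "80-443", "22,3389" or "*"


# Azure's default rules, with the platform's real names and priorities (65000-65500)
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed custom rules for a web tier and a DB tier
CUSTOM_RULES = [
    # Admin SSH from a known range into the web tier only
    Rule("AllowAdminSSH", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "asg:asg-web", "22"),
    # Web tier may reach SQL on the DB tier
    Rule("AllowWebToSql", 200, "Inbound", "Allow", "Tcp", "asg:asg-web", "asg:asg-db", "1433"),
    # Overrides the default AllowVnetInBound (65000): nothing else in the VNet reaches the DB tier
    Rule("DenyVnetToDb", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "asg:asg-db", "*"),
]


def addr_matches(spec: str, ip_str: str) -> bool:
    """Simplified service-tag / ASG / CIDR matching for this example."""
    ip = ip_address(ip_str)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET_SPACE
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if spec == "Internet":
        return ip not in VNET_SPACE
    if spec.startswith("asg:"):
        return ip_str in ASGS[spec[4:]]
    return ip in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def validate_custom_rules(rules) -> None:
    """Azure rejects custom priorities outside 100-4096 and duplicate priorities per direction."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            raise ValueError(f"{r.name}: duplicate {r.direction} priority {r.priority}")
        seen.add((r.direction, r.priority))


def evaluate(custom_rules, direction, protocol, src, dst, port):
    """Return (access, rule name): rules are walked in ascending priority and the first match wins."""
    validate_custom_rules(custom_rules)
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if addr_matches(r.source, src) and addr_matches(r.destination, dst) and port_matches(r.dest_ports, port):
            return r.access, r.name
    return "Deny", "implicit"   # not reached in practice: DenyAll* always matches


if __name__ == "__main__":
    flows = [
        ("Inbound", "Tcp", "203.0.113.10", "10.0.1.4", 22),   # admin SSH to a web VM
        ("Inbound", "Tcp", "198.51.100.7", "10.0.1.4", 22),   # SSH from elsewhere: falls to DenyAllInBound
        ("Inbound", "Tcp", "10.0.1.4", "10.0.2.4", 1433),     # web -> SQL, allowed by the ASG rule
        ("Inbound", "Tcp", "10.0.3.9", "10.0.2.4", 1433),     # other VNet host -> SQL: default allow overridden
        ("Inbound", "Tcp", "168.63.129.16", "10.0.1.4", 80),  # load-balancer health probe
    ]
    for f in flows:
        print(f"{f[2]:>15} -> {f[3]}:{f[4]:<5} {f[0]:<8} {evaluate(CUSTOM_RULES, *f)}")
```

Run it and note two things: the Deny rule at priority 4000 blocks 10.0.3.9 even though the default AllowVnetInBound at 65000 would have allowed it, and a source that matches nothing falls through to DenyAllInBound, which is the deny-by-default posture the module asks for. The real equivalents are created with `az network nsg rule create`, where `--source-asgs` and `--destination-asgs` reference application security groups in place of IP prefixes.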

Perimeter Layer

Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for end users.

Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.

Networking Layer

Restrict inbound internet access and limit outbound where appropriate.

Implement secure connectivity to on-premises networks.

Deny by default.

Limit communication between resources through segmenting your network and configuring access controls.

Combining Services

Network security groups and Azure Firewall. The two are complementary: NSGs provide distributed network-layer filtering at the subnet and NIC level, while Azure Firewall provides a centralized, stateful firewall with application (FQDN) rules, threat-intelligence filtering and centralized logging.

Application Gateway WAF and Azure Firewall. The WAF protects inbound HTTP(S) traffic to web applications against common web exploits such as SQL injection and cross-site scripting; Azure Firewall covers the non-HTTP and outbound traffic that the WAF does not see.