Module 3 -
Securing Network Connectivity
Defense in Depth 
Azure Firewall
Network Security Groups (NSG)
Shared Security
Azure DDoS Protection
Choosing Solution
Application Security Group (ASG)
Integrity - The prevention of unauthorized changes to information at rest or in transit. Commonly applied using a hash key
Availability - Ensure services are available to authorized users. Denial of service attacks are a prevalent cause of loss of availability to users.
Confidentiality - The Principle of least privilege restricts access to information only to individuals explicitly granted access. This information includes protection of user passwords, remote access certificates, and email content
As computing environments move from customer-controlled datacenters to cloud datacenters, the responsibility of security also shifts. Security is now a concern shared by both cloud providers and customers.
uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic originating from your virtual network
create, enforce, and log, application and network connectivity policies across subscriptions, and virtual networks, centrally
Built-in high availability.
Unrestricted cloud scalability.
Inbound and outbound filtering rules.
Azure Monitor logging.
Tiers
Standard Protection
Volumetric attacks. The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
Protocol attacks. These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.
Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.
Basic
Standard
automatically enabled as part of the Azure platform
Always-on traffic monitoring and real-time mitigation of common network-level attacks
Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms
Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
When you create a network security group, Azure creates a series of default rules to provide a baseline level of security. You cannot remove the default rules, but you can override them by creating new rules with higher priorities.
enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
allows you to reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
Networking Layer
Combining Services
Perimeter Layer
Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for end users
Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
Restrict inbound internet access and limit outbound where appropriate.
Implement secure connectivity to on-premises networks.
Deny by default.
Limit communication between resources through segmenting your network and configuring access controls.
Network security groups and Azure Firewall
Application Gateway WAF and Azure Firewall.