@IPvPho
Last active September 18, 2021 12:32
Securing Network Connectivity on Azure

Network Security Groups

  • Enables you to filter network traffic to and from Azure resources within an Azure Virtual Network.
  • Similar to an internal firewall.
  • Can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by Source and Destination IP address, port, and protocol.

How Do I Specify NSG Rules?

  1. Name: A unique name within the NSG.

  2. Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers; the first matching rule decides.

  3. Source or Destination: A single IP or range of IPs, service tag, or application security group.

  4. Protocol: TCP, UDP, or Any.

  5. Direction: Whether the rule applies to inbound or outbound traffic.

  6. Port Range: A single port or range of ports.

  7. Action: Allow or Deny.
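To make the priority-ordered, first-match evaluation of these rule fields concrete, here is an added Python model (not code from the gist or from Azure) that checks a sample flow against a constructed NSG. The rule names, CIDRs and flows are made up for illustration; the DenyAllInBound rule at priority 65500 is Azure's built-in default that catches anything the custom rules do not match.

```python
# Model of NSG rule evaluation: rules are checked in ascending priority and the
# first match decides; the platform default DenyAllInBound (65500) catches the rest.
# The rule set and flows below are constructed sample data, not a real NSG.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; lower numbers are evaluated first
    direction: str  # "Inbound" or "Outbound"
    protocol: str   # "Tcp", "Udp" or "*" (any)
    source: str     # single IP, CIDR prefix or "*"
    dest_port: str  # "22", "1000-2000" or "*"
    action: str     # "Allow" or "Deny"


def _ip_matches(pattern: str, ip: str) -> bool:
    if pattern == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Return (rule name, action) of the lowest-priority-number rule that matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and _ip_matches(r.source, src_ip) and _port_matches(r.dest_port, dst_port)):
            return r.name, r.action
    raise ValueError("no rule matched; an NSG always ends in a DenyAll default")


# Constructed sample NSG: SSH only from a management subnet, HTTPS from anywhere,
# everything else falls through to the default deny.
SAMPLE_RULES = [
    Rule("AllowSSHFromMgmt", 100, "Inbound", "Tcp", "10.0.1.0/24", "22", "Allow"),
    Rule("DenySSHFromAnywhere", 200, "Inbound", "Tcp", "*", "22", "Deny"),
    Rule("AllowHTTPS", 300, "Inbound", "Tcp", "*", "443", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Deny"),  # Azure default rule
]

if __name__ == "__main__":
    for flow in [("Tcp", "10.0.1.5", 22), ("Tcp", "203.0.113.9", 22),
                 ("Tcp", "203.0.113.9", 443), ("Udp", "203.0.113.9", 53)]:
        print(flow, "->", evaluate(SAMPLE_RULES, "Inbound", *flow))
```

Swapping the priorities of the two SSH rules would make the broad deny win for the management subnet too, which is the kind of ordering mistake this model helps catch before deployment.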

Combining Azure Services to Create a Complete Network Security Solution

Secure the Perimeter Layer

  • The Perimeter Layer is about protecting your org's resources from network-based attacks.
  • Identifying these attacks, alerting the appropriate security teams, and eliminating their impact are important to keeping your network secure.
  • How to secure:
    • Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for users.
    • Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.

Secure the Network Layer

  • At this layer, the focus is on limiting network connectivity across all of your resources to allow only what's required.
  • Segment your resources and use network-level controls to restrict communication to only what is needed.
  • By restricting connectivity, you reduce the risk of lateral movement throughout your network from an attack.
  • Use NSGs to create rules that define allowed inbound and outbound communication at this layer.

Recommended Practices:

  1. Limit communication between resources by segmenting your network and configuring access controls.
  2. Deny by default.
  3. Restrict inbound internet access and limit outbound where appropriate.
  4. Implement secure connectivity to on-premises networks.

Combine Services

  • You can combine Azure Networking and Security services to manage your network security and provide layered protection.

Network Security Groups and Azure Firewall

  • Azure Firewall complements the functionality of NSGs. Together they provide better defense-in-depth network security.
  • NSGs provide distributed network-layer traffic filtering to limit traffic to resources within virtual networks in each subscription.
  • Azure Firewall is a fully stateful, centralized network firewall as a service. It provides network-level and application-level protection across different subscriptions and virtual networks.

Azure Application Gateway Web Application Firewall and Azure Firewall

  • Web Application Firewall (WAF) is a feature of Azure Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities.

Azure Firewall provides:

  • Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP).
  • Outbound network-level protection for all ports and protocols.
  • Application-level protection for outbound HTTP/S.

Combining them provides more layers of protection.
