
close
close
Upcoming FREE Conference on Identity Management and Privileged Access Management
In this post, I will explain several techniques that you can use to secure and protect Azure virtual networks.
If you’re reading this, then you’re not stupid and I don’t need to explain the importance of a firewall to you. We take it for granted that virtual machines in the cloud should have some level of firewall security. Azure offers us several ways that we can do this, which I will cover in this article. These same techniques are also important to the developer side of Azure, Platform-as-a-Service or PaaS, because many platforms use virtual networks for privacy or communications, such as Service Fabric or Azure Service Environment (ASE, where the Isolated App Service Tier is hosted).
Azure offers free Layer-4 security in the form of Network Security Groups or NSGs. Using an NSG, you can allow or deny TCP, UDP, or wildcard protocols into or out of a virtual network. An NSG contains default inbound rules and outbound rules, which block everything from outside the virtual network from coming in and allow everything outbound. You can create additional prioritized (or stacked) rules to take more control over network security.
An Azure Network Security Group or NSG [Image Credit: Aidan Finn]
Azure provides DDoS protection at the virtual network layer. By default, every virtual network gets Basic tier protection. Recently, Microsoft made Standard tier DDoS protection generally available, extending protection with:
If you deploy a web service, such as an Azure App Service or some HTTP/HTTPS service on a virtual network (virtual machines, Service Fabric, App Service Environment), then you can place the Web Application Gateway (WAG) in front of the web application. The WAG offers Layer-7 load balancing, with application-aware scale-out and high-availability. If you deploy the Medium or higher sizes of the WAG, then you have the option, at additional cost, of enabling the Web Application Firewall (WAF). The WAF adds Layer-7 security based on the open source OWASP rule set. With this extra layer of security, you get protection against things, such as SQL Injections or malformed HTTP requests.
Microsoft has a pretty good pitch on things like load balancing and firewalls. Its line is that the built-in solutions will be good for a certain percentage of customers/services. However, specialized partners will always offer more and should be considered when you need more than Microsoft can offer.
Several third-party network security solutions can be found in the Azure Marketplace. These solutions deploy as Linux virtual machines with an additional software cost. In some Azure offers (ways of purchasing Azure) you can pay-per-minute for the additional software. However, if you plan to use the firewalls 24*7*365, a bring-your-own-license (BYOL) option might be more cost-effective in the long run. You pay for the virtual machine on a per-minute basis but you buy the software up front. Some names you’ll find in the Marketplace include Check Point, Barracuda, Sophos, Watchguard, Sonicwall, and more.
Azure Reference Architecture Using Firewalls [Image Credit: Microsoft]
Micro-segmentation allows the firewall to inspect all packets both at Layer-4 and Layer-7 (in the case of application-aware appliances).
Typically, if one has the budget and need for a third-party firewall, then there will also be a budget and need for high-availability. Instead of deploying just a single appliance, one will deploy a cluster of them for scale-out and high-availability.
A cluster of firewall appliances will be presented through shared IP addresses:
This can be accomplished by using Azure load balancers:
Note: Always check with the vendor of the firewall appliance for recommended Azure architectures.
Third Party Firewall Scanning Inbound and Outbound Traffic [Image Credit: Microsoft]
The last line of defense is the firewall of the guest OS, which many people forget is there. One gotcha is when you deploy a Windows Server + SQL Server image from the Azure Marketplace and it blocks inbound TCP 1433 traffic (SQL Server client-server communications) by default. The guest OS firewall provides depth in defense and should be left enabled and managed.
More in Microsoft Azure
Microsoft's Azure OpenAI Service Gets New ChatGPT Integration in Preview
Mar 9, 2023 | Rabia Noureen
Microsoft's New Azure Operator Nexus Solution Now Available in Public Preview
Mar 2, 2023 | Rabia Noureen
Microsoft Introduces Fully-Managed Azure Load Testing Service for Developers
Feb 2, 2023 | Rabia Noureen
Azure Native New Relic Service Provides Full Stack Observability To Boost Digital Transformation
Jan 25, 2023 | Rabia Noureen
Most popular on petri