Network security in Azure

by | Jun 6, 2020 | Blog

Azure virtual networks provide key networking capabilities:

  1. Isolation and segmentation
  2. Internet communications
  3. Communicate between Azure resources
  4. Communicate with on-premises resources
    1. point to site vpn
    2. site to site vpn
    3. express route
  5. Route network traffic
  6. Filter network traffic
  7. Connect virtual networks
    1. virtual network peering

 

Azure offers three primary ways to set up virtual networking:

  • Azure virtual networks can connect resources such as virtual machines and virtual machine scale sets within the same region
  • Azure VPN gateways can enable communication with on-premises clients or networks over the public Internet, or connect virtual networks in different Azure regions.
  • Azure ExpressRoute creates private, high-bandwidth connections to Azure datacenters that achieve the highest levels of reliability and security.

Network security Groups

Network security groups filter network traffic to and from Azure resources. Can be assigned to:

  1. A machine
  2. A subnet

Each subnet and network interface can have one network security group applied to it. Network security groups support TCP, UDP, and ICMP, and operate at Layer 4 of the OSI model.

Service tags: Microsoft creats tags (as aliases) for: VirtualNetwork, AzureLoadBalancer, Internet, Storage, SQL, etc.

Application security groups let you configure network security for resources used by specific applications. You can group virtual machines logically, no matter what their IP address or subnet assignment. (all sql allow port 1433 inbound)

PaaS

By default, Azure services are all designed for direct internet access. All Azure resources have public IP addresses, including PaaS services such as Azure SQL Database and Azure Storage. Because these services are exposed to the internet, anyone can potentially access your Azure services.

Service endpoints can connect certain PaaS Services directly to your private address space in Azure, so they act like they’re on the same virtual network.

Azure service endpoints are available for many services, such as:

Azure Storage
Azure SQL Database
Azure Cosmos DB
Azure Key Vault
Azure Service Bus
Azure Data Lake

Network Watcher

  1. Monitoring
    1. topology!
    2. Connection check that two components can communicate if you want them to.
    3. Network Performance Monitor tool enables you to track and alert on latency and packet drops over time.
  2. Diagnostic
    1. IP flow verify tells you if packets are allowed or denied for a specific virtual machine.
    2. Next hop traceroute
    3. Security group view
    4. Packet capture
    5. Connection troubleshoot
    6. VPN troubleshoot