Azure Security Notes and Basic Offering Details
Azure Application Security Groups (ASGs) allow network security to be configured with an
application-centric approach inside Network Security Groups (NSGs). They work by assigning the
network interfaces of virtual machines as members of an ASG. ASGs are then used within NSG rules as
either the source or the destination (instead of traditional source/destination IP addresses), which
provides additional options and flexibility for controlling network flows between resources within a
subnet.
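To make the membership idea concrete, here is an added example (written for these notes, not Azure SDK code) that models how an NSG resolves rules whose source or destination is an ASG: NIC membership is looked up first, then rules are walked in priority order and the first match wins, with the two Azure default inbound rules at the bottom. All NIC names, ASG names and rules are constructed; the point it shows beyond the paragraph is that a rule allowing web-to-DB traffic still needs an explicit deny for the DB tier, because the default AllowVnetInBound rule would otherwise admit every other host in the VNet.

```python
"""Model of how an NSG resolves rules that use Application Security Groups.

Added example, not Azure SDK code. NIC membership in ASGs is looked up first,
then rules are walked in priority order (lowest number first) and the first
match decides, which is how NSG evaluation works. The two Azure default
inbound rules are included so a flow that no custom rule matches falls
through to them. Every name below is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY = None  # stands for a rule written with source/destination prefix '*'


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # 100-4096 for custom rules; 65000+ for defaults
    access: str                   # "Allow" or "Deny"
    protocol: str                 # "Tcp", "Udp" or "*"
    dest_ports: FrozenSet[str]    # port numbers as strings, or {"*"}
    source_asgs: Optional[FrozenSet[str]] = ANY   # ASG names, or ANY for '*'
    dest_asgs: Optional[FrozenSet[str]] = ANY


# Which NICs are members of which ASG (constructed; all NICs sit in one VNet).
MEMBERSHIP = {
    "nic-web-01": frozenset({"asg-web"}),
    "nic-web-02": frozenset({"asg-web"}),
    "nic-db-01": frozenset({"asg-db"}),
    "nic-jump-01": frozenset(),
}

# Constructed inbound rules on the NSG attached to the subnet.
RULES = [
    Rule("allow-web-to-db-sql", 100, "Allow", "Tcp", frozenset({"1433"}),
         source_asgs=frozenset({"asg-web"}), dest_asgs=frozenset({"asg-db"})),
    # Without this rule the default AllowVnetInBound would let any VNet host reach the DB tier.
    Rule("deny-all-to-db", 200, "Deny", "*", frozenset({"*"}),
         dest_asgs=frozenset({"asg-db"})),
    # Azure default rules (lowest precedence).
    Rule("AllowVnetInBound", 65000, "Allow", "*", frozenset({"*"})),
    Rule("DenyAllInBound", 65500, "Deny", "*", frozenset({"*"})),
]


def _asg_match(rule_asgs, nic, membership):
    """A '*' rule matches any NIC; an ASG rule matches a NIC that is in one of its ASGs."""
    if rule_asgs is ANY:
        return True
    return bool(membership.get(nic, frozenset()) & rule_asgs)


def evaluate_inbound(rules, membership, src_nic, dst_nic, protocol, port):
    """Return (access, rule name) from the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if "*" not in rule.dest_ports and str(port) not in rule.dest_ports:
            continue
        if not _asg_match(rule.source_asgs, src_nic, membership):
            continue
        if not _asg_match(rule.dest_asgs, dst_nic, membership):
            continue
        return rule.access, rule.name
    return "Deny", "DenyAllInBound"  # not reached while the default rules are present


def add_nic_to_asg(membership, nic, asg):
    """Joining an ASG changes which rules apply to a NIC without editing any rule."""
    updated = dict(membership)
    updated[nic] = membership.get(nic, frozenset()) | {asg}
    return updated


if __name__ == "__main__":
    print(evaluate_inbound(RULES, MEMBERSHIP, "nic-web-01", "nic-db-01", "Tcp", 1433))
    print(evaluate_inbound(RULES, MEMBERSHIP, "nic-jump-01", "nic-db-01", "Tcp", 1433))
    grown = add_nic_to_asg(MEMBERSHIP, "nic-web-03", "asg-web")
    print(evaluate_inbound(RULES, grown, "nic-web-03", "nic-db-01", "Tcp", 1433))
```

The model evaluates a single NSG; in Azure the same logic is applied at the subnet and at the NIC, and a NIC can only be placed in ASGs that belong to the VNet it lives in.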
Azure DDoS:
Two tiers (Basic and Standard). Basic is free for every VNet; Standard is chargeable and additionally
uses machine learning in the backend to analyse traffic flow patterns and decide on mitigation
accordingly.
First a DDoS protection plan needs to be created from the Azure Marketplace; the subscription,
resource group (RG) and region are given at the time of creation.
Go to Protected resources -> select the RG and then the Azure VNet under that RG to protect the
resources inside the VNet.
Azure Defender is the paid version of Azure Security Center and adds vulnerability assessment and
threat detection (Defender must be enabled and is paid only for the resources it is assigned to).
Just-in-time (JIT) VM access locks the VM's management access and only opens connectivity when
needed.
When you enable just-in-time VM access, you can select the ports on the VM to which
inbound traffic will be blocked. Security Center ensures "deny all inbound traffic" rules exist
for your selected ports in the network security group (NSG) and Azure Firewall rules. These
rules restrict access to your Azure VMs’ management ports and defend them from attack.
When a user requests access to a VM, Security Center checks that the user has Azure
role-based access control (Azure RBAC) permissions for that VM. If the request is approved,
Security Center configures the NSGs and Azure Firewall to allow inbound traffic to the
selected ports from the relevant IP address (or range), for the amount of time that was
specified. After the time has expired, Security Center restores the NSGs to their previous
states. Connections that are already established are not interrupted.
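The three steps above (standing deny rules, a validated request that opens a time-bound allow, and restoration after expiry) as an added example written for these notes. It is a model of the flow, not the Microsoft Defender for Cloud API: the rule names, the priorities 3000 and 4000, the sample policy and the addresses are all constructed. What it adds to the prose is the ordering that makes JIT safe: the temporary allow must outrank the deny, it is scoped to the requested source prefix and port only, and it disappears on its own when the window closes.

```python
"""Model of the just-in-time VM access flow.

Added example, not Defender for Cloud code. A JIT policy holds a per-port
limit (port, protocol, permitted source prefix, maximum duration). Enabling
JIT adds a standing deny rule per port; an approved request inserts a
time-bound allow rule that outranks the deny; once it expires the NSG is
back in its previous state. Names, priorities and addresses are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from typing import List, Optional

DENY_PRIORITY = 4000   # constructed: the JIT deny sits below normal user rules
ALLOW_PRIORITY = 3000  # constructed: the temporary allow must outrank the deny


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int
    access: str                           # "Allow" or "Deny"
    port: int
    source: str                           # address prefix, "*" = any
    expires_at: Optional[datetime] = None # set only on JIT allow rules


@dataclass(frozen=True)
class JitPortPolicy:
    number: int
    protocol: str
    allowed_source_address_prefix: str    # "*" = requester chooses the prefix
    max_request_access_duration: timedelta


class JitError(Exception):
    """Request rejected; the NSG is left unchanged."""


def enable_jit(rules: List[NsgRule], policy: List[JitPortPolicy]) -> List[NsgRule]:
    """Step 1: ensure a 'deny all inbound' rule exists for every policy port (idempotent)."""
    rules = list(rules)
    for p in policy:
        name = f"jit-deny-{p.number}"
        if not any(r.name == name for r in rules):
            rules.append(NsgRule(name, DENY_PRIORITY, "Deny", p.number, "*"))
    return rules


def request_access(rules, policy, port, source_prefix, duration, has_rbac, now):
    """Step 2: check RBAC and the policy, then add a temporary allow for this source and port."""
    if not has_rbac:
        raise JitError("requester lacks the Azure RBAC permission for this VM")
    p = next((p for p in policy if p.number == port), None)
    if p is None:
        raise JitError(f"port {port} is not covered by the JIT policy")
    if duration > p.max_request_access_duration:
        raise JitError("requested duration exceeds the policy maximum")
    if p.allowed_source_address_prefix != "*":
        allowed = ip_network(p.allowed_source_address_prefix, strict=False)
        if not ip_network(source_prefix, strict=False).subnet_of(allowed):
            raise JitError("source prefix is outside the range the policy permits")
    allow = NsgRule(f"jit-allow-{port}", ALLOW_PRIORITY, "Allow", port,
                    source_prefix, expires_at=now + duration)
    return list(rules) + [allow]


def expire_jit_rules(rules, now):
    """Step 3: drop allow rules whose window has passed; the standing deny rules remain."""
    return [r for r in rules if r.expires_at is None or r.expires_at > now]


def effective_access(rules, port, source_prefix):
    """Lowest priority number wins, as in an NSG; no match means the default DenyAllInBound."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.port == port and r.source in ("*", source_prefix):
            return r.access
    return "Deny"


# Constructed starting state: one existing user rule, JIT covering SSH and RDP.
BASE_RULES = [NsgRule("allow-https", 300, "Allow", 443, "*")]
POLICY = [
    JitPortPolicy(22, "TCP", "*", timedelta(hours=3)),
    JitPortPolicy(3389, "TCP", "203.0.113.0/24", timedelta(hours=1)),
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    locked = enable_jit(BASE_RULES, POLICY)
    opened = request_access(locked, POLICY, 22, "203.0.113.7/32", timedelta(hours=1), True, now)
    print(effective_access(opened, 22, "203.0.113.7/32"))          # Allow, within the window
    print(effective_access(expire_jit_rules(opened, now + timedelta(hours=2)), 22, "203.0.113.7/32"))
```

One caveat the model makes visible: a pre-existing user rule with a lower priority number than the JIT deny (for example an "allow SSH from anywhere" rule at 300) would still win, so JIT only locks a port that no earlier rule already opens.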