Learning Path 4 - Part 2

The document outlines the learning objectives for securing network connectivity on Azure, including the implementation of a defense in depth strategy and the use of Azure Firewall and DDoS Protection. It details the importance of layered security measures, network security groups for traffic filtering, and the features of Azure's security services. Additionally, it emphasizes combining services like Azure Firewall with Network Security Groups or Application Gateway WAF for a comprehensive security solution.

Uploaded by analiaremon08

Learning Path 4: Secure network connectivity on Azure
AZ-900 Test Preparation

Learning Objectives
 Identify the layers that make up a defense in depth strategy.
 Explain how Azure Firewall enables you to control what traffic is allowed on the network.
 Configure network security groups to filter network traffic to and from Azure resources within a Microsoft Azure virtual network.
 Explain how Azure DDoS Protection helps protect your Azure resources from DDoS attacks.

Defense in Depth - protects information and prevents it from being accessed or stolen by unauthorized users; an attacker who gets through one layer still has to get through the next

Layered Strategy - removes reliance on any single layer; each layer also provides telemetry data to act upon

Physical Security - datacenter protection
Identity & Access - access to infrastructure and change control (SSO & MFA)
Perimeter - DDoS (distributed denial of service) protection, firewalls
Network - limits communications between resources - deny by default
Compute - access to virtual machines, keep them updated with patches
Application - application vulnerabilities, secrets stored safely
Data - access to business data

Security Posture - ability to protect from and respond to security threats

Confidentiality - principle of least privilege; only those who need access get it

Integrity - prevent unauthorized changes to information at rest and in transit

Availability - services are functioning and can be accessed by authorized users

Azure Firewall

A managed, cloud-based network security service
Protects resources on Azure virtual networks

Important Features
o Stateful - complete context of network transaction
o Central location (interface) to create policies, view logs
o Integrated with Azure Monitor (including logging)
o Inbound and outbound rules
o DNAT support (Destination Network Address Translation)
o Standard Azure-ness
 High availability
 Scalability

Configurability
o Application Rules - define fully qualified domain names (FQDNs) that can be accessed from a subnet
o Network Rules - define source address, protocol, destination port and destination address
o Network Address Translation (NAT) rules - think IP addresses and ports (DNAT of inbound traffic hitting the firewall's public IP)
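The three rule types are not checked at random: Azure Firewall processes DNAT rules first, then network rules, then application rules, stops at the first match, and denies anything that matches nothing. The model below is an added example written for these notes, not Microsoft's code; the rule names, IP ranges (documentation ranges) and FQDNs are constructed, and the `fqdn` field stands in for the HTTP Host header or TLS SNI the real firewall inspects.

```python
"""Toy model of Azure Firewall rule evaluation (DNAT -> network -> application, deny by default).

Added example for study purposes; rules, addresses and hostnames below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple
import ipaddress


def in_prefix(addr: str, prefix: str) -> bool:
    """True if addr falls inside the CIDR prefix ('*' matches any address)."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


@dataclass(frozen=True)
class DnatRule:               # inbound: public IP:port -> private IP:port
    name: str
    public_ip: str
    public_port: int
    protocol: str
    translated_ip: str
    translated_port: int


@dataclass(frozen=True)
class NetworkRule:            # L3/L4: source, protocol, destination, port
    name: str
    action: str               # "Allow" or "Deny"
    protocols: Tuple[str, ...]   # ("TCP",), ("UDP",), ("Any",) ...
    sources: Tuple[str, ...]     # CIDR prefixes or "*"
    destinations: Tuple[str, ...]
    ports: Tuple                 # ints, or ("*",)


@dataclass(frozen=True)
class ApplicationRule:        # L7: FQDN (wildcards allowed) over HTTP/HTTPS
    name: str
    action: str
    sources: Tuple[str, ...]
    fqdns: Tuple[str, ...]       # e.g. "*.microsoft.com"
    protocols: Tuple[str, ...]   # "Http:80", "Https:443"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int
    protocol: str             # "TCP" / "UDP" / "ICMP"
    fqdn: Optional[str] = None   # Host header / SNI, only meaningful for web traffic


# Constructed firewall: RDP published to a jump box, DNS allowed, SMB egress blocked,
# and Microsoft update hosts allowed by name.
FIREWALL = {
    "dnat": [DnatRule("rdp-to-jumpbox", "203.0.113.10", 3389, "TCP", "10.0.1.4", 3389)],
    "network": [
        NetworkRule("allow-dns", "Allow", ("UDP",), ("10.0.0.0/16",), ("192.0.2.53/32",), (53,)),
        NetworkRule("deny-smb-out", "Deny", ("TCP",), ("10.0.0.0/16",), ("*",), (445,)),
    ],
    "application": [
        ApplicationRule("allow-ms-updates", "Allow", ("10.0.0.0/16",),
                        ("*.microsoft.com", "*.windowsupdate.com"), ("Http:80", "Https:443")),
    ],
}


def evaluate(fw: dict, pkt: Packet):
    """Return (verdict, rule name, translation). First match wins; no match means Deny."""
    # 1. DNAT rules: traffic to the firewall's public IP is translated before anything else
    #    (Azure adds the matching network rule implicitly, so the flow is also allowed).
    for r in fw["dnat"]:
        if pkt.dst == r.public_ip and pkt.port == r.public_port and pkt.protocol == r.protocol:
            return "DNAT", r.name, (r.translated_ip, r.translated_port)
    # 2. Network rules: a hit here (Allow or Deny) ends evaluation, app rules are not consulted.
    for r in fw["network"]:
        if (("Any" in r.protocols or pkt.protocol in r.protocols)
                and any(in_prefix(pkt.src, s) for s in r.sources)
                and any(in_prefix(pkt.dst, d) for d in r.destinations)
                and ("*" in r.ports or pkt.port in r.ports)):
            return r.action, r.name, None
    # 3. Application rules: only web traffic with a hostname can match an FQDN rule.
    if pkt.fqdn:
        host = pkt.fqdn.lower()
        for r in fw["application"]:
            ports = {int(p.split(":")[1]) for p in r.protocols}
            if (pkt.port in ports
                    and any(in_prefix(pkt.src, s) for s in r.sources)
                    and any(fnmatchcase(host, f.lower()) for f in r.fqdns)):
                return r.action, r.name, None
    # 4. Nothing matched: Azure Firewall is deny-by-default.
    return "Deny", "<default deny>", None


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "203.0.113.10", 3389, "TCP"),
              Packet("10.0.2.5", "198.51.100.50", 445, "TCP"),
              Packet("10.0.2.5", "198.51.100.60", 443, "TCP", fqdn="docs.microsoft.com"),
              Packet("10.0.2.5", "198.51.100.60", 443, "TCP", fqdn="microsoft.com")):
        print(p, "->", evaluate(FIREWALL, p))
```

Two things worth noticing when you run it: the `deny-smb-out` network rule fires before any application rule is looked at, so an FQDN allow can never rescue a flow a network rule denies; and `*.microsoft.com` matches `docs.microsoft.com` but not the bare `microsoft.com`, which lands in the default deny.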

Azure Application Gateway also has a firewall called web application firewall (WAF)
Azure Front Door (also WAF)
Azure Content Delivery Network (also WAF)

Azure DDoS Protection

DDoS - Distributed Denial of Service
Attacks that attempt to overwhelm and exhaust app resources
Make the app slow or unresponsive
Target publicly reachable sites

Features
o Discards DDoS traffic at network edge
o Reduces illegitimate traffic => lower operating costs

Tiers
o Basic - free, enabled automatically as part of the Azure platform
o Standard - additional features tuned to Azure virtual network resources; mitigates:
 Volumetric attacks
 Protocol attacks
 Resource (application) layer attacks

Network Security Groups

 Enables filtering of network traffic to/from resources within an Azure virtual network (internal firewall)
 Can use security rules for inbound/outbound based on IP/port/protocol
 Each rule has a priority number; rules are evaluated lowest number first and the first match wins
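How the priority number and the built-in default rules interact is where most NSG mistakes happen, so here is an added worked model (written for these notes, not Microsoft's code). It encodes three documented behaviours: rules are evaluated lowest priority number first and the first match wins; every NSG ends with default rules at 65000-65500, the last of which denies all inbound traffic; and inbound traffic must be allowed by both the subnet NSG and the NIC NSG when both exist. The VNet address space, rule names and sample flows are constructed.

```python
"""Toy model of NSG inbound evaluation: priority order, default rules, subnet + NIC layering.

Added example for study purposes; the rule sets and addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    direction: str    # "Inbound" / "Outbound"
    access: str       # "Allow" / "Deny"
    protocol: str     # "Tcp" / "Udp" / "Icmp" / "*"
    source: str       # CIDR, "*" or a service tag
    dest: str
    dest_ports: str   # "22", "80-443" or "*"


# Constructed service-tag map. In Azure these are maintained by Microsoft; here
# "VirtualNetwork" is this VNet's address space and "Internet" is everything outside it.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],   # Azure's health-probe source address
}

# Default inbound rules present in every NSG. They cannot be deleted, only outranked
# by a custom rule with a lower priority number. (Outbound has a matching set.)
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "DenyAllInBound", "Inbound", "Deny", "*", "*", "*", "*"),
]


def match_addr(addr: str, spec: str) -> bool:
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    vnet = [ipaddress.ip_network(p) for p in SERVICE_TAGS["VirtualNetwork"]]
    if spec == "Internet":
        return not any(ip in n for n in vnet)
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def match_port(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: List[Rule], direction: str, proto: str, src: str, dst: str, port: int) -> Tuple[str, str]:
    """First matching rule in ascending priority order decides."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if (r.protocol in ("*", proto) and match_addr(src, r.source)
                and match_addr(dst, r.dest) and match_port(port, r.dest_ports)):
            return r.access, r.name
    return "Deny", "<no rule>"   # not reachable once DEFAULT_INBOUND is appended


def inbound_allowed(subnet_nsg: Optional[List[Rule]], nic_nsg: Optional[List[Rule]],
                    proto: str, src: str, dst: str, port: int):
    """Inbound traffic hits the subnet NSG first, then the NIC NSG; a Deny at either level drops it."""
    trace = []
    for level, custom in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if custom is None:          # no NSG associated at this level: nothing to pass
            continue
        access, name = evaluate(custom + DEFAULT_INBOUND, "Inbound", proto, src, dst, port)
        trace.append((level, name, access))
        if access == "Deny":
            return False, trace
    return True, trace


# Constructed subnet NSG. Note the ordering bug on purpose: the admin-range SSH allow
# at 300 can never fire because the broader deny at 200 is evaluated first.
SUBNET_NSG = [
    Rule(100, "AllowHttpsFromInternet", "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule(200, "DenySshFromInternet", "Inbound", "Deny", "Tcp", "Internet", "*", "22"),
    Rule(300, "AllowSshFromAdmins", "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
]
# Constructed NIC NSG that only admits HTTPS from inside the VNet.
NIC_NSG = [
    Rule(100, "AllowHttpsFromVnet", "Inbound", "Allow", "Tcp", "VirtualNetwork", "*", "443"),
]

if __name__ == "__main__":
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, "Tcp", "198.51.100.9", "10.0.1.4", 443))
    print(inbound_allowed(SUBNET_NSG, None, "Tcp", "203.0.113.5", "10.0.1.4", 22))
```

Running it shows HTTPS from the Internet clearing the subnet NSG and then dying at the NIC NSG's `DenyAllInBound`, and the admin SSH flow being dropped by the priority-200 deny even though a priority-300 allow exists for exactly that source. Swapping the two priority numbers fixes the second case; the first needs the NIC NSG to admit the Internet source or the subnet to be the only level with an NSG.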

Exercise

Combine Services to Create a Complete Network Security Solution

Secure the perimeter with Azure DDoS Protection and Azure Firewall

Secure the network layer by limiting network activity between resources

Two ways to combine services

(1) Network Security Groups and Azure Firewall
(2) Azure Application Gateway WAF and Azure Firewall

So basically, use Azure Firewall at the perimeter and then either network security groups (NSGs) inside the virtual network or an application-level firewall (WAF) in front of the web tier

Knowledge Check
