Chap 3

The document discusses networking in Azure, emphasizing its importance for cloud security and outlining key components such as Virtual Networks (VNets), Subnets, Network Security Groups (NSGs), and various access methods like JIT Access and VPNs. It highlights the need to secure resources by limiting access and using features like Service Endpoints to mitigate risks associated with public IPs. Additionally, it covers the architecture of cloud services and the implications of network design on security and performance.

Uploaded by

raniabelhassine2

Networking on Azure

Dr. Fatma SIALA KALLEL

2023/2024
Networking

• All aspects of networking in Azure
• Deals with resources’ network connections, firewalls, etc.
• Might sound boring and not very important, but…
Networking is the foundation of cloud security
Cloud Architecture

[Diagram: two VMs, “Weather API” and “Catalog App”, each directly accessible from the internet and RDP-able from anywhere]

A Word of Caution: NEVER leave a VM open to the internet this way.
- Directly accessible from the internet
- Can be RDPed from anywhere
We will learn later on what should be done.
Cloud Architecture

[Diagram: web server VMs “Weather API” and “Catalog App”, directly accessible from the internet and RDP-able from anywhere]

Two main threats:
- Brute force attacks on port 3389 (RDP)
- No line of defense in front of the VM
Networking

• We’ll talk about 4 networking-related cloud services:
  • VNets
  • SubNets
  • Load Balancer
  • Application Gateway
Virtual Networks

• A network in which you can deploy cloud resources
• Many cloud resources are deployed within VNets
  • VMs, App Services, DBs, etc.
• “Virtual” as in “based on a physical network and logically separated from other virtual networks”
Virtual Networks

• Resources in a VNet can communicate with each other by default… but not with resources in other VNets

[Diagram: VNet 1 and VNet 2, each containing VMs; the VMs inside one VNet can talk to each other but not to the VMs in the other VNet]
Virtual Networks

• Think of it as your organization’s private network
• In AWS it’s called VPC – Virtual Private Cloud
• Other organizations’ VNets cannot communicate with your VNet
VNet Pricing

• VNets are free
• Limit of 50 VNets per subscription across all regions
Characteristics of VNets

• Scoped to a single Region
  • Cannot span multiple Regions
• Scoped to a single Subscription
• Can be connected via Peering
• Segmented using Subnets
• Protected using NSG (on the Subnets)

Security and VNets

• The most important thing to think about when designing the network: how to limit access to the resources in the VNet so that risk is minimized
Addresses of VNets

• Each VNet has its own address range
  • Or IP Range
• By default – 65,536 addresses
  • Can be customized
• All network devices must be in this address range
• Expressed using CIDR Notation
CIDR Notation

• Classless Inter-Domain Routing
• A method for representing an IP Range
• Composed of an address in the range and a number between 0 and 32
• The number indicates the number of bits that are allocated to the address. The smaller the number – the larger the range
CIDR Notation Example 1

109.186.149.240 /24
  (8 bits + 8 bits + 8 bits + 8 bits)
  24 bits allocated to the address, 8 bits allocated for the range
  Range: 109.186.149.000 – 109.186.149.255 → 256 Addresses

Bits refresher: 00000000 = 0, 11111111 = 255
CIDR Notation Example 2

109.186.149.240 /16
  (8 bits + 8 bits + 8 bits + 8 bits)
  16 bits allocated to the address, 16 bits allocated for the range
  Range: 109.186.000.000 – 109.186.255.255 → 65,536 Addresses

Bits refresher: 00000000 = 0, 11111111 = 255

Probably way too big…
CIDR Notation

• Azure usually shows the actual range
Subnet

• A logical segment in the VNet
• Shares a subset of the VNet’s IP Range
• Used as a logical group of resources in the VNet
• Is a must: resources must be placed in a Subnet and cannot be placed directly in the VNet
Subnet

• Resources in a subnet can talk to resources in other subnets in the same VNet*
  *By default; can be customized

[Diagram: VNet 1 with a Frontend Subnet and a Backend Subnet, each containing VMs]
Subnet Pricing

• Subnets are free
• Limit of 3,000 Subnets per VNet
Network Security Group

• Usually called NSG
• A gatekeeper for Subnets
• Defines who can connect in and out of a subnet
• Think of it as a mini-firewall
• Should be a standard part of Subnet creation
• Is free
How NSG Works?

• Looks at 5 tuples:
  • Source (= where did the connection come from)
  • Source Port (= the port the source is using)
  • Destination (= where does the connection request go)
  • Destination Port (= to which port does it want to connect)
  • Protocol (= TCP, UDP, Both)
How NSG Works?

• Based on these 5 tuples the connection is either allowed or denied
  • This is called a Security Rule
• Each rule is assigned a number
  • The lower the number – the higher the priority of the rule
NSG and VMs

• An NSG is automatically created and attached to every newly-created VM’s network interface
• By default – opens the RDP (on Windows) or SSH (on Linux) port to anyone
• MUST be handled first thing after creation
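As an added example (not from the slides), a small Python model of how an NSG evaluates a connection’s 5 tuple against numbered rules: it covers the priority ordering described above and the default open-RDP rule on a newly created VM. The rule set, priority numbers and address ranges are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of NSG security-rule evaluation (not Azure's code):
# each rule matches on the 5 tuple the slides list, rules are checked in
# ascending priority number, and the first match decides.
@dataclass(frozen=True)
class Rule:
    priority: int          # lower number = evaluated first
    action: str            # "Allow" or "Deny"
    protocol: str          # "TCP", "UDP" or "*" (both)
    source: str            # source CIDR or "*"
    source_port: str       # port number or "*"
    destination: str       # destination CIDR or "*"
    destination_port: str  # port number or "*"

def _match_addr(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern)

def _match_port(pattern, port):
    return pattern == "*" or int(pattern) == port

def evaluate(rules, src, src_port, dst, dst_port, proto):
    """Return (action, priority) of the first matching rule by priority."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", proto)
                and _match_addr(r.source, src)
                and _match_port(r.source_port, src_port)
                and _match_addr(r.destination, dst)
                and _match_port(r.destination_port, dst_port)):
            return r.action, r.priority
    return "Deny", None  # assumption: Azure's default DenyAllInbound rule

# Constructed rule set: the VM-creation default that opens RDP to anyone,
# plus what a practitioner adds first thing afterwards: an Allow for one
# trusted range and a Deny at a lower number than the open rule, so it wins.
DEFAULT_OPEN_RDP = Rule(300, "Allow", "TCP", "*", "*", "*", "3389")
OFFICE_RDP = Rule(100, "Allow", "TCP", "203.0.113.0/24", "*", "*", "3389")
DENY_ALL_RDP = Rule(200, "Deny", "TCP", "*", "*", "*", "3389")
BEFORE = [DEFAULT_OPEN_RDP]
AFTER = [OFFICE_RDP, DENY_ALL_RDP, DEFAULT_OPEN_RDP]

if __name__ == "__main__":
    probe = ("198.51.100.7", 50000, "10.0.1.4", 3389, "TCP")  # anyone on the internet
    print("before:", evaluate(BEFORE, *probe))  # ('Allow', 300)
    print("after: ", evaluate(AFTER, *probe))   # ('Deny', 200)
    print("office:", evaluate(AFTER, "203.0.113.9", 50000, "10.0.1.4", 3389, "TCP"))
```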
Network Peering

• Sometimes, to increase security, we want to place some resources in a completely different VNet
  • Not just a Subnet!
• Examples:
  • Separate systems
  • System layers
  • Sensitive databases
Network Peering

• Main reasoning: not to place non-public resources in a VNet that has public access

[Diagram: VNet 1 with an NSG opening port 80, containing a Front End VM and a Database VM]
Network Peering

• So…

[Diagram: VNet 2 containing the Database VM; VNet 1 with an NSG opening port 80, containing the Front End VM]
Network Peering

• But…
Network Peering

• Allows two VNets to connect to each other
• From the user’s point of view it’s a single VNet
• Make sure address spaces are not overlapped!
• Use NSG for protection
• Can work across Regions
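The CIDR arithmetic from the two CIDR Notation examples (/24 gives 256 addresses, /16 gives 65,536), together with the non-overlapping address space check that peering requires, as an added Python example that is not part of the slides; the VNet address spaces used in the overlap check are constructed.

```python
# Constructed example (not from the slides): the CIDR arithmetic done by hand,
# plus the address-space overlap check to run before peering two VNets.

def to_int(dotted):
    """'109.186.149.240' -> 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(n):
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def cidr_range(cidr):
    """Return (first, last, count) for 'a.b.c.d/n'.

    The /n is the number of leading bits fixed by the address; the
    remaining 32-n bits are free for the range, giving 2**(32-n) addresses.
    """
    addr, prefix = cidr.split("/")
    n = int(prefix)
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    first = to_int(addr) & mask           # range bits cleared
    last = first | (~mask & 0xFFFFFFFF)   # range bits set
    return to_dotted(first), to_dotted(last), 2 ** (32 - n)

def overlaps(cidr_a, cidr_b):
    """True if the two address spaces share any address; peering requires False."""
    a_lo, a_hi, _ = cidr_range(cidr_a)
    b_lo, b_hi, _ = cidr_range(cidr_b)
    return to_int(a_lo) <= to_int(b_hi) and to_int(b_lo) <= to_int(a_hi)

if __name__ == "__main__":
    print(cidr_range("109.186.149.240/24"))   # slide example 1: 256 addresses
    print(cidr_range("109.186.149.240/16"))   # slide example 2: 65,536 addresses
    # Constructed VNet address spaces: a /16 (the 65,536-address default size)
    # against a /24 carved out of it, and against a disjoint /16.
    print(overlaps("10.0.0.0/16", "10.0.1.0/24"))  # True: cannot be peered
    print(overlaps("10.0.0.0/16", "10.1.0.0/16"))  # False: safe to peer
```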
Network Peering

• Not free
Network Peering

[Diagram: VNet 2 (NSG opening port 1433, containing the Database VM) peered with VNet 1 (NSG opening port 80, containing the Front End VM)]
Cloud Architecture

[Diagram: two peered VNets, each protected by an NSG, hosting AKS (Cart App), App Service (Inventory App), a VM (Weather API) and a VM (Catalog App); an ACR (Cart Docker) behind its own NSG]
Cloud Architecture – Attack Surface

[Diagram: the same two peered VNets, each protected by an NSG, hosting AKS (Cart App), App Service (Inventory App), a VM (Weather API) and a VM (Catalog App), plus the ACR (Cart Docker) behind its own NSG, with the attack surface highlighted]
Secure VM Access

• The larger the attack surface – the greater the risk
• We want to minimize it as much as possible
• Leaving public IPs open is always a risk we want to avoid
• Not directly related to the app design but important nonetheless
Secure VM Access

• What can be done?
  • JIT Access
  • VPN
  • Jump Box
  • Bastion
JIT Access

• Just In Time Access
• Opens the port for access on demand, and automatically closes it
  • Rest of the time – it’s closed
• Can be configured from the VM’s page in the portal
• Requires Security Center License Upgrade
VPN

• A secure tunnel to the VNet
• Can be configured so that no one else can connect to the VNet
• Requires VPN software and license (not part of Azure)
Jump Box

• Place another VM in the VNet
• Allow access ONLY to this VM
• When you need to access one of the other VMs – connect to this one and connect from it to the relevant VM
• Only one port is open (still kind of a problem…)
• Cost: the additional VM (the Jump Box)
Cloud Architecture

[Diagram: the two peered VNets, each protected by an NSG, hosting AKS (Cart App), App Service (Inventory App), a VM (Weather API), a VM (Jump Box) and a VM (Catalog App); an ACR (Cart Docker) behind its own NSG]
Bastion

• A web-based connection to the VM
• No open port is required
• Simple and secure
• Cost: ~$140 / month
Service Endpoint

• A lot of managed services expose a public IP
  • e.g. Azure SQL Server, App Services, Storage and more
• Sometimes these resources are accessed only from resources in the cloud
  • e.g. a database in the backend
• Might pose a security risk
Service Endpoint

• Service Endpoint solves this security risk
• Creates a route from the VNet to the managed service
• The traffic never leaves the Azure backbone
• Although the resource still has a public IP
  • Access from the internet can be blocked
• Is free!
Service Endpoint

• How it’s done:
  • Enable Service Endpoint on the Subnet from which you want to access the resource
  • On the resource, set the subnet as the source of traffic
  • Voila!
Without Service Endpoint

[Diagram: the Front End VM in the VNet (behind an NSG) reaches the Backend App on App Service through the Internet]

With Service Endpoint

• Almost…

[Diagram: the Front End VM in the VNet (behind an NSG) reaches the Backend App on App Service over the Azure backbone; the App Service (PaaS) still faces the Internet]

Note:
1. Traffic leaves the VNet
2. There is a public IP on the PaaS service (App Service)
3. Can’t be used from an on-prem network
Service Endpoint

• Resources that support Service Endpoint:
  • Storage
  • SQL Database
  • Synapse Analytics
  • PostgreSQL
  • MySQL
  • Cosmos DB
  • KeyVault
  • Service Bus
  • Event Hub
  • App Service
  • Cognitive Services
Thank you
