Basic security capabilities in Azure

  5 minute read  

https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/

Azure network security groups

https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/2-describe-azure-network-security-groups

  • Network Security Group (NSG)
  • Assigned to a subnet or NIC
  • Allow or deny traffic to/from a subnet or NIC
  • A subnet or NIC can be associated with 0 or 1 NSG
  • An NSG can be associated with multiple subnets or NIC
  • NSG rules are evaluated top down (based on priority) using five information points
    • source
    • source port
    • destination
    • destination port
    • protocol

Inbound and outbound rules

  • An NSG has inbound and outbound rule sets
  • Azure assigns three base rules which cannot be removed can be overridden by using higher priority rules

Inbound

PrioritySourceSource portsDestinationDestination portsProtocolAccessExplainer
65000VirtualNetwork0-65535VirtualNetwork0-65535AnyAllowAllow all traffic from the VNET
65001AzureLoadBalancer0-655350.0.0.0/00-65535AnyAllowAll all traffic from Azure Load balancer
655000.0.0.0/00-655350.0.0.0/00-65535AnyDenyDeny all other traffic

Outbound

PrioritySourceSource portsDestinationDestination portsProtocolAccessExplainer
65000VirtualNetwork0-65535VirtualNetwork0-65535AnyAllowAllow all traffic to the VNET
650010.0.0.0/00-65535Internet0-65535AnyAllowAll all traffic to the Internet
655000.0.0.0/00-655350.0.0.0/00-65535AnyDenyDeny all other traffic
  • Name: each rule requires a unique name
  • Priority: a number between 100-4096 with lowest numbered rules being processed first and processing stops when a rule is matched
  • Source/destination: an IP address or range, a service tag or an application security group
  • Protocol: TCP, UDP, ICMP or ANY
  • Direction: inbound or outbound
  • Port: a single port or a range
  • Action: allow or deny

Azure DDoS protection

https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/3-describe-azure-ddos-protection

Distributed Denial of Service (DDoS)

DDoS attacks

  • Goal is to overwhelm the target service
  • Typically the public endpoint is a target as it’s easily accessible on the Internet
  • Most frequent attacks are
    • Volumetric:
      • Flood the network with seemingly legitimate traffic overwhelming the bandwidth
      • Measured in bits per second.
    • Protocol:
      • Overwhelm a service with false protocol requests to exploit layer 3 (network) and 4 (transport) protocols.
      • Measured in packets per second.
    • Resource/application:
      • Target web application packets.

Azure DDoS protection

  • Analyzes network traffic and discards anything that looks like an attack
  • Attack traffic is blocked but legitimate traffic can continue
  • Uses Azure’s scale to ensure protection in all regions
  • Protections is based on two tiers
    • Basic:
      • Automatically enabled at no extra cost
      • Always-on
    • Standard:
      • Extra mitigation capabilities
      • Requires not application changes
      • Tuned using dedicated traffic monitoring and ML algorithms
      • Policies are applied to public IPs attached to Azure resources such as load balancers and app gateways
      • Fixed monthly cost for 100 resources with extra costs for additional resources

Azure firewall

https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/4-describe-what-azure-firewall

  • Managed service
  • Protects the VNet
  • Can be applied per VNet but best practice is to use hub-spoke and have one single firewall where other VNets route traffic through
    • Allow central management
    • Routes on-premises and Azure traffic for easier control of all VNets

Key features

  • Built-in high availability and availability zones:
    • No need to configure HA yourself
    • Spanning availability zones means resiliency against data center failure
  • Network and application level filtering:
    • Use IP, port and protocol to support FQDN filtering for outbound HTTP/S traffic
  • Outbound SNAT and inbound DNAT for Internet resources:
    • SNAT = source network address translation
    • Outbound
    • Translates the private IP of the network resource to an Azure public IP to identify and allow traffic originating from the VNet to the Internet DNAT = destination network address translation
    • Inbound
    • Translates the public IP address to the private IP address of the Azure resource
  • Multiple public IP addresses:
    • Can be associated with an Azure firewall
  • Threat intelligence:
    • Filtering to alert about and deny traffic to/from known malicious IP addresses and domains
    • A black list of know malicious network resources on the Internet
  • Integration with Azure monitor:
    • Enables collecting, analyzing and acting of telemetry from Azure Firewall logs

Azure bastion

https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/5-describe-what-azure-bastion

  • Managed service
  • By default to access a Vm using RDP or SSH is via the Internet - a significant risk that should be avoided
  • Bastion uses an HTML5 browser to connect to the VM securely over TLS
  • No public IP access required
  • No client installed/configured on the user workstation; just an modern browser that supports HTML5
  • Provides access to all VMs within the VNet and peered VNets from where it is hosted

Web application firewall (WAF)

https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/6-describe-what-web-application-firewall

  • Where Azure firewall protects network attacks the WAF protects specifically against web application attacks
  • Common attacks are SQL injection and cross-site scripting
  • Protection just in the application code is hard to deploy, manage and keep up to date
  • The WAF provides centralized protection for multiple web applications in one place
  • Can be deployed alongside:
    • Azure Application Gateway
    • Azure Front Door
    • Azure Content Delivery Network (CDN)

Way Azure encrypts data

https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/7-describe-ways-azure-encrypts-data

  • Typically data is a companies most prized asset
  • A layered approach to security means encryption is often the last line of defense

Encryption on Azure

  • Azure storage service encryption:
    • Protects data at rest
    • Encrypts data on
      • Azure-managed disks
      • Azure Blob storage
      • Azure Files
      • Azure Queue storage
  • Azure disk encryption:
    • Protects Windows and Linux IaaS OS and managed disks
    • Uses BitLocker for Windows
    • Uses dm-crypt for Linux
  • Transparent data encryption (TDE):
    • Protects Azure SQL Database and Azure Data Warehouse
    • Real-time encryption and decryption of the following at rest
      • Databases
      • Associated backups
      • Transaction logs

Azure key vault

  • Managed service

  • Stores application secrets

  • Secures access (TLS), permission control and access logging

  • Secrets:

    • Stores tokens, passwords, certificates, API keys and other secrets

  • Keys:

    • Store and control encryption keys

  • Certificates:

    • Provision, manage and deploy public and private SSL/TLS certificates

  • Secrets backed by hardware security modules (HSM):

    • Secrets and keys protected by software or by FIPS 140-2 level 2 validated HSMs
Last modified July 21, 2024: update (e2ae86c)