In this session, attendees will learn about the network control plane in Azure and how to secure both Infrastructure-as-a-Service and Platform-as-a-Service components of Azure.
4. Cloud security is a shared responsibility
Microsoft's commitment: securing and managing the cloud foundation
• Physical assets
• Datacenter operations
• Cloud infrastructure
Shared responsibility (varies across IaaS, PaaS, SaaS): securing and managing your cloud resources
• Virtual machines, networks & services
• Applications
• Data
8. Understand Cloud Data Types
• Data at rest: information storage objects, containers, and types that exist statically on physical media, be it magnetic or optical disk.
• Data in transit: data being transferred between components, locations or programs, such as over the network or across a service bus (from on-premises to cloud and vice versa).
• Data in use: information being acted upon in some way by the host or guest during a process, such as real-time database queries running in active memory (as opposed to a page file sent out to disk).
• Data in production: data in some form of storage, e.g. Azure SQL Database, and the compute processes that need to access that storage during production operations.
• Data not in production: data in some form of storage, e.g. a Virtual Hard Disk (VHD), where that VHD is not in production use; for example, it may be part of an upgrade operation.
9. Metadata and the Cloud
• Cloud metadata as well as standard file metadata
• Tenant metadata may also include the performance, configuration, operations, and billing data that is part of each cloud workload or tenant account
• Information can also include security, log & performance information
11. Security patterns for applications & new announcements
• Virtual Network integration for Azure services
• VNet Service Endpoints
• Service Tags
• Application Security Groups
• DDoS Protection
• Web Application Firewall
• NSG Augmented Rules
• NSG Data Plane Log Analytics
• Virtual Appliances
12. Azure Networking Hyperscale
One of the largest networks in the world
Geographic reach and Internet ecosystem:
• 50+ Azure regions
• National clouds
• Backbone in 100+ IXPs (Internet exchange providers)
• 8000+ sessions with ISPs
• ExpressRoute in 48+ locations
Capabilities: virtual networks, security, performance, load balancing, cross-premises connectivity, software-defined WAN, optical networks, long-haul optical network, advanced MPLS services
13. Moving workloads to Azure (on-premises to Azure Virtual Network)
✓ Same controls as on-premises
✓ Virtual Networks: private isolation boundary
✓ Directly extend on-premises to Azure
15. Backend connectivity
• ExpressRoute for private, enterprise-grade connectivity
• VPN Gateways for secure site-to-site connectivity
• Point-to-site VPN for dev / test
Internet-facing edge (users reaching the Virtual Network over the Internet):
• Public IP addresses
• DDoS protection
• ACLs for security
• Load balancing
• DNS services
• Traffic management
Virtual Network tiers: front end, mid-tier, back end
17. Security within Virtual Network
• Network Security Groups (NSGs) for Layer 3 and Layer 4 filtering
• The VIRTUAL_NETWORK service tag eases IP management for VNet firewall rules; it includes the IPs of:
  • the virtual network itself
  • all connected, peered networks
  • on-premises address space connected to the VNet
26. Accessing Azure services
• Azure service IP addresses are public IPs
• To reach them, on-premises firewalls and VNet NSGs are opened to "Internet" outbound, which makes those IPs reachable from anywhere and makes every account in that service reachable through the same rule
• A malicious insider can exploit this: the same outbound path that reaches your service accounts also reaches accounts outside your control
Private connectivity for services: critical for network security
27. Deploy Azure services into VNet
✓ Services in your VNet, managed by Azure!
✓ Private IPs for service resources
✓ Reachable from on-premises through Site-to-Site VPN or ExpressRoute private peering
Deployment: from the Azure Portal or the service's own workflow, the service lands in a dedicated subnet (e.g. an ASE subnet or HDI subnet) behind an NSG and an internal load balancer (ILB); the on-premises firewall only needs an outbound rule allowing the Azure VNet address space
Services: HDInsight, App Service Environment, Batch, API Management, Redis Cache, AD DS
28. VNet Service Endpoints
• Directly extends your VNet to the service
• Secure your critical Azure resources to only your VNet
• Traffic remains on the Microsoft backbone
• In preview: Azure Storage, Azure SQL Database, SQL DW
Example: storage AccountA configured to allow only VNet A
29. Service Endpoints: configuration
• Simple-click setup on an Azure subnet
• No NAT or gateway devices!
• Network admins can enable it on the subnet independently of the service owner
32. VNet Service Endpoints: deep dive
A VM in Subnet 1 of VNet1 (private IP 10.0.0.6, with a public IP) talks to Azure Storage. With the endpoint, the storage service sees the VM's private IP rather than its public IP, and Storage Diagnostics logs show it as such:
  SrcIP: 10.0.0.6, AcctA:GetBlob
  SrcIP: 10.0.0.6, AcctB:PutBlob
Endpoints:
• Carry VNet identity to the service
• Source IPs switch to private VNet IPs
• Service IPs and DNS entries remain as-is today
• Enable the service endpoint once on the subnet; secure resources as and when you want, because each resource opts in through its own network rules
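The following is an added model (not code from the deck or from Azure) of how a storage account's network rules see a request with and without a service endpoint on the caller's subnet. It ties the "access from anywhere" problem of slide 26 to the two endpoint properties above: the source IP becomes the private VNet IP, and the request carries VNet identity that a per-account VNet rule can match. The IPs, subnet ID and account names are constructed.

```python
"""Added example (not from the deck): storage account network rules with and
without a VNet service endpoint on the caller's subnet. All values constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    source_ip: str              # address the storage front end sees
    subnet_id: Optional[str]    # VNet identity carried by a service endpoint, else None
    operation: str              # e.g. "GetBlob"


@dataclass
class AccountNetworkRules:
    """Network rules on ONE storage account (per resource, not per endpoint)."""
    default_action: str = "Allow"           # Azure default: open to all networks
    ip_rules: Tuple[str, ...] = ()          # public IP / CIDR allow-list
    vnet_rules: Tuple[str, ...] = ()        # subnet IDs allowed via service endpoint


def authorize(rules: AccountNetworkRules, req: Request) -> bool:
    """Network-level admission only; authentication is a separate, later step."""
    # A VNet rule can only match a request that carries subnet identity, and
    # only subnets with the service endpoint enabled send that identity.
    if req.subnet_id is not None and req.subnet_id in rules.vnet_rules:
        return True
    src = ipaddress.ip_address(req.source_ip)
    if any(src in ipaddress.ip_network(c, strict=False) for c in rules.ip_rules):
        return True
    return rules.default_action == "Allow"


def vm_request(operation: str, endpoint_enabled: bool) -> Request:
    """How the VM in subnet1 (private IP 10.0.0.6) appears on arrival at Storage.
    Constructed assumptions: outbound public IP 40.71.2.3, subnet ID vnet1/subnet1."""
    if endpoint_enabled:
        # Endpoint on: source switches to the private VNet IP and carries identity.
        return Request("10.0.0.6", "vnet1/subnet1", operation)
    # Endpoint off: traffic leaves via the VM's public IP with no VNet identity.
    return Request("40.71.2.3", None, operation)


def diagnostics_line(account: str, req: Request) -> str:
    """Storage Diagnostics style line as shown on the slide: 'SrcIP: ..., Acct:Op'."""
    return f"SrcIP: {req.source_ip}, {account}:{req.operation}"


def scenario() -> dict:
    # AccountA locked to the VNet; AccountB left at Azure defaults (open).
    acct_a = AccountNetworkRules(default_action="Deny", vnet_rules=("vnet1/subnet1",))
    acct_b = AccountNetworkRules()
    outsider = Request("203.0.113.9", None, "GetBlob")   # constructed Internet host
    return {
        "A_vm_with_endpoint": authorize(acct_a, vm_request("GetBlob", True)),
        "A_vm_without_endpoint": authorize(acct_a, vm_request("GetBlob", False)),
        "A_outsider": authorize(acct_a, outsider),
        "B_outsider_default_open": authorize(acct_b, outsider),
        "A_log": diagnostics_line("AcctA", vm_request("GetBlob", True)),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Two things to read off the results: a VNet rule on the account is worthless until the subnet actually has the endpoint (the second scenario is denied because the request arrives from the public IP with no identity), and an account whose default action is still Allow is reachable from any Internet host regardless of what other accounts do.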
34. Service Tags in NSGs
• Restrict network access to just the Azure services you use
• Maintenance of IP addresses for each tag provided by Azure
• Support for global and regional tags (varies by service)
Network Security Group (NSG) outbound rules, evaluated in priority order with the first match deciding:
  Action  Name             Source          Destination  Port
  Allow   AllowStorage     VirtualNetwork  Storage      Any
  Allow   AllowSQL         VirtualNetwork  Sql.EastUS   Any
  Deny    DenyAllOutBound  Any             Any          Any
Effect: allow only Azure service traffic (Storage globally, SQL in East US); deny Internet outbound
Preview: Azure Storage, SQL, Traffic Manager
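The rule set above, evaluated the way an NSG evaluates it, as an added example that is not from the deck. It includes Azure's built-in default outbound rules (AllowVnetOutBound 65000, AllowInternetOutBound 65001, DenyAllOutBound 65500) to show why the explicit deny is needed, and it also shows what the deck's table does not: a custom DenyAllOutBound placed above the defaults blocks VNet-to-VNet traffic too. The tag prefixes and the rule priorities are constructed assumptions, not Azure's real ranges.

```python
"""Added example (not from the deck): outbound NSG evaluation with service tags.
Rules are evaluated in ascending priority; the first match decides.
The tag-to-prefix table is a constructed stand-in for the lists Azure maintains.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample prefixes, NOT real Azure ranges.
SERVICE_TAG_PREFIXES = {
    "VirtualNetwork": ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/24"],  # VNet, peered, on-prem
    "Storage": ["52.239.0.0/16"],
    "Sql.EastUS": ["40.121.0.0/16"],
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    action: str         # "Allow" or "Deny"
    source: str         # service tag, CIDR, or "Any"
    destination: str
    dest_port: str      # "Any", "443", or a range such as "1024-65535"


def addr_matches(spec: str, ip) -> bool:
    if spec in ("Any", "*"):
        return True
    if spec == "Internet":
        # The Internet tag is everything outside the VNet address space.
        return not addr_matches("VirtualNetwork", ip)
    if spec in SERVICE_TAG_PREFIXES:
        return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAG_PREFIXES[spec])
    return ip in ipaddress.ip_network(spec, strict=False)   # literal CIDR or host


def port_matches(spec: str, port: int) -> bool:
    if spec in ("Any", "*"):
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def evaluate(rules: Iterable[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule in priority order."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if (addr_matches(r.source, src_ip) and addr_matches(r.destination, dst_ip)
                and port_matches(r.dest_port, port)):
            return r.action, r.name
    return "Deny", "<no match>"


# Azure's default outbound rules, present in every NSG.
DEFAULT_OUTBOUND = [
    Rule(65000, "AllowVnetOutBound", "Allow", "VirtualNetwork", "VirtualNetwork", "Any"),
    Rule(65001, "AllowInternetOutBound", "Allow", "Any", "Internet", "Any"),
    Rule(65500, "DenyAllOutBound", "Deny", "Any", "Any", "Any"),
]

# The slide's custom rules; the priorities are an assumption (the slide shows none).
SLIDE_RULES = [
    Rule(100, "AllowStorage", "Allow", "VirtualNetwork", "Storage", "Any"),
    Rule(110, "AllowSQL", "Allow", "VirtualNetwork", "Sql.EastUS", "Any"),
    Rule(4096, "DenyAllOutBound", "Deny", "Any", "Any", "Any"),
]


def with_custom_deny() -> List[Rule]:
    return SLIDE_RULES + DEFAULT_OUTBOUND


def without_custom_deny() -> List[Rule]:
    # Same allow rules, explicit deny omitted: the defaults decide Internet traffic.
    return [r for r in SLIDE_RULES if r.action == "Allow"] + DEFAULT_OUTBOUND


if __name__ == "__main__":
    vm = "10.0.0.6"
    for label, rules in (("with deny", with_custom_deny()), ("without deny", without_custom_deny())):
        for dst, port in (("52.239.1.2", 443), ("40.121.5.5", 1433), ("203.0.113.9", 443), ("10.1.0.5", 22)):
            print(f"{label:13} {dst:>12}:{port:<5} -> {evaluate(rules, vm, dst, port)}")
```

Without the custom deny, traffic to 203.0.113.9 falls through to AllowInternetOutBound at priority 65001 and is allowed, which is exactly the "open to Internet" posture slide 26 warns about. With it, note that the same rule sits above AllowVnetOutBound, so a peered-VNet destination such as 10.1.0.5 is denied as well; an explicit VirtualNetwork-to-VirtualNetwork allow above the deny is needed if that traffic is wanted.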
35. Service Endpoints: filter service traffic with appliances
Subnet 1 carries a user-defined route 0/0 -> NVA, so all its traffic passes through an NVA subnet that has the service endpoint; the storage account allows only the NVA subnet, and the NVA filter allows only myacct*.blob.core.windows.net
36. Stitching Azure services together
HDInsight deployed into an HDI subnet, with a service endpoint from that subnet to the Azure Storage used by the HDI service; the storage account allows the HDI subnet, and the subnet's NSG allows only Azure Storage traffic in place of a broad "allow HDI subnet Internet" rule
37. Services in a Virtual Network
Deploy into Virtual Network:
• SQL DB Managed Instance
• Azure Active Directory Domain Services for ARM
• Azure Batch for ARM
• Azure App Service V2
• Azure API Management
• Azure Batch for ASM VNets
• HDInsight
• Azure App Service V1
• Redis Cache
VNet Service Endpoints:
• Azure Storage
• Azure SQL Database
• Azure SQL Data Warehouse
38. Network Security Takeaways
Azure capabilities enable you to:
• Build more secure, dynamic workloads
• Manage security controls better (service tags and augmented rules instead of hand-maintained IP lists)
• Integrate your VNets more tightly with Azure services (VNet deployment and service endpoints)