Category Archives: Azure Networking

How to activate an SFTP service in Azure based on Container

A communication protocol that is commonly used for transferring files between different business realities is certainly SFTP (SSH File Transfer Protocol or Secure File Transfer Protocol). To date, Azure does not have a fully managed platform service that allows you to provide access over the SFTP protocol. Activating a virtual machine in Azure that hosts the SFTP service incurs activation costs and a significant management effort. This article provides a solution that you can use to deliver the SFTP service to Azure in an Azure environment., Azure Container Instances (ACI) and Azure File Shares.

The proposed solution is based on the following components::

  • Azure Container Instances (ACI), It is the easiest and quickest way in Azure to run containers on-demand in a managed serverless environment. All this is made possible without having to activate specific virtual machines and the necessary maintenance is almost negligible. The solution Azure Container Instances is eligible in scenarios that require isolated containers, without the need to adopt an orchestration system. The service Azure Container Instances costs depend on the number of vCPUs and memory GBs used by the container group.. For more details on costs please visit the Microsoft official page.
  • Azure File, the managed Azure service that allows you to access file shares in the cloud through the Server Message Block (SMB).

Figure 1 – Azure architecture

You will then be activated Linux-based docker container to deliver the SFTP service through Azure Container Instance (ACI). In order to have a persistent storage access from the container it will be made the mount of an Azure Files Shares. Files transferred via the SFTP service will therefore also be accessible via SMB protocol, managing the appropriate permissions, also stopping the execution of the container created.

To deploy this solution, you can use the referenced templates as a starting point in this Microsoft's document. These are two templates, where the first also involves creating a storage account, but of type V1.

Figure 2 – Deployment via custom template

In order to get a proper integration with existing Azure environments and to ensure a filtered access to the SFTP service you must deploy instances of containers inside an Azure virtual network. To do this, you need to enable a feature in preview, and as such has some limitations, between which does not support peering of virtual networks. In this scenario, if the SFTP service is required to be published to the internet, this will necessarily have to take place via Azure Firewall, as it is not supported directly assigning Public IP to Azure Container configured in Virtual Network. In order to improve the security postures of your Azure environment, it is also recommended that:

  • Take a micro-segmentation and granular perimeter definition approach in Azure network architecture. To do this, addition to the adoption of Azure Firewall, you need to plan for the use of the Network Security Groups (NSGs), the tool used to segregate network traffic internally with the Azure Virtual Network. Through deny and permit rules can be filtered communications between different subnets where different application workloads are attested.
  • Predicting the use of Virtual Network (VNet) service endpoints to increase the security level of the Storage Account, preventing unauthorized access. The vNet Service Endpoints allow you to isolate the Azure services, allowing access to them only by one or more subnets defined in the Virtual Network. This feature also ensures that all traffic generated from the VNet towards the Azure services will always remain within the Azure backbone network.

To complete this solution, you must also have a data protection strategy that is placed on the storage account through the SFTP service. Content transferred via SFTP service to Azure file shares can be backed up using the Azure Backup. Again, this is at the time of a feature in preview, so you can have a protection with a daily frequency.

To date, as an alternative to this solution, you can adopt third-party solutions available in the Azure marketplace to deliver the SFTP service. These are significantly more expensive solutions that typically require more effort to deploy and manage them.

Conclusions

Waiting for Microsoft to release a fully managed SFTP service in Azure, this solution enables this service quickly and easily, with reduced costs and without having to maintain and manage virtual machines. The adoption of this solution need integration with other Azure services platform to implement it effectively, without neglecting the safety aspect. At the time you may need to use services in preview, but not officially supported in a production environment.

[Video] – Architecting and Implementing Azure Networking

To implement hybrid clouds securely and functionally, an in-depth understanding of the various aspects of Azure networking is crucial. Recently I had the pleasure of participating in the Italian Cloud Conference where I held a session related to the Azure Networking. In this regard, I report the video of the session where 360-degree exploration of the key elements to be considered in order to build hybrid network architectures, taking advantage of the various services offered by Azure, in order to achieve the best integration with the on-premises environment, without ever neglecting security. Advanced hybrid network architecture scenarios were explored during the session, showing real-world examples, result of a’direct experience in the field.

Azure Networking: managing micro-perimeters with Azure Firewall Manager

Microsoft's public cloud introduces the new management service Azure Firewall Manager that allows you to centrally manage security policies and routing rules. With this solution, you can better govern the security perimeters of your cloud environments and help you protect your business ecosystem. This article lists the key features of the new service, highlighting the benefits that can be gained by using it.

The security model, defined Zero trust by Forrester Research analysts, and in contrast with the conventional models based on perimeter security, directs us to adopt an approach related to micro-segmentation and the definition of granular perimeters in the network architecture. To facilitate this approach, Microsoft has released this tool that, providing a single centralized control panel, , it is able to simplify the configuration and management of network security policy, often deployed across multiple instances of Azure Firewall.

Azure Firewall Manager at the moment is integrated with Azure Virtual WAN, the service that allows you to implement network architectures that are managed according to the hub and spoke model. Azure Firewall can now be enabled in Virtual WAN Hub networks, and when security and routing policies are associated by Azure Firewall Manager the Hub network is defined as a Secured Virtual Hub.

Figure 1 – Overview of Azure Firewall Manager

Adopting Azure Firewall Manager you can get the following benefits:

  • Centralized configurations and deployments: deploying and configuring multiple instances of Azure Firewall, in Virtual WAN Hub networks, can be done centrally. These Azure Firewall instances can reside in different Azure regions and on different subscriptions. In addition, you can organize a hierarchy of DevOps-optimized Azure Firewall policies, where Global firewall policies are managed by central IT and local policy firewalls are delegated to DevOps to promote better agility in processes.
  • Automated routing: comes the ability to easily route traffic in a centralized manner from the spoke networks to the Secure Virtual Hub, all without having to manipulate the User Defined Routes of spoke networks.
  • Integration with Partners Security as a Service (SECaaS) Third Party: to further enhance the security features it can be integrated with SECaaS partners, today Zscaler and iBoss, but soon it will be possible even with CheckPoint.

Figure 2 – Central security e route policy management

In detail the steps to adopt the solution are as follows:

  1. Creating the hub-and-spoke network architecture, using the Azure Virtual WAN service and activating an Azure Firewall instance in the Hub network. To do this, you can do by using two separate modes:
    1. Creating a new one Secured Virtual Hub by Azure Firewall Manager and adding virtual network connections;
    2. Transforming an existing Virtual WAN Hub, activating the Azure Firewall service on the Hub network.

Figure 3 – Start the process using Azure Firewall Manager

  1. Selecting security providers (Optional). This can be done either during the process of creating a Secure Virtual Hub or during the conversion of a Virtual WAN Hub in a Secure Virtual Hub.

Figure 4 – Choosing the Trusted Security Partner

  1. Creating a firewall policy and association with the Network Hub. This is only possible for Azure Firewall Policies, while for Security as a Service solutions policies (SECaaS) provided by partners, you need to use their management tools.
  1. Configuring routing settings on the Secured Hub to attract the traffic of the spoke networks and make it filtered according to the defined policies.

At the moment Azure Firewall Manager is supported only for managing Hub and Spoke architectures created through the Azure Virtual WAN service. Support for managing Azure Firewall instances enabled in Virtual Networks is expected in the first half of next year.

Conclusions

Azure Firewall Manager is a tool that is very useful for managing complex environments composed of different network architectures that adopt the Hub and Spoke model over Azure Virtual WAN. This additional management service despite the dawn, and destined to get rich soon with new features, is essential to manage more easily and effectively the Azure network architecture. At the moment the service is Public Preview, so are not guaranteed SLA (Service-Level Agreements) and it should not be used in production environments.

Azure Monitor: the news about network monitoring in Azure

Monitor Azure is a cloud-based solution that can collect different types of telemetry data, analyze them and take certain actions. Among the various features provides the ability to monitor the health of the networking, connectivity to applications and is able to provide detailed information on network performance. All this not only for cloud environments, but even in the presence of hybrid architectures. This article shows important changes that were recently announced by Microsoft to make the solution even more comprehensive.

Before focusing on the new features that have been introduced it is good to specify that Azure Monitor includes different specific solutions to monitor the Azure networking, including Network Performance Monitor (NPM), The suite includes the following features:

In addition to the tools included in the Network Performance Monitor (NPM) you can use Traffic Analytics, allowing you to have an overall visibility on network activities that are undertaken in the cloud environment. How this solution works is based on the principle that in Azure, to allow or deny network communication to Azure Virtual Networks-connected resources (vNet), it uses the Network Security Group (NSG), containing a list of access rules. The NSGs are applied to network interfaces connected to the virtual machines, or directly to the subnet (recommended). The platform uses NSG flow logs to maintain the visibility of inbound and outbound network traffic from the Network Security Group. Traffic Analytics is based on the analysis ofNSG flow logs and after an appropriate aggregation of data, inserting the necessary intelligence concerning security, topology and geographic map, can provide detailed information about the network traffic of your Azure cloud environment. The news that interests Traffic Analytics is that you can now process this data more frequently, at time intervals each time 10 minutes, against the 60 minutes previously possible.

Figure 1 – Traffic Analytics Processing Frequency

Azure Monitor for Networks

For greater visibility into network activities in the cloud Microsoft released Azure Monitor for Networks that introduces a useful visual view on the health of all network resources in your environment, enriched by their metrics. Everything is available without the need to make any specific configuration.

Figure 2 – Overview of Azure Monitor for Networks

In the top pane, you can set up search parameters to quickly identify the resources of interest, while on the right there is a panel showing any critical alerts.

Selecting individual components gives you more detail.

Figure 3 – VPN connection status details

In particular, currently only for Application Gateways, a very useful view of the Dependency, which helps you pinpoint component configuration and track error conditions more quickly. This representation shows the relationships between the front-end IPs, the listeners, the rules and the backend pool of Application Gateway. Colors make it easy to identify problematic health states on resources.

The view also lists key metrics for Application Gateways.

Figure 4 – List of Application Gateways

Figure 5 - Dependency view of a specific Application Gateway

The graph also allows easy access to the various component configurations. In order to identify connectivity issues and start troubleshooting operations, you have the option, right-clicking on the single virtual machine, of access directly to VM Insight and to Connection troubleshoot.

Figure 6 – Access resources to do machine troubleshooting

Conclusions

The new solution Network Insights present in Azure Monitor allows you to have a comprehensive view of network resources in a simple and intuitive way. The solution is particularly useful in the presence of complex environments and the console of Dependency view is a help also to document the implementations of the Application Gateway. It is currently a feature in preview and as such will surely be enriched in the short term with further news, allowing you to have a more complete and intuitive monitor of the network architecture in Azure.

Azure Networking: the new way to privately access services in Azure

The need to be able to access data and services in Azure in a totally private and secure way, in particular from on-premises environment, it's definitely very much felt and more and more widespread. For this reason, Microsoft has announced the availability of Azure Private Link, this simplifies the network architecture by establishing a private connection to services in Azure, without the need for exposure to Internet. This article describes the characteristics of this type of connectivity and how you can enable it.

Thanks to Azure Private Link you can bring Azure services to a virtual network and map them with a private endpoint. In this way, all traffic is routed through the private endpoint, keeping it on the Microsoft global network. The data does not pass ever on the Internet, this reduces exposure to threats and helps to meet the compliance standards.

Figure 1 - Overview of Azure Private Link

The concept that underlies Azure Private Link is already partly known under the Azure networking and invokes the Virtual Network Service Endpoints. Before the introduction of Azure Private Link the only available way to increase the level of security when accessing Azure services, such as Azure Storage and SQL Azure Database, was given by the VNet Service Endpoints. The difference is substantial, as using VNet Service Endpoints traffic remains in the Microsoft backbone network, allowing access to PaaS resources only from its own VNet, but the PaaS endpoint is still accessed via the public IP of the service. Consequently, the operating principle of the VNet Service Endpoints does not extend to on-premises world even in the presence of connectivity with Azure (VPN or ExpressRoute). In fact, to provide access from on-premises systems you must continue to use the firewall rules to limit the connectivity only to your public IP.

Thanks to Azure Private Link you can instead access the PaaS resources via a private IP address of your VNet, which it is potentially also accessible from:

  • On-premises systems via Azure ExpressRoute private peering andor Azure VPN gateways.
  • Systems on VNet in peering.

All traffic resides within the Microsoft network and you do not need to configure access through public IPs of the PaaS Service.

Figure 2 – Access from on-premises and peered networks

Azure Private Link greatly simplifies the way you can access Azure services (Azure PaaS, Azure, Microsoft partners and private services) as they support cross configurations for Azure Active Directory (Azure AD) tenants.

Figure 3 – Private Link cross Azure Active Directory (Azure AD) tenants

Activating Azure Private link it's simple and requires a limited number of Azure networking-side configurations. Connectivity occurs based on a call approval flow and when a PaaS resource is mapped to a private endpoint, route table and Network Security Groups configuration is not required (NSG).

From Private link center you can create new services and manage the configuration or configure existing services to take advantage of Private link.

Figure 4 - Starting Configuration from Private link center

Figure 5 - Creating an Azure Storage Account to make it privately accessible

Figure 6 - Classical parameters for the creation of an storage account

Figure 7 - Private endpoint configuration

Figure 8 - Private endpoint connection present in the created storage accounts

At this point the storage account will be available in totally private way. To test the connectivity access a virtual machine was created and verified through "Connection troubleshoot":

Figure 9 – Test performed by "Connection troubleshoot" that demonstrates private connectivity

To connect with each other more Azure Virtual Network are typically used VNet peering, that require there are no overlaps in VNets address spaces. If this condition occurs it is possible to adopt the Azure Private Link as an alternative way to privately connect applications that reside in different VNets with an overlapping address space.

Figure 10 – Azure Private Link in the presence of overlapping address space

Azure Private Link features allow you to have specific access only to explicitly mapped resources. In the event of a security incident within your VNet, this mechanism eliminates the threat of extracting data from other resources using the same endpoint.

Figure 11 - Targeted access only to explicitly mapped resources

The Azure Private Link also opens new scenarios for exposure of service in Azure provided by the service provider. In order to allow access to the services provided to its customers, one of these methods was typically carried out in one of these ways.:

  • They made themselves directly accessible via Public IPs.
  • To make them private, VNet peerings were created, but with scalability issues and potential IP conflicts.

Figure 12 - How Azure Private Links changing scenarios "Consumer Service" - "Service Provider".

The new possibilities that are offered in these scenarios, requiring a totally private access to the service provided, is the following:

  • Service Provider: set up an Azure Standard Load Balancer, creates a Azure Private Link and allows access to the Service Consumer coming from a different VNet, subscription, or Azure Active Directory tenant (AD).
  • Service consumer: create a Private Endpoint in the specific VNet and request access to the service.

Figure 13 – Azure Private Link workflow in “Service Consumer”-“Service Provider” scenario

For more details please visit the Microsoft's official documentation.

Conclusions

This new method allows you to privately consume Azure-delivered solutions within your network infrastructure. This is an important change that you should definitely consider when designing network architectures in Azure, particularly for hybrid scenarios. At the moment the service is in preview, therefore not yet usable for production environments and available for a limited set of Azure services. In the coming months, however, Microsoft has announced that it will also make this feature available to other Azure services and partners, allowing you to have a private connectivity experience, key to having more adoption and dissemination of these services.

Azure Networking: what's new in Azure Firewall

Azure Firewall is the firewall-as-a-service solution exists in the Microsoft public cloud, that allows you to secure the resources in Azure Virtual Networks and to govern its network flows. This service has been officially released from several months and, as is often the case with cloud services, there are rapid evolutions, to improve the service and increase the feature set. This article lists the top news that recently affected Azure Firewall.

Public IP addresses associated with Azure Firewall

While initially, only one public IP address could be associated with Azure Firewall, now you can associate up to 100 public IP addresses. This opens up new configuration and operation scenarios:

  • In DNAT configurations you have the option to use the same port on different public IP addresses.
  • For SNAT outbound connections will be available a larger number of ports, reducing the ability to finish the doors available.

Currently the source Public IP address of Azure Firewall used for the connections is chosen randomly. This should be considered when you need specific permissions for traffic from Azure Firewall. Microsoft still has a roadmap of SNAT configurations by specifying the Public IP address to use. The steps to deploy Azure Firewall with multiple public IP addresses, using PowerShell commands, you can consult in this document.

Figure 1 – Assign multiple public IPs to Azure Firewall from the Azure portal

Availability Zones

In order to increase the availability levels of Azure Firewall, you can, during the creation phase,  plan to use the Availability Zones. Selecting two or more Availability Zones will allow you to get an uptime percentage of the 99.99 %. Full details about Service Level Agreements (SLA) of Azure Firewall are contained in this document. The adoption of this deployment methodology does not involve any additional costs, but you need to contemplate an increase in the costs of inbound and outbound data transfer from Availability Zones, available in this document. Compared to the cost of the Azure Firewall, these do not have a particularly significant impact. I personally think that if you adopt an architecture of the networking where Azure Azure Firewall is the core component for the security of the environment, it becomes very useful to use the Availability Zones to ensure a high level of availability of mission-critical applications protected by this service.

Figure 2 - Configuration of Availability Zones in the process of creating Azure Firewall

In the presence of Azure Firewall created without the use of Availability Zones, you do not have the possibility of carrying out a conversion to the use of the same. The only currently available method involves the creation of a new Azure Firewall migrating existing configurations. Backups in JSON format of the Azure Firewall configuration can be made using the following PowerShell commands:

$AzureFirewallId = (Get-AzFirewall -Name "AzureFirewallName" -ResourceGroupName "Network-RG").id

$BackupFileName = ".AzureFirewallBackup.json"

Export-AzResourceGroup -ResourceGroupName "Network-RG" -Resource $AzureFirewallId -SkipAllParameterization -Path $BackupFileName

With the availability of the JSON file you need to edit it to contemplate the Availability Zones:

{

"apiVersion": "2019-04-01",

"type": "Microsoft.Network/azureFirewalls",

"name": "[variables('FirewallName')]",

"location": "[variables('RegionName')]",

"zones": [

"1",

"2",

"3"

],

"properties": {

"ipConfigurations": [

{

After the change is complete, you can deploy the new Azure Firewall, using suitably modified JSON file, using the following command:

New-AzResourceGroupDeployment -name "RestoreFirewallAvZones" -ResourceGroupName "Network-RG" -TemplateFile ".AzureFirewallBackup.json"

Centralized management with third party solutions

Azure Firewall exposes publicly REST APIs that can be used by third-party vendors to provide solutions that allow a centralized management of Azure Firewall, Network Security Groups (NSGs), and network virtual appliances (NVAs). At the moment these are the vendors that offer such solutions: Barracuda with Cloud Security Guardian, AlgoSec with CloudFlow and Tufin with Orca.

Just-in-time (JIT) VM access for Azure Firewall

When a user requests access to a VM with a Just-in-time policy (JIT), the Security Center first checks whether the user actually has Role-Based Access Control permissions (RBAC) required to make the request for access. If so the request is approved, and the Security Center is able to automatically configure not only the NSG, but also the necessary rules in Azure Firewall side to allow incoming traffic.

Application rules with SQL FQDN

In application rule of Azure Firewall the ability to specify the SQL FQDN was introduced. This makes it possible to control access from the virtual network to specific instances of SQL Server. Through SQL FQDN you can filter traffic:

  • From Virtual Network to a Azure SQL database or a SQL Azure Data Warehouse.
  • From the on-premises environment to a SQL Azure Managed Instances or SQL IaaS running on Virtual Network.
  • From spoke-to-spoke to Azure SQL Managed Instances or SQL IaaS running on Virtual Network.

Figure 3 - Creating Application Rule with SQL FQDN

FQDN Tag for Azure HDInsight (HDI)

Azure HDInsight clusters present on its Virtual Network have different dependencies on other Azure services (for example Azure Storage), with which an outgoing network traffic is necessary to operate in the correct way. With the introduction of the FQDN tags for HDInsight you can configure Azure Firewall to restrict outbound access for HDI clusters. For more details please visit the Microsoft's official documentation.

Automation to handle the backup

Having a strategy to restore the configuration of the service in a short time is critical because this service is the government center of your Azure networking environment and contains several rules to comprehensively manage the network traffic. The service currently does not have an integrated feature to make full backup periodically. In this article you can find a mechanism designed to make the scheduled backup of the configuration of this component using the Azure Automation service.

Conclusions

Azure Firewall is a solution that is increasingly being used in network architectures of Azure, for the advantages over firewall solutions by third party vendors and thanks to a constant enrichment of features offered. All these new features make Azure Firewall a more comprehensive solution, totally integrated in the platform, that allows you to secure the resources on Azure Virtual Networks with high flexibility.

Azure Firewall: automation to manage your backups

Azure Firewall is the firewall-as-a-service solution exists in the Microsoft public cloud, that allows you to secure the resources in Azure Virtual Networks and to govern its network flows. This article provides a mechanism designed to make the scheduled backup of this component configuration using Azure Automation.

Azure Firewall is a solution that is increasingly being used in Azure architectures, for the advantages over firewall solutions by third party vendors and thanks to a constant enrichment of features offered. From the moment it is adopted, this service becomes the government center of your Azure networking environment and will contain different rules to comprehensively manage the network traffic. It is therefore essential to have a strategy that allows you to restore the configuration of the service quickly. The service currently does not have an integrated feature to make full backup periodically. For this reason I made a runbook in Azure Automation that backup the Azure Firewall configuration on a Azure blob storage account.

In the following paragraphs there is the procedure for enabling periodic configuration backup using this methodology.

Prerequisites

If you do not have an Azure Automation Account is necessary to proceed with its creation:

Figure 1 – Creating Azure Automation Account

It is also necessary to have a blob storage account on which the Azure Firewall backups will be saved.

Figure 2 — Create blob storage account

In the firewall account storage settings must be enabled the exception "Allow trusted Microsoft services to access this storage account".

On the storage account you can also consider creating policies that enable you to prevent the deletion of backups.

Configuring modules on Azure Automation

Azure Automation supports the ability to use the moduleAzure Powershell Az in runbooks. The module AZ is currently not automatically imported into Automation Accounts. For this reason it is necessary procedures with its configuration as described by this Microsoft's document, in particular by following the procedure given below.

Figure 3 – Start process of adding modules

 

Figure 4 - Selection of the necessary modules and starting the import process

These are the modules required for this automation:

Figure 5 – Required modules

Import and publish of runbook

The next step is to create the Runbook in Azure Automation:

Figure 6 – Creation of Runbook

You can find the code of the runbook in this GitHub page. Once you have created the runbook is appropriate to proceed with its publication.

Figure 7 - Publication of the Runbook.

Runbook schedule

As last step you should schedule the periodic execution of the runbook.

Figure 8 - Creation of schedule

 

Figure 9 - Adding the scheduling to the runbook

 

Figure 10 - Configuration of parameters required by the runbook

Backups in JSON format of the Azure Firewall configuration is automatically saved in the storage accounts indicated and are retained for the number of days expressed in the parameter "RetentionDays".

Figure 11 - Azure Firewall Backups inside the container

Restoring your configuration

In case you need to restore the Azure Firewall configuration is sufficient to deploy the JSON file in the specific resource group, using the following command:

New-AzResourceGroupDeployment -name “RestoreAzureFirewall” -ResourceGroupName “AFW-RGNamexxx” -TemplateFile “.xxx-afwxxxxx.json”

 

Conclusions

Thanks to the adoption of this automation is possible to backup Azure Firewall configuration on a Azure blob storage account. All this is particularly useful and strategic in case of wrong modification of the rules, or if there is a partial or total cancellation of Azure Firewall configuration, which can be accidental or carried out by unauthorized persons.

How to remote access virtual machines in Azure

Being able to access via RDP (Remote Desktop Protocol) or via SSH (Secure SHel) to virtual machines present in Azure is a basic requirement for system administrators. Direct exposure of these protocols on Intenet is definitely a practice to be avoided as a high risk security. This article shows the different methodologies that can be taken to gain remote access to systems present in Azure and the characteristics of each of it.

Recently Microsoft has released a security update rated critical and directed to resolution of the vulnerability CVE-2019-0708 identified on the Remote Desktop service for different operating systems. The vulnerability allows code execution via RDP protocol allowing you to take full control of the remote system. This vulnerability is taken as an example to highlight how is actually risky to publish on Internet these access protocols. For this reason you should consider adopting one of the solutions below for even more security.

Figure 1 – RDP/SSH attack

VPN access

To have an easy administrative access to the Azure Virtual Network you can enable a Point-to-Site VPN (P2S). Through the P2S VPN can establish connectivity from one location to the Azure environment, easily and securely. When the VPN connection is established you will have the ability to remotely access to systems in Azure. For more information on VPN P2S I invite you to read the article Azure Networking: Point-to-Site VPN access and what's new. Adopting this methodology you should take into consideration the maximum number of connections for each Azure VPN Gateway.

Figure 2 - Protocols available for P2S VPN

Just-in-Time VM Access

It is a feature available in Azure Security Center Standard Tier, allowing you to apply the necessary configurations to the Network Security Groups (NSG) and more recently to Azure Firewall to allow administrative access to systems, properly filtered for source IP and for a certain period of time. Just-in-Time VM Access allows to perform the configurations needed to access remotely to systems quickly, targeted and only for a very specific time period. Without the use of this feature you would need to manually create the appropriate rules within the NSG or Azure Firewall (NAT Rule), and remember to remove them when no longer needed.

Figure 3 - Request access via Just-in-Time VM Access

Jumpbox

A scenario that is used in some situations is the presence of a virtual machine (Jumpbox) accessible remotely and dislocated in a suitably isolated subnet, that is used to access several other systems in communication with that subnet. In a network architecture that reflects the hub-and-spoke topology, typically this system is positioned in the hub network, but it is recommended to apply filters to make sure that this system is only accessible from certain public IP addresses, without exposing it directly on the Internet. In this scenario you should take into consideration that you will have a maximum of two remote connections simultaneously for single JumpBox.

Figure 4 - Positioning of the JumpBox in a hub-spoke architecture

Azure Bastion

It is a PaaS service, recently announced by Microsoft in preview, offering a safe and reliable SSH and RDP access to virtual machines, directly through the Azure portal. The provisioning of Azure Bastion service is carried out within a Virtual Network of Azure and it supports access to all the virtual machines on it attested, without exposing the public IP addresses.

Figure 5 - Azure Bastion Architecture

For more details on this please read the article Azure Bastion: a new security model created by Silvio Di Benedetto.

Azure Bastion is a paid service, to get cost details you can access the page Azure Bastion pricing.

At the time you should take into account that Azure Bastion and Just-in-Time VM Access can not be used to access the same systems.

SSL Gateway

A very valid solution in terms of security is an implementation of a Remote Desktop Services environment in Azure, which includes the use of Remote Desktop Gateway role, specially designed to be directly exposed to the Internet (TCP port 443). With this component you can encapsulate RDP traffic in an HTTP over TLS / SSL tunnel. The Remote Desktop Gateway also supports Multi-Factor Authentication that allows to further increase the level of security for remote access to resources. A similar solution is also available in Citrix environment. In this area you will need to consider, in addition to the costs associated with Azure components, also the license costs.

Figure 6 - Possible Remote Desktop Services architecture in Azure environment

Conclusions

There are several possibilities for providing a secure remote access to virtual machines in the Azure environment. The new Azure Bastion service is a safe and simple method, but that needs to be expanded with more features, the most important are certainly support for Virtual Networks in peering and for multi-factor authentication. These features probably will be available when the solution will be globally available. Waiting to use Azure Bastion in a production environment you can use the other methods listed, thus avoiding having to expose unprotected systems to the Internet.

Azure Networking: all you should know about the new Application Gateway

The Application Gateway is the offer for application delivery controller as-a-service present in Azure that enables customers to make the application republishing, with integrated layer-7 load balancing, Security and Web Application Firewall (WAF). Microsoft recently announced the availability of a fully revised version of Azure Application Gateway and its Web Application Firewall module (WAF). This article lists the improvements and additional features that are present in the new SKUs, calls respectively Standard_v2 and WAF_v2.

Enhancements and new features

The following section shows the areas where the new Azure Application Gateway version has made improvements and additional features.

Figure 1 - Diagram with the new features of SKU V2

Scalability

The new version of Azure Application Gateway allows you to automatically perform a scale-up or a scale-down of the number of instances to use, based on traffic detected towards the applications republished. In this way the size of the Application Gateway will always be suitable to support the necessary traffic and will not be more appropriate sizing this component to maximum capacity to sustain moments with traffic spikes. Consequently, with this feature you can get significant cost savings in scenarios where there are workloads that do not have a homogeneous flow, but subject to change.

Zone redundancy

In the new SKU it is possible to do the deployment of the Application Gateway in different areas of availability (availability zone) so as not to be subject to disruptions in the event of problems related to the single zone of Azure. This method of deployment allows increasing the resilience of published applications.

Public Static IP Assignment

The Virtual IP Address assigned to the Application Gateway can be static, thus ensuring a constant IP address assignment for the lifetime of the component. This feature is particularly useful for managing rules on Azure external firewall systems and for web publishing scenarios of Azure Web App.

Header Rewrite

Header Rewrite functionality allows you to easily manage the publications of applications as it is allowed to add, remove or modify HTTP request and response headers, directly from the Application Gateway and without needing to change the code of the application.

Performance

The adoption of the new Application Gateway SKU allows a significant improvement in performance during the provisioning and during the configuration update activities. In addition, it shows an improvement in performance, up to 5 times higher than the previous SKU, in SSL offloading scenarios.

The recommendation

For all new implementations is raccomanded to consider the adoption of the new Azure Application Gateway SKU, while for those who are making application publications by Application Gateway V1, it is recommended that you migrate the SKU V2 quickly, for the following reasons:

  • New features and improvements: Migrating to new SKU you can benefit from the improvements and new features listed above.
  • Cost: view the new pricing policy adopted for the SKU V2, based on consumption and no longer on the size and the number of instances, this may be generally more convenient than SKU V1. For more information on the costs of the new Azure Application Gateway version, you can see the relative costs page.
  • Platform support: soon Microsoft will disable the ability to create new Application Gateway V1. In addition, in the future, Microsoft will release additional new features, but most of these will be released exclusively for the SKU V2.

As migration occurs to the SKU V2

Currently the Azure platform does not provide an automatic procedure to migrate from V1 to V2 SKU, but it is necessary to proceed with a side-by-side migration. To proceed with this activity is necessary a suitable preliminary analysis to verify the presence of all the necessary requirements. The migration of existing configuration can be done through Special scripts of support, but may still be required manual activities. Completed the configuration of all settings to the new Azure Application Gateway V2 you need to redirect the flow of traffic coming from client to the new Application Delivery Service.

Conclusions

The introduction of the new features described above makes the offer of application delivery controller as-a-service available in Azure platform even more complete and functional, to the point of being highly competitive with other vendor solutions, long established on the market. To be constantly updated with the rapid evolution of the cloud is recommended to determine as soon as possible the transition to the new Application Gateway version in order to benefit from the advantages mentioned above.

Azure Networking: Point-to-Site VPN access and what's new

Among the different possibilities to establish a hybrid connectivity with the Azure cloud exist VPN Point-to-Site (P2S). Through the VPN P2S you can enable connectivity from one location to the Azure environment, easily and securely. It is a useful solution to allow communication from remote locations to the Virtual Network of Azure, mostly used for test and development purposes. Can be activated alternatively to Site-to-Site VPN if you must provide connectivity to Azure for a very limited number of systems. This article describes the features of this connectivity and displays the latest news about.

To establish hybrid connectivity with Azure we can use different methodologies, each of which has different characteristics and may be eligible for specific scenarios, providing different levels of performance and reliability.

Figure 1 – Options to enable hybrid connectivity with Azure

The Point-to-Site VPN definitely provide a more limited set of features compared to other hybrid connectivity options and are appropriate in specific cases, where only a limited number of places should be connected to the Azure environment. The P2S connection is established by starting directly from the remote system and in the solution are not expected native systems to activate it in an automatic way.

Figure 2 – Comparison of hybrid connectivity options

Protocols used by the P2S VPN

The Point-to-site VPNs can be configured to use the following protocols:

  • OpenVPN®: is a protocol recently added in Azure, but already widely used by different solutions, that enriches this type of connectivity. This is an SSL/TLS based VPN Protocol, that due to its characteristics more easily traverses firewalls. In addition, it is compatible with different platforms: Android, IOS (version 11.0 and above), Windows, Linux and Mac devices (OSX version 10.13 and later).
  • Secure Socket Tunneling Protocol (SSTP): This is a Microsoft proprietary VPN protocol based on SSL and it can easily cross firewalls, but has the limitation that can only be used by Windows systems. In particular, Azure supports all versions of Windows that include SSTP (Windows 7 and newer).
  • IKEv2: This is an IPsec VPN solution that can be used by different client platforms, but in order to function it requires that in the firewall are permitted specific communications. IKEv2 is supported on Windows 10 and Windows Server 2016, but in order to use it you need to install specific updates and set certain registry keys. Previous versions of the OS are not supported and can only use SSTP, orOpenVPN®.

Figure 3 – OpenVPN Protocols® and IKEv2 compared

The Point-to-Site VPN require the presence of a VPN gateway on the active virtual network of Azure and depending on the SKU vary the maximum number of possible connections. It should also be taken into account that the VPN Gateway Basic does not support IKEv2 and OpenVPN protocols.

Figure 4 – Gateway SKU in comparison for VPNs P2S

Coexistence between the P2S VPN and S2S VPN for the same virtual network is possible only in the presence of VPN gateway RouteBased.

Supported client authentications

Point-to-site VPN access provides the ability to use the following authentication methods:

  • Azure native authentication using certificates. With this mode, the authentication takes place via a client certificate present on the device that needs to connect. Client certificates are generated by a trusted root certificate and must be installed on each system to connect. The root certificate can be issued by an Enterprise solution, or you can generate a self-signed certificate. The client certificate validation process is performed by the VPN gateway while attempting to connect the P2S VPN. The root certificate must be loaded into the Azure environment and is required for the validation process.
  • Authentication using Active Directory (AD) Domain Server. Thanks to this type of authentication users can authenticate using domain credentials. This methodology requires a RADIUS server integrated with AD. RADIUS system can be deployed on-premises or in the VNet of Azure. Using this mechanism, during the authentication process, the Azure VPN Gateway communicates with the RADIUS system, therefore it is essential to provide this communication flow. If the RADIUS server is deployed on-premises, must therefore be a connectivity through S2S VPN with on-premises systems. The RADIUS server can use certificates issued by an internal Certification Authority as an alternative to certificates issued by Azure, with the advantage that it is not necessary to manage Azure upload root certificates and certificate revocation. Another important aspect is that the RADIUS server can be integrated with third-party authentication mechanisms, thus opening the possibility of also use multifactor authentication for P2S VPN access. At the moment the OpenVPN® Protocol is not supported with RADIUS authentication.

Conclusions

Point-to-Site VPNs (P2S) can be very useful to provide connectivity to the Azure Virtual Networks in very specific scenarios. Thanks to the introduction of the support to OpenVPN® protocol it is possible to activate more easily and from different devices (Windows, Mac and Linux), without neglecting safety aspects.