In the modern era of cloud computing, the tendency is to move more frequently workloads in the public cloud and to use hybrid cloud. Security is often perceived as an inhibitor element for the use of cloud environments. Can you extend the datacenter to the cloud while maintaining a high level of network security? How to ensure safe access to services in the cloud and with which tools? One of the main reasons to use Azure, for your own applications and services, is the possibility to take advantage of a rich set of functionality and security tools integrated in the platform. This article will be a overview of network security services in Azure, reporting guidelines and useful tips to best utilize the potential of the platform, in order to structure the network in Azure respecting all security principles.
In field Azure Networking are available different services for enabling connectivity to distinct environments, according to different modes, to activate the protection of the network and to configure the application delivery. All these services are integrated with monitor systems offered by Azure, going to create a complete ecosystem for the provision of network services.
Figure 1 – Azure Networking Services
In order to configure the network protection for Azure we find the following services, available natively in the platform.
Network Security Group (NSG)
Network Security Groups (NSGs) are the main tool to control network traffic in Azure. Through the rules of deny and permit you can filter communications between different workloads on an Azure virtual network. Furthermore, you can apply filters on communications with systems that reside
on-premises, connected to the Azure VNet, or for communications to and from Internet. Network Security Groups (NSGs) can be applied on a specific subnet of a Azure VNet or directly on the individual network adapters of Azure virtual machines. The advice is to apply them if possible directly on the subnet, to have a comprehensive and more flexible control of ACLs. The NSGs can contain rules with Service Tags, that allow you to group with predefined categories of IP addresses, including those assigned to specific Azure services (ex. AzureMonitor, Appservice, Storage, etc.).
The rules of the Network Security Groups can also be referenced Application Security Groups (ASGs). These are groups that contain network adapters of virtual machines on Azure. ASGs allow you to group multiple servers with mnemonic names, useful in particular for dynamic workloads. The Application Security Groups also enable you no longer have to manage in the rules of NSGs IP addresses of Azure virtual machines , as long as these IPs are related to VMs attested on the same VNet.
Figure 2 -Example of a NSG rule that contains a Service Tag and ASG
Figure 3 - Graphical display of network traffic segregation via NSG
Service Endpoints
Through the Virtual Network (VNet) service endpoints, you can increase the level of security for Azure Services, preventing unauthorized access. The vNet Service Endpoints allow you to isolate the Azure services, allowing access to them only by one or more subnets defined in the Virtual Network. This feature also ensures that all traffic generated from the VNet towards the Azure services will always remain within the Azure backbone network. For the supported services and get more details about this you can see the Microsoft documentation.
Figure 4 – Summary of Sevice Endpoints
Azure Firewall
The Azure Firewall is a firewall, fully integrated into the Microsoft public cloud, of type stateful, which makes it possible to centrally control, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. Azure Firewall also allows you to filter traffic between the virtual networks of Azure and on-premises networks, interacting with connectivity that is through the Azure VPN Gateway and with Express Route Gateway. For more details about it you can see the article Introduction to Azure Firewall.
Figure 5 – Placement of Azure Firewall
Web Application Firewall
The application delivery may be made using the Azure Application Gateway, a service managed by the Azure platform, with inherent features of high availability and scalability. The Application Gateway is a application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic (URL path, host based, round robin, session affinity, redirection). The Application Gateway is able to centrally manage certificates for application publishing, using SSL and SSL offload policy when necessary. The Application Gateway may have assigned a private IP address or a public IP address, if the application must be republished in Internet. In particular, in the latter case, it is recommended to turn on Web Application Firewall (WAF), that provides application protection, based on rules OWASP core rule sets. The WAF protects the application from vulnerabilities and against common attacks, such as X-Site Scripting and SQL Injection attacks.
Figure 6 – Overview of Application Gateway with WAF
DDoS protection
In Azure, DDoS protection is available in two different tiers: Basic oppure Standard.
The protection Basic is enabled by default in the Azure platform, which constantly monitors traffic and applies mitigations to the most common network attacks in real time. This tier provides the same level of protection adopted and tested by Microsoft's online services and is active for Azure Public IP addresses (Pv4 and IPv6). No configuration is required for the Basic tier.
Typology Azure DDoS Protection Standard provides additional mitigation features over the Basic tier, that are specifically optimized for resources located in Azure virtual networks. The protection policies are self-configured and are optimized by carrying out specific monitoring of network traffic and applying machine learning algorithms, that allow you to profile your application in the most appropriate and flexible way by studying the traffic generated. When the thresholds set in the DDoS policy are exceeded, the DDoS mitigation process is automatically started, which is suspended when it falls below the established traffic thresholds. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, like: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.
For more details about it you can see the article Protection from DDoS attacks in Azure.
Synergies and recommendations for the use of the various protection services
In order to obtain an effective network security and direct you in the use of the various components, are reported the main recommendations which is recommended to consider:
- Network Security Groups (NSGs) and the Azure Firewall are complementary and using them together you get a high degree of defense. The NSGs is recommended to use them to filter traffic between the resources that reside within a VNet, while the Azure Firewall is useful for providing network and application protection between different Virtual Networks.
- To increase the security of Azure PaaS services is advised to use the Service endpoints, which can be used in conjunction with Azure Firewall to consolidate and centralize access logs. To do this, you can enable the service endpoint in the Azure Firewall subnet, disabling the subnet present in the Spoke VNet.
- Azure Firewall provides network protection Layer 3 for all ports and protocols, it also guarantees a level of application protection (Layer 7) for outbound HTTP/S traffic. For this reason, if you wish to make a secure application publishing (HTTP/S in inbound) you should use the Web Application Firewall present in the Application Gateway, then placing it alongside Azure Firewall.
- Azure Firewall can also be supported by third-party WAF / DDoS solutions.
All these protection services, suitably configured in a Hub-Spoke network architecture allow you to perform a segregation of network traffic, achieving a high level of control and security.
Figure 7 – Security services in a Hub-and-Spoke architecture
Conclusions
Azure provides a wide range of services that allow you to achieve high levels of security, acting on different fronts. The security model that you decide to take, you can resize it and adapt flexibly, depending on the type of application workloads to be protected. A winning strategy can be obtained by applying a mix-and-match of different network security services, to get a protection on more layers.