The following 5 steps will help you get started:
Getting started with Network Security in Azure in 5 steps
04 jul, 2023
A framework for IT security provides the necessary guidance for organizations seeking to take a proactive stance in security. Network security is one of six layers that make up Microsoft's Zero Trust Framework. To secure a network according to 'Zero Trust,' connecting should be possible only if it is permitted. Martine Mourits, Consultant Azure & Integration, shows in five steps how to get started with Network Security Azure.
Network Security covers the process of protecting resources from unauthorized access or attacks from outside the organization. It is an ongoing process that begins with the design of the network.
These days, it is advisable to set up a network so that only legitimate traffic between components is possible. This is in line with the thinking of the Zero Trust Framework that we want to adopt. After all, one can no longer assume that only trusted devices want to connect to a network. So it must be ensured that connecting by definition is not possible - unless it is explicitly allowed. But how do you do that?
- 1
Network segmentation
By using one or more Virtual Networks (VNets) in Azure, what resides within those VNets can remain isolated from other networks. Within such a VNet, several subnets can be created, with a separate subnet for each purpose. This ensures that only the traffic needed for a specific purpose can be permitted, very selectively. One way this is also done is by applying Network Security Groups.
- 2
Network Security Groups
Network Security Groups, or NSGs, block or allow traffic based on a set of values specified in the NSG. These values are Port, Protocol, Source and Destination. The NSG already has a number of network rules in it by default, which can be extended to allow or block specific traffic.
- 3
Network Isolation
Network isolation can be interpreted as: "As much as possible, make the Azure services in use securely available within a private Virtual Network, without using the public Internet to do so." Microsoft offers a number of solutions for this, see below.
- 4
Routing traffic
When the VNet has been divided into several Subnets, each protected by a Network Security Group, it is time to create a Route Table containing User Defined Routes. This ensures that all traffic to the outside is routed through the Firewall. There the traffic is otherwise allowed or blocked, filtered, monitored, logged and alerts can be generated on it. In a User Defined Route (UDR), the use of Service Tags can be employed to exempt trusted traffic to Microsoft services from the mandatory route through the Firewall
- 5
Azure Firewall
Even if solid network isolation has been applied, access to the Internet will be needed regardless. The Firewall stands between one's own network and the Internet, and is meant to help keep out external threats. In addition to the usual capabilities offered by a Firewall (allow, block, filter, monitor, log, generate alerts), Azure Firewall also has the ability to determine what to do with traffic based on category. For example, one option is to block the News category. All websites on the Internet that deliver the news in any way (even if the news is searched through the search engine) are then blocked. This works extremely well and is a lot more efficient than having to block a large number of individual websites.
Microsoft's network isolation solutions:
a. Service Tags
Use Service Tags to connect - where possible - directly to Microsoft services over the Microsoft Backbone network. 'API Management', for example, can be added as a Service Tag to the Network Security Group. Then certain traffic to or from 'API Management', or even just 'ApiManagement.WestEurope', can be allowed without crossing the public Internet.
b. Service Endpoints
Equivalent to Service Tags in a Network Security Group, Service Endpoints in the subnet can be used to connect across the Microsoft backbone to certain Azure services.
c. Private Endpoint and Private Link
Private Endpoint and Private Link ensure that a public endpoint is made available as a Private Endpoint within a network, so that connecting to the linked service no longer takes place over the public Internet. The Private Endpoint uses an IP address from its own VNet.
d. VNet Integration
To allow a service or resource to securely connect to other components in a network without entering the public Internet, use is made of VNet Integration. For example, a Function App can be linked to a subnet and that way the App is integrated into the VNet. In the configuration of the service to be communicated with, for example the Storage Account, it can be specified that only traffic from the Function App subnet should reach the Storage Account. Thus, the App may access the relevant Storage Account, but nothing else.
Learn more
About Security and the Zero Trust Framework
Connect with us
Of course, there is much more to say about Azure Firewall - and Network Security in general. Want to learn more about how your organization is taking an active stance on IT security? Our experts are ready to help.