Networking in Azure

Network Security Groups

• In short NSG
• Attached to subnets or network interface card (NIC)
• Each NSG can be linked to multiple resources
• NSGs are stateful
• NSGs properties include
  • Name
  • Priority
  • Source or destination
  • Protocol
  • Direction
  • Port range
  • Action

What NSG does?

• Filter traffic: NSGs allow or deny inbound and outbound traffic
• Contain rules: Rules are ordered based on a number from 100 (processed first) to 4096 (processed last)

NSG problem and solution

Problem with NSGs:

• Can become complex: Can contain lots of rules, the more rules we need the more complex the design
• Can be difficult to maintain: If we add more resources, we may need to update several network security groups

Solution

• Use service tags: Represent services like Azure load balancer or API management and locations like internet
• Use the default security rules: Default security allow and deny common traffic
• Application security groups: Application security groups allow us define a service made up of resources like virtual machines

Application Security Groups

• Allows us to reference a group of resources
• Used as a source or destination in network security groups
• Network security groups are still required
• Working with application security groups
  • Create the application security group
  • Link the group to resources
  • Use the group when working with network security groups

Azure Firewall

• Azure managed stateful firewall service
• Protects access to virtual networks
• Highly available
• Features include
  • Threat intelligence
  • Outbound and inbound NAT support
  • Integration with Azure Monitor
  • Network traffic filtering rules
  • Unrestricted scalability

Links:

• https://www.barracuda.com/glossary/azure-firewall

Azure DDoS protection

• DDoS mitigation for networks and applications
• Always-on monitoring
• Application layer protection
• Integration with Azure monitor
• Features offered
  • Multi-layered protection
  • Attack analytics
  • Scale and elasticity
  • Protection against unplanned costs

DDoS protection service tier

• Basic tier:
  • Active traffic monitoring and always on detection
  • Availability Guarantee
  • Backed by an SLA
  • Free
• Standard tier:
  • Everything offered by the basic tier
  • Real time Metrics
  • Post attack reports
  • Access to DDoS experts during an active attack
  • Security information and event management (SIEM) integration
  • Monthly fee and usage based

User defined routes

• Default system routes are enabled by default
• System routes allow routing between subnet and to the internet
• User defined routes allow us to override Azure’s default system routes
• Often used when we want traffic to be filtered through a virtual appliance