Tutorial / Cram Notes

Virtual networks (VNets) in Azure provide the foundation for secure network connectivity. They allow Azure resources like virtual machines (VMs) and applications to securely communicate with each other, the internet, and on-premises networks. To secure these networks, Azure provides several tools and features:

Network Security Groups (NSGs):

NSGs are used to filter network traffic to and from Azure resources in an Azure VNet. An NSG contains security rules that allow or deny inbound or outbound network traffic based on several parameters such as protocol, source and destination IP address, port, and direction (inbound or outbound).

Application Security Groups (ASGs):

ASGs let you manage security rules in terms of applications or groups of virtual machines: VMs with similar functions are grouped, and the group is referenced as the source or destination of NSG rules instead of individual IP addresses, giving more granular control.

Azure Firewall:

A managed, cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall provides a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Virtual Network (VNet) Peering:

VNet peering connects two VNets in the same Azure region or in different regions. Traffic between peered VNets is private and secure: it is routed over the Microsoft backbone infrastructure, not through a public internet exchange.

VPN Gateway and ExpressRoute:

These services enable secure connectivity between Azure VNets and on-premises networks. A VPN gateway is used for encrypted traffic over a public connection, while ExpressRoute provides a private connection that does not go over the public internet.

Azure DDoS Protection:

This service provides enhanced mitigation features to defend Azure resources against Distributed Denial of Service (DDoS) attacks.

Best Practices for VNet Security

  • Apply the principle of least privilege when setting up NSG rules. This means allowing only the traffic that is necessary for the operation of the application or service, reducing the attack surface.
  • Use subnetting to segregate different types of traffic. For instance, you could have different subnets for your web servers, app servers, and database servers.
  • Ensure data is encrypted in transit by using encryption protocols such as HTTPS, SSL/TLS, or IPsec VPNs.
  • Use Azure Network Watcher for monitoring and diagnosing conditions at the network level. Use its capabilities such as NSG flow logs, packet capture, and traffic analytics to gain visibility and troubleshoot connectivity issues.

Example Scenario: Multi-Tier Application Security

Consider a multi-tier application setup with a web tier, application tier, and data tier. Each tier is segregated into its own subnet within a VNet.

Web Tier Subnet:

NSG Rule   Direction  Protocol  Source  Destination  Port  Action
---------  ---------  --------  ------  -----------  ----  ------
Web-HTTP   Inbound    TCP       Any     Web Tier     80    Allow
Web-HTTPS  Inbound    TCP       Any     Web Tier     443   Allow
Deny-All   Inbound    Any       Any     Any          Any   Deny

Application Tier Subnet:

NSG Rule       Direction  Protocol  Source    Destination  Port  Action
-------------  ---------  --------  --------  -----------  ----  ------
App-WebAccess  Inbound    TCP       Web Tier  App Tier     Any   Allow
Deny-All       Inbound    Any       Any       Any          Any   Deny

Data Tier Subnet:

NSG Rule        Direction  Protocol  Source    Destination  Port  Action
--------------  ---------  --------  --------  -----------  ----  ------
Data-AppAccess  Inbound    TCP       App Tier  Data Tier    Any   Allow
Deny-All        Inbound    Any       Any       Any          Any   Deny

For the web tier, only HTTP and HTTPS traffic is allowed into the subnet, while the application and data tiers accept traffic only from the tier directly in front of them; every other inbound flow is caught by the explicit Deny-All rule.
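The three tables above expressed as Azure CLI calls, added here as a worked example; it is not code from the original notes and not a Microsoft reference script. The resource group rg-threetier, the VNet vnet-threetier, the 10.0.0.0/16 address plan and the NSG names are assumptions chosen for the example. Two points the tables do not show: custom rule priorities run from 100 to 4096 with the lowest number winning, and the explicit Deny-All is what overrides Azure's default AllowVnetInBound rule (priority 65000), which would otherwise admit traffic from any address in the VNet, including the peered ones. The script also goes one step beyond the tables by allowing Azure Load Balancer health probes above the web tier's deny, because a catch-all deny blocks those probes too. Setting AZ=echo prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example (not from the original notes): the three-tier NSG layout from the
# tables above, expressed as Azure CLI calls. The resource group, VNet name and
# the 10.0.0.0/16 address plan are assumptions chosen for this example.
# Set AZ=echo to print the commands instead of running them.
set -e
AZ="${AZ:-az}"
RG="${RG:-rg-threetier}"
VNET="${VNET:-vnet-threetier}"
WEB_PREFIX="10.0.1.0/24"
APP_PREFIX="10.0.2.0/24"
DATA_PREFIX="10.0.3.0/24"

# Custom NSG rule priorities run from 100 to 4096; the lowest number wins.
# Azure's default AllowVnetInBound rule (priority 65000) would otherwise admit
# traffic from every address in the VNet, so each tier ends with an explicit
# Deny-All at 4096: after the allows, but before the default rules.
DENY_PRIORITY=4096

create_vnet() {
  $AZ network vnet create -g "$RG" -n "$VNET" --address-prefix 10.0.0.0/16 \
    --subnet-name web --subnet-prefix "$WEB_PREFIX"
  $AZ network vnet subnet create -g "$RG" --vnet-name "$VNET" -n app --address-prefix "$APP_PREFIX"
  $AZ network vnet subnet create -g "$RG" --vnet-name "$VNET" -n data --address-prefix "$DATA_PREFIX"
}

# allow_tcp_in NSG RULE_NAME PRIORITY SOURCE DEST_PORT
# SOURCE may be a CIDR, '*' or a service tag such as AzureLoadBalancer.
allow_tcp_in() {
  $AZ network nsg rule create -g "$RG" --nsg-name "$1" -n "$2" --priority "$3" \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$4" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges "$5"
}

# deny_all_in NSG: the explicit catch-all from the tables, evaluated last.
deny_all_in() {
  $AZ network nsg rule create -g "$RG" --nsg-name "$1" -n Deny-All --priority "$DENY_PRIORITY" \
    --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'
}

# attach NSG SUBNET: associate the NSG with the subnet.
attach() {
  $AZ network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$2" --network-security-group "$1"
}

web_tier() {
  $AZ network nsg create -g "$RG" -n nsg-web
  allow_tcp_in nsg-web Web-HTTP 100 '*' 80
  allow_tcp_in nsg-web Web-HTTPS 110 '*' 443
  # A catch-all deny also blocks Azure Load Balancer health probes (default rule
  # 65001), so a web tier behind a load balancer needs this allow above the deny.
  allow_tcp_in nsg-web Allow-LB-Probe 120 AzureLoadBalancer '*'
  deny_all_in nsg-web
  attach nsg-web web
}

app_tier() {
  $AZ network nsg create -g "$RG" -n nsg-app
  allow_tcp_in nsg-app App-WebAccess 100 "$WEB_PREFIX" '*'
  deny_all_in nsg-app
  attach nsg-app app
}

data_tier() {
  $AZ network nsg create -g "$RG" -n nsg-data
  allow_tcp_in nsg-data Data-AppAccess 100 "$APP_PREFIX" '*'
  deny_all_in nsg-data
  attach nsg-data data
}

deploy_three_tier() {
  create_vnet
  web_tier
  app_tier
  data_tier
}

# Deploy only when invoked as "sh threetier.sh apply"; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
  deploy_three_tier
fi
```

Run `sh threetier.sh apply` with an authenticated Azure CLI and an existing resource group; `AZ=echo sh threetier.sh apply` prints the full command sequence without touching a subscription. The App-WebAccess and Data-AppAccess rules follow the tables in allowing any TCP port from the upstream tier; narrowing them to the actual application and database ports is the next least-privilege step.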

Conclusion

Securing the connectivity of virtual networks in Azure is a critical task that requires a comprehensive understanding of network security features and best practices. The tools and features described above, combined with adherence to security fundamentals, create a robust defense against threats to network connectivity. By using these capabilities, organizations can run their services on Azure securely and efficiently, a skill set validated by the AZ-500 Azure Security Technologies certification.

Practice Test with Explanation

True or False: Azure Virtual Network (VNet) service endpoints extend your VNet private address space to Azure service resources.

  • Answer: True

Azure service endpoints extend your virtual network private address space, and the identity of your VNet, to Azure services, providing a direct connection.

Which of the following services can be used to filter network traffic between subnets within an Azure Virtual Network?

  • A) Network Security Groups (NSGs)
  • B) Application Security Groups (ASGs)
  • C) Azure Firewall
  • D) Azure Route Tables

Answer: A, C

Both Network Security Groups (NSGs) and Azure Firewall can be used to filter network traffic between subnets within an Azure Virtual Network.

True or False: You can assign multiple Network Security Groups (NSGs) to a single network interface in Azure.

  • Answer: False

You can only assign one NSG to a given network interface in Azure.

Which Azure feature provides on-premises connectivity to Azure VNets?

  • A) Azure VPN Gateway
  • B) Azure Load Balancer
  • C) Azure Application Gateway
  • D) Azure Traffic Manager

Answer: A

Azure VPN Gateway is used to connect on-premises networks to Azure virtual networks through site-to-site VPNs.

True or False: Azure Bastion provides secure RDP and SSH access to virtual machines without requiring public IP addresses.

  • Answer: True

Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over SSL without the need for a public IP on the VM.

What is Azure DDoS Protection Standard primarily used for?

  • A) Filtering network traffic between subnets
  • B) Providing a direct connection to Azure services
  • C) Protecting Azure resources from Distributed Denial of Service attacks
  • D) Managing route tables for subnets in a VNet

Answer: C

Azure DDoS Protection Standard is designed to protect Azure resources from the impact of Distributed Denial of Service (DDoS) attacks.

Which of these is NOT a feature of Azure Network Watcher?

  • A) Packet capture
  • B) VPN diagnostics
  • C) Load balancing
  • D) Security Group View

Answer: C

Azure Network Watcher provides tools for monitoring, diagnosing, and gaining insights into network performance and issues, not for load balancing.

True or False: User-Defined Routes (UDRs) can be used to override Azure’s default routing.

  • Answer: True

User-Defined Routes (UDRs) are custom route tables that give you the control to define how packets should be routed within a VNet, and can be used to override Azure’s default system routes.

True or False: ExpressRoute enables you to connect your on-premises infrastructure to Azure over a dedicated private connection facilitated by a connectivity provider.

  • Answer: True

Azure ExpressRoute allows you to extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.

Which of the following statements about Azure Front Door Service is true?

  • A) It is primarily a private network peering service.
  • B) It offers a global, scalable entry-point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications.
  • C) It replaces the functionality of Azure VPN Gateway.
  • D) It manages the distribution of network traffic based on pricing.

Answer: B

Azure Front Door Service provides a scalable and secure entry point for fast delivery of your global web applications leveraging the Microsoft global edge network.

True or False: Azure Application Gateway provides Web Application Firewall (WAF) functionality.

  • Answer: True

Azure Application Gateway offers a Web Application Firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities.

To secure communications between Azure resources, which of the following features should be implemented?

  • A) Service tags
  • B) Just-In-Time VM Access
  • C) Azure Private Link
  • D) Bastion Host

Answer: C

Azure Private Link enables you to access Azure services (such as Azure SQL Database, Azure Storage, and Azure Cosmos DB) and your own services privately and securely within your VNet and on-premises network.

Interview Questions

What is Azure Virtual Network Security?

Azure Virtual Network Security is the protection of the Azure virtual network environment, including subnets, from external attacks.

What is a network security group (NSG)?

A network security group (NSG) contains security rules that control the traffic flowing in and out of a virtual network subnet or network interface.

How can you create a network security group (NSG) in Azure?

You can create a network security group (NSG) in Azure using the Azure portal, Azure PowerShell, Azure CLI, or Azure Resource Manager templates.

What is traffic filtering?

Traffic filtering is the process of controlling network traffic using network security groups (NSGs) to block or allow traffic based on source, destination, and port.

How can you filter network traffic in Azure?

You can filter network traffic in Azure by creating network security groups (NSGs) and configuring rules to allow or block traffic.

What is virtual network peering?

Virtual network peering is the process of connecting two virtual networks in Azure to allow communication between them.

How can you enable virtual network peering?

You can enable virtual network peering in Azure by creating a peering connection between two virtual networks in the same region.
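The peering connection as Azure CLI calls, added here as an example that is not from the original notes. The resource group and the VNet names vnet-hub, vnet-spoke1 and vnet-spoke2 are assumptions. Two points the one-sentence answer leaves out: a peering is a pair of one-way links, one created from each VNet, and Azure reports it as Connected only once both exist; and peering is not transitive, so two spokes peered with the same hub cannot reach each other through it. On the NSG side, once VNets are peered the VirtualNetwork service tag, and with it the default AllowVnetInBound rule, covers the peer's address space, which is why an explicit deny on sensitive subnets still matters. Setting AZ=echo prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example (not from the original notes): hub-and-spoke VNet peering with
# the Azure CLI. The resource group and VNet names are assumptions.
# Set AZ=echo to print the commands instead of running them.
set -e
AZ="${AZ:-az}"
RG="${RG:-rg-peering}"
HUB="${HUB:-vnet-hub}"

# peer_pair A B: a peering is two one-way links, created from each side.
# --allow-vnet-access lets the remote VNet's address space reach this one;
# NSG rules on both sides still apply to the peered traffic.
peer_pair() {
  $AZ network vnet peering create -g "$RG" -n "$1-to-$2" --vnet-name "$1" --remote-vnet "$2" --allow-vnet-access
  $AZ network vnet peering create -g "$RG" -n "$2-to-$1" --vnet-name "$2" --remote-vnet "$1" --allow-vnet-access
}

# peering_state A B: prints Initiated (only one side exists so far),
# Connected, or Disconnected for the link from A to B.
peering_state() {
  $AZ network vnet peering show -g "$RG" --vnet-name "$1" -n "$1-to-$2" --query peeringState -o tsv
}

# build_hub_spoke SPOKE...: peer every spoke with the hub. Peering is not
# transitive: the spokes are reachable from the hub, but not from each other
# unless traffic is routed through a firewall or appliance in the hub and the
# spoke peerings additionally allow forwarded traffic.
build_hub_spoke() {
  for spoke in "$@"; do
    peer_pair "$HUB" "$spoke"
  done
}

# Deploy only when invoked as "sh peering.sh apply"; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
  build_hub_spoke vnet-spoke1 vnet-spoke2
  peering_state "$HUB" vnet-spoke1
fi
```

After `sh peering.sh apply`, `peering_state vnet-hub vnet-spoke1` should print Connected; a value of Initiated means the reverse link from the spoke is missing, and the VNets cannot exchange traffic until it is created.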

What is Azure Bastion?

Azure Bastion is a service that provides secure and seamless RDP/SSH connectivity to virtual machines directly from the Azure portal.

How can you set up Azure Bastion?

You can set up Azure Bastion by creating an Azure Bastion resource and assigning it to the virtual network where your virtual machines are located.
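The Bastion setup as Azure CLI calls, added here as an example that is not from the original notes, together with the NSG change that makes Bastion worthwhile: allowing RDP and SSH into the VM subnet only from the Bastion subnet. The resource group, VNet name, region and the 10.0.255.0/26 prefix are assumptions. The constraints it encodes are real: the subnet must be named AzureBastionSubnet and be at least a /26, and the Bastion host needs a Standard-SKU static public IP while the VMs themselves need none. Setting AZ=echo prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example (not from the original notes): deploying Azure Bastion with the
# Azure CLI and restricting RDP/SSH on the VM subnet to the Bastion subnet.
# Names, region and address prefixes are assumptions for this example.
# Set AZ=echo to print the commands instead of running them.
set -e
AZ="${AZ:-az}"
RG="${RG:-rg-bastion}"
VNET="${VNET:-vnet-app}"
LOCATION="${LOCATION:-westeurope}"
# Bastion requires a subnet literally named AzureBastionSubnet of at least /26.
BASTION_SUBNET="AzureBastionSubnet"
BASTION_PREFIX="10.0.255.0/26"

# bastion_prefix_ok: true when the prefix length is 26 or shorter (a /27 would be rejected).
bastion_prefix_ok() {
  [ "${BASTION_PREFIX##*/}" -le 26 ]
}

create_bastion() {
  bastion_prefix_ok
  $AZ network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$BASTION_SUBNET" --address-prefix "$BASTION_PREFIX"
  # The Bastion host gets the only public IP; the VMs it fronts keep none.
  $AZ network public-ip create -g "$RG" -n pip-bastion --sku Standard --allocation-method Static --location "$LOCATION"
  $AZ network bastion create -g "$RG" -n bas-app --vnet-name "$VNET" --public-ip-address pip-bastion --location "$LOCATION"
}

# restrict_admin_ports NSG: allow 22/3389 only from AzureBastionSubnet, then deny
# those ports from everywhere else. Without the deny, Azure's default
# AllowVnetInBound rule would still admit RDP/SSH from any address in the VNet.
restrict_admin_ports() {
  $AZ network nsg rule create -g "$RG" --nsg-name "$1" -n Allow-Bastion-Admin --priority 100 \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$BASTION_PREFIX" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges 22 3389
  $AZ network nsg rule create -g "$RG" --nsg-name "$1" -n Deny-Admin-Other --priority 110 \
    --direction Inbound --access Deny --protocol Tcp \
    --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges 22 3389
}

# Deploy only when invoked as "sh bastion.sh apply"; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
  create_bastion
  restrict_admin_ports nsg-app
fi
```

Run `sh bastion.sh apply` against an existing VNet and an NSG named nsg-app (both assumptions); the Allow rule at priority 100 is evaluated before the Deny at 110, so administrators reach the VMs through the portal-based Bastion session while direct RDP/SSH from any other source, inside or outside the VNet, is refused.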

What are application security groups (ASGs)?

Application security groups (ASGs) are used to simplify network security management by allowing you to group virtual machines and apply network security policies to them as a group.

How can you create an application security group (ASG)?

You can create an application security group (ASG) in Azure using the Azure portal, Azure PowerShell, Azure CLI, or Azure Resource Manager templates.

What are some best practices for securing virtual networks in Azure?

Some best practices for securing virtual networks in Azure include using network security groups (NSGs) to control traffic, implementing virtual network peering for communication between virtual networks, using Azure Bastion for remote connectivity, and regularly reviewing and updating network security policies.

How can you manage network security in Azure?

You can manage network security in Azure using the Azure portal, Azure PowerShell, Azure CLI, or Azure Resource Manager templates to create and configure network security groups (NSGs), peering connections, and application security groups (ASGs).

How can you monitor network traffic in Azure?

You can monitor network traffic in Azure using Azure Monitor and Azure Network Watcher to gain visibility into network traffic and troubleshoot network issues.

What are some common network security threats in Azure?

Common network security threats in Azure include DDoS attacks, network scanning and port scanning, phishing attacks, and malware attacks.

Luke Li
1 year ago

When securing virtual networks, using NSGs is crucial. They allow you to control inbound and outbound traffic.

Carl Pedersen
1 year ago

Can someone explain the role of ASGs in securing virtual networks?

Julio César Villareal

Do ASGs replace NSGs or do they work together?

Chloe Boyd
2 years ago

I appreciate this blog post!

Chloe Brar
1 year ago

Is it better to use Azure Firewall or NSGs for VNet security?

Thea Thomsen
1 year ago

Thanks for this informative post!

Kirk Stephens
1 year ago

When configuring VPN Gateway, don’t forget to select the right SKU; performance might differ drastically.

Dhruv Sullad
9 months ago

Is using DDoS protection necessary for small businesses?
