Overview of Azure Network Security
In this overview we cover the main areas of Azure network security: Azure networking, network access control, Azure Firewall, secure remote access and cross-premises connectivity, and availability.
What is Network Security?
Network security refers to the process of protecting resources from unauthorized access or attack by applying controls to network traffic. The aim is to ensure that only legitimate traffic is allowed through. Azure provides a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between:
- Resources located in Azure
- On-premises and Azure-hosted resources
- To and from the internet and Azure.
Areas of Network Security
1. Azure Networking
- Azure requires virtual machines to be connected to an Azure Virtual Network.
- A virtual network is a logical construct built on top of the physical Azure network fabric. Each virtual network is isolated from all other virtual networks, which ensures that network traffic in your deployments is not visible to other Azure customers.
2. Network access control
- Network access control limits connectivity to and from specific devices or subnets within a virtual network. Its goal is to restrict access to your virtual machines and services to approved users and devices.
- These access controls are based on decisions to allow or deny connections to and from your virtual machine or service.
Types of network access control:
1. Network layer control
Any secure deployment needs some level of network access control. Its purpose is to limit virtual machine connectivity to only the systems that are required. This includes:
Network security groups (NSGs)
Network security groups are used for basic network-level access control (based on IP address and the TCP or UDP protocols). They are basic, stateful, packet-filtering firewalls that let you control access based on a 5-tuple. NSGs also include features that simplify management and reduce the chance of configuration mistakes:
- Firstly, augmented security rules simplify NSG rule definition and let you create a single complex rule instead of multiple simple rules that achieve the same result.
- Secondly, service tags are Microsoft-created labels that represent a group of IP addresses. They are updated dynamically to include the IP ranges that meet the conditions defining inclusion in the label.
- Lastly, application security groups let you deploy resources into application groups and control access to those resources by creating rules that reference those groups.
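To make the evaluation order concrete, here is an added example (written for this page, not code from Microsoft or from the original article) that models how an NSG decides the fate of an inbound packet: rules are processed from the lowest priority number upward, the first match wins, and three non-deletable default inbound rules sit at priorities 65000, 65001 and 65500. The 5-tuple is source address, source port, destination address, destination port and protocol. The VNet range, the ASG membership and the service-tag expansion are constructed sample data; a real NSG resolves service tags from Microsoft-published address ranges, and the `Internet` tag is simplified here to "anything outside the VNet".

```python
"""Model of Azure NSG inbound rule evaluation over a 5-tuple.

Added example, not code from the page or from Microsoft. The VNet range, ASG
membership and service-tag expansion below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")            # constructed sample VNet address space
AZURE_LB = ip_network("168.63.129.16/32")   # Azure load-balancer health-probe source

# Application security groups: name -> member private IPs (constructed sample)
ASGS = {
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                  # user rules 100-4096; lower number is evaluated first
    access: str                    # "Allow" or "Deny"
    protocol: str = "*"            # "Tcp", "Udp", "Icmp" or "*"
    sources: tuple = ("*",)        # CIDRs, service tags or ASG names
    src_ports: tuple = ("*",)
    dests: tuple = ("*",)
    dst_ports: tuple = ("*",)      # augmented rule: several ports/ranges in one rule


# Default inbound rules Azure attaches to every NSG; a user rule with a lower
# priority number is the only way to override them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", sources=("VirtualNetwork",), dests=("VirtualNetwork",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", sources=("AzureLoadBalancer",)),
    Rule("DenyAllInBound", 65500, "Deny"),
]


def addr_matches(field, addr):
    """True if addr is covered by any CIDR, service tag or ASG listed in the field."""
    a = ip_address(addr)
    for v in field:
        if v == "*":
            return True
        if v == "Internet":                 # simplified: everything outside the VNet
            hit = a not in VNET
        elif v == "VirtualNetwork":
            hit = a in VNET
        elif v == "AzureLoadBalancer":
            hit = a in AZURE_LB
        elif v in ASGS:
            hit = addr in ASGS[v]
        else:
            hit = a in ip_network(v, strict=False)
        if hit:
            return True
    return False


def port_matches(field, port):
    """True if port falls in any entry of the field ('*', '443' or '8000-8100')."""
    for v in field:
        if v == "*":
            return True
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(user_rules, src_ip, src_port, dst_ip, dst_port, proto):
    """Return (rule name, access) of the first rule matching the 5-tuple, in priority order."""
    for r in sorted(list(user_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != proto:
            continue
        if (addr_matches(r.sources, src_ip) and port_matches(r.src_ports, src_port)
                and addr_matches(r.dests, dst_ip) and port_matches(r.dst_ports, dst_port)):
            return r.name, r.access
    raise RuntimeError("DenyAllInBound always matches; unreachable")


# Constructed sample rule set for a two-tier application.
USER_RULES = [
    # One augmented rule (two ports, one ASG) instead of several simple rules.
    Rule("allow-web-from-internet", 100, "Allow", "Tcp",
         sources=("Internet",), dests=("asg-web",), dst_ports=("80", "443")),
    # Only the web tier may reach the database tier; every other VNet source is
    # denied, which overrides the AllowVnetInBound default at 65000.
    Rule("allow-web-to-db", 110, "Allow", "Tcp",
         sources=("asg-web",), dests=("asg-db",), dst_ports=("1433",)),
    Rule("deny-vnet-to-db", 120, "Deny", sources=("VirtualNetwork",), dests=("asg-db",)),
]

if __name__ == "__main__":
    for pkt in [("203.0.113.9", 51000, "10.0.1.4", 443, "Tcp"),
                ("203.0.113.9", 51001, "10.0.1.4", 3389, "Tcp"),
                ("10.0.1.4", 40000, "10.0.2.4", 1433, "Tcp"),
                ("10.0.3.7", 40001, "10.0.2.4", 1433, "Tcp"),
                ("168.63.129.16", 40002, "10.0.2.4", 1433, "Tcp")]:
        print(pkt, "->", evaluate(USER_RULES, *pkt))
```

Two points worth noticing when you run it: RDP from the internet to the web tier is stopped by `DenyAllInBound` because no user rule opens port 3389, and the load-balancer health probe still reaches the database tier despite `deny-vnet-to-db`, because the probe source is outside the `VirtualNetwork` tag and the `AllowAzureLoadBalancerInBound` default applies.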
Route control and forced tunneling
- The ability to control routing behavior on your virtual networks is critical. If routing is configured incorrectly, applications and services hosted on your virtual machines might connect to unauthorized devices,
- including systems owned and operated by potential attackers. Azure networking lets you customize the routing behavior for network traffic on your virtual networks by altering the default routing table entries.
- Controlling routing behavior lets you ensure that all traffic from a certain device or group of devices enters or leaves your virtual network through a specific location; forced tunneling, for example, sends all internet-bound traffic back through a single inspection point instead of directly out to the internet.
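The following added example (written for this page, not code from Microsoft or from the original article) models how Azure picks the route for a packet leaving a subnet: the most specific (longest) matching prefix wins, and when a user-defined route shares a prefix with a system route the user-defined route takes precedence. It also includes a small audit that flags the two misconfigurations the paragraph warns about: an appliance next hop that points outside the VNet, and a default route that still sends internet-bound traffic straight out. The address space, next-hop addresses and the audit policy are constructed sample values, not Azure defaults.

```python
"""Model of how Azure selects the route for traffic leaving a subnet.

Added example, not code from the page or from Microsoft. The VNet address space,
next-hop addresses and the audit policy are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

VNET = ip_network("10.0.0.0/16")   # constructed sample VNet address space


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str                 # VirtualNetwork, Internet, VirtualAppliance, VirtualNetworkGateway, None
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    source: str = "User"               # "User" (UDR), "BGP" or "Default" (system route)


# System routes Azure creates for the sample VNet (constructed).
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", source="Default"),
    Route("0.0.0.0/0", "Internet", source="Default"),
]

# Tie-break order when several matching routes share the same prefix length.
PRECEDENCE = {"User": 0, "BGP": 1, "Default": 2}


def select_route(dest_ip: str, user_routes: List[Route], system_routes=SYSTEM_ROUTES) -> Route:
    """Return the route used for dest_ip: longest prefix first, then source precedence."""
    a = ip_address(dest_ip)
    candidates = [r for r in list(user_routes) + list(system_routes)
                  if a in ip_network(r.prefix, strict=False)]
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix, strict=False).prefixlen, PRECEDENCE[r.source]))


def audit_routes(user_routes: List[Route]) -> List[str]:
    """Flag user-defined routes that would send traffic somewhere unexpected.

    Constructed policy, not an Azure rule: a VirtualAppliance next hop must be an
    address inside the VNet, and if no user route overrides 0.0.0.0/0 the system
    route still sends internet-bound traffic directly out (no forced tunneling).
    """
    findings = []
    for r in user_routes:
        if r.next_hop_type == "VirtualAppliance":
            if r.next_hop_ip is None or ip_address(r.next_hop_ip) not in VNET:
                findings.append(f"{r.prefix}: appliance next hop {r.next_hop_ip} is outside the VNet")
    if not any(r.prefix == "0.0.0.0/0" for r in user_routes):
        findings.append("0.0.0.0/0: no user route; internet-bound traffic egresses directly")
    return findings


# Forced tunneling: override the system default route so every internet-bound packet
# leaves through one inspection point (here an appliance at 10.0.1.4, constructed;
# a VirtualNetworkGateway next hop would send it on-premises instead).
FORCED_TUNNEL = [Route("0.0.0.0/0", "VirtualAppliance", "10.0.1.4")]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.2.5"):
        r = select_route(dst, FORCED_TUNNEL)
        print(dst, "->", r.next_hop_type, r.next_hop_ip or "")
    print(audit_routes([Route("0.0.0.0/0", "VirtualAppliance", "192.0.2.10")]))
```

Note that the forced-tunnel route does not capture traffic to `10.0.2.5`: the system route for the VNet's own `10.0.0.0/16` is more specific than `0.0.0.0/0`, so intra-VNet traffic keeps flowing directly, which is exactly the longest-prefix behavior you rely on when you override only the default route.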
Virtual network security appliances
NSGs, user-defined routes (UDRs), and forced tunneling provide security at the network and transport layers of the OSI model, but you might want to enforce security at higher layers as well. Such requirements might include:
- Authentication and authorization before allowing access to your application
- Intrusion detection and intrusion response
- Application-layer inspection for high-level protocols and URL filtering
- Network-level antivirus and antimalware
- Anti-bot protection and application access control
- Additional DDoS protection
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Its features include:
- High availability
- Cloud scalability
- Application FQDN filtering rules
- Network traffic filtering rules
Secure remote access and cross-premises connectivity
Azure resources are set up, configured, and managed remotely. You might also deploy hybrid IT solutions with components both on-premises and in the Azure public cloud. Both scenarios require secure remote access.
Scenarios for securing remote access
Connecting individual workstations to a virtual network
You might want to allow individual developers or operations staff to manage virtual machines and services in Azure, but your security policy does not permit RDP or SSH access to individual virtual machines over the internet. In that case you can use a point-to-site VPN connection, which sets up a private and secure connection between the user and the virtual network. Once the VPN connection is established, the user can RDP or SSH over the VPN link into any virtual machine on the virtual network. A point-to-site VPN supports:
- Firstly, Secure Socket Tunneling Protocol (SSTP), a proprietary SSL-based VPN protocol. An SSL VPN solution can traverse firewalls, since most firewalls allow TCP port 443, which TLS/SSL uses. SSTP is only supported on Windows devices; Azure supports all versions of Windows that have SSTP (Windows 7 and later).
- Secondly, IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OS X 10.11 and above).
Connecting your on-premises network to a virtual network with a VPN
This option connects your entire corporate network, or portions of it, to a virtual network. It is common in hybrid IT scenarios, where organizations extend their on-premises data center into Azure; in many cases organizations host parts of a service in Azure and parts on-premises. These cross-premises connections also make the management of Azure-hosted resources more secure, and they enable scenarios such as extending Active Directory domain controllers into Azure. To accomplish this you can use a site-to-site VPN.
The difference between a site-to-site VPN and a point-to-site VPN is that the latter connects a single device to a virtual network, whereas a site-to-site VPN connects an entire network to a virtual network.
Connecting your on-premises network to a virtual network with a dedicated WAN link
Point-to-site and site-to-site VPN connections are effective for enabling cross-premises connectivity. However, some organizations consider them to have the following drawbacks:
- Firstly, VPN connections move data over the internet, which exposes them to the potential security issues involved with moving data over a public network. In addition, the reliability and availability of internet connections cannot be guaranteed.
- Secondly, VPN connections to virtual networks might not have the bandwidth needed for some applications and purposes, as they max out at around 200 Mbps.
Organizations that require the highest level of security and availability for their cross-premises connections typically use dedicated WAN links to connect to remote sites. Azure lets you use a dedicated WAN link to connect on-premises networks to a virtual network.
Connecting virtual networks to each other
You might use many virtual networks in your deployments, for example to simplify management or to increase security. Once resources are placed on different virtual networks, there may be times when you want resources on each of the networks to connect with one another.
- The first option is for services on one virtual network to connect to services on another virtual network by "looping back" through the internet: the connection starts on one virtual network, goes out through the internet, and comes back in to the destination virtual network. This option exposes the connection to the security issues inherent in any internet-based communication.
- Another option is to create a site-to-site VPN between the two virtual networks. This method uses the same IPsec tunnel mode protocol as the cross-premises site-to-site VPN connection.
Reference: Microsoft Documentation