In this session, attendees will learn about the network control plane in Azure and how to secure both Infrastructure-as-a-Service and Platform-as-a-Service components of Azure.

2. Scott Hoag
Principal Cloud Solutions Architect
Opsgility
@ciphertxt
https://psconfig.com
https://about.me/scotth

3. Cloud Security
Network Security

4. Cloud security is a shared responsibility
Securing and managing the cloud foundation
SHARED RESPONSIBILITYMICROSOFT’S COMMITMENT
Physical assets
Datacenter operations
Cloud infrastructure
Securing and managing your cloud resources
Virtual machines, networks
& services
Applications
Data
VARIES ACROSS IAAS, PAAS, SAAS

5. Protecting cloud workloads includes virtual
machines and more

6. Effective
workload
protection
strategies target
unique
requirements of
modern, hybrid
cloud
6

7. Key challenges for protecting workloads

8. Understand Cloud Data Types
Data at
Rest
Data in
Transit
Data in
Use
Data in
Production
Data not in
Production
information storage
objects, containers,
and types that exist
statically on
physical media, be
it magnetic or
optical disk.
When data is being
transferred between
components, locations or
programs, such as over
the network, across a
service bus (from on-
premises to cloud and
vice-versa
Information being acted
upon in some way by the
host or guest during a
process, such as real-
time database queries
running in active memory
(as opposed to a page file
sent out to disk),
Data in some form of
storage, e.g. Azure
SQL Database, and
compute processes
that need to access
that storage during
production
operations.
Data in some form of
storage, e.g. a Virtual
Hard Disk (VHD), but
that VHD is not in
production use. For
example, it may be
part of an upgrade
operation

9. Metadata and The Cloud
Cloud metadata as well as
standard file metadata
Tenant metadata may also include
the performance, configuration,
operations, and billing data that is
part of each cloud workload or
tenant account
Information can also include
security, log & performance
information

10. Network security

11. Security patterns for applications
& new announcements
Virtual Network integration for Azure
services
VNET Service Endpoints
Service Tags
Application Security Groups
DDoS Protection
Web Application Firewall
NSG Augmented Rules
NSG Data Plane Log Analytics
Virtual Appliances

12. Azure Networking Hyperscale
One of the largest networks in the world
Geographic Reach and
Internet Ecosystem
50+ Azure Regions
National Clouds
Backbone in 100+ iXP
8000+ sessions with ISPs
ExpressRoute in
48+ locations
Virtual
Networks
Security
Performance
Load
Balancing
Cross-
premises
connectivity
Software-
defined
WAN
Optical
networks
Long-haul
optical
network
Advanced
MPLS
services
Internet Exchange Provider

13. Moving workloads to Azure
On-Premises
✓ Same controls as on-premises
✓ Virtual Networks: Private isolation boundary
✓ Directly extend on-premises to Azure
Azure Virtual Network

14. Software-defined networking (SDN)
Physical
Transport
Plane
Control
Plane
App
Plane
Azure
Host (Switch)
Controller
Azure
Resource
Manager
Management
Plane
Control
Plane
Proprietary
Hardware
Appliance
Building secure applications with Scale and Agility
Commodity
Hardware
Tell & Program
Instead of Discover and react
Programmable, dynamic network
controls
Data Plane

15. Backend
Connectivity
ExpressRoute
VPN Gateways
Point-to-site for dev / test
VPN Gateways for secure site-to-site connectivity
ExpressRoute for private enterprise grade connectivity
Users
Internet
Public IP addresses
DDoS protection
ACLs for security
Load balancing
DNS services
Traffic management
Virtual Network
BackEndMid-tierFrontEnd

16. Security for Virtual
Network traffic

17. Security within Virtual Network
• Network Security Groups (NSGs) for Layer 3
and Layer 4 filtering
• Eases IP management for VNet firewall rules
• VIRTUAL_NETWORK tag includes IPs for:
• Virtual network
• All connected, peered networks
• On-premises
Azure Virtual Network
PEER

19. Security for Internet-
facing
applications

20. Securing Internet-facing applications

21. Azure DDoS Protection Standard
Basic Standard
➢ Automatic mitigation for attacks
➢ Advanced protection for your virtual networks

22. Improved Auditing & Metrics

23. Network Virtual Appliances
Integrated with Azure Marketplace
Consistency between on premises &
Azure
Audit/filter traffic to/from VNet
Re-direct traffic flow with custom routes

24. Security for access to Azure
services

25. Infrastructure Services
Platform Services

26. Accessing Azure services
Azure service IP addresses are
public IPs
Firewalls open to “Internet”
IPs reachable from anywhere.
Malicious insiders may exploit!
Azure Services
Public IPs
Firewall: Allow
“Internet” outbound
NSG: Allow “Internet” outbound
Access from
Anywhere!
On-premises
Virtual Network
Malicious Insider
Private connectivity for services: Critical for network security

27. ✓ Services in your VNet, managed by
Azure!
✓ Private IPs for service resources
✓ On-premises through Site-to-Site or ER
private peering
Deploy Azure services into VNet
DEPLOY
Azure Portal :
Service workflow
ASE Subnet
Virtual Network
ILB
On-premises
Firewall- Outbound:
Allow Azure VNet
HDI Subnet
NSG
NSG
ILB
Azure
Services
HDInsight App Service Env Batch APIM RedisCache AD DS

28. VNet Service Endpoints
Directly extends your VNet to the service
Secure your critical Azure resources to only your VNet
Traffic remains on the Microsoft backbone
In Preview : Azure Storage, Azure SQL Database, SQL DW
Allow VNet A
AccountA
Azure Storage
Vnet A

29. Service Endpoints : Configuration
Simple-click setup on an Azure
subnet
No NAT or GW devices!
Network admins can set
independently

30. Securing Azure resources to VNets

31. Service Endpoints: Routes
VNet-to-Service traffic always stays
on the Microsoft network backbone
Effective routes: Shows as a “Default
route”
On-premises

32. VNet Service Endpoints : Deep-Dive
Private IP: 10.0.0.6
Public IP1
Subnet 1
Azure Storage
Source: VM private IP (10.0.0.6)
Storage Diagnostics
SrcIP: 10.0.0.6,
AcctA:GetBlob
SrcIP: 10.0.0.6,
AcctB:PutBlob
Endpoints:
• Carry VNet identity to the service
• Source IPs switch to private VNet IPs
Service IPs and DNS entries remain as-
is today
Enable service endpoint once. Secure
resources as and when you want.
VNet1

33. Access from on-premises
On-premises
Allow VNet A
Allow Onprem:
NATIPs
AccountAVNetA
ExpressRoute Public Peering
or the Internet
Internet

34. Service Tags in NSGs
Restrict network access to just the
Azure services you use.
Maintenance of IP addresses for
each tag provided by Azure
Support for global and regional
tags (varies by service)
Network Security Group (NSG)
Actio
n
Name Source Destination Port
Allow AllowStorage VirtualNetwork Storage Any
Allow AllowSQL VirtualNetwork Sql.EastUS Any
Deny DenyAllOutBound Any Any Any
Azure Services
Internet
Allow only Azure
service traffic
Deny Internet
outbound
Preview: Azure Storage, SQL, TrafficManager

35. Service Endpoints:
Filter service traffic with appliances
Subnet 1 NVA Subnet
Allow NVA Subnet
SERVICE ENDPOINT
Route: 0/0->NVA
Filter: Allow
myacct*.blob.core.win
dows.net

36. Stitching Azure services together
SERVICE ENDPOINT
DEPLOY
HDI Subnet
Allow HDI subnet Internet
HDI Service
Allow only
Azure storage
traffic

37. Services in a Virtual Network
Azure Storage
Azure SQL Database
Azure SQL Data Warehouse
SQL DB Managed Instance
Azure Active Directory Domain Services for ARM
Azure Batch for ARM
Azure App Service V2
Azure API Management
Azure Batch for ASM VNets
HDInsight
Azure App Service V1
RedisCache
Deploy into Virtual Network VNet Service Endpoints

38. Network Security Takeaways
Azure capabilities enable you to:
Build more secure, dynamic workloads
Better management of security controls
Better integration of your VNets with Azure services

39. Cloud Security
Network Security

40. #jaxcloud @jaxcloudug
http://jaxug.cloud https://jaxcloudug.azurewebsites.net