Securing your cloud perimeter with Azure Network Security
Microsoft Ignite session BRK3185
Zero Trust Architecture
Pillars: Identities, Devices, Apps, Data, Infrastructure, Network
Cross-cutting capabilities: Security Policy Enforcement, Visibility and Analytics, Automation
[Figure: Zero Trust architecture diagram with three numbered callouts; source: https://www.Microsoft.com/en-us/security/]
Zero Trust Networking Maturity Model
[Figure: maturity model diagram built on the same pillars (Data, Apps, Infrastructure, Network) and cross-cutting capabilities (Security Policy Enforcement, Visibility and Analytics, Automation); only the axis labels survived extraction]
Azure Network Security
• Segment: prevent lateral movement and data exfiltration
• Protect: secure the network with threat intelligence
• Connect: embrace distributed connectivity
• Deploy securely across the DevOps process
Achieving Zero Trust with Azure Networking
Cloud-Native Network Security Services + Networking Partner Solutions = Defense-in-Depth
Software Defined Network (SDN) building blocks:
• Virtual Networks
• Network Security Groups
• User Defined Routes
• Load Balancer
• Azure Firewall
• Azure DDoS Protection
• Azure Web Application Firewall
• Azure Private Link
Network Segmentation
Segmentation boundaries available in Azure: Subscription, Virtual Network, Network Security Group, Azure Firewall, Web Application Firewall

Multi-level Segmentation
Controls that can be layered:
• Subscriptions
• Virtual Network (VNet Peering, Virtual WAN, VPN Gateway)
• Network Security Group
• Azure Firewall
• Rules expressed as Application Security Group or FQDN or Service Tag
• Kubernetes Services and the Container Networking Interface
• Web Application Firewall
• Private Link

Azure Firewall Manager
Central network security policy and route management for globally distributed, software-defined perimeters
• Central deployment and configuration
• Automated routing
• Advanced security with 3rd party SECaaS
• [Roadmap] Split routing
PREVIEW
[Figure: secured hub diagram showing 3rd party SECaaS integrations]
Labs @ Microsoft (Microsoft Core Services Engineering)
[Figure: hub-and-spoke lab network. A Central VNet hosts the cloud-native firewall enforcing L3 - L7 connectivity policies, plus a Gateway VNet towards Corpnet and CSEO infrastructure; Spoke 1 (subnet 10.1.0.0/27) and Spoke 2 (subnet 10.2.0.0/27) are attached by VNet Peering; a Customer VNet (subnet 10.3.0.0/25), the Internet and Public Azure are also shown]

Connectivity policies

  Source         Destination    Ports/Protocols
  LAB            Internet       HTTP 80, HTTPS 443, KMS 1688
  Internet       LAB            Not available

  Source         Destination    Ports/Protocols
  LAB            Azure Public   HTTP 80, HTTPS 443, KMS 1688
  Azure Public   LAB            Not available

  Source         Destination    Ports/Protocols
  LAB            "CorpNet"      HTTPS 443, HTTP 80, RDP, SSH, WinRM, 445, ICMP
  "CorpNet"      LAB            HTTPS 443, HTTP 80, RDP, SSH, WinRM, 445, ICMP

Goals
• Migrate hundreds of labs to the cloud
• Network segmentation (from Corpnet and from each other)
• Enable engineering agility and time to market
Solution
• Leverage cloud-native services
• Scalable infrastructure
• Central edge controls
Learnings
• Scalability improved
• Performance improved (no forced tunnelling)
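The lab policy above is exactly the kind of table that ends up as Network Security Group rules on the lab subnets. The following added example (not code from the deck or from Microsoft) models how NSG rules are evaluated: ascending priority, first match wins, and the platform default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500 and their outbound counterparts) always come last. It encodes the LAB / Internet / CorpNet rows as rules and checks sample flows against them. The lab and corpnet address ranges, the "CorpNet" tag (not a real Azure Service Tag) and the simplified "Internet" and "VirtualNetwork" expansions are constructed assumptions.

```python
"""Model of Azure NSG rule evaluation, applied to the lab connectivity policy.

Added example; not code from the BRK3185 deck. Rules are evaluated in
ascending priority (lowest number first), the first match decides, and the
platform default rules always sit last. Address ranges and tag contents
below are constructed assumptions, not Azure's real Service Tag data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAB_VNET = ip_network("10.1.0.0/16")           # assumed lab address space
# "CorpNet" is not a real Azure Service Tag; in production this would be an
# address-prefix list or IP Group holding the on-premises ranges.
TAGS = {
    "VirtualNetwork": [LAB_VNET],              # real tag also covers peered/on-prem routes
    "CorpNet": [ip_network("10.200.0.0/16")],  # assumed corpnet range
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
}


def addr_matches(spec: str, ip: str) -> bool:
    """Match an address against '*', a CIDR, or one of the modelled tags."""
    addr = ip_address(ip)
    if spec == "*":
        return True
    if spec == "Internet":                     # simplification: any non-private address
        return not addr.is_private
    if spec in TAGS:
        return any(addr in net for net in TAGS[spec])
    return addr in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Match '*', a single port, a range 'a-b', or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str      # "Inbound" | "Outbound"
    access: str         # "Allow" | "Deny"
    protocol: str       # "Tcp" | "Udp" | "Icmp" | "*"
    src: str
    src_ports: str
    dst: str
    dst_ports: str

    def matches(self, direction, proto, src, sport, dst, dport) -> bool:
        return (self.direction == direction
                and self.protocol in ("*", proto)
                and addr_matches(self.src, src) and addr_matches(self.dst, dst)
                and port_matches(self.src_ports, sport)
                and port_matches(self.dst_ports, dport))


# Platform default rules: always present, lowest precedence.
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

MGMT = "80,443,3389,22,5985-5986,445"   # HTTP, HTTPS, RDP, SSH, WinRM, SMB
# The slide's LAB <-> Internet / CorpNet policy as NSG rules on the lab subnet.
LAB_RULES = [
    Rule("AllowCorpNetMgmtIn", 100, "Inbound", "Allow", "Tcp", "CorpNet", "*", "VirtualNetwork", MGMT),
    Rule("AllowCorpNetIcmpIn", 110, "Inbound", "Allow", "Icmp", "CorpNet", "*", "VirtualNetwork", "*"),
    Rule("AllowWebKmsOut", 100, "Outbound", "Allow", "Tcp", "VirtualNetwork", "*", "Internet", "80,443,1688"),
    Rule("AllowCorpNetMgmtOut", 110, "Outbound", "Allow", "Tcp", "VirtualNetwork", "*", "CorpNet", MGMT),
    Rule("AllowCorpNetIcmpOut", 120, "Outbound", "Allow", "Icmp", "VirtualNetwork", "*", "CorpNet", "*"),
    # Explicit deny so the default AllowInternetOutBound (65001) can never apply.
    Rule("DenyInternetOut", 4000, "Outbound", "Deny", "*", "*", "*", "Internet", "*"),
]


def evaluate(rules, direction, proto, src, dst, dport, sport=50000):
    """Return (rule name, access) of the first matching rule in priority order."""
    for rule in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if rule.matches(direction, proto, src, sport, dst, dport):
            return rule.name, rule.access
    raise AssertionError("unreachable: the DenyAll defaults match everything")


if __name__ == "__main__":
    # 1.2.3.4 stands in for an arbitrary public address (constructed).
    for flow in [("Inbound", "Tcp", "1.2.3.4", "10.1.0.4", 443),
                 ("Inbound", "Tcp", "10.200.1.10", "10.1.0.4", 3389),
                 ("Outbound", "Tcp", "10.1.0.4", "1.2.3.4", 25),
                 ("Outbound", "Udp", "10.1.0.4", "10.200.1.10", 53)]:
        print(flow, "->", evaluate(LAB_RULES, *flow))
```

Two details worth noticing: the "Internet -> LAB: Not available" row needs no explicit rule because DenyAllInBound (65500) already catches it, whereas the outbound side needs the explicit DenyInternetOut (4000), since the default AllowInternetOutBound (65001) would otherwise let any lab VM reach any Internet destination on any port.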
Azure Web Application Firewall
See also BRK3171 | 11/08 (9:15 - 10 AM) | Using Azure Web Application Firewall to protect your web applications and web APIs
Two deployment points, one WAF policy model:
• Azure Global WAF (Front Door): protect your apps at the network edge
• Azure Regional WAF (Application Gateway): protect your apps in Azure regions
• Uniform WAF policy across PaaS, IaaS, AKS, serverless and on-premises backends
• OWASP rules, bot management, custom rules, Microsoft threat intelligence
Bot management
• Protect apps against automated attacks
• Manage good/bad bots with the Azure BotManager RuleSet
Site and URI path specific WAF policies
• Customize WAF policies at the regional WAF for finer-grained protection at each host/listener or URI path level
• Geo filtering on the regional WAF
• Enhanced custom rule matching criteria
PREVIEW
Unified WAF policy: protect your apps at the network edge or in Azure regions
Cloud scale DDoS protection for Azure: Azure DDoS Protection Standard
[Figure: traffic from the Public Internet passes Azure DDoS Protection, then either the Azure WAF (inbound) or Azure Firewall in the Central VNET (inbound/outbound) before reaching the Spoke VNETs; Public IP 1 and Public IP 2 front Web Application 1 and Web Application 2, with the DDoS Protection Standard adaptive tuning engine in the Azure global network]
1. Azure global network
2. Adaptive tuning
3. Attack analytics and metrics
4. DDoS Rapid Response (DRR)
5. SLA guarantee and cost protection
New Partner WAF-as-a-Service Offerings in Azure
• Web application security, simplified
• All the advanced WAF functionality with the ease of SaaS, deployed in minutes
• Advanced security stack with bot manager, analytics and threat detection
• Application-specific rule sets with positive/negative rules and auto policy generation
• Leverages the scale and reach of Azure
• Defended against DDoS attacks by Azure DDoS Protection Standard
• Consumption-based pricing model, available on Azure Marketplace
Azure Networking Connectivity: transforming your network approach
[Figure: Azure alongside other clouds, Business SaaS and Consumer SaaS]

Azure Virtual WAN
Provides optimized and automated branch connectivity to, and through, Azure
[Figure: Virtual WAN hubs in Region 1, Region 2 and Region 3 connecting VNets, a Datacenter and Corp HQ over ExpressRoute, four branches, and remote users over Point-to-site VPN]
GA
• ExpressRoute integration
• Point-to-site VPN integration
• Path selection from branch
PREVIEW
• Hub/any-to-any connectivity
• Azure Firewall integration
Azure Firewall Manager: extend your security edge to Azure (PREVIEW)
[Figure: HQ/branch sites and the datacenter connect over Virtual WAN to secured virtual hubs (secured vHub), each running Azure Firewall in front of VNets and PaaS; on-premises sites keep direct Internet breakout for O365; Other PaaS, Business SaaS and Consumer SaaS are reached through the hubs]
• Secure Internet access via Azure, based on IPs/FQDNs/Tags
• User-aware Internet access via 3rd party
• Multiple secured virtual hubs (secured vHub)
Securing your cloud transformation: Microsoft Azure Firewall Manager and Zscaler Internet Access
©2019 Zscaler, Inc. All rights reserved.
[Figure: Zscaler Internet Access attached to secured hubs in Azure Region 1 through Azure Region n]
"The Zscaler and Microsoft joint solution ensures best-in-class internet/web security and low-latency performance to empower enterprise users and applications to securely access any internet destination."
Dhawal Sharma, Sr. Director Product Management, Zscaler

Check Point CloudGuard Connect
Quantum Computing Private Network (Microsoft Core Services Engineering)
Need: quickly create an isolated network for collaboration between Microsoft employees embedded at universities around the world.
Solution: Azure Virtual WAN, Azure Firewall, Azure VPN. Full deployment in less than a day.
[Figure: a Virtual WAN hub with Azure Firewall in Azure connects the VNets, University S1, University S2 and University S3 sites, a 3rd party site behind a VPN appliance, and remote users]
Azure Private Link
Highly secure and private connectivity solution for the Azure platform
[Figure: a private endpoint (10.0.0.5) in Virtual Network 10.0.0.0/16 reaches Storage, SQL and SQL DW while Internet access is denied; on-premises clients reach the same endpoint through the ER Gateway over ExpressRoute private peering; a Private Link Service exposes customer-owned services alongside Azure PaaS and marketplace services]
• Private access from Virtual Network resources, peered networks and on-premises networks
• In-built data exfiltration protection
• Predictable private IP addresses for PaaS resources
• Unified experience across PaaS, customer-owned and marketplace services
See also BRK3168 | 11/07 (9:15 - 10 AM) | Delivering services privately in your VNet with Azure Private Link
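The private endpoint only does its job if DNS steers clients to it. For a storage account, Azure's public zone returns a CNAME from the account name to its privatelink subdomain, and a private DNS zone linked to the VNet must answer that privatelink name with the endpoint's private IP; if the zone is missing or not linked, the name falls through to the public endpoint and traffic silently bypasses Private Link. The following added example (not code from the deck or from Microsoft) follows such a CNAME chain from a constructed resolver view and flags names that do not land inside the slide's 10.0.0.0/16 VNet. The zone contents, the account names contoso and fabrikam, the intermediate store name and the public address are constructed.

```python
"""Check that PaaS names resolve through Private Link to an address inside the VNet.

Added example; not code from the BRK3185 deck. ZONE models what a resolver
inside the VNet returns; every record in it is constructed for this example.
"""
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")   # the slide's example VNet

ZONE = {
    # Correctly wired: the linked private DNS zone answers with the endpoint IP.
    "contoso.blob.core.windows.net": ("CNAME", "contoso.privatelink.blob.core.windows.net"),
    "contoso.privatelink.blob.core.windows.net": ("A", "10.0.0.5"),
    # Misconfigured: no private zone, so the chain continues to the public endpoint.
    "fabrikam.blob.core.windows.net": ("CNAME", "fabrikam.privatelink.blob.core.windows.net"),
    "fabrikam.privatelink.blob.core.windows.net": ("CNAME", "blob.region.store.core.windows.net"),
    "blob.region.store.core.windows.net": ("A", "52.0.0.10"),   # constructed public address
}


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs to an A record; return (ip, chain of names visited)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone[name]                 # KeyError models NXDOMAIN
        if rtype == "A":
            return value, chain
        name = value
        chain.append(name)
    raise RuntimeError(f"CNAME chain too long starting at {chain[0]}")


def check_private_path(fqdn, zone=ZONE, vnet=VNET):
    """Report whether fqdn lands on a private endpoint address inside vnet."""
    ip, chain = resolve(fqdn, zone)
    return {
        "fqdn": fqdn,
        "ip": ip,
        "via_privatelink": any(".privatelink." in n for n in chain),
        "private": ip_address(ip) in vnet,
    }


def audit(fqdns, zone=ZONE, vnet=VNET):
    """Return the names that would bypass Private Link (resolve to a public IP)."""
    results = (check_private_path(f, zone, vnet) for f in fqdns)
    return [r["fqdn"] for r in results if not r["private"]]


if __name__ == "__main__":
    for name in ("contoso.blob.core.windows.net", "fabrikam.blob.core.windows.net"):
        print(check_private_path(name))
    print("bypassing Private Link:", audit(["contoso.blob.core.windows.net",
                                             "fabrikam.blob.core.windows.net"]))
```

In a real VNet the same check is a lookup from a VM inside it (nslookup or dig on the account FQDN): the answer must end in the private endpoint's address, and a public address for a privatelink name is the symptom to chase before relying on "Deny Internet" rules.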
Azure Bastion (GA)
Secure and seamless RDP and SSH access to your virtual machines using zero trust
• RDP/SSH to your workload using an HTML5 standards-based web browser, directly in the Azure Portal
• Resources can be accessed without public IP addresses
• Supported Azure resources include VMs, VM Scale Sets and Dev-Test Labs
• No agent required
[Figure: the browser reaches the Azure Portal over TLS (SSL) on port 443 from the Internet; Azure Bastion, deployed in the "AzureBastionSubnet" of the customer's virtual network, opens the remote protocol session (RDP 3389 / SSH 22) to the private IPs of the target VMs in their own subnet(s)]
Azure Bastion Demo
How it all works together
[Figure: a Hub VNET in Azure holds Azure Firewall, the Azure Regional WAF and Azure DDoS protection on the inbound and inbound/outbound paths from the Public Internet, with the Azure Global WAF at the edge in front of it; the on-premises data center, branch offices and mobile workers connect through ExpressRoute, VPN Gateway and Virtual WAN; IaaS/PaaS Spoke VNETs host apps on IaaS and apps on PaaS]
• PRIVATE PaaS: IaaS/PaaS Spoke VNET = Network Security Group + Private Link to PaaS services
• PUBLIC PaaS: IaaS/PaaS Spoke VNET = Network Security Group + Service Endpoints to public PaaS services
Key takeaways

Please evaluate this session. Your feedback is important to us!
https://aka.ms/ignite.mobileapp
https://myignite.techcommunity.microsoft.com/evaluations
Find this session in Microsoft Tech Community