Internal Use
Segmentation on Azure Platform
From principle to practice
A Good Segmentation
• Enables Operations – Minimizes operational friction by aligning to business practices and applications
• Contains Risk – Adds cost and friction to attackers by:
  • Isolating sensitive workloads from compromise of other assets
  • Isolating high exposure systems from being used as a pivot to other systems
• Monitored – Security Operations should monitor for potential violations of the integrity of the segments (account usage, unexpected traffic, etc.)
Segmentation Design Principle
• Split workstations from servers.
• Group by physical locations: campus/branch, on-premises data center/IaaS.
• Data center zones: separate non-production from production, development from QA, and databases/data stores from non-data stores.
• Group similar assets: IoT, OT, groups of applications (“application fencing”), databases, core services, corporate devices, guest devices and BYOD, untrusted or unknown devices.
• Split high-risk assets: compliance (PCI, critical infrastructure), risk assessment (high/medium/low), data categorization (highly confidential, internal).
• Align with authentication strategy: group unauthenticated public assets separately from authenticated private entities.
Azure segmentation options
Azure segmentation options: Subscription
Subscription: Subscriptions are a high-level construct which provides platform-powered separation between entities. They are intended to carve out boundaries between large organizations within a company. Communication between resources in different subscriptions needs to be explicitly provisioned.
Azure segmentation options: Virtual Network
Virtual Network: Virtual networks are created within a subscription in private address spaces. The networks provide network-level containment of resources, with no traffic allowed by default between any two virtual networks. Like subscriptions, any communication between virtual networks needs to be explicitly provisioned.
Azure segmentation options: Network Security Groups
Network Security Groups (NSG): NSGs are access control mechanisms for controlling traffic between resources within a virtual network. An NSG also controls traffic with external networks, such as the internet, other virtual networks, and so on. NSGs can take your segmentation strategy to a granular level by creating perimeters for a subnet, a group of VMs, or even a single virtual machine.
Azure segmentation options: Application Security Groups
Application Security Groups (ASGs): ASGs provide control mechanisms similar to NSGs but are referenced with an application context. An ASG allows you to group a set of VMs under an application tag. It can define traffic rules that are then applied to each of the underlying VMs.
Azure segmentation options: Azure Firewall
Azure Firewall: Azure Firewall is a cloud-native, stateful firewall as a service. It can be deployed in your virtual networks or in Azure Virtual WAN hub deployments to filter traffic that flows between cloud resources, the Internet, and on-premises networks. You create rules or policies (using Azure Firewall or Azure Firewall Manager) specifying allow/deny traffic using layer 3 to layer 7 controls. You can also filter traffic that goes to the internet using both Azure Firewall and third parties: direct some or all traffic through third-party security providers for advanced filtering and user protection.
Hub-spoke architecture
Hub-spoke network topology in Azure: Use cases
• Workloads deployed in different environments, such as development, testing, and production, that require shared services such as DNS, IDS, NTP, or AD DS. Shared services are placed in the hub virtual network, while each environment is deployed to a spoke to maintain isolation.
• Workloads that don't require connectivity to each other but require access to shared services.
• Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke.
Hub-spoke network topology in Azure: Architecture
• Hub virtual network: The hub virtual network is the central point of connectivity to your on-premises network. It's a place to host services that can be consumed by the different workloads hosted in the spoke virtual networks.
• Spoke virtual networks: Spoke virtual networks are used to isolate workloads in their own virtual networks, managed separately from other spokes. Each workload might include multiple tiers, with multiple subnets connected through Azure load balancers.
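The hub-spoke invariants this slide relies on (peerings must be provisioned explicitly, spokes are isolated from each other, shared services live in the hub) can be checked mechanically. The checker below is an added example, not code from the deck or from Microsoft: it models each VNet by name and address space together with the peerings that were explicitly provisioned, and reports overlapping address spaces, spokes not peered with the hub, and direct spoke-to-spoke peerings that would bypass the hub's controls. VNet names and address ranges are constructed for illustration.

```python
"""Hub-spoke topology checks (added example; not from the deck or from Microsoft).

Models each virtual network by name and address space, plus the peerings that
were explicitly provisioned between them, then checks the invariants the
hub-spoke design relies on:
  1. address spaces must not overlap (peering cannot be established otherwise);
  2. every spoke is peered, in both directions, with the hub;
  3. no spoke is peered directly with another spoke (peering is not transitive,
     so spoke-to-spoke traffic must be routed via the hub, where the shared
     firewall can inspect it).
VNet names and address ranges are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class VNet:
    name: str
    address_space: str
    peers: set[str] = field(default_factory=set)  # explicitly provisioned peerings


def peer(a: VNet, b: VNet) -> None:
    """A VNet peering is configured on both sides; model it as symmetric."""
    a.peers.add(b.name)
    b.peers.add(a.name)


def validate_hub_spoke(hub: VNet, spokes: list[VNet]) -> list[str]:
    """Return findings as strings; an empty list means the topology is clean."""
    findings: list[str] = []
    nets = {v.name: ipaddress.ip_network(v.address_space) for v in (hub, *spokes)}

    # 1. Overlapping address spaces: peering would be rejected, and any
    #    workaround (NAT, re-addressing) is a sign the plan was not followed.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"address space overlap: {a} {nets[a]} / {b} {nets[b]}")

    spoke_names = {s.name for s in spokes}
    for s in spokes:
        # 2. Spokes consume shared services (DNS, AD DS, ...) from the hub.
        if hub.name not in s.peers or s.name not in hub.peers:
            findings.append(f"{s.name} is not peered in both directions with hub {hub.name}")
        # 3. A direct spoke-to-spoke peering bypasses the hub's controls.
        for p in sorted(s.peers & spoke_names):
            if s.name < p:  # report each pair once
                findings.append(f"spoke-to-spoke peering bypasses the hub: {s.name} <-> {p}")
    return findings


def sample_topology() -> tuple[VNet, list[VNet]]:
    """Constructed topology with two deliberate mistakes for the checks to catch."""
    hub = VNet("hub-vnet", "10.0.0.0/16")
    dev = VNet("spoke-dev", "10.1.0.0/16")
    prod = VNet("spoke-prod", "10.2.0.0/16")
    legacy = VNet("spoke-legacy", "10.2.128.0/17")  # mistake: overlaps spoke-prod
    for spoke in (dev, prod, legacy):
        peer(hub, spoke)
    peer(dev, prod)  # mistake: direct spoke-to-spoke peering
    return hub, [dev, prod, legacy]


if __name__ == "__main__":
    hub, spokes = sample_topology()
    for finding in validate_hub_spoke(hub, spokes):
        print("FINDING:", finding)
```

Run against the constructed topology it reports the overlap between spoke-prod and spoke-legacy and the dev/prod peering; feeding it the VNets and peerings exported from a real environment would turn the slide's design rules into a repeatable check.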
Hub-spoke network topology in Azure: Operational considerations
Network monitoring
Use Azure Network Watcher to monitor and troubleshoot the network components. Tools like Traffic Analytics will show you the systems in your virtual networks that generate the most traffic, so you can visually identify bottlenecks before they degenerate into problems. Network Performance Manager is the right tool to monitor information about Microsoft ExpressRoute circuits. VPN diagnostics is another tool that can help troubleshoot site-to-site VPN connections connecting your applications to users on-premises.
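The deck asks Security Operations to watch for unexpected traffic across segment boundaries, and Network Watcher is also the feature that emits NSG flow logs. As an added example (not code from the deck or from Microsoft), the script below shows a segment-integrity check over such records: it maps the source and destination of every allowed flow to a segment by address prefix and flags flows whose segment pair is not on the expected-communication list. SAMPLE_LOG is a constructed record laid out like a version 2 NSG flow log; the segment names, addresses, NSG names and subscription id are placeholders.

```python
"""Segment-integrity check over NSG flow log records (added example; not from the deck).

Security Operations is asked to watch for unexpected traffic across segment
boundaries. This script maps the source and destination of every allowed flow
to a segment by address prefix and flags flows whose (source, destination)
segment pair is not on the expected-communication list. SAMPLE_LOG is a
constructed record laid out like a Network Watcher NSG flow log (version 2);
segment names, addresses, NSG names and the subscription id are placeholders.
"""
from __future__ import annotations

import ipaddress
import json
from typing import Iterator

# Segment map: address prefix -> segment name (constructed hub-spoke layout).
SEGMENTS = {
    "hub-shared": ipaddress.ip_network("10.0.0.0/16"),
    "spoke-dev": ipaddress.ip_network("10.1.0.0/16"),
    "spoke-prod": ipaddress.ip_network("10.2.0.0/16"),
}

# Expected (source, destination) segment pairs: spokes talk to the hub and to
# themselves, never to each other. Anything else is a finding.
EXPECTED = {("hub-shared", "hub-shared"), ("spoke-dev", "spoke-dev"), ("spoke-prod", "spoke-prod"),
            ("spoke-dev", "hub-shared"), ("hub-shared", "spoke-dev"),
            ("spoke-prod", "hub-shared"), ("hub-shared", "spoke-prod")}

SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
SAMPLE_LOG = json.dumps({"records": [
    {   # NSG of the dev spoke: a DNS lookup to the hub and a SQL connection into prod
        "time": "2022-04-15T06:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": f"/SUBSCRIPTIONS/{SUB}/RESOURCEGROUPS/RG-DEV/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-DEV",
        "properties": {"Version": 2, "flows": [
            {"rule": "DefaultRule_AllowVnetOutBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
                "1650000000,10.1.0.4,10.0.0.10,51000,53,U,O,A,B,1,60,1,120",
                "1650000001,10.1.0.4,10.2.0.5,51001,1433,T,O,A,B,3,180,2,120"]}]},
            {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
                "1650000002,203.0.113.7,10.1.0.4,40000,22,T,I,D,B,,,,"]}]}]},
    },
    {   # NSG of the prod spoke sees the same SQL connection arriving
        "time": "2022-04-15T06:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": f"/SUBSCRIPTIONS/{SUB}/RESOURCEGROUPS/RG-PROD/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-PROD",
        "properties": {"Version": 2, "flows": [
            {"rule": "DefaultRule_AllowVnetInBound", "flows": [{"mac": "000D3A000002", "flowTuples": [
                "1650000003,10.1.0.4,10.2.0.5,51001,1433,T,I,A,B,3,180,2,120"]}]}]},
    },
]})


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the known prefixes is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def iter_flows(log_text: str) -> Iterator[dict]:
    """Yield one dict per flow tuple. Version 2 tuples are comma-separated:
    time, src ip, dst ip, src port, dst port, protocol (T/U), direction (I/O),
    decision (A/D), flow state (B/C/E), then four packet/byte counters."""
    for record in json.loads(log_text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in record["properties"]["flows"]:
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    yield {"time": int(f[0]), "src": f[1], "dst": f[2], "dst_port": int(f[4]),
                           "protocol": f[5], "direction": f[6], "decision": f[7],
                           "rule": rule_block["rule"], "nsg": nsg}


def find_violations(log_text: str) -> list[dict]:
    """Allowed flows between segments that are not expected to communicate."""
    findings = []
    for flow in iter_flows(log_text):
        if flow["decision"] != "A":
            continue  # a denied flow means the boundary held; not a segment violation
        pair = (segment_of(flow["src"]), segment_of(flow["dst"]))
        if pair not in EXPECTED:
            findings.append({**flow, "src_segment": pair[0], "dst_segment": pair[1]})
    return findings


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['nsg']}: {v['src_segment']} -> {v['dst_segment']} "
              f"{v['src']}:{v['dst_port']}/{v['protocol']} allowed by {v['rule']}")
```

The sample surfaces the dev-to-prod SQL connection twice, once from each NSG, and both times the permitting rule is a platform default: the VirtualNetwork service tag used by the default rules covers peered networks, so peering two spokes (or a spoke and the hub without a restrictive NSG) is enough for traffic the design never intended to flow. Denied flows are skipped deliberately; the boundary held, and they belong in a different alert.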
Hub-spoke network topology in Azure: Cost considerations
Azure Firewall
An Azure Firewall is deployed in the hub network in this architecture. When used as a shared solution and consumed by multiple workloads, an Azure Firewall can save up to 30-50% over other network virtual appliances.
Virtual network peering
Ingress and egress traffic is charged at both ends of the peered networks. Different zones have different transfer rates. For instance, data transfer from a virtual network in zone 1 to another virtual network in zone 2 will incur the outbound transfer rate for zone 1 and the inbound rate for zone 2.
Microsoft hub and spoke reference architecture
Azure segmentation design
By segmentation design principle
Segmentation at Subscription level
• Align with management
• Billing
• Policy
• Line of responsibility
Segmentation at VNet level
• Split clients from servers
  • Cloud virtual desktop infrastructure (VDI):
    • Azure Virtual Desktop
    • Citrix Virtual Apps and Desktops
    • VMware Horizon Cloud
  • Cloud PC:
    • Windows 365 Desktop
  • Point-to-Site (P2S) VPN
• Group by physical location: Azure region
• Split non-production from production
  • Non-production and production
  • Dev, test and production
Segmentation at VNet level (2)
• Separate applications with a high potential impact and/or a high potential exposure to risk
  • High potential impact:
    • Business critical data – Applications that process or store information which would cause significant negative business or mission impact if an assurance of confidentiality, integrity, or availability is lost.
    • Regulated data – Applications that handle monetary instruments and sensitive personal information regulated by standards, for example the payment card industry (PCI) standard and the Health Insurance Portability and Accountability Act (HIPAA).
    • Business critical availability – Applications whose functionality is critical to the organization's business mission, such as production lines generating revenue, devices or services critical to life and safety, and other critical functions.
    • Significant access – Applications which have access to systems with a high potential impact through technical
      • Stored credentials or keys/certificates that grant access to the data/service
      • Permissions granted via access control lists or other means
  • High exposure to attacks:
    • Applications that are easily accessible to attackers, such as web applications on the open internet.
    • Legacy applications can also have higher exposure, as attackers and penetration testers frequently target them because they know these legacy applications often have vulnerabilities that are difficult to fix.
Segmentation at NSG level
• Split compute services from data store services
• Group similar resources
  • Group of applications
  • Group of databases
  • Group of clients
** Recommended: associate the NSG with the subnet
Segmentation at ASG level
• Group resources of the same kind in an ASG and reference the group in NSG rules
• Configure network security rules following component dependencies
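The NSG and ASG options described earlier in the deck, and the advice on this slide and the previous one to write rules along component dependencies, come together in how NSG rules are actually evaluated. The model below is an added example, not code from the deck or from Microsoft: it reproduces the parts of NSG semantics that segmentation depends on (first match in ascending priority order, the platform's default inbound rules beneath every custom rule, sources and destinations given as prefixes, ASG names or service tags) and applies them to a three-tier application whose tiers are grouped in ASGs. The ASG names, addresses and rule names are constructed, and the service-tag matching is simplified to a single VNet.

```python
"""NSG rule evaluation with Application Security Groups (added example; not from the deck).

Models the parts of NSG behaviour that segmentation depends on: rules are
evaluated in ascending priority order and the first match decides; the
platform's default inbound rules (AllowVnetInBound 65000,
AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sit beneath every
custom rule; a source or destination may be an address prefix, an ASG name or
a service tag. ASG names, addresses and rule names are constructed; the
service-tag matching is simplified to this one VNet.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# ASG membership: NIC address -> ASG (constructed three-tier application).
ASG_MEMBERS = {
    "asg-web": {"10.2.1.4", "10.2.1.5"},
    "asg-app": {"10.2.2.4"},
    "asg-db": {"10.2.3.4"},
}
VNET_SPACE = ipaddress.ip_network("10.2.0.0/16")  # 'VirtualNetwork' tag, simplified to this VNet
AZURE_LB_PROBE_IP = "168.63.129.16"               # source behind the 'AzureLoadBalancer' tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # custom rules 100..4096; the lowest number wins
    access: str            # "Allow" or "Deny"
    source: str            # CIDR, ASG name, service tag or "*"
    destination: str
    dst_ports: frozenset   # ints, or {"*"} for any port
    protocol: str = "*"    # "Tcp", "Udp" or "*"


def _matches(selector: str, ip: str) -> bool:
    """Does an address fall under a rule's source/destination selector?"""
    if selector == "*":
        return True
    if selector in ASG_MEMBERS:
        return ip in ASG_MEMBERS[selector]
    addr = ipaddress.ip_address(ip)
    if selector == "VirtualNetwork":
        return addr in VNET_SPACE
    if selector == "Internet":
        return addr not in VNET_SPACE  # simplification: everything off-VNet
    if selector == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(selector)


def evaluate(rules: list[Rule], src: str, dst: str, dst_port: int, protocol: str) -> tuple[str, str]:
    """Return (access, rule name) of the first rule that matches, by priority."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if "*" not in r.dst_ports and dst_port not in r.dst_ports:
            continue
        if _matches(r.source, src) and _matches(r.destination, dst):
            return r.access, r.name
    return "Deny", "<no rule matched>"  # not reached once the default rules are present


ANY = frozenset({"*"})
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", ANY),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", ANY),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", ANY),
]

# One rule per hop of the dependency chain (web -> app -> db), and nothing else inside the VNet.
TIERED_INBOUND = [
    Rule("allow-internet-to-web", 100, "Allow", "Internet", "asg-web", frozenset({443}), "Tcp"),
    Rule("allow-web-to-app", 200, "Allow", "asg-web", "asg-app", frozenset({8080}), "Tcp"),
    Rule("allow-app-to-db", 300, "Allow", "asg-app", "asg-db", frozenset({1433}), "Tcp"),
    # Without this explicit deny, AllowVnetInBound (65000) would still let any VM in
    # the VNet (or a peered VNet) reach any other, and the tiers would not be segmented.
    Rule("deny-intra-vnet", 4000, "Deny", "VirtualNetwork", "VirtualNetwork", ANY),
]


def check_policy(rules: list[Rule]) -> dict[str, tuple[str, str]]:
    """Evaluate the dependency chain plus the paths that must stay closed."""
    return {
        "web->app:8080": evaluate(rules, "10.2.1.4", "10.2.2.4", 8080, "Tcp"),
        "app->db:1433": evaluate(rules, "10.2.2.4", "10.2.3.4", 1433, "Tcp"),
        "web->db:1433": evaluate(rules, "10.2.1.4", "10.2.3.4", 1433, "Tcp"),
        "internet->web:443": evaluate(rules, "198.51.100.9", "10.2.1.4", 443, "Tcp"),
        "internet->db:1433": evaluate(rules, "198.51.100.9", "10.2.3.4", 1433, "Tcp"),
    }


if __name__ == "__main__":
    for label, rules in (("defaults only", DEFAULT_INBOUND),
                         ("tiered + defaults", TIERED_INBOUND + DEFAULT_INBOUND)):
        print(label)
        for path, (access, rule) in check_policy(rules).items():
            print(f"  {path:20} {access:5} by {rule}")
```

Two points the evaluation makes visible: with only the default rules in place, web can reach the database directly because AllowVnetInBound permits it, so an NSG that carries nothing but allow rules for the dependency chain is not yet segmented; and because ASGs are resolved to member addresses at evaluation time, adding a VM to asg-web extends the web tier's permissions to it without touching a single rule, which is what makes the rule set stable as the application grows.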
Q&A
Reference
• Gartner, The 6 Principles of Successful Network Segmentation Strategies. https://www.gartner.com/document/4002289
• Gartner, Segmentation or Isolation: Implementing Best Practices for Connecting ‘All’ Devices. https://www.gartner.com/document/3969768
• Microsoft, Segmentation strategies – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-segmentation
• Microsoft, Implement network segmentation patterns on Azure – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-network-segmentation
• Microsoft, Application classification for security – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-apps-considerations
• Microsoft, Hub-spoke network topology in Azure – Azure Reference Architecture | Microsoft Docs. https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
• Microsoft, Management group and subscription organization – Cloud Adoption Framework | Microsoft Docs. https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization
• Microsoft, Azure virtual network | Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
• Microsoft, Azure network security group overview | Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
• Microsoft, Azure application security group overview | Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
• Azure, Deploy Enterprise-Scale with hub and spoke architecture. https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/adventureworks/README.md