- VMs created with the Azure Resource Manager deployment model can connect directly to the internet by using a public IP address that is assigned directly to the VMs
- VMs created with the Azure classic deployment model communicate with internet resources through the cloud service that is assigned the public IP address, known as the VIP address
- VMs that reside inside the cloud service share that VIP address and establish communications with internet resources by using endpoints
- Network Security Groups help provide advanced security protection for the VMs that you create by using either deployment method
- NSGs contain rules that specify whether traffic is approved or denied
- Each rule consists of the following properties:
- Name
- Direction
- Priority
- Access
- Source IP address prefix
- Source port range
- Destination IP address prefix
- Destination port range
- Protocol
- There are predefined default rules for inbound and outbound traffic
- You can also create custom rules
- You can design NSGs to isolate virtual networks in security zones, like the model used in on-premises infrastructure
- You also can assign NSGs to individual computers in the Azure classic deployment model to control a VM’s incoming and outgoing traffic
- In an Azure Resource Manager deployment, you can assign NSGs to a NIC
- You create NSGs as resources in a resource group, but you can share them with other resource groups that exist in your subscription
- A UDR is a custom route in Azure that overrides Azure's default system routes or adds routes to a subnet's route table
- UDRs and NSGs provide layer 3 and layer 4 (of the OSI model) security
- Network virtual appliances (NVAs) provide layer 7 (application-layer) security
- You can deploy an NVA to a perimeter network in many different architectures
- Forced tunneling lets you redirect or "force" all internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing
- Without forced tunneling, internet-bound traffic from your VMs in Azure always traverses from Azure network infrastructure directly out to the internet, without allowing you to inspect or audit the traffic
- Azure Firewall is a managed, cloud-based network security service that helps protect your Azure Virtual Network resources
- It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability
- You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks
- Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network
Some of the key features of Azure Firewall include:
- Built-in high availability
- Unrestricted cloud scalability
- Application fully qualified domain names (FQDN) filtering rules
- Network traffic filtering rules
- FQDN tags
- Outbound SNAT support
- Inbound Destination Network Address Translation (DNAT) support
- Azure Monitor logging
Several methods are available to help secure access to Windows and Linux VMs running in Azure, including:
- SSH
- With a Secure Shell (SSH) key pair, you can create VMs in Azure that use SSH keys for authentication, eliminating the need for passwords to sign in
- Connect to the VM
- Create an SSH connection with the VM by using the public IP address
- Clean up
- When you no longer need the resource group, VM, and related resources, use the Remove-AzResourceGroup cmdlet to remove them
- RDP
- Remote Desktop Protocol (RDP) enables you to access the desktop of a role running in Azure
- We recommend using Privileged Access Workstations (PAWs) and VPN when administering VMs in Azure
- PAWs provide a dedicated operating system for sensitive tasks, with additional protection from internet attacks and threat vectors
- The goal of a DoS attack is to prevent access to services or systems
- Botnets are collections of internet-connected systems that an individual controls and uses without their owners’ knowledge
- A Distributed DoS (DDoS) is a collection of attack types aimed at disrupting the availability of a target
- DDoS involves many systems sending traffic to targets as part of a botnet
- Azure DDoS Protection, combined with application design best practices, provides defense against DDoS attacks
- DDoS Protection provides the following service tiers:
- Basic: Automatically enabled as part of the Azure platform
- Standard: Provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources
- DDoS Protection Standard can mitigate the following types of attacks:
- Volumetric attacks
- Protocol attacks
- Resource (application) layer attacks