How network security in Azure works

Network Security in Azure

Azure is Microsoft's cloud networking infrastructure. It provides secure connectivity for virtual machines (VMs) running in shared environments and acts as the secure link between a customer's data center and the cloud. Azure is an on-demand network designed to improve business performance for its users, and it supports thousands of customers across 80 global data centers. As the number of customers running active virtual machines (VMs) continues to increase, ensuring the security and confidentiality of network traffic is paramount.

As you read through this article, you are going to learn the following:

  • Securing Azure virtual machines
  • Azure private network security features
  • Security management and threat defense
  • Layers of Security and Defense in Depth

Securing Azure Virtual Machines

To protect customer data in shared environments, Azure uses a combination of logical isolation, access control, firewalls, authentication and encryption mechanisms. Microsoft Azure also implements a comprehensive information security policy and follows industry-standard control frameworks (SOC 1, SOC 2, and ISO 27001) across its data center operations. Microsoft Azure additionally has its physical and virtual infrastructure audited by third parties, who certify adherence to these frameworks.

Conventionally, a company's IT department controls and monitors its own network systems, including physical access to the hardware. To do this, the company employs staff or contractors to procure, configure, and manage the physical network, routers, and firewalls.

In the Azure cloud service model, the responsibilities for network security and operations are shared between the cloud provider and the customer. Unlike the conventional data center model, customers do not have physical access to the cloud datacenter. They do, however, have the freedom to implement the logical equivalent within the cloud platform through the use of applications and virtual private networks. This physical and logical separation lets customers rely on the core security capabilities Azure provides while they build their own infrastructure on top of it.

Azure Private Networks Security

When it comes to cloud services, a customer's security is paramount. That is why Azure enforces each customer's security boundary with a distributed virtual firewall. In addition to the logical isolation applied to a customer's infrastructure, a customer may deploy multiple logically isolated private networks as a further layer of network security. This isolation is generally applied at two levels:

  • Deployed Network: Deployed systems can be separated from each other at the network level, while VMs within a single deployment can communicate with each other through private IP addresses.
  • Virtual Networks: Multiple deployments can be placed on the same virtual network. Each virtual network is isolated from every other virtual network, and the VMs within it also communicate using private IP addresses. These networks can be managed in much the same way as conventional on-premises infrastructure.

If an application sends or receives sensitive information over an internal private network, for example through a VPN, the data can be encrypted with IPsec, SSL/TLS, or other application-level encryption technologies. Customers with stricter privacy or security requirements (for example, to comply with industry regulations and standards) should ensure that all private communication between VMs within a region is encrypted.

Figure 1. An isolated multi-tier application hosted within Azure

Security management and Threat Defense

Securing remote control of VMs

Architects and administrators can create a VM using either the Azure Management Portal or Windows PowerShell. When an administrator uses the Azure Management Portal to create a VM, the Remote Desktop Protocol (RDP) and remote Windows PowerShell ports are opened by default. The Azure Management Portal then assigns random public port numbers to the RDP and remote Windows PowerShell endpoints to reduce the chance of an automated network-based attack succeeding.

The administrator can leave the RDP and remote Windows PowerShell ports open to the Internet, but at the very least the administrator should protect the accounts permitted to make RDP and remote Windows PowerShell connections with complex passwords.
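As an added example (not code from the original article), the following Azure PowerShell script goes one step further than strong passwords and restricts RDP and remote PowerShell (WinRM) on a VM subnet to an administrative address range using a Network Security Group. It assumes the Az module and Resource Manager deployments; the resource group, virtual network, subnet and admin CIDR are placeholders.

```powershell
# Added example (not from the original article): restrict RDP and remote
# PowerShell (WinRM) on a VM subnet to an administrative address range
# with an Azure Network Security Group. Requires the Az module and a
# signed-in session (Connect-AzAccount). All names below are placeholders.
$rg        = "rg-example"          # placeholder resource group
$location  = "westeurope"          # placeholder region
$adminCidr = "203.0.113.0/24"      # placeholder admin range (TEST-NET-3)

# Allow RDP (3389) only from the admin range.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-Admin" `
    -Description "RDP from admin network only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

# Allow WinRM over HTTPS (5986) only from the admin range; plain 5985 stays closed.
$allowWinRm = New-AzNetworkSecurityRuleConfig -Name "Allow-WinRM-Admin" `
    -Description "PowerShell remoting over HTTPS from admin network only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix $adminCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 5986

# Explicitly deny the management ports from the Internet. Rules are evaluated
# lowest priority number first, so this only applies when nothing above matched.
$denyMgmt = New-AzNetworkSecurityRuleConfig -Name "Deny-Mgmt-Internet" `
    -Description "Block RDP and WinRM from the Internet" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389,5985,5986

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-mgmt-restricted" -SecurityRules $allowRdp, $allowWinRm, $denyMgmt

# Attach the NSG to the subnet that hosts the VMs (placeholder names).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-example"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "subnet-vms" `
    -AddressPrefix "10.0.1.0/24" -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork
```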

Protecting against Distributed Denial-of-Service (DDoS)

To protect Azure's availability, Microsoft operates a Distributed Denial of Service (DDoS) defense system that is part of Azure's continuous monitoring process and is continually improved through penetration testing.

Securing connections from VMs to Microsoft Azure SQL Database

Microsoft Azure SQL Database also has an integrated firewall that filters incoming traffic. By default, all communication with the SQL Database is blocked. To allow connections to the database, the administrator must create firewall rules on the Azure SQL Database server that permit the public IP address of the VM in Azure to communicate with the database.
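The rule described above, written as an added Azure PowerShell example (not code from the original article): it looks up the VM's current public IP and admits exactly that one address through the SQL Database server firewall. It assumes the Az module; the resource group, server name and public IP resource name are placeholders.

```powershell
# Added example (not from the original article): allow exactly one VM's
# public IP through the Azure SQL Database server firewall. Requires the
# Az module and a signed-in session; resource names are placeholders.
$rg        = "rg-example"            # placeholder resource group
$sqlServer = "sqlsrv-example"        # placeholder logical SQL server name
$pipName   = "vm-app-pip"            # placeholder public IP resource of the VM

# Look up the VM's current public IP rather than hard-coding it. A dynamic
# public IP can change after deallocate/restart, which silently breaks the rule.
$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
if ($pip.PublicIpAllocationMethod -ne "Static") {
    Write-Warning "Public IP '$pipName' is dynamic; the firewall rule may go stale."
}
$vmIp = $pip.IpAddress

# A single-address rule: start and end are the same IP, so only this VM is
# admitted. Never use 0.0.0.0-255.255.255.255, which opens the server to everyone.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
    -FirewallRuleName "allow-vm-app" -StartIpAddress $vmIp -EndIpAddress $vmIp

# Verify what the server now admits.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```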

Layers of security barriers

Figure 2. Layers for protection in Azure infrastructure

Layer A: The Network Access Layer isolates Azure's private network from the Internet.

Layer B: Azure's DDoS/DoS/IDS Layer uses different techniques than a physical datacenter to achieve the same security goals.

Layer C: Host firewalls protect every host, and VLANs provide additional protection for critical resources.

Layer D: Compliance with security and privacy requirements includes two-factor authentication for administrators.