

ABCS25: Stay safe! – Mastering Network Security on Azure by Stefan Rapp

⭐️ Stay safe! – Mastering Network Security on Azure
Besides the right cloud strategy, an organization must make many infrastructure decisions to lead its cloud journey to success. Before starting to move workloads or modernize applications on Azure, enterprises face difficult and complex architectural decisions, such as how to protect cloud applications from network-based cyberattacks with the right Azure network security services while meeting compliance rules. In this session Stefan focuses on Azure security topics from the network perspective and describes how Azure network services, capabilities and mechanisms can be used to build highly secured cloud environments on Azure, centred on the following main areas:

Architectural network security disciplines
Conceptual network design & approaches
Azure Virtual Network as foundation layer
Network segmentation/isolation (zone models)
Traffic management and control on cloud networks
Security for external interfaces and endpoints
The audience will learn how to create a secure platform and use Azure services the right way to build secure applications and to avoid potential vulnerabilities in the Azure “Landing Zone”. Based on the strict security and compliance requirements of organizations, Stefan shares all relevant recommendations, best practices, practical experience and potential pitfalls for provisioning and managing cloud workloads in Azure the secure and smart way.
🙂 STEFAN RAPP ⚡️ Cloud Solution Architect @ Xebia | Microsoft Azure Infra-As-Code MVP


Transcript

  1. Mastering Network Security on Azure (by Stefan Rapp, 5th June 2025, 13:20 – 14:05, Room 3.53) “Stay safe!”
  2. What is Network Security all about? “Network Architecture” → Groundwork. Focus on… “Security by Design”
  3. …Bad Results
     • Vulnerabilities & potential breaches
     • Network complexity
     • Operational inefficiencies (slower)
     • Scalability issues (growth & changes)
     • Compliance risks (industry standards & regulations)
     • Inconsistent security settings (each team)
     Network Security is suffering!
  4. Table of contents
     1. Prerequisites
     2. Overview Network Services
     3. Virtual Network (VNet)
     4. Traffic Management
     5. Service & Private Endpoints
     6. Infrastructure as Code (IaC)
     7. Key Takeaways (Q&A)
  5. Prerequisites of Azure Network Services: Which requirements must be fulfilled before an enterprise can successfully start with Azure workloads (modernization)?
  6. Prerequisites Checklist – What is needed before bringing the first workload to Azure?
     Cloud Strategy (goal, destination, etc.)
     Azure Governance
     • Azure Billing & Cost Management
     • Azure Hierarchy
     • Azure RBAC
     • Azure Policies
     • Naming Convention
     • Tag & Lock Strategy
     Azure Core Infrastructure
     • General Design
     • Network Architecture & Security
     • Hybrid Connection
     • Backup & Restore
     • Observability
     • etc.
     Cloud Automation
     • No “Click-Click-Cloud” / “ClickOps”
     • Infrastructure as Code (IaC)
     • Central Module Library
     • Reusability
     • Module Lifecycle
     • CI/CD
     • etc.
     Azure Security
  7. Overview Azure Network Services: What kind of Azure resources are relevant to bring application workloads to the cloud?
  8. Azure Networking Services – Overview: Networking capabilities to secure Azure services
     • Access & connect Azure resources and on-premises resources
     • Support, protect and monitor applications in the Azure network
     Connectivity – Connect to Azure & on-premises resources
     • Virtual Network & Peerings
     • Virtual WAN
     • ExpressRoute & VPN
     • Azure DNS
     • User Defined Routes
     • NAT Gateway
     • …etc.
     Application Protection – Protect cloud applications
     • Private Link
     • DDoS Protection
     • Azure Firewall
     • Network Security Groups
     • Web Application Firewall (WAF)
     • Private Endpoints
     • …etc.
     Application Delivery – Deliver applications in the Azure network
     • Azure CDN
     • Azure Front Door Service
     • Traffic Manager
     • Application Gateway
     • Internet Analyzer
     • Load Balancer
     • …etc.
     Network Monitoring – Monitor network resources
     • Network Watcher
     • ExpressRoute Monitor
     • Azure Monitor
     • VNet Flow Logs
     • …etc.
     References: Microsoft Cloud Adoption Framework (CAF) for Azure; Azure Well-Architected Framework (WAF)
  9. Azure Virtual Network: Azure Virtual Network (VNet) is the fundamental building block for the private network in Azure.
  10. Azure Networking Services – Azure Virtual Network
     • Essential on Microsoft Azure to connect cloud resources (within the Azure Landing Zone).
     • “Hub & Spoke” architecture
       • Hub network: core Azure services (Gateway, Firewall / NVA, DNS, …etc.)
       • Spoke networks: isolated VNets that host and manage application workloads separately
     • VNet peering is not transitive! Spoke-to-spoke traffic therefore has to be routed through the hub (e.g. via the firewall, using UDRs).
     Diagram: Hub (Gateway, Firewall / NVA, DNS, …etc.) connected to the on-premises data center via S2S VPN / ExpressRoute and peered with Spoke 1, Spoke 2, Spoke 3, Spoke 4, Spoke …
  11. Network Segmentation – Isolating resources in the network from each other
     • Azure VNet → /22 (Visual Subnet Calculator – split/join)
     • Azure Subnet → /26 → 16 possible subnets
     • Azure Subnet → /27 → 32 possible subnets
     Note: Azure reserves 5 IP addresses in every subnet (network address, default gateway, two for Azure DNS, broadcast), so a /26 leaves 59 usable hosts and a /27 leaves 27; the smallest subnet Azure accepts is a /29.
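Added example (not from the deck): the sizing above carried through in Python with the standard `ipaddress` module, including the five addresses Azure reserves in every subnet, which a plain subnet count hides, plus the non-overlapping check that peering and hybrid connectivity require (see the next slide). The /22 address space, the host counts and the CIDRs in the overlap check are constructed values.

```python
"""Subnet sizing for an Azure VNet, with Azure's 5 reserved addresses per subnet.

Added example, not from the deck. Azure reserves the first four and the last address of
every subnet (network, default gateway, two Azure DNS, broadcast), so usable hosts are
2**(32 - prefix) - 5, and the smallest subnet Azure accepts is a /29.
"""
import ipaddress
from typing import Dict, List, Tuple

AZURE_RESERVED_PER_SUBNET = 5   # .0 network, .1 gateway, .2/.3 Azure DNS, last address = broadcast
AZURE_MIN_SUBNET_PREFIX = 29    # Azure rejects subnets smaller than /29


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses a workload can actually bind inside an Azure subnet."""
    if subnet.prefixlen > AZURE_MIN_SUBNET_PREFIX:
        raise ValueError(f"{subnet} is smaller than /29, which Azure does not allow")
    return subnet.num_addresses - AZURE_RESERVED_PER_SUBNET


def split_vnet(vnet_cidr: str, subnet_prefix: int) -> List[ipaddress.IPv4Network]:
    """Split a VNet address space into equal subnets of the given prefix length."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    if subnet_prefix < vnet.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VNet prefix")
    return list(vnet.subnets(new_prefix=subnet_prefix))


def plan(vnet_cidr: str, subnet_prefix: int) -> Dict[str, object]:
    """Summary a network designer wants before carving up the VNet."""
    subnets = split_vnet(vnet_cidr, subnet_prefix)
    return {
        "vnet": vnet_cidr,
        "subnet_prefix": subnet_prefix,
        "subnet_count": len(subnets),
        "usable_hosts_per_subnet": usable_hosts(subnets[0]),
        "first_subnet": str(subnets[0]),
        "last_subnet": str(subnets[-1]),
    }


def smallest_prefix_for(hosts_needed: int) -> int:
    """Smallest subnet (largest prefix length) that still leaves `hosts_needed` usable addresses."""
    for prefix in range(AZURE_MIN_SUBNET_PREFIX, 0, -1):
        if 2 ** (32 - prefix) - AZURE_RESERVED_PER_SUBNET >= hosts_needed:
            return prefix
    raise ValueError("no IPv4 subnet can hold that many hosts")


def overlapping_pairs(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Peering and hybrid connectivity need disjoint address spaces; report every overlapping pair."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    for prefix in (26, 27):
        print(plan("10.10.0.0/22", prefix))            # constructed VNet address space
    # 30 nodes look like a /27 on paper, but a /27 only has 27 usable addresses in Azure
    print("30 hosts need a /" + str(smallest_prefix_for(30)))
    print(overlapping_pairs(["10.0.0.0/22", "10.1.0.0/22", "10.0.2.0/24"]))  # constructed spokes
```

The usable-host figure is the one to size against: a /27 that has to hold 30 VMs or AKS nodes is already too small once the five reserved addresses are taken out.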
  12. Microsoft Azure VNets – What are the characteristics of an Azure VNet?
     • Logical isolation with control over the network
     • Support for IP address ranges (CIDR)
     • DNS support
     • Non-overlapping address ranges
     • Support for static/dynamic IPs
     • DHCP available “out of the box”
  13. Network Security Groups (NSG) – Use NSGs to filter network traffic between Azure resources in an Azure VNet.
     • No extra costs.
     • Enables subnet segmentation scenarios.
     • Contains a list of ACL rules that “Allow” or “Deny” traffic to/from a VNet (Layer 3 & 4).
     • Restricts traffic to/from internal and external sources.
     • Rules on URLs or FQDNs are not supported.
     • But “Service Tags” can be used in rules.
     • Custom rules with a priority between 100 and 4096; the lowest number is evaluated first and the first matching rule decides, ahead of the built-in default rules at 65000 and above.
     • Can be assigned to a NIC or an Azure subnet; when both carry an NSG, a flow must be allowed by both.
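Added example (not from the deck): a small model of how an NSG decides a flow, written in Python to make the priority order, the service tags and the default rules visible. Service tag prefixes normally come from the published service tag JSON; the extract embedded here is constructed in that file's shape with made-up prefixes, and the VNet (10.0.0.0/16), subnets and rule names are assumptions for the example.

```python
"""NSG decision logic: priority order, service tags and the default rules.

Added example, not from the deck. Rules are evaluated lowest priority number first, the
first match decides, and the built-in default rules (65000/65001/65500) sit behind the
custom ones (100-4096). The service tag extract below is constructed; prefixes are not real.
"""
import ipaddress
from dataclasses import dataclass

# Constructed extract in the shape of ServiceTags_Public_<date>.json (prefixes are made up).
SERVICE_TAGS_JSON = {"cloud": "Public", "values": [
    {"name": "Storage.WestEurope", "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
    {"name": "Sql.WestEurope", "properties": {"addressPrefixes": ["198.51.100.0/25"]}},
]}


def load_service_tags(doc):
    return {v["name"]: [ipaddress.ip_network(p) for p in v["properties"]["addressPrefixes"]]
            for v in doc["values"]}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int              # custom rules 100-4096; the lower the number, the earlier it is checked
    direction: str             # "Inbound" | "Outbound"
    access: str                # "Allow" | "Deny"
    protocol: str = "*"        # "*", "Tcp", "Udp", "Icmp"
    source: str = "*"          # "*", CIDR/IP or a service tag (no FQDNs/URLs)
    source_port: str = "*"     # "*", "443", "1024-65535" or a comma-separated list
    destination: str = "*"
    destination_port: str = "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# The default rules every NSG carries; custom rules can only sit in front of them.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", destination="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


class Nsg:
    def __init__(self, vnet_prefixes, service_tags, rules):
        self.tags = dict(service_tags)
        # VirtualNetwork covers the VNet address space plus peered and on-premises ranges.
        self.tags["VirtualNetwork"] = [ipaddress.ip_network(p) for p in vnet_prefixes]
        self.tags["AzureLoadBalancer"] = [ipaddress.ip_network("168.63.129.16/32")]  # Azure's probe source
        self.rules = sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority)

    def _addr_match(self, spec, ip):
        addr = ipaddress.ip_address(ip)
        if spec == "*":
            return True
        if spec == "Internet":  # simplification: everything outside the VirtualNetwork tag
            return not any(addr in n for n in self.tags["VirtualNetwork"])
        if spec in self.tags:
            return any(addr in n for n in self.tags[spec])
        return addr in ipaddress.ip_network(spec, strict=False)

    @staticmethod
    def _port_match(spec, port):
        if spec == "*":
            return True
        for part in spec.split(","):
            lo, _, hi = part.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
        return False

    def evaluate(self, flow):
        """Return (access, rule name) of the first rule that matches the flow."""
        for r in self.rules:
            if r.direction != flow.direction:
                continue
            if r.protocol != "*" and r.protocol.lower() != flow.protocol.lower():
                continue
            if (self._addr_match(r.source, flow.src_ip) and self._port_match(r.source_port, flow.src_port)
                    and self._addr_match(r.destination, flow.dst_ip)
                    and self._port_match(r.destination_port, flow.dst_port)):
                return r.access, r.name
        raise RuntimeError("unreachable: the DenyAll default rules match every flow")


def permitted(subnet_nsg, nic_nsg, flow):
    """With an NSG on the subnet and one on the NIC, the flow needs an Allow from both."""
    return all(n.evaluate(flow)[0] == "Allow" for n in (subnet_nsg, nic_nsg) if n is not None)


def build_app_nsg():
    """Constructed app-subnet NSG: only the Application Gateway subnet reaches the app on 443,
    other VNet sources are blocked (overriding AllowVnetInBound), outbound is limited to Storage."""
    return Nsg(["10.0.0.0/16"], load_service_tags(SERVICE_TAGS_JSON), [
        Rule("AllowFromAppGatewaySubnet", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "*", "443"),
        Rule("DenyLateralVnetInBound", 200, "Inbound", "Deny", "*", "VirtualNetwork"),
        Rule("AllowStorageOutBound", 100, "Outbound", "Allow", "Tcp", "*", "*", "Storage.WestEurope", "443"),
        Rule("DenyInternetOutBound", 110, "Outbound", "Deny", "*", "*", "*", "Internet"),
    ])


if __name__ == "__main__":
    nsg = build_app_nsg()
    for f in (Flow("Inbound", "Tcp", "10.0.1.10", 40000, "10.0.2.5", 443),        # from App Gateway
              Flow("Inbound", "Tcp", "10.0.3.7", 5000, "10.0.2.5", 443),          # from another subnet
              Flow("Inbound", "Tcp", "168.63.129.16", 1, "10.0.2.5", 443),        # load balancer probe
              Flow("Outbound", "Tcp", "10.0.2.5", 50000, "203.0.113.10", 443),    # Storage tag
              Flow("Outbound", "Tcp", "10.0.2.5", 50000, "198.51.100.9", 1433)):  # SQL, not allowed
        print(f.direction, f.src_ip, "->", f.dst_ip, f.dst_port, nsg.evaluate(f))
```

Two details of the model are the ones that bite in practice: the explicit deny at priority 200 is what actually blocks lateral traffic, because the default AllowVnetInBound at 65000 would otherwise let any peered or on-premises address in, and the load balancer probe source 168.63.129.16 must stay reachable, which the default rule at 65001 takes care of as long as no custom rule denies it first. The Internet tag is simplified here to "not in VirtualNetwork"; the real tag is the public address space outside the VNet.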
  14. Firewalling & Routing
     • Control network traffic
     • Centralized management (SPoC)
     • East-west traffic (within the trusted boundary)
     • North-south traffic (to the external boundary)
     • Key components:
       • Azure Firewall / NVA
       • VNet Peering
       • Route Tables (UDRs): a spoke subnet gets a route table with a 0.0.0.0/0 route whose next hop is the firewall’s private IP (next hop type VirtualAppliance), so outbound and spoke-to-spoke traffic passes the firewall
     • Azure Firewall → PaaS (cloud-native)
     • Azure NVA → (mostly) IaaS
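Added example (not from the deck): Azure's effective-route selection (longest prefix match, then user-defined route over BGP over system route on equal length) modelled in Python, to show why a spoke needs UDRs for traffic to leave via the hub firewall and why its own address space still stays local. The spoke and hub prefixes, the firewall address 10.0.0.4 and the on-premises range are constructed for the example.

```python
"""Effective-route selection for a spoke subnet: longest prefix wins, then UDR > BGP > system.

Added example, not from the deck. The routes are constructed: spoke 1 (10.1.0.0/16) is peered
with the hub (10.0.0.0/16) but not with spoke 2 (10.2.0.0/16), the hub firewall sits at
10.0.0.4, and on-premises 192.168.0.0/16 is learned over BGP through the hub gateway.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# On equal prefix length Azure prefers user-defined routes, then BGP, then system routes.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

FIREWALL_IP = "10.0.0.4"  # constructed private IP of the hub Azure Firewall / NVA


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # VirtualNetwork, VNetPeering, Internet, VirtualAppliance, VirtualNetworkGateway
    source: str                 # "Default" (system), "User" (UDR), "VirtualNetworkGateway" (BGP)
    next_hop_ip: Optional[str] = None


def system_routes(vnet_prefix: str, peered: List[str]) -> List[Route]:
    """Routes Azure creates on its own for a subnet of `vnet_prefix` peered with `peered` VNets."""
    routes = [Route(vnet_prefix, "VirtualNetwork", "Default"), Route("0.0.0.0/0", "Internet", "Default")]
    routes += [Route(p, "VNetPeering", "Default") for p in peered]
    return routes


def effective_route(routes: List[Route], dst_ip: str) -> Route:
    """Longest prefix match; ties are broken by route source (UDR beats BGP beats system)."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -SOURCE_RANK[r.source]))


def next_hop(routes: List[Route], dst_ip: str) -> Tuple[str, Optional[str]]:
    r = effective_route(routes, dst_ip)
    return r.next_hop_type, r.next_hop_ip


def spoke_routes(with_udr: bool) -> List[Route]:
    """Effective routes of spoke 1's app subnet, with or without the landing-zone route table."""
    routes = system_routes("10.1.0.0/16", peered=["10.0.0.0/16"])
    routes.append(Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"))  # BGP, on-prem
    if with_udr:
        routes += [
            Route("0.0.0.0/0", "VirtualAppliance", "User", FIREWALL_IP),       # internet and spoke-to-spoke
            Route("192.168.0.0/16", "VirtualAppliance", "User", FIREWALL_IP),  # on-prem traffic via firewall too
        ]
    return routes


if __name__ == "__main__":
    for udr in (False, True):
        print("with UDR" if udr else "no UDR")
        for dst in ("10.1.2.9", "10.0.0.10", "10.2.5.5", "8.8.8.8", "192.168.4.4"):
            print(" ", dst, "->", next_hop(spoke_routes(udr), dst))
```

Without the route table, a packet for spoke 2 matches nothing better than the system 0.0.0.0/0 route and leaves towards "Internet", i.e. it never reaches spoke 2 (peering is not transitive); with it, the UDR wins the tie against the system default route and the more specific UDR for the on-premises range wins against the BGP-learned route, so both paths pass the firewall. Traffic inside the spoke's own /16 and to the hub still matches the more specific system routes and bypasses the firewall, which is why intra-VNet segmentation is an NSG job, not a UDR job.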
  15. Zero-trust network for web apps with Azure Firewall and Application Gateway. From the Q&A: “Zero-trust network for web applications with Azure Firewall and Application Gateway”, Azure Architecture Center | Microsoft Learn.
  16. Service Endpoints – Overview
     • Azure services are generally public: their IP ranges are published as a JSON document (service tags, e.g. ServiceTags_Public_20230925.json).
     • Fully removing public internet access → only allow traffic from your VNet/subnet (VNet rules in the service’s own firewall; the service itself keeps its public endpoint).
     • Provide secure and direct connectivity to Azure services.
     • Enable private IP addresses in the Azure VNet to reach the endpoint of an Azure service (the source address seen by the service switches from a public IP to the VNet’s private IP).
     • An optimized route over the Azure backbone network.
     • Goal: secure your critical Azure service resources.
     • Without needing a public IP address on the VNet.
  17. Private Endpoint – Use a Private Endpoint with a private IP to secure your Azure service.
     • Private endpoint = NIC that uses a private IP address from your VNet.
     • Used to bring certain services into your VNet.
     • Connects privately and securely to a service that is powered by Azure Private Link.
     • The Private Link resource is the destination target of a specified private endpoint (List).
     • Causes extra costs!
     • Caveat: the service’s FQDN must resolve to the private IP, normally via a privatelink.* private DNS zone linked to the VNet; otherwise clients keep resolving the public endpoint and are rejected there once public access is disabled.
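Added example (not from the deck): a tiny resolver in Python that reproduces how a private endpoint's name is answered with and without the privatelink private DNS zone, the step that most often goes wrong when "private endpoint created" still results in traffic to the public endpoint. All names, the storage account `contoso`, the private IP 10.1.1.5 and the public address are constructed; only the shape of the CNAME chain matches what Azure does.

```python
"""Name resolution with and without a privatelink DNS zone, as a tiny resolver.

Added example, not from the deck. Once a private endpoint is approved, the public name of the
resource is re-pointed through a CNAME to <name>.privatelink.<service>, and whoever answers
for the privatelink name decides whether clients get the private or the public IP.
All names and addresses below are constructed; only the shape of the chain is real.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed public DNS for a storage account with an approved private endpoint.
PUBLIC_DNS: Dict[str, Tuple[str, str]] = {
    "contoso.blob.core.windows.net": ("CNAME", "contoso.privatelink.blob.core.windows.net"),
    "contoso.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.20"),  # the public endpoint
}

# Private DNS zones linked to the VNet: zone name -> {record label: private IP}.
PRIVATE_ZONES_OK: Dict[str, Dict[str, str]] = {"privatelink.blob.core.windows.net": {"contoso": "10.1.1.5"}}
PRIVATE_ZONES_EMPTY: Dict[str, Dict[str, str]] = {"privatelink.blob.core.windows.net": {}}


def resolve(name: str, private_zones: Dict[str, Dict[str, str]],
            public: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Resolve as Azure DNS does for a VNet: a linked private zone is authoritative for every name
    inside it (no fallback to public DNS), everything else goes to public DNS; CNAMEs are followed.
    Returns the final A record, or None for NXDOMAIN."""
    for _ in range(8):  # guard against CNAME loops
        zone = next((z for z in private_zones if name == z or name.endswith("." + z)), None)
        if zone is not None:
            label = name[: -(len(zone) + 1)] or "@"
            return private_zones[zone].get(label)  # missing record -> NXDOMAIN, not the public IP
        record = public.get(name)
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        name = value  # CNAME: keep resolving the target
    return None


def uses_private_endpoint(ip: Optional[str], vnet_cidrs: List[str]) -> bool:
    """The check to run from inside the VNet: does the resource name land on one of our private IPs?"""
    return ip is not None and any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in vnet_cidrs)


if __name__ == "__main__":
    name, vnet = "contoso.blob.core.windows.net", ["10.1.0.0/16"]
    for label, zones in (("no private zone", {}), ("linked zone with record", PRIVATE_ZONES_OK),
                         ("linked zone, record missing", PRIVATE_ZONES_EMPTY)):
        ip = resolve(name, zones, PUBLIC_DNS)
        print(f"{label:28} -> {ip!s:14} private endpoint in use: {uses_private_endpoint(ip, vnet)}")
```

The three cases are the ones to test after deploying a private endpoint: no linked zone means the client follows the public chain to the public IP (and a storage firewall that denies public access will reject it), a linked zone with the A record yields the private IP, and a linked zone without the record yields NXDOMAIN rather than a fallback to public DNS. The same applies to any resolver that forwards to Azure DNS (168.63.129.16), for example from on-premises via a DNS Private Resolver.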
  18. Mind change of (cloud) resource deployment: “Click-Click-Cloud”, “Click-Ops”, “Clicky-Bunti” → Mind change: from “static” to “dynamic” infrastructure; CI/CD-driven infrastructure deployment.
  19. Key Takeaways
     • Check with your Governance & Platform Team before the start!
     • Start making a plan → network design (“But do not click!”)
     • Use Microsoft CAF & the Well-Architected Framework
     • Size your application network according to your workload: number of possible hosts, number of possible subnets, restrictions from Microsoft
     • Think about a suitable separation of the application workloads
     • Know how traffic is controlled in the given Azure Landing Zone
     • Secure Azure services using the “Networking” section: Service Endpoints, Private Endpoints
     • Use an IaC approach for resource provisioning in the cloud
  20. PROFILE – Speaker: Stefan Rapp, Cloud Solution Architect (CSA) & Microsoft MVP (MS Consultant since 2008)
     Specializations:
     • Identity & Access Management (IAM)
     • Microsoft Infrastructure
     • Azure Governance
     • Azure Infrastructure
     • Cloud Automation – IaC (with Terraform)
     • Cloud Migrations
     • Application Modernization
     Let’s engage: https://www.linkedin.com/in/rapster83/ #AzureRocks
     E-Mail: [email protected]
     Blog: https://blog.misterazure.com
     GitHub: @rapster83