If you have read any of my blog posts about networking in Azure, you can guess that this is one of my favorite topics. For IT ops, this is one of the changes in thinking required to make the move to the cloud. Since software-defined networking is one of the main concepts required for a successful cloud implementation, it is no surprise that the security of that networking is a close second.
Looking at it as simply as possible, good network security means allowing only the necessary traffic, stopping everything else, and logging where it is useful for auditing. Azure provides many integrated services that can help achieve this.
With that in mind, there are three major scenarios to talk about with Azure networking:
Azure resources to Azure resources
Azure resources to / from on-premises resources
Azure resources to / from the Internet
I will refer to each as we cover the various best practices available.
Layering is required for good network access control. A vnet does not, by default, have access to another vnet. However, within a vnet, every subnet can by default talk to every other subnet. Therefore, the subnet layer is most likely where you will need to address access control, using custom route tables and / or network security groups.
Custom route tables (user-defined routes, or UDRs) are exactly what they sound like.
They modify the system route table using the routes you specify. If your route has the same prefix as a system route, your route takes precedence; user-defined routes always do. Beyond that, the longest (most specific) prefix always wins the match. More on route tables here. Route tables are associated at the subnet level, so you can quickly change how traffic flows for your entire vnet. For example, you can block Internet access by adding a route for 0.0.0.0/0 with a next hop of None, which drops the traffic.
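As an added example (this is not code from the original post), here is what the 0.0.0.0/0 drop and the longest-prefix behaviour look like in Az PowerShell. Every name in it is an assumption for illustration: resource group rg-net, region eastus, VNet vnet-prod with address space 10.0.0.0/16, subnet snet-app, a network virtual appliance at 10.0.1.4, and a NIC nic-app-01 inside the subnet.

```powershell
# Added example (not from the original post). Assumed/hypothetical names throughout:
# rg-net, vnet-prod (10.0.0.0/16), snet-app, NVA at 10.0.1.4, NIC nic-app-01.
$rg       = 'rg-net'
$location = 'eastus'

# 1. Create the route table. DisableBgpRoutePropagation stops routes learned over
#    ExpressRoute/VPN BGP from quietly adding paths around the routes we define.
$rt = New-AzRouteTable -Name 'rt-snet-app' -ResourceGroupName $rg -Location $location -DisableBgpRoutePropagation

# 2. Drop everything that does not match a more specific route. NextHopType None
#    black-holes the traffic: this is the "0.0.0.0/0 -> drop" example from the text.
#    The same prefix as the system Internet route, so the UDR wins the tie.
$rt | Add-AzRouteConfig -Name 'DropInternet' -AddressPrefix '0.0.0.0/0' -NextHopType None | Out-Null

# 3. Longest prefix match: 10.0.0.0/8 is more specific than 0.0.0.0/0, so traffic to the
#    corporate range is sent to the NVA instead of being dropped. The VNet's own
#    10.0.0.0/16 system route is more specific still, so intra-VNet traffic is unaffected.
$rt | Add-AzRouteConfig -Name 'CorpViaNva' -AddressPrefix '10.0.0.0/8' `
    -NextHopType VirtualAppliance -NextHopIpAddress '10.0.1.4' | Out-Null

# 4. Commit the routes, then associate the table with the subnet.
$rt     = Set-AzRouteTable -RouteTable $rt
$vnet   = Get-AzVirtualNetwork -Name 'vnet-prod' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'

# Set-AzVirtualNetworkSubnetConfig rewrites the subnet config, so carry over an
# existing NSG association rather than silently dropping it.
$params = @{ VirtualNetwork = $vnet; Name = 'snet-app'; AddressPrefix = $subnet.AddressPrefix; RouteTable = $rt }
if ($subnet.NetworkSecurityGroup) { $params.NetworkSecurityGroup = $subnet.NetworkSecurityGroup }
Set-AzVirtualNetworkSubnetConfig @params | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 5. Verify from a NIC in the subnet (the VM must be running). Effective routes are what
#    the platform actually uses: expect the 0.0.0.0/0 Internet system route to show as
#    Invalid and the two user routes as Active.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'nic-app-01' -ResourceGroupName $rg |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress |
    Format-Table -AutoSize
```

Two caveats before doing this for real: black-holing 0.0.0.0/0 also cuts off Azure platform traffic the VM may depend on (activation, agent and monitoring endpoints), so those destinations need their own more specific routes or an NVA that allows them; and with BGP propagation disabled, routes to on-premises prefixes have to be added as UDRs explicitly.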
Network security groups are slightly more complex to apply, but the concept is straightforward: they are an ACL for your network. Rules are evaluated in priority order and the first match wins. They can be applied at the subnet or network interface level. Although NSGs allow you to create complex and granular rules, managing them at scale can be a challenge. More on them here.
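As an added example (not code from the original post), the NSG below applies the layering idea to a web tier: only HTTPS from the Internet may reach it, it may only talk to the app tier, and the default "everything inside the vnet can talk to everything" rule is overridden. All names are assumptions for illustration: resource group rg-net, region eastus, VNet vnet-prod, web subnet snet-web (10.0.1.0/24), app subnet snet-app (10.0.2.0/24), NIC nic-web-01.

```powershell
# Added example (not from the original post). Assumed/hypothetical names throughout:
# rg-net, eastus, vnet-prod, snet-web (10.0.1.0/24), snet-app (10.0.2.0/24), nic-web-01.
$rg       = 'rg-net'
$location = 'eastus'

# Rules are evaluated by Priority (lowest number first); the first match wins and
# evaluation stops. Every NSG also carries default rules at priority 65000 and above
# (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound, AllowInternetOutBound...),
# which custom rules at a lower number override.
$rules = @(
    # Internet -> web tier, HTTPS only. 'Internet' is a service tag, not a literal prefix.
    New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsFromInternet' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange 443

    # Load balancer health probes must be allowed explicitly once the VNet-wide
    # default is denied below ('AzureLoadBalancer' is a service tag).
    New-AzNetworkSecurityRuleConfig -Name 'AllowAzureLbProbe' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'

    # Override the default AllowVnetInBound (65000): within a vnet every subnet can reach
    # every other subnet unless you say otherwise. Management access (e.g. from a jump
    # subnet) would need its own Allow rule with a lower number than this one.
    New-AzNetworkSecurityRuleConfig -Name 'DenyVnetInBound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'

    # Outbound: the web tier may only talk to the app tier on 8443. The explicit catch-all
    # deny is needed because the default AllowInternetOutBound (65001) would otherwise
    # permit egress; add Allow rules for DNS, patching and monitoring endpoints before it.
    New-AzNetworkSecurityRuleConfig -Name 'AllowToAppTier' -Priority 100 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.0.2.0/24' -DestinationPortRange 8443

    New-AzNetworkSecurityRuleConfig -Name 'DenyAllOutbound' -Priority 4000 `
        -Direction Outbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-snet-web' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rules

# Associate at the subnet level so every NIC in the subnet inherits it. Keep an existing
# route table association, since Set-AzVirtualNetworkSubnetConfig rewrites the subnet.
$vnet   = Get-AzVirtualNetwork -Name 'vnet-prod' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web'
$params = @{ VirtualNetwork = $vnet; Name = 'snet-web'; AddressPrefix = $subnet.AddressPrefix; NetworkSecurityGroup = $nsg }
if ($subnet.RouteTable) { $params.RouteTable = $subnet.RouteTable }
Set-AzVirtualNetworkSubnetConfig @params | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# What actually applies to a NIC is the combination of the subnet NSG and any NIC NSG
# (inbound traffic has to pass both); check the effective result, not the intent.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'nic-web-01' -ResourceGroupName $rg
```

The point of the two 4000-priority deny rules is that the defaults are permissive inside the vnet and for egress; if you rely on the defaults you only get "deny from Internet", not "allow only the necessary traffic".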
While the above lets you control the network from a routing and access-control point of view, you may also need to control traffic by inspection and filtering.
Azure's native firewall service offers HA and scalability; however, it is still a young product and therefore falls short of traditional network security options in features. There is more here.
Thankfully, Azure and network equipment vendors have been doing a better job together lately.
Most of the solutions you would hope for are available in the Azure Marketplace as third-party network virtual appliances. The common catch is that documentation can be thin, if not poor. However, if you need consistency with your on-premises setup, or a specific feature, they are your best option. My advice is to reach out to the Azure community if you have issues; usually someone will have hit the same issue and can help!
Will Azure have a public perimeter?
Will it be inbound and / or outbound?
What are the requirements for a private perimeter?
Once you have those answers, there are a few well-documented implementation options. They all operate on the same basis of layering, separating traffic with a firewall between the layers. Coupled with UDRs, this leads to a well-designed and secure environment that allows only the necessary network access, in keeping with everything discussed above.
Azure Network Watcher
Azure Security Center
Network Watcher is one of my favorite tools in Azure. Within minutes, and with minimal effort, you can get granular insight into complex network issues. You can also integrate it with other Azure services, such as Azure Monitor and Azure Functions, to automatically capture alerts and traffic (note to self: must blog about this).
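As an added example (not code from the original post), this is how Network Watcher confirms what a route table and NSG actually do, and how to switch on NSG flow logs for the auditing mentioned at the top. Names are assumptions for illustration: resource group rg-net, a web VM vm-web-01 with private IP 10.0.1.10 in a 10.0.1.0/24 web subnet, an app subnet 10.0.2.0/24, an NSG nsg-snet-web, a storage account stnsgflowlogs, and the Network Watcher instance under Azure's default naming (NetworkWatcher_eastus in NetworkWatcherRG).

```powershell
# Added example (not from the original post). Assumed/hypothetical names throughout:
# rg-net, vm-web-01 (10.0.1.10), app subnet 10.0.2.0/24, nsg-snet-web, stnsgflowlogs,
# Network Watcher 'NetworkWatcher_eastus' in 'NetworkWatcherRG' (Azure's default naming).
$rg = 'rg-net'
$nw = Get-AzNetworkWatcher -ResourceGroupName 'NetworkWatcherRG' -Name 'NetworkWatcher_eastus'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-web-01'

# 1. IP flow verify: ask the platform whether a specific 5-tuple is allowed or denied,
#    and which NSG rule made the decision. Remote addresses here are documentation
#    ranges used as constructed sample input.
$fromInternet = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -Direction Inbound -Protocol TCP -LocalIPAddress '10.0.1.10' -LocalPort 443 `
    -RemoteIPAddress '203.0.113.7' -RemotePort 51000
"Internet -> 443: $($fromInternet.Access) (rule: $($fromInternet.RuleName))"   # expect Allow

$fromAppTier = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -Direction Inbound -Protocol TCP -LocalIPAddress '10.0.1.10' -LocalPort 22 `
    -RemoteIPAddress '10.0.2.15' -RemotePort 40000
"App tier -> 22: $($fromAppTier.Access) (rule: $($fromAppTier.RuleName))"     # expect Deny if the vnet default is overridden

# 2. Next hop: shows which route wins for a destination, so a UDR that black-holes
#    0.0.0.0/0 shows up as NextHopType 'None' and a route via an NVA as 'VirtualAppliance'.
$hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -SourceIPAddress '10.0.1.10' -DestinationIPAddress '198.51.100.20'
"Next hop to Internet: $($hop.NextHopType) $($hop.NextHopIpAddress) (route table: $($hop.RouteTableId))"

# 3. NSG flow logs: every allowed and denied flow through the NSG, written to a storage
#    account for auditing. Requires the Microsoft.Insights resource provider to be
#    registered in the subscription.
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg-snet-web' -ResourceGroupName $rg
$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stnsgflowlogs'
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $nw -TargetResourceId $nsg.Id `
    -StorageAccountId $sa.Id -EnableFlowLog $true -EnableRetention $true -RetentionInDays 30
```

The value of IP flow verify is that it evaluates the same effective rule set the data plane uses, including the subnet and NIC NSGs together, so it catches the case where the rule you wrote is correct but something else in the path denies the flow.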
Security Center, as for other infrastructure, provides insight into your network topology and gives largely actionable recommendations, meaning you have a single pane of glass to assess your network, no matter how complex it is.