As we went through the AZ-500 exam preparation, one of the concepts that Microsoft drill into you is that Security is not just a switch you flick.
It needs to be planned, designed, coordinated and contain multiple layers to effectively mitigate and isolate threats.
The Cybersecurity Reference Architecture below shows how to use multiple products and apps from Microsoft to help protect your estate. However before we get to that level of complexity there are some fundamental and basic features natively built-in to Azure that can have a huge impact in limiting threats and malicious activity, if we assume breach and adopt a Zero Trust approach to security. It all begins with the process of hardening Azure, or what is commonly referred to as Platform Hardening.
I want to introduce you to three features in Azure that help with Platform Hardening:
Network Security Groups (NSG's)
Private and Service Endpoints (including Azure Private Link)
Security begins with a well thought out and architected Network topology.
When we are designing our network architecture in Azure, NSGs, Service and Private Endpoints help stop actors dead in their tracks.
Firstly, Service Endpoints allow you to configure your vNet to limit access only to a specific service from that vNet, such as to Azure Storage or Kubernetes, for example. Additionally, Private Endpoints provide the most restrictive networking and routing abilities, helping secure access to PaaS services over a private network by providing a dedicated Network interface for a public PaaS service that terminates on your vNet, providing a virtual private link between your vNet and the PaaS service.
This is very useful when integrating database and storage services with Synapse Analytics to build ETL pipelines, as one example. The helpful chart below highlights the differences in features between Service Endpoints and Private Endpoints (with private link).
Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.
Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. You can create your own private link service in your virtual network and deliver it to your users.
NSG's on the other hand, provide an additional layer between Azure Firewall or WAF, your vNet configuration and your resources when access is required from the internet, providing protections at the backend subnet layer. If an actor manages to get through our perimeter security and across the Service or Private EndPoint security, then an NSG provides yet another layer of defence.
And finally, some resources in Azure provide you with the ability to configure Resource Level Firewalls. Essentially IP or vNet whitelisting at the resource level, such as storage, backup and others.
You can find more information on all features below:
Note that resource firewalls are service specific. Not all PaaS services have built in filtering. The documentation provided above is a link to Storage resource firewall configuration which provides details on where to locate and configure firewall settings on a resource.
So now you can begin to see how cyber-security protection starts with a well thought out and well architected network foundation. Much planning and consideration is required to understand what services are needed, who will access them, from which location and what can be locked down and controlled.
If you are ready to start your well-architected journey with Wrive and Microsoft, reach out to our architecture team today