Network Connectivity and Security Flashcards

1
Q

Web Application Firewalls

A

Azure Web Application Firewall (WAF) is a cloud-native security service designed to protect web applications from common threats and vulnerabilities. It is available through Azure Front Door, Application Gateway, and Azure CDN, providing Layer 7 protection for HTTP/HTTPS traffic.

Web Security
* OWASP threats: Protects against common vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), etc.
* Geographic and IP filtering: Restricts access based on geographic location or specific IP addresses.
* Bot protection: Detects and blocks malicious bot traffic while allowing legitimate bots.
* Rate limiting for DoS protection: Limits request rates to prevent Denial-of-Service (DoS) attacks.

Architecture - Key Components
1. WAF Policy: Web Application Firewalls are supported by Front Door or App Gateway.
2. Settings: Managed/custom rules, policy settings, and policy mode.
3. Association: Associate the policy with one or more Front Doors or App Gateways (listener, path, all).
4. Features/Tier: The available features are in part determined by the associated load balancer (LB).

2
Q

User Defined Routing (Custom Routes)

A

Is a feature that allows users to have fine-grained control over the traffic flowing through their virtual networks or subnets.

Implementation

  1. Route Table: Contains a list of routes that define where traffic should go
  2. Assignment: Route Tables can be assigned to one or more VNet subnets
  3. Routes: A route defines the Next Hop for a specific destination (Address Prefix)
    -Name: A label describing the custom route
    -Address Prefix: Destination address. Can be a Service Tag or a CIDR range
    -Next Hop: Defines where the traffic should go

Rule Processing
-Longest Prefix Match: The route whose address prefix is the most specific wins (a /32 beats any wider prefix)

Limitations
-VNets include default/system routes
-Route precedence: Custom > Border Gateway Protocol (BGP) > Default
-Routes (for example, BGP-learned routes) can be advertised into a route table

3
Q

VNet Peering

A

It is the ability to create private connectivity between isolated VNets without going over the internet.

  • High bandwidth
  • Low latency
  • Traffic is not encrypted, except when peered traffic crosses Azure data centers, where it is protected with MACsec

Implementation
1. VNet Peerings: Two peers are created - one for each direction in the peering
2. Routes: System routes are automatically updated to allow connectivity
3. Options: Peers can support traffic forwarding and gateway/route-server access
-On-premises access through the hub VNet is allowed as long as you tick the allow-gateway-access box on the peering

Considerations
* Peering works across regions/subscriptions/tenants
* Peering is unsupported for overlapping IP ranges
* Transitive routing is not possible by default

4
Q

Service Endpoints

A

Lets resources in a subnet reach publicly accessible Microsoft services without needing a public IP.

-Uses the Microsoft backbone, which means all traffic stays private.
-Still uses the services' public endpoints

Implementation
1. Subnet: Service Endpoints are configured on a per-subnet level
2. Service Endpoint: Enabled for a specific Resource Provider for the given subnet
3. Routes: When configured, a system route is automatically generated

5
Q

Private Link

A

It enables customers to securely access services hosted on Azure privately, without exposing them to the public internet.

-Extends resources into your VNet and gives them a private IP
-On-premises resources connected via VPN, or resources in a peered VNet, can access the private endpoint as well

Private Endpoints

  1. Private Endpoint: Network interface that is deployed to a subnet within a VNet
  2. Resource: The target resource/sub-resource (can be different region)
  3. DNS Integration: When configured, a Private DNS Zone will use the private IP addressing
    -DNS will resolve the service name (e.g. the storage account, SA) to its private IP for the VM

Private Link Service

Provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services

-If a partner builds a solution within Azure and puts a Standard Azure Load Balancer in front of it, you can configure exactly the same sort of private endpoint to reach it.

6
Q

Azure Bastion

A

Is a fully managed Platform-as-a-Service (PaaS) offering, designed to provide secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) access to virtual machines (VMs) within an Azure Virtual Network (VNet) without the need for public IP addresses or VPN connections.

-Secure entry point to VMs in a secured VNet

Implementation

  1. Azure Bastion: Basic or Standard SKU. Must be deployed to a dedicated subnet (at least a /26)
    -To provide connectivity to the Bastion, you will need a public IP
    -The Standard SKU adds features such as custom inbound ports, connecting to VMs by IP address, and a TLS tunnel from your own computer so you can use a native RDP/SSH client instead of being limited to the Azure Portal
  2. Connectivity: Manage machines on connected networks. Secure the Bastion subnet with an NSG
    -Make sure you are securing that Bastion subnet
  3. Client: Management connectivity is over TLS using the Azure Portal as the client
7
Q

VPN Gateway

A

Is a managed networking service that allows organizations to establish secure connections between their on-premises networks or client devices and Azure virtual networks.

-It enables secure communication over the public internet by creating an encrypted virtual private network (VPN) tunnel, with private IPs used inside the tunnel

Implementation

Site-to-Site (S2S) Configuration

Allows organizations to establish encrypted connections between their on-premises networks and Azure virtual networks.

  1. VNet Gateway (VPN): Configured as VPN type, with Policy-based (static) or Route-based routing
    -Deployed to a Gateway Subnet
    -You can use a /29, but Microsoft recommends a /27
    -You will also need a public IP
  2. Local Network Gateway: Describes the remote network reachable via the customer VPN device (requires a public IP)
    -What is the other site that I want to connect to? What does it look like? What are its networks and what is the VPN device that I will connect to?
    -What are the subnets that I can access, and what is the public IP address of the VPN device on the other site that the VPN Gateway will need to connect to?
    -VPN Connection: IPsec/IKE encrypted tunnel, authenticated with a shared passphrase (pre-shared key)

Point-to-Site (P2S) Configuration

Enables individual client devices (such as laptops or mobile devices) to securely connect to Azure virtual networks over the internet.

-P2S does support more than one user

  1. VNet Gateway (VPN): Configured as VPN type, with Route-based routing
    -Must use Route-based routing; Policy-based is not supported
  2. Authentication: Supports certificate-based, RADIUS, or Azure AD authentication
  3. VPN Connection: A VPN client is required to establish the tunnel (type depends on config)
    -Provides private IP connectivity
    -Microsoft offers several VPN clients. OpenVPN (SSL/TLS) works over port 443 and supports all operating systems
    -SSTP (TLS) also works over port 443, but only with TLS and only on Windows
    -IPsec (IKEv2) is also available, but only supports Mac
8
Q

ExpressRoute

A

Is a dedicated private connection service offered by Microsoft Azure that provides high-performance, low-latency, and secure connectivity between on-premises networks and Azure data centers, as well as other Microsoft cloud services like Microsoft 365 and Dynamics 365.

-Not only does it avoid the public internet, but it also provides private access to a range of Microsoft public services
-It uses a "Partner" provider, also called the "Partner Edge", that supports ExpressRoute
-Allows private connectivity from on-premises into either an Azure VNet (Private peering) or Microsoft peering

Implementation

  1. VNet Gateway: Configured as ExpressRoute type with BGP routing
    -Deployed to a Gateway Subnet
    -You can use a /29, but Microsoft recommends a /27
    -You will also need a public IP
  2. ExpressRoute Circuit: Determines peering location/provider, bandwidth, billing model, SKU.
  3. ExpressRoute Peering (what do I want to be connected to?)
    -Microsoft: to public MS services (private IP connectivity to publicly accessible services)
    -Private: to one or more Azure VNets (connectivity to a private VNet)
    -You can connect multiple networks. With Standard ExpressRoute pricing, up to 10 additional VNets can be connected to your ExpressRoute

Pricing/Feature - Considerations

-Can co-exist with a VPN Gateway (not the Basic VPN SKU), which can serve as a failover path
-Can support FastPath (Ultra/ERGw3Az SKU) for better performance and lower-latency connectivity
-Standard supports up to 10 VNets connected to your circuit; if you need more, use "Premium"
-Premium supports cross-geography connectivity and greater limits

9
Q

Azure Virtual WAN

A
10
Q

Azure Firewall

A

Is a managed, cloud-based network security service. It acts as a centralized firewall-as-a-service (FWaaS) solution for securing traffic flowing between Azure Virtual Networks (VNets) and the internet, as well as traffic between VNets within the same Azure region.

-Helps protect your Azure resources from unauthorized access, threats, and attacks by enforcing network-level access controls and security policies.
-Support for Fully Qualified Domain Names (FQDN):

Key Features

-L3 to L7 Connectivity Policies: offers comprehensive connectivity policies that operate at multiple layers of the OSI model. This enables organizations to define granular rules and controls based on IP addresses, ports, protocols, and even application-level traffic.
-Fully Managed and Scalable
-Integrated Threat Intelligence: It leverages up-to-date threat intelligence information to identify and block malicious traffic, known threats, and suspicious activities in real-time.
-Intrusion Detection and Prevention System
-TLS Inspection: Allows it to decrypt and inspect encrypted HTTPS traffic passing through the firewall.
-URL Filtering and Web Categories: Supports filtering based on Fully Qualified Domain Names (FQDNs), allowing you to control access to specific websites or services hosted on the internet. This enables you to implement URL filtering and content inspection for outbound internet-bound traffic.
-Inbound and Outbound NAT: Azure Firewall supports inbound and outbound Network Address Translation (NAT), allowing you to hide the internal IP addresses of your Azure resources and provide internet connectivity for resources hosted within private subnets.

Which of these features are available depends on the SKU of the Firewall.

Implementation

  1. Azure Firewall: Enforces rules. Deploy to the "AzureFirewallSubnet" (at least a /26)
  2. Networking: Supports VNet-to-VNet filtering/routing. Requires a route table to be configured
    -Thanks to the Firewall, you can allow connections between VNets that are connected through the firewall (spoke to spoke)
  3. Firewall Policy: Configuration can be captured as a global resource with hierarchy
    -Allow RDP in? Allow VNet-to-VNet connectivity?
    -You can reuse this policy across multiple firewall instances
    -You can enforce hierarchy: "Parent Policies" enforce global rules and "Child Policies" add individual rules (in different firewalls)
    -Make sure that these firewall policies are created in the same region
    -You can have a global policy that is used across India, Australia, and Europe. The policies can be used by firewalls in different regions, but the policies themselves need to be stored in the same region
    -A child policy can only have a parent that is in the same region, but those policies can be used anywhere across the globe