by Contributed | Feb 26, 2021 | Technology
This article is contributed. See the original author and article here.
Many of our customers use Azure DNS for name resolution when it comes to infrastructure they have in Azure. The setup with Azure DNS works like a charm and provides name resolution to Azure Infrastructure without doing any complex setup. One challenge you may have is that Azure DNS do not log DNS queries from your VM’s, which means you have no visibility into what endpoints their azure infrastructure is trying to connect to or the DNS name resolution queries being used.
In this blog, we will see how Azure Firewall can help our customers overcome this challenge and provide visibility not only to Azure DNS logging but also to control the traffic flows both east-west and to the internet for their Azure resources.
Azure Firewall recently added Custom DNS and DNS proxy capabilities which was a big ask from all of our customers and, these are the features which we will explore in this blog and how it can help you.
Azure DNS
Azure DNS provides name resolution and basic authoritative DNS capabilities of public DNS names. The Azure DNS IP address is 168.63.129.16. Azure DNS provides DNS name resolution for your Azure infrastructure if you do not have your own DNS server hosted. For example, when you setup a new VM in Azure, it can resolve the public names out of the box using Azure provided name resolution (Azure DNS).
Azure Firewall Custom DNS
By Default, Azure Firewall uses Azure DNS to ensure the service can reliably resolve internet based name resolution. Custom DNS allows you to configure Azure Firewall to use your own corporate DNS server or Azure DNS to resolve the DNS queries.
You may configure a single DNS server or multiple servers in Azure Firewall and Firewall Policy DNS settings. We will go through the setup in more detail later on in this blog.
Azure Firewall DNS Proxy
This feature enables Azure Firewall to act as a DNS forwarder for your Infrastructure. When DNS proxy is enabled, your clients can point to Azure Firewall to resolve the DNS queries and act as DNS servers for your infrastructure.
DNS Proxy logs all the queries coming from your infrastructure in Azure Firewall logs, and we will go through the logs in detail later on in this blog.
We hope the above gives you a good understanding of the components involved in the challenge we are trying to resolve. Let’s look at the solution now and see how Azure firewall Custom DNS and DNS proxy will help with getting visibility into Azure DNS logging.
Architecture
The problem we are trying to solve in this blog is even when UDR’s force all traffic to Firewall, DNS traffic goes straight to DNS which means you cannot log the DNS traffic or control the traffic flow going from your infrastructure to Azure DNS. With this architecture, you can centrally log all DNS traffic going to Azure DNS using Azure Firewall.
In this architecture/deployment we will use a hub and spoke model is recommended, where the firewall is in its own Virtual Network. For the purpose of the blog we will assume a simple architecture where both Workload VM and Azure Firewall is in the same Virtual network but deployed in two different subnets as represented in the below Diagram.
Azure Firewall Deployment
You can deploy azure firewall either from Azure Portal, ARM, REST or CLI. Here is the article which you can follow to setup the above configuration step by step using azure portal.
Tutorial: Deploy & configure Azure Firewall using the Azure portal | Microsoft Docs
From the above article, you only need to follow the first five steps
- Prerequisites
- Set up the network
- Deploy the firewall
- Create a default route
- Configure an application rule
- Configure a DNAT rule
Once you have followed the above steps, you have an Azure Firewall and you can connect to your workload VM using the Azure Firewall Public IP.
Custom DNS and DNS Proxy Configuration
We will now configure Custom DNS and DNS proxy in Azure Firewall.
Configure custom DNS servers and DNS Proxy – Azure portal
- Under Azure Firewall Settings, select DNS Settings.
- Under DNS servers, Select Default (Azure provided).
- Under DNS Proxy, Select Enabled
- Select Save.
Now the Azure firewall directs DNS traffic to Azure DNS for name resolution and Azure Firewall is configured as a DNS proxy.
Enable Diagnostic logs for Azure Firewall
- In the Azure portal, Select the Azure firewall.
- Under Monitoring, select Diagnostic settings.
For Azure Firewall, four service-specific logs are available:
- AzureFirewallApplicationRule
- AzureFirewallNetworkRule
- AzureFirewallThreatIntelLog
- AzureFirewallDnsProxy
- Select Add diagnostic setting. The Diagnostics settings page provides the settings for the diagnostic logs.
- In this example, Azure Monitor logs stores the logs, so type Firewall log analytics for the name.
- Under Log, select AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallThreatIntelLog, and AzureFirewallDnsProxy to collect the logs.
- Select Send to Log Analytics to configure your workspace.
- Select your subscription.
- Select Save.
Configure Azure Firewall as a DNS server
You can configure DNS server settings directly on the Network interface of virtual machine or you can specify directly at Virtual network. Below you can see both the methods.
Configure Azure Firewall as DNS server on your Workload Virtual Machine
- In the Azure portal, Select the Workload Virtual Machine.
- Under Settings, select Networking.
- The Networking page, click on Network Interface.
- This will open up the Network Interface page, under Settings, Select DNS servers.
- In DNS Server Page, Select Custom and enter the internal IP of the Azure Firewall.
Configure Azure Firewall as DNS Server directly on the Virtual network
- In the search box at the top of the portal, enter virtual networks in the search box. When Virtual networks appear in the search results, select it.
- From the list of virtual networks, select the virtual network for which you want to change DNS servers for.
- Select DNS servers, under SETTINGS. Select Custom and enter the internal IP of the Azure Firewall.
Now, we are all set up and will quickly review how azure firewall provides us the visibility of DNS logs from our Azure infrastructure going to Azure Provided DNS.
- Azure Firewall is set up and using its default Custom DNS configuration, which is Azure DNS.
- Azure Firewall is now configured as DNS proxy and acts as a DNS server for our workload VM.
- Workload VM is configured to use Azure Firewall as a DNS server.
- Azure Firewall Diagnostic settings are configured and logging to Log analytics workspace.
Connect to your workload client and access internet.
- RDP to your workload Virtual machine.
- Open browser and browse to www.google.com
Azure Firewall DNS log fields with explanations
Format: {remote}:{port} – {id} {type} {class} {name} {protocol} {size} {do} {bufsize} {rcode} {rflags} {rsize} {duration}
{remote}: client’s IP address, for IPv6 addresses these are enclosed in brackets: [::1]
{port}: client’s port
{id}: query ID
{type}: type of the request
{class}: class of the request
{name}: name of the request
{protocol}: protocol used (tcp or udp)
{size}: request size in bytes
{do}: is the EDNS0 DO (DNSSEC OK) bit set in the query
{bufsize}: the EDNS0 buffer size advertised in the query
{rcode}: response CODE
{rflags}: response flags, each set flag will be displayed, e.g. “aa, tc”. This includes the qr bit as well
{rsize}: response size
{duration}: response duration
Check the Azure Firewall DNS logs
- In the Azure portal, Select the Azure firewall.
- Under Monitoring, select Diagnostic settings.
- In Diagnostics settings page, Click on workspace name under Log Analytics Workspace which will open the Log analytics workspace blade for you.
- In the left Menu, select logs and copy/paste the following query and click on Run.
AzureDiagnostics
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| project-away msg_s
| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId
- You will see an output like the one below and can see all the DNS queries your workload VM is making to Azure provided DNS.
As you can see that now your organization has visibility into all the DNS requests which your Azure Infrastructure is making to Azure Provided DNS and how you can utilize Azure Firewall to control traffic flows. We hope you find this blog useful.
by Contributed | Feb 26, 2021 | Technology
This article is contributed. See the original author and article here.
My new year resolution of Year 2021 is to write more. Before I know, it’s already February and I even celebrated Chinese Lunar Near of 2021 two weeks ago. OK, I guess I can count the clock that way. This year is the Year of the Ox. In Chinese Ox is “牛“. That same Chinse character also means super cool, super awesome. I hope this speaks to the year of Windows containers too .
There have been a lot to share and celebrate in the first 2 months.
AKS on Azure Stack HCI February Update
The biggest news is AKS on Azure Stack HCI February Update released last Friday! Ben Armstrong led the team and delivered lots of new changes and fixes in this release. Nice job! The crown jewel for me is the guide for evaluating AKS-HCI inside an Azure VM authored by Matt McSpirit. Anyone with an Azure subscription can try out AKS on Azure Stack HCI in an Azure VM and of course spin up your Windows containers on it. You won’t be constrained on hardware availability. Matt’s team runs the customer engagement program. They are actively looking at customers who are interested in enrolling in the Early Access Program (EAP) of AKS-HCI. You can fill out this survey if you are interested.
AKS-HCI now supports strong authentication using Active Directory Credentials is another great improvement that enables Active Directory authentication, fully integrated into Kubernetes authentication and configuration workflows. Sumit Lahiri did an excellent job explaining the architecture and what’s under the hood. The new scenario was delivered from the same team that we’ve been partnering closely to bring more gMSA related innovations to Windows containers to make the Lift and Shift experience easier for workloads that need Active Directory. If you are new to gMSA – Group Managed Service Account, it’s a service account that enables Windows containers to have an identity on the wire to allow Active Directory authentications. Our documentation gMSA for Windows containers have more details. We’ll share gMSA related improvements for Windows containers in coming months.
Docs. Docs. Docs.
The team took the quiet time during the Christmas holiday and made improvements on Windows container documentation. I want to list them so everyone can see and benefit.
- We added a new page Lift and Shift to containers under “Get Started”. It shares high level benefits of using containers, applications supported in Windows containers, and a decision tree. This page will help those of you who just started looking at moving your Windows applications to containers.
- We added a new section under “Tutorials” – Manage containers with Windows Admin Center starting with this page “Configure the Container extension on Windows Admin Center”. If you are looking for some tooling to help containerize your apps and deploy them, this will be a great starting point.
- We updated the Base image servicing cycle page under “Reference” to reflect that we have extended Nano Server container SAC1809 release to be supported to 1/9/2024, and the Window container SAC1809 to be supported to 5/11/2021. There is a bit more update on this that I’ll cover later in the blog.
- We added the Events page under “Reference” where all related content from last 2-3 years in major Microsoft and industry conferences are now compiled. We spent lot of effort and time on building quality slides and demos for events. So even though some content could be slightly outdated, they can still be valuable if you are just starting on Windows containers.
Overall, we aim to make this documentation page as a one-stop shop for you to find all the relevant resources no matter which stage you are in leveraging Windows containers to lift and shift and modernize your Windows applications. We welcome your feedback and love to see you help contributing directly on documentation.
Lifecyle Management Update
We streamlined Server Core container and Nano Server container support and lifecycle management. Some of you may recall Nano Server container SAC1809 release was about to reach its end of life (EOL) in Nov 2020. We listened to your feedback especially those of you in the Kubernetes community that moved to use Nano Server containers for comformance testing in addition to regular workload use. Nano Server container SAC1809 now has the same EOL as Server Core container LTSC2019/1809 on 1/9/2024.
The Windows container, sometimes also referred as “the 3rd Windows container”, has been gaining popularity thanks to its broader Windows API support. Recently we were brought to the attention that its SAC1809 release is going to reach its EOL on 5/11/2021. We understand customers who need to stay on Windows Server 2019 as the container host are concerned. That is because those customers can only use containers released in the same wave with the same Build number (also referred as “Major release number”) due to Windows container host and guest version compatibility We are actively looking at options and will update when we are ready.
New Development from the .NET Team
We work very closely with the .NET Team, and I know that many of you run .NET apps on Windows containers. There are two recently blogs from Richard Lander of the .NET team that I want to share.
You will notice this blog is mainly about Linux and only a small portion on Windows. I take it as a positive thing for Windows because it mostly just works with our current company-wide security practices. But we stay vigilant and keep innovating. There will be updates to our docs and blogs coming related to Windows Server container security.
In the Container section, you will notice this is mentioned: “Improve scaling in containers, and better support for Windows process-isolated containers.” This issue in process-isolated containers was reported from a few of our AKS customers. In a nutshell, the issue is that CPUs and memory are not being honored for process-isolated containers by .NET runtime. We are happy to see the .NET Team making improvements that will better take advantage of the capabilities of Windows containers.
I also wanted to call out this update .NET 5.0 Support for Windows Server Core Containers that was made available last November. Both .NET team and our team are very curious of your feedback on this.
What’s Ahead
Two exciting events are coming up on the horizon.
- Microsoft Spring Ignite 2021 is next week March 2-4. I am excited to see quite a few new things our team have been working on will be showcased.
- Microsoft Global MVP Summit 2021 is also coming on March 29-31. MVPs are our best customers and friends. I am excited to see some old and new friends again.
That reminds me recently I had a few email exchanges and GitHub discussions with one of our MVPs Tobias Fenster, CTO of COSMO CONSULT Group based in Germany. To my pleasant surprise, Tobias has been writing blogs on Windows containers, like this one ”Building Docker images for multiple Windows Server versions using self hosted containerized Github runners” . Hidden gems! Go check out Tobias’s presentation list.
To close, I really liked what Satya said in Microsoft Fiscal Year 2021 2nd Quarter Earnings Conference Call in January
“What we are witnessing is the dawn of a second wave of digital transformation sweeping every company and every industry.
Digital capability is key to both resilience and growth.
It’s no longer enough to just adopt technology. Businesses need to build their own technology to compete and grow. “
Borrowing that perspective, it’s no longer just about adopting Windows containers to lift and shift and modernize with AKS and AKS on Azure Stack HCI. It’s about leveraging Windows containers, differentiate your company and grow to new heights.
As always, we’d love to hear from you, how you use Windows containers, on AKS, AKS on Azure Stack HCI, or other environments, and what we can do better to help you make your digital transformation journey easier.
Weijuan
Twitter: @WeijuanLand
Email: win-containers@microsoft.com
by Contributed | Feb 26, 2021 | Technology
This article is contributed. See the original author and article here.
Welcome back to the Security Controls in Azure Security Center series! This time we are here to talk about “Protect applications against DDoS attacks”.
Distributed denial-of-service (DDoS) attacks overwhelm resources and render applications unusable.
Use Azure DDoS Protection Standard to defend your organization from the three main types of DDoS attacks:
- Volumetric attacks flood the network with legitimate traffic. DDoS Protection Standard mitigates these attacks by absorbing or scrubbing them automatically.
- Protocol attacks render a target inaccessible, by exploiting weaknesses in the layer 3 and layer 4 protocol stack. DDoS Protection Standard mitigates these attacks by blocking malicious traffic.
- Resource (application) layer attacks target web application packets. Defend against this type with a web application firewall and DDoS Protection Standard.
The “Protect applications against DDoS attacks” Security Control is worth two points and includes the recommendations below.
Azure DDoS Protection Standard should be enabled
DDoS attacks are often designed to make an application resource or online service unavailable by overwhelming the resource or service with more traffic than it can handle. Once the resource is no longer able to handle legitimate requests, it might also become vulnerable for code injection. The unavailability of the resource or service presents a significant issue considering legitimate parties also lose access to these resources or services. Daily business offerings may be halted as a result of the denial of service. Any endpoint that can be publicly reached through the internet is vulnerable to a DDoS attack. DDoS attacks can often be used to divert attention from larger targets such as injecting malware into company resources or data exfiltration.
Like most cyber threats, repairing a DDoS attack will take time and money. Aside from diverting resources to repair the attack, your organization could also be losing money due to the time it takes to get your resources and services back up and running. The best way to be prepared is to have precautions in place that will prevent these attacks from being successful. Azure resources are deployed with Azure Basic DDoS protection enabled, allowing for integrated defense against common network layer threats. Azure DDoS Protection Standard provides enhanced features that are designed specifically for your Azure resources including attack analytics and metrics.
Security Center works with Application Gateway, a web traffic load balancer, that enables users to manage traffic to their web applications. Application Gateway also utilizes Web Application Firewall (WAF) to respond, detect and prevent threats from web applications. APG/WAF is best combined with DDoS Protection to ensure Layer 4 – 7 protection.
Container CPU and memory limits should be enforced
Different types of DDoS attacks including Application Level Attacks focus on exhausting a server’s resources, including the CPU, in order to make the server unable to process legitimate requests. Enforcing container CPU and memory limits protect your container workloads from DDoS attacks by preventing the container from using more than the configured resource limit.
Azure Policy add-on for Kubernetes should be installed and enabled on your clusters
As discussed in our overview of the Remediate Security Configurations Control and Manage Access and Permissions, this recommendation is geared towards helping users safeguard their Kubernetes clusters by managing and reporting their compliance state.
Next Steps
Thanks for tuning back in to learn about the “Protect applications against DDoS attacks” Security Control within Azure Security Center. To gain credit for taking steps to protect your resources from DDoS attacks, you must remediate all the recommendations within this Security Control. As a reminder recommendations in Preview are not included in your Secure Score calculation until they are GA. Make sure to also check out our previous blogs and documentation to help you on your Secure Score journey!
- The main blog post to this series (found here)
- The DOCs article about secure score (which is this one)
Reviewers
@Tobi Otolorin, Program Manager 2, CxE Network Security
@Tom Janetscheck , Senior Program Manager, CxE ASC
by Contributed | Feb 26, 2021 | Technology
This article is contributed. See the original author and article here.
Welcome back to the Security Controls in Azure Security Center series! This time we are here to talk about “Protect applications against DDoS attacks”.
Distributed denial-of-service (DDoS) attacks overwhelm resources and render applications unusable.
Use Azure DDoS Protection Standard to defend your organization from the three main types of DDoS attacks:
- Volumetric attacks flood the network with legitimate traffic. DDoS Protection Standard mitigates these attacks by absorbing or scrubbing them automatically.
- Protocol attacks render a target inaccessible, by exploiting weaknesses in the layer 3 and layer 4 protocol stack. DDoS Protection Standard mitigates these attacks by blocking malicious traffic.
- Resource (application) layer attacks target web application packets. Defend against this type with a web application firewall and DDoS Protection Standard.
The “Protect applications against DDoS attacks” Security Control is worth two points and includes the recommendations below.
Azure DDoS Protection Standard should be enabled
DDoS attacks are often designed to make an application resource or online service unavailable by overwhelming the resource or service with more traffic than it can handle. Once the resource is no longer able to handle legitimate requests, it might also become vulnerable for code injection. The unavailability of the resource or service presents a significant issue considering legitimate parties also lose access to these resources or services. Daily business offerings may be halted as a result of the denial of service. Any endpoint that can be publicly reached through the internet is vulnerable to a DDoS attack. DDoS attacks can often be used to divert attention from larger targets such as injecting malware into company resources or data exfiltration.
Like most cyber threats, repairing a DDoS attack will take time and money. Aside from diverting resources to repair the attack, your organization could also be losing money due to the time it takes to get your resources and services back up and running. The best way to be prepared is to have precautions in place that will prevent these attacks from being successful. Azure resources are deployed with Azure Basic DDoS protection enabled, allowing for integrated defense against common network layer threats. Azure DDoS Protection Standard provides enhanced features that are designed specifically for your Azure resources including attack analytics and metrics.
Security Center works with Application Gateway, a web traffic load balancer, that enables users to manage traffic to their web applications. Application Gateway also utilizes Web Application Firewall (WAF) to respond, detect and prevent threats from web applications. APG/WAF is best combined with DDoS Protection to ensure Layer 4 – 7 protection.
Container CPU and memory limits should be enforced
Different types of DDoS attacks including Application Level Attacks focus on exhausting a server’s resources, including the CPU, in order to make the server unable to process legitimate requests. Enforcing container CPU and memory limits protect your container workloads from DDoS attacks by preventing the container from using more than the configured resource limit.
Azure Policy add-on for Kubernetes should be installed and enabled on your clusters
As discussed in our overview of the Remediate Security Configurations Control and Manage Access and Permissions, this recommendation is geared towards helping users safeguard their Kubernetes clusters by managing and reporting their compliance state.
Next Steps
Thanks for tuning back in to learn about the “Protect applications against DDoS attacks” Security Control within Azure Security Center. To gain credit for taking steps to protect your resources from DDoS attacks, you must remediate all the recommendations within this Security Control. As a reminder recommendations in Preview are not included in your Secure Score calculation until they are GA. Make sure to also check out our previous blogs and documentation to help you on your Secure Score journey!
- The main blog post to this series (found here)
- The DOCs article about secure score (which is this one)
Reviewers
@Tobi Otolorin, Program Manager 2, CxE Network Security
@Tom Janetscheck , Senior Program Manager, CxE ASC
by Contributed | Feb 26, 2021 | Technology
This article is contributed. See the original author and article here.
Did you know that Microsoft Learn Student Ambassadors speak at least 117 languages between them? Or that about 15 percent of them go to school more than 805 kilometers from where they grew up?
To learn more about the big stuff and the small stuff that makes them tick, check out this visual introduction to who they are and what student life looks like for them.
And if you see yourself in this incredible community and wonder what you could achieve with the right opportunity, we’d love to meet you. Learn more at StudentAmbassadors.microsoft.com.
Recent Comments