Last updated on May 14, 2021
In this blog post, we will walk you through basic to advanced scenarios for Azure network security. Ready to become an Azure NetSec ninja? Dive right in!
Check back here routinely, as we will keep updating this blog post with new content as it becomes available.
Anything in here that could be improved or may be missing? Let us know in the comments below; we look forward to hearing from you.
1 The Basics
1.1 Introduction to network security concepts
This module introduces general concepts of network and web application security.
1.1.1 Network security in Azure
Be familiar with network security concepts and ways you can achieve a secure network deployment in the Azure cloud.
- Network security and containment in Azure
- Secure and govern workloads with network level segmentation
- Best practices for network security
1.1.2 Web application protection in Azure
Be familiar with web application protection concepts and ways you can achieve a secure web application deployment in the Azure cloud.
1.2 Introduction to Azure network security products
Do you prefer videos? Check out the Introduction to Azure Network Security (50 minutes) webinar, which covers all products listed individually below. You can also quickly browse through the contents of the presentation deck.
1.2.1 Azure DDoS Protection Standard
Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.
For more information, check the Azure DDoS Protection Standard documentation.
MS Learn Training Material: Azure DDoS Protection Standard (35 minutes)
This MS Learn module will show you how to guard your Azure services from a denial-of-service attack using Azure DDoS Protection Standard.
1.2.2 Azure Firewall and Azure Firewall Manager
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
For more information, check the Azure Firewall documentation.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
For more information, check the Azure Firewall Manager documentation.
MS Learn Training Material: Azure Firewall and Azure Firewall Manager (40 minutes)
This MS Learn module will describe how Azure Firewall protects Azure Virtual Network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager.
1.2.3 Azure Web Application Firewall (WAF)
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. You can deploy WAF on Azure Application Gateway or WAF on Azure Front Door.
For more information, check the Azure Web Application Firewall (WAF) documentation.
MS Learn Training Material: Azure Web Application Firewall (WAF) (40 minutes)
This MS Learn module will show how Azure Web Application Firewall protects Azure web applications from common attacks, including its features, how it’s deployed, and its common use cases.
2 Architecture and Deployments
2.1 Standalone Deployments
2.1.1 Azure DDoS Protection Standard
When deploying Azure DDoS Protection Standard, keep in mind that public IPs in ARM-based virtual networks are currently the only type of protected resource. Multitenant PaaS services are not supported by the Azure DDoS Protection Standard SKU at this time; for those services, the default DDoS Protection Basic SKU applies.
The main steps to deploy Azure DDoS Protection Standard are:
- Create a DDoS protection plan
- Attach virtual networks to the DDoS protection plan
- Configure DDoS logging
- Enable diagnostic settings on Public IP Address resources
Do you prefer videos? Check out the Getting started with Azure Distributed Denial of Service (DDoS) Protection (60 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
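The four steps above as a single Bicep deployment. This is an added example, not code from the original post or from the Azure Network Security samples repository. It assumes resource-group scope, one Standard public IP as the protected resource, and an existing Log Analytics workspace whose resource ID is passed in as `workspaceId`; all names and address ranges are placeholders.

```bicep
// Added example (not from the original post): the four DDoS Protection Standard
// steps as one resource-group-scoped Bicep deployment. Names, address ranges
// and the Log Analytics workspace are assumptions.
param location string = resourceGroup().location
@description('Resource ID of an existing Log Analytics workspace (assumed to exist).')
param workspaceId string

// Step 1: the plan. One plan can protect VNets in any subscription of the
// tenant, so a second plan usually only adds cost.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2021-02-01' = {
  name: 'ddos-plan-prod'
  location: location
  properties: {}
}

// Step 2: attach the VNet. Both properties are needed: the flag alone does
// not attach a plan, and the plan alone protects nothing.
resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.0.0.0/16']
    }
    enableDdosProtection: true
    ddosProtectionPlan: {
      id: ddosPlan.id
    }
    subnets: [
      {
        name: 'snet-web'
        properties: {
          addressPrefix: '10.0.1.0/24'
        }
      }
    ]
  }
}

// The protected resource. A public IP is covered once it is associated with a
// NIC, load balancer or gateway inside the protected VNet.
resource pip 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
  name: 'pip-web'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// Steps 3 and 4: DDoS logs are emitted per public IP, not per plan or VNet, so
// the diagnostic setting is an extension resource scoped to the public IP.
resource pipDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'ddos-to-log-analytics'
  scope: pip
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'DDoSProtectionNotifications' // mitigation started/stopped
        enabled: true
      }
      {
        category: 'DDoSMitigationFlowLogs' // per-flow forward/drop detail during mitigation
        enabled: true
      }
      {
        category: 'DDoSMitigationReports' // 5-minute and post-mitigation summaries
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics' // includes the "under DDoS attack" signal used for alerting
        enabled: true
      }
    ]
  }
}

output protectedPublicIpId string = pip.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file ddos.bicep --parameters workspaceId=<workspace resource ID>`, then confirm the attachment with `az network vnet show --name vnet-hub --resource-group <rg> --query "{ddos:enableDdosProtection, plan:ddosProtectionPlan.id}"`. The one thing people forget is that the logs only flow while a diagnostic setting exists on every public IP you care about; a new public IP created later in the VNet is protected but silent until it gets its own setting, which is exactly what the built-in policy in section 3.3.1 audits.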
2.1.2 Azure Firewall
You can choose to deploy the Azure Firewall Standard SKU or the Azure Firewall Premium SKU (currently in Public Preview). Check the documentation to understand their feature differences.
During your planning stages, it’s also a good idea to refer to the known issues for these products. Being aware of these known issues will save you time and stress when deploying your Azure Firewall.
Deploy and configure Azure Firewall using the Azure portal
Azure Firewall logs and metrics
- Azure Firewall logs and metrics
- Monitor Azure Firewall logs and metrics
- Overview of Azure Firewall logs and metrics
Integrate Azure Firewall with Azure Standard Load Balancer
Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments
- Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments
- Restrict egress traffic in Azure Kubernetes Service (AKS)
Azure Firewall DNS settings
- Azure Firewall DNS settings
- Enabling DNS proxy in your Azure Firewall will allow you to use FQDN filtering in network rules
- Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy
Azure Firewall in forced tunneling mode
Do you prefer videos? Check out the Manage application and network connectivity with Azure Firewall (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
2.1.3 Azure Web Application Firewall (WAF)
- Create a WAF Policy on Azure Application Gateway
- Create a WAF Policy on Azure Front Door
- Configure WAF logging for an Application Gateway deployment
- Configure WAF logging for a Front Door deployment
- Azure Web Application Firewall: WAF config versus WAF policy
2.2 Advanced Deployments
2.2.1 On-Prem Hybrid
- Deploy and configure Azure Firewall in a hybrid network via Azure Portal or via PowerShell
- Deploy network virtual appliances (NVAs) for high availability in Azure
- Implement a secure hybrid network
2.2.2 vWAN (Secured Virtual Hub)
- Introduction to Azure Virtual WAN
- What are the Azure Firewall Manager architecture options?
- Azure Virtual WAN FAQs
- How does the virtual hub in a virtual WAN select the best path for a route from multiple hubs?
- Configure Azure Firewall in a VWAN hub
- Convert a VWAN to a Secure Hub
- Secure your VirtualHub with Azure Firewall Manager
- Migrate to Virtual WAN
2.2.3 vWAN (Secured Virtual Hub) with 3rd party SECCaaS
- VWAN hub partners
- Deploy a security partner provider
- Deploy Check Point CloudGuard Connect as a trusted Azure security partner
2.2.4 Hub and Spoke
- Hub and spoke network topology
- Hub-spoke network topology with Azure Firewall
- Using Azure Firewall as a Network Virtual Appliance (NVA)
2.2.5 Forced Tunneling with 3rd party NVAs
2.2.6 Multi-product combination in Azure
- Combine Azure Firewall with other network security products
- Determine how best to combine Application Gateway and Azure Front Door
2.2.7 TLS Inspection on Azure Firewall
- Enable TLS inspection in Azure Firewall
- Learn about URL filtering and Web Categories
- Certificate Management Overview for Azure Firewall Premium TLS Inspection
Do you prefer videos? Check out the Content Inspection Using TLS Termination with Azure Firewall Premium (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
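One Premium firewall policy that combines the two settings discussed above: the DNS proxy that FQDN-based network rules depend on (section 2.1.2, Azure Firewall DNS settings) and TLS inspection with URL-level filtering (this section). This is an added example, not code from the original post or from Microsoft's samples. It assumes a user-assigned identity that has already been granted Get on the Key Vault secret holding the intermediate CA certificate (passed in as `caCertSecretId`); rule targets, address ranges and names are placeholders.

```bicep
// Added example (not from the original post): Azure Firewall Premium policy with
// DNS proxy, an FQDN-based network rule and a TLS-inspected application rule.
// Names, address ranges, the identity and the Key Vault secret are assumptions.
param location string = resourceGroup().location
@description('Key Vault secret ID of the intermediate CA PFX used to issue inspection certs (assumed to exist).')
param caCertSecretId string
@description('Resource ID of a user-assigned identity granted Get on that secret (assumed to exist).')
param fwIdentityId string

resource fwPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
  name: 'afwp-prod'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${fwIdentityId}': {} // identity the firewall uses to fetch the CA from Key Vault
    }
  }
  properties: {
    sku: {
      tier: 'Premium' // TLS inspection and URL (path-level) filtering need Premium
    }
    dnsSettings: {
      servers: [] // empty = Azure-provided DNS; list custom resolvers here
      enableProxy: true // mandatory for destinationFqdns in network rules
    }
    transportSecurity: {
      certificateAuthority: {
        name: 'tls-inspection-ca'
        keyVaultSecretId: caCertSecretId
      }
    }
  }
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
  parent: fwPolicy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // FQDN in a network rule: the firewall resolves it through its own DNS proxy,
        // so clients must use the firewall as DNS server or they may resolve a
        // different IP than the firewall did and be denied.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'net-allow-ntp-by-fqdn'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'ntp-out'
            ipProtocols: ['UDP']
            sourceAddresses: ['10.0.0.0/16']
            destinationFqdns: ['time.windows.com']
            destinationPorts: ['123']
          }
        ]
      }
      {
        // terminateTLS: the firewall decrypts, matches the full URL path rather than
        // only the SNI host, then re-encrypts with a certificate issued by the CA
        // above, so every client must trust that CA's root or it sees cert errors.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-allow-inspected'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'github-org-only'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            sourceAddresses: ['10.0.0.0/16']
            targetUrls: ['github.com/contoso/*']
            terminateTLS: true
          }
        ]
      }
    ]
  }
}

output firewallPolicyId string = fwPolicy.id
```

Only the policy is shown; attach it to a Premium-tier firewall through the `firewallPolicy` reference on the `Microsoft.Network/azureFirewalls` resource, and set the DNS servers of the spoke VNets to the firewall's private IP so that client and firewall resolutions agree. Without `terminateTLS`, the same `targetUrls` rule would silently match on the host name only, which is the usual reason a path-based allow rule appears to let more through than intended.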
2.2.8 Per-Site or Per-URI WAF policies on Azure Application Gateway
Do you prefer videos? Check out the Using Azure WAF Policies to Protect Your Web Application at Different Association Levels (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
3.1 Centralized Management
3.1.1 Azure Firewall Manager and Firewall Policy
Do you prefer videos? Check out the Getting started with Azure Firewall Manager (35 minutes) webinar. You can also quickly browse through the contents of the Azure Firewall Manager presentation deck.
3.1.2 Web Application Firewall (WAF) Policy
3.2.1 Web Application Firewall (WAF) tuning
- Troubleshooting and tuning for Azure WAF for Application Gateway
- Troubleshooting and tuning for Azure WAF for Front Door
Do you prefer videos? Check out the Boosting your Azure Web Application (WAF) deployment (45 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
3.3.1 Built-in Azure Policies for Azure DDoS Protection Standard
- Azure DDoS Protection Standard should be enabled
- Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard
- Virtual networks should be protected by Azure DDoS Protection Standard
3.3.2 Built-in Azure Policies for Azure Web Application Firewall (WAF)
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service
- Web Application Firewall (WAF) should use the specified mode for Application Gateway
- Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service
3.3.3 Restrict creation of Azure DDoS Protection Standard plans with Azure Policy
If you are looking to prevent unplanned or unapproved costs associated with the creation of multiple DDoS plans within the same tenant, check out this Azure Policy template. This policy denies the creation of Azure DDoS Protection Standard plans on any subscriptions, except for the ones defined as allowed.
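A custom Azure Policy definition that does what the template above describes, written as an added Bicep example rather than the linked template itself: it denies creation of `Microsoft.Network/ddosProtectionPlans` unless the request's subscription is in an allow-list, and is deployed at management-group scope so one assignment covers every subscription beneath it. The management group and subscription IDs are placeholders.

```bicep
// Added example (not the linked template): deny DDoS protection plans outside an
// allow-list of subscriptions. Management group and subscription IDs are placeholders.
targetScope = 'managementGroup'

@description('Subscriptions allowed to own a plan, as full IDs (/subscriptions/<guid>), which is what subscription().id returns inside Policy.')
param allowedSubscriptions array = [
  '/subscriptions/00000000-0000-0000-0000-000000000000'
]

resource denyDdosPlans 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-ddos-plan-outside-allowlist'
  properties: {
    policyType: 'Custom'
    mode: 'All'
    displayName: 'DDoS Protection Standard plans may only be created in approved subscriptions'
    description: 'Prevents unplanned plan cost: one plan can protect every VNet in the tenant.'
    parameters: {
      allowedSubscriptions: {
        type: 'Array'
        metadata: {
          displayName: 'Allowed subscription resource IDs'
        }
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Network/ddosProtectionPlans'
          }
          {
            // Bicep escapes the leading "[" so these expressions reach Policy
            // unevaluated and are resolved per request, not at deployment time.
            value: '[subscription().id]'
            notIn: '[parameters(\'allowedSubscriptions\')]'
          }
        ]
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

resource assignDenyDdosPlans 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'deny-ddos-plans'
  properties: {
    displayName: 'Deny DDoS plans outside approved subscriptions'
    policyDefinitionId: denyDdosPlans.id
    enforcementMode: 'Default' // switch to 'DoNotEnforce' to see would-be denials first
    parameters: {
      allowedSubscriptions: {
        value: allowedSubscriptions
      }
    }
  }
}
```

Deploy with `az deployment mg create --management-group-id <mg> --location <region> --template-file deny-ddos-plans.bicep`. Note that a deny policy only stops new plans; plans that already exist in other subscriptions stay in place and should be found with a separate audit, and the allow-listed subscription still needs the plan's VNet attachments to be done deliberately (section 2.1.1) since the policy says nothing about those.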
3.4.1 Azure Web Application Firewall (WAF)
This Logic App Playbook for Sentinel will add the source IP address passed from the Sentinel Incident to a custom WAF rule blocking the IP. For a more comprehensive description of this use case, check our blog post Integrating Azure Web Application Firewall with Azure Sentinel.
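What the playbook's end state looks like in configuration: an Application Gateway WAF policy (the "Create a WAF Policy" step in section 2.1.3) with the OWASP managed rule set in Prevention mode plus a custom rule whose IP list the playbook appends to. This is an added example, not the original post's code or the sample playbook; the IP addresses are constructed RFC 5737 documentation ranges and the policy name is a placeholder.

```bicep
// Added example (not from the original post): App Gateway WAF policy with a custom
// IP-block rule that automation such as the Sentinel playbook keeps updated.
// The IPs are constructed RFC 5737 documentation addresses, not real offenders.
param location string = resourceGroup().location
@description('IPs or CIDRs to block. The playbook patches this list at runtime; keep it in source control as well.')
param blockedIps array = [
  '203.0.113.0/24'
  '198.51.100.7'
]

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-02-01' = {
  name: 'wafpol-prod'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // Detection only logs; Prevention returns 403 on a match
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.1'
        }
      ]
    }
    customRules: [
      {
        // Custom rules run before managed rules; the lowest priority number wins,
        // so a flagged client is blocked regardless of what the OWASP rules decide.
        name: 'BlockSentinelFlaggedIPs'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              {
                // Source IP as seen by the gateway. If a proxy or Front Door sits in
                // front, the real client IP is in the X-Forwarded-For header instead.
                variableName: 'RemoteAddr'
              }
            ]
            operator: 'IPMatch'
            matchValues: blockedIps
          }
        ]
      }
    ]
  }
}

// Associate with a gateway via firewallPolicy: { id: wafPolicy.id } on the
// Microsoft.Network/applicationGateways resource.
output wafPolicyId string = wafPolicy.id
```

Because the playbook rewrites `matchValues` in place, give the rule a stable name and priority that nothing else uses, and size the IP list with the WAF's per-rule match-value limit in mind; an automation that appends forever will eventually fail its PUT, which is the kind of failure a Sentinel incident rarely surfaces on its own.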
3.4.2 Azure DDoS Protection Standard
During an active attack, Azure DDoS Protection Standard customers have access to the DDoS Rapid Response (DRR) team, who can help with investigation during the attack and with post-attack analysis.
This DDoS Mitigation Alert Enrichment template will alert administrators of a DDoS event, while adding essential information in the body of the email for a more detailed notification.
Using Azure Sentinel with Azure Web Application Firewall
You can integrate Azure WAF with Azure Sentinel for security information event management (SIEM). By doing this, you can use Azure Sentinel’s security analytics, playbooks and workbooks with your WAF’s log data.
In this blog post, we cover in further detail how to configure the log connector, query logs, generate incidents, and automate responses to incidents.
5 Hands-on Labs
Network Security Demo lab: an Azure pre-configured test deployment kit for proof of concepts (POCs) is available in this repository. You can use this lab to validate POCs for the different network security products. You can find more information on setup and the demo in the NetSec POC blog post.
WAF Attack test lab: set up a Web Application Firewall lab environment to verify how you can identify, detect and protect against suspicious activities in your environment. This blog post provides steps to protect against potential attacks, and you can deploy the template from GitHub.
6 Resource References
Register for upcoming webinars or watch recordings of past webinars in our Microsoft Security Community!
Check out, and contribute to, our Azure Network Security samples on GitHub!
Check out our Azure Network Security blog posts in our Tech Community!
Provide feedback and ideas about Azure products and features in our Azure Feedback portal!