This article is contributed. See the original author and article here.

Last updated on May 14, 2021


 


In this blog post, we will walk you through basic to advanced scenarios for Azure network security. Ready to become an Azure NetSec ninja? Dive right in!


 


Check back here routinely, as we will keep updating this blog post with new content as it becomes available.


 


Anything in here that could be improved or may be missing? Let us know in the comments below, we’re looking forward to hearing from you.


 


Azure Network Security Ninja Training SectionsAzure Network Security Ninja Training Sections


1       The Basics


 


1.1     Introduction to network security concepts


 


This module introduces general concepts of network and web application security.


 


1.1.1    Network security in Azure


Be familiar with network security concepts and ways you can achieve a secure network deployment in the Azure cloud.



 


1.1.2    Web application protection in Azure


Be familiar with web application protection concepts and ways you can achieve a secure web application deployment in the Azure cloud.



 


1.2     Introduction to Azure network security products


 



Do you prefer videos? Check out the Introduction to Azure Network Security (50 minutes) webinar, which covers all products listed individually below. You can also quickly browse through the contents of the presentation deck



 


1.2.1    Azure DDoS Protection Standard


Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.


 



For more information, check the Azure DDoS Protection Standard documentation.



MS Learn Training Material: Azure DDoS Protection Standard (35 minutes)


This MS Learn module will show you how to guard your Azure services from a denial-of-service attack using Azure DDoS Protection Standard.


 


1.2.2    Azure Firewall and Azure Firewall Manager


Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.


 



For more information, check the Azure Firewall documentation



 


Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.


 



For more information, check the Azure Firewall Manager documentation.



MS Learn Training Material: Azure Firewall and Azure Firewall Manager (40 minutes)


This MS Learn module will describe how Azure Firewall protects Azure Virtual Network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager.


 


1.2.3    Azure Web Application Firewall (WAF)


Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. You can deploy WAF on Azure Application Gateway or WAF on Azure Front Door.


 



For more information, check the Azure Web Application Firewall (WAF) documentation.



MS Learn Training Material: Azure Web Application Firewall (WAF) (40 minutes)


This MS Learn module will show how Azure Web Application Firewall protects Azure web applications from common attacks, including its features, how it’s deployed, and its common use cases.


 


2       Architecture and Deployments


 


2.1     Standalone Deployments


 


2.1.1    Azure DDoS Protection Standard


When deploying Azure DDoS Protection Standard, keep in mind that public IPs in ARM-based VNETs are currently the only type of protected resource. PaaS services (multitenant) are not supported for Azure DDoS Protection Standard SKU at this time. For these services, the default DDoS Protection Basic SKU applies.


The main steps to deploy Azure DDoS Protection Standard are:




Do you prefer videos? Check out the Getting started with Azure Distributed Denial of Service (DDoS) Protection (60 minutes) webinar. You can also quickly browse through the contents of the presentation deck.   



 


2.1.2    Azure Firewall


You can choose to deploy Azure Firewall Standard SKU or Azure Firewall Premium SKU (currently in Public Preview). Check the documentation below to get an understanding of their feature differences:



During your planning stages, it’s also a good idea to refer to the known issues for these products. Being aware of these known issues will save you time and stress when deploying your Azure Firewall.



 


Deploy and configure Azure Firewall using the Azure portal



 


Azure Firewall logs and metrics



 


Integrate Azure Firewall with Azure Standard Load Balancer



 


Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments



 


Azure Firewall DNS settings



 


Azure Firewall in forced tunneling mode




Do you prefer videos? Check out the Manage application and network connectivity with Azure Firewall (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.



 


2.1.1    Azure Web Application Firewall (WAF)



 


2.2     Advanced Deployments


 


2.2.1    On-Prem Hybrid



 


2.2.2    vWAN (Secured Virtual Hub)



 


2.2.3    vWAN (Secured Virtual Hub) with 3rd party SECCaaS



 


2.2.4    Hub and Spoke



 


2.2.5    Forced Tunneling with 3rd party NVAs



 


2.2.6    Multi-product combination in Azure



 


2.2.7    TLS Inspection on Azure Firewall




Do you prefer videos? Check out the Content Inspection Using TLS Termination with Azure Firewall Premium (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck. 



 


2.2.8    Per-Site or Per-URI WAF policies on Azure Application Gateway




Do you prefer videos? Check out the Using Azure WAF Policies to Protect Your Web Application at Different Association Levels (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck. 



 


3       Operations


 


3.1     Centralized Management


 


3.1.1    Azure Firewall Manager and Firewall Policy




Do you prefer videos? Check out the Getting started with Azure Firewall Manager (35 minutes) webinar. You can also quickly browse through the contents of the Azure Firewall Manager presentation deck



 


3.1.2    Web Application Firewall (WAF) Policy



 


3.2     Optimizing


 


3.2.1    Web Application Firewall (WAF) tuning




Do you prefer videos? Check out the Boosting your Azure Web Application (WAF) deployment (45 minutes) webinar. You can also quickly browse through the contents of the presentation deck. 



 


3.3     Governance


 


3.3.1    Built-in Azure Policies for Azure DDoS Protection Standard



 


3.3.2    Built-in Azure Policies for Azure Web Application Firewall (WAF)



 


3.3.3    Restrict creation of Azure DDoS Protection Standard plans with Azure Policy


If you are looking to prevent unplanned or unapproved costs associated with the creation of multiple DDoS plans within the same tenant, check out this Azure Policy template. This policy denies the creation of Azure DDoS Protection Standard plans on any subscriptions, except for the ones defined as allowed.


 


3.4     Responding


 


3.4.1    Azure Web Application Firewall (WAF)


This Logic App Playbook for Sentinel will add the source IP address passed from the Sentinel Incident to a custom WAF rule blocking the IP. For a more comprehensive description of this use case, check our blog post Integrating Azure Web Application Firewall with Azure Sentinel.


 


3.4.2    Azure DDoS Protection Standard


During an active access, Azure DDoS Protection Standard customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack and post-attack analysis.


This DDoS Mitigation Alert Enrichment template will alert administrators of a DDoS event, while adding essential information in the body of the email for a more detailed notification.


 


4       Integrations


 


Using Azure Sentinel with Azure Web Application Firewall


You can integrate Azure WAF with Azure Sentinel for security information event management (SIEM). By doing this, you can use Azure Sentinel’s security analytics, playbooks and workbooks with your WAF’s log data.


In this blog post, we cover in further detail how to configure the log connector, query logs, generate incidents, and automate responses to incidents.


 


5       Hands-on Labs


 


Network Security Demo lab: Azure pre-configured test deployment kit for POC is available in this repository.  You can use this lab to validate Proof of Concepts for the different Network security products. You can find more information on set up and demo in the NetSec POC blogpost


WAF Attack test lab: Set up a Web Application Firewall lab environment to verify how you can identify, detect and protect against suspicious activities in your environment. This blogpost provides steps to protect against potential attacks and you can deploy the template from Github.


 


6       Resource References


 


Register for upcoming webinars or watch recordings of past webinars in our Microsoft Security Community!



Check out and be sure to contribute with our Azure Network Security samples in GitHub!



Check out our Azure Network Security blog posts in our Tech Community!



Provide feedback and ideas about Azure products and features in our Azure Feedback portal!



 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.