You're reading from Designing and Implementing Microsoft Azure Networking Solutions

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781803242033
Edition: 1st Edition
Author: David Okeyode

David is the EMEA Azure CTO at Palo Alto Networks. Before that, he was an independent consultant helping companies secure their Azure environments through private expert-level training and assessments. He has authored two books on Azure security, "Penetration Testing Azure for Ethical Hackers" and "Microsoft Azure Security Technologies Certification and Beyond". He has also authored multiple cloud computing courses for popular platforms such as LinkedIn Learning. He holds over 15 cloud certifications and has over a decade of experience in cybersecurity (consultancy, design, implementation). David is married to a lovely girl who makes the best banana cake in the world. They love travelling the world together!

Designing and Implementing Network Security

Security is very important for any network design. If we don’t make sure our Azure network workloads are secure, someone could use our resources for illegal activities, access sensitive customer data, or damage our reputation. To avoid these risks, we need to consider security when we set up our Azure virtual networks. This helps to keep our data and resources safe from unauthorized access or attacks. By the end of this chapter, you will have a good understanding of the following:

  • Securing the Azure virtual network perimeter
  • Implementing Azure Distributed Denial-of-Service (DDoS) Protection
  • Implementing Azure Firewall
  • Implementing a Web Application Firewall (WAF) in Azure
  • Implementing central management with Firewall Manager

We have arranged the topics to match the exam objectives. Let’s get started!

Technical requirements

To follow along with the instructions in this chapter, you will need the following:

  • A PC with internet connection
  • An Azure subscription

Securing the Azure virtual network perimeter

A network perimeter is a boundary that separates the public internet and our private virtual networks in Azure (see Figure 8.1). The objectives of securing the network perimeter are to keep out bad traffic, such as DDoS attacks, and to protect our network from unauthorized access and threats coming from an external network.

Azure offers several services to help with this, including the DDoS Protection service, Azure Firewall, Azure Web Application Firewall, and third-party security Network Virtual Appliance options.

Figure 8.1 – Azure network perimeter security

Figure 8.1 shows the main perimeter security services that we will talk about in this chapter and how they fit into an Azure network architecture. We will begin by discussing the Azure DDoS protection service in the next section.

Implementing DDoS protection

A DDoS attack is a collection of attack types aimed at disrupting the availability of a target by overwhelming it with malicious traffic. They are usually targeted at virtual network workloads that are accessible via the internet.

The Azure DDoS Protection service helps protect internet-facing virtual network workloads from these attacks by identifying and blocking the malicious attempts to overwhelm our network before they can reach our resources. This service uses the scale and elasticity of Microsoft’s global network to stop the attack at the edge of the Azure network (see Figure 8.1). There are three main types of DDoS attacks:

  • Volumetric DDoS attacks such as amplification floods and UDP floods, which overload the network bandwidth capabilities of a target to make it inaccessible. This is the equivalent of what happens in a traffic jam – when vehicles cannot move forward because there is too much traffic. Mitigating this category...

Hands-on exercise 1 – provisioning resources for Chapter 8’s exercises

To follow along with the exercises in this chapter and the next one, we will provision some Azure resources to work with. We have prepared an Azure ARM template in the GitHub repository for this book for this purpose. The template will deploy an Azure virtual network with three subnets. The public subnet will have an Ubuntu Linux VM with NGINX installed as shown in Figure 8.5. The VM has a public IP, and it is reachable directly from the internet. The other two subnets are empty. Here are the tasks that we will complete in this exercise:

  • Task 1: Initialize template deployment in GitHub
  • Task 2: Complete the parameters and deploy the template to Azure

Figure 8.5 – Chapter 8 exercises scenario

Let us begin the template deployment:

  1. Open a web browser and browse to https://packt.link/WJxvK. This link will open the GitHub repository with...

Hands-on exercise 2 – implementing DDoS Protection, monitoring, and validation

Here are the tasks that we will complete in this exercise:

  • Task 1: Create a DDoS Protection plan
  • Task 2: Enable DDoS Protection on a virtual network
  • Task 3: Review DDoS metrics for telemetry
  • Task 4: Configure DDoS diagnostic logs forwarding
  • Task 5: Configure DDoS alerts
  • Task 6: Create a BreakingPoint Cloud account and authorize your Azure subscription
  • Task 7: Run a DDoS test
  • Task 8: Review DDoS test results

By the end of this exercise, our implementation will be like what is shown in Figure 8.9. Let’s get into this!

Figure 8.9 – End result of Exercise 2

Task 1 – creating a DDoS Protection plan

The first thing that we will do is to create a DDoS Network Protection plan, which we will apply to virtual networks that we want to protect:

  1. On the Azure portal home page, in the search box, type DDoS and...
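The same two steps (Tasks 1 and 2 of this exercise) expressed as infrastructure-as-code. This is an added Bicep example, not the book's own template; the plan name, VNet name, address space and subnet name are assumptions:

```bicep
// Added example (not from the book): Bicep equivalent of Exercise 2, Tasks 1-2.
// Creates a DDoS Network Protection plan and enables it on a virtual network.
// Resource names, address space and subnet name below are assumptions.
@description('Region for all resources')
param location string = resourceGroup().location

@description('Name of the DDoS Network Protection plan (assumed name)')
param ddosPlanName string = 'ddos-plan-chapter8'

@description('Name of the virtual network to protect (assumed name)')
param vnetName string = 'vnet-chapter8'

// Task 1: the DDoS Network Protection plan. A single plan can be associated
// with virtual networks across subscriptions in the same tenant.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-04-01' = {
  name: ddosPlanName
  location: location
  properties: {}
}

// Task 2: the virtual network with DDoS Network Protection enabled.
// Without enableDdosProtection = true plus the plan reference, only the
// platform's default infrastructure protection applies to this VNet's public IPs.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.8.0.0/16' ] // constructed address space
    }
    enableDdosProtection: true
    ddosProtectionPlan: {
      id: ddosPlan.id
    }
    subnets: [
      {
        name: 'PublicSubnet' // assumed subnet name
        properties: { addressPrefix: '10.8.1.0/24' }
      }
    ]
  }
}

output ddosPlanId string = ddosPlan.id
```

Deploy it into an existing resource group with `az deployment group create --resource-group <rg> --template-file ddos.bicep`; the DDoS metrics reviewed in Task 3 then appear on the public IP resources inside the protected VNet.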

Implementing Azure Firewall

Azure Firewall is a perimeter network security service in Azure. It can be used to inspect both incoming and outgoing virtual network connections to keep workloads safe from malicious traffic. Unlike a third-party firewall appliance that is deployed as a Network Virtual Appliance (NVA) in Azure, Azure Firewall is a managed service, meaning we don’t have to worry about maintaining its underlying operating system, updating its services, implementing high availability, or scaling it, as all these tasks are taken care of by Microsoft. All we need to do is deploy the service, configure it, use it, and pay for usage!

Understanding Azure Firewall service tiers

When implementing Azure Firewall, one of the first decisions that we need to make is the service tier that we want to implement. Azure Firewall offers three service tier options: Basic, Standard, and Premium (see Figure 8.31).

Figure 8.31 – Azure Firewall service tiers

Hands-on exercise 3 – deploying Azure Firewall into a VNet and a Virtual WAN Hub

Here are the tasks that we will complete in this exercise:

  • Task 1: Deploy an Azure Firewall test environment template with the Azure CLI
  • Task 2: Review the firewall service and the firewall policy
  • Task 3: Test connectivity through the firewall

Task 1 – deploying an Azure Firewall test environment template with the Azure CLI

The first thing that we will do is deploy a test environment with Azure Firewall and test resources:

  1. Open a web browser and go to the Azure Cloud Shell page – https://shell.azure.com. If you are prompted, log in with your Azure admin credentials. Check that the environment dropdown from the left-hand side of the Shell window says Bash.

Figure 8.45 – Opening CloudShell (Bash)

  2. Run the following command to deploy a template with an Azure Firewall test environment. Replace <Complex_Password> with a password...

Implementing a WAF in Azure

Web and API applications are popular workload types to host in Azure virtual networks. They are also frequently targeted by malicious attacks exploiting well-known vulnerabilities such as SQL injection, cross-site scripting, and code injection. To complement secure coding practices for web application development, a WAF can be deployed at the network perimeter as an additional layer of protection against these types of exploits and vulnerabilities. Azure WAF is not a standalone service in Azure. Instead, it is a capability that can be integrated into two Azure traffic management services – Azure Application Gateway and Azure Front Door.

Azure Application Gateway is a regional-level application delivery service that can be deployed with a WAF to protect public-facing or internal workloads in an Azure virtual network. It can be deployed into a designated subnet within our Azure virtual networks, and we can apply a WAF policy to it (see Figure 8.57...
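The WAF policy that gets attached to an Application Gateway, as an added Bicep example (not the book's own template). The policy name is an assumption; the managed rule set is the OWASP Core Rule Set, which covers the SQL injection, cross-site scripting and code injection classes named above:

```bicep
// Added example (not from the book): an Application Gateway WAF policy.
// Names are assumptions. 'Detection' only logs rule matches; 'Prevention'
// blocks them. Onboard a new app in Detection to find false positives,
// then switch to Prevention once the logs look clean.
param location string = resourceGroup().location
param wafPolicyName string = 'wafpol-chapter8' // assumed name

@allowed([ 'Detection', 'Prevention' ])
param wafMode string = 'Prevention'

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-04-01' = {
  name: wafPolicyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: wafMode
      requestBodyCheck: true        // inspect POST bodies, not only headers/URI
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}

output wafPolicyId string = wafPolicy.id
```

An Application Gateway using the WAF_v2 SKU references this policy through its `firewallPolicy.id` property; without that reference the gateway forwards traffic with no request inspection at all.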

Implementing central management with Firewall Manager

In this chapter, we covered the application of network security configurations to safeguard the network perimeter. To protect virtual networks or public IP addresses from DDoS attacks, we can employ DDoS protection plans, deploy Azure Firewall in a virtual network or virtual WAN hub, and use Azure WAF policies on Application Gateway or Front Door instances. However, managing these security capabilities independently becomes ineffective when dealing with multiple Azure subscriptions and services spread across several regions.

This is where Azure Firewall Manager can help us. Firewall Manager provides centralized network security management across subscriptions and across regions. We can manage configuration and policies for Azure Firewall, Azure Application Gateway WAFs, Front Door WAFs, and DDoS protection plans from one place and deploy to networks and instances across subscriptions or regions. This significantly reduces the...

Summary

In this chapter, we focused on securing the Azure virtual network perimeter using various methods. We covered the implementation of Azure DDoS Protection plans to prevent DDoS attacks, Azure Firewall to implement outbound traffic inspection, and a WAF to protect against common web application attacks. We also highlighted the importance of managing security capabilities across multiple Azure subscriptions and regions using Firewall Manager.

These insights align with important exam objectives and equip readers with the knowledge and skills needed to safeguard Azure virtual networks in the real world. In the next chapter, we will focus on network traffic management and load balancing in Azure. Looking forward to seeing you there!
