Virtual Networks Security - MSDN Documentation

Securing Your Virtual Networks

Virtual networks (VNet) are the fundamental building blocks for your private network in the cloud. Securing these networks is paramount to protecting your applications and data from unauthorized access and malicious threats. This article explores key strategies and features available to enhance the security of your Azure Virtual Networks.

Key Takeaway: A multi-layered approach to security is essential. Combine network segmentation, access control, threat detection, and encryption to create a robust security posture.

Network Segmentation with Subnets

Dividing your VNet into smaller subnets is a fundamental security practice. This allows you to:

Isolate different tiers of your application (e.g., web, application, database).
Apply specific security policies to each subnet.
Limit the blast radius of a security breach.

Network Security Groups (NSGs)

Network Security Groups act as a distributed firewall for your virtual machines and subnets. You can define inbound and outbound security rules to filter traffic based on:

Source and destination IP addresses/ranges
Source and destination ports
Protocols (TCP, UDP, ICMP, etc.)

Here's a basic example of an NSG rule to allow SSH traffic:


{
    "properties": {
        "priority": 100,
        "access": "Allow",
        "direction": "Inbound",
        "protocol": "Tcp",
        "sourcePortRange": "*",
        "destinationPortRange": "22",
        "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*"
    }
}

Azure Firewall

For more advanced threat protection and centralized management, Azure Firewall provides a cloud-native, intelligent network firewall service. It offers features like:

Network Rule Collections: Filter traffic to and from Azure resources based on IP address, port, and protocol.
Application Rule Collections: Filter outbound traffic based on FQDN (Fully Qualified Domain Name).
Threat Intelligence-based Filtering: Automatically block known malicious IP addresses and domains.
Centralized Logging: Gain visibility into network traffic for security analysis and compliance.

High-level architecture of Azure Firewall

Virtual Network Service Endpoints and Private Link

To enhance security when accessing Azure PaaS services, consider:

Service Endpoints: Extend your VNet's private address space and identity to Azure services, enabling direct connection from your VNet. This prevents the public internet from being an attack vector.
Azure Private Link: Access Azure PaaS services (and customer-owned/partner services) over a private endpoint within your VNet. This brings the service into your network, eliminating public internet exposure entirely.

Encryption

Protecting data in transit is crucial. Ensure your VNet traffic is secured:

TLS/SSL: Use TLS/SSL for securing application-level communication.
VPN Gateway: For site-to-site or point-to-site connectivity, Azure VPN Gateway provides encrypted tunnels for traffic between your on-premises networks and your VNet, or for remote users connecting to your VNet.
ExpressRoute: For dedicated private connections, ExpressRoute can be configured with MACsec for layer 2 encryption.

Monitoring and Logging

Continuous monitoring is key to detecting and responding to security incidents. Utilize:

Network Watcher: Provides tools for monitoring, diagnosing, and viewing metrics for your virtual network resources.
Azure Security Center: Offers advanced threat protection and security recommendations for your network resources.
Azure Monitor Logs: Collect and analyze logs from NSGs, Azure Firewall, and other network components.