Azure Network Security and Interface
Today we will learn about the networking features of Azure. We will see Azure Network Security and Interface. So, let us begin.
Azure Networking
Azure virtual machines must be linked to an Azure Virtual Network. A virtual network is a logical construct built on top of the physical network fabric of Azure.
Each virtual network is completely isolated from the others. This ensures that network traffic in your deployments is not visible to other Azure customers.
Microsoft Azure Network Interface
A Network Interface Card (NIC) connects a Virtual Machine to the underlying software network. One or more NICs are attached to an Azure Virtual Machine (VM), and Azure can assign one or more static or dynamic public and private IP addresses to any NIC.
Azure Network Access Control
The act of limiting connectivity to and from specific devices or subnets within a virtual network is known as network access control.
The goal of network access control is to limit access to your virtual machines and services to authorized users and devices.
Access controls are based on whether or not connections to and from your virtual machine or service are allowed or denied.
Azure supports a variety of network access control methods, including:
- Control at the network layer
- Forced tunneling and route control
- Appliances for virtual network security
Azure Network Layer Control
Every secure deployment necessitates some level of network access control. The goal of network access control is to limit virtual machine communication to only those systems that require it. Other attempts at communication are thwarted.
Azure Network Security Rules (NSGs)
Network Security Groups (NSGs) can be used to provide basic network-level access control based on IP address and the TCP or UDP protocols.
An NSG is a simple, stateful packet filtering firewall that allows you to control access using a 5-tuple.
NSGs include the following features to simplify management and reduce the likelihood of configuration errors:
1. Augmented security rules simplify NSG rule definition and enable you to create complex rules instead of multiple simple rules to achieve the same result.
2. Service tags are labels created by Microsoft that represent a group of IP addresses. They are dynamically updated to include IP ranges that meet the conditions for inclusion in the label. For example, the Storage.EastUS service tag can be used to create a rule that applies to all Azure Storage in the East US region.
3. Application security groups enable you to deploy resources to application groups and control access to those resources through the use of rules that use those application groups.
For example, if you have web servers in the ‘Web Servers’ application group, you can create a rule that applies an NSG allowing 443 traffic from the Internet to all systems in the ‘Web Servers’ application group.
Application layer inspection and authenticated access controls are not provided by NSGs.
What is Azure Network Security?
Azure’s Network security can be defined as the process of protecting resources from unauthorized access or attack through the use of network traffic controls.
The goal is to ensure that only legal traffic is permitted. Azure comes with a solid networking infrastructure to meet your application and service connectivity needs.
Network connectivity is possible between Azure resources, on-premises and Azure-hosted resources, as well as to and from the internet and Azure.
Check network interface settings
After a network interface is created, you can view and change the majority of its settings. The portal does not display the network interface’s DNS suffix or application security group membership.
To view the DNS suffix and application security group membership, use the PowerShell or Azure CLI commands.
- Type network interfaces in the box labeled Search resources at the top of the Azure portal.
- Select network interfaces when they appear in the search results.
- Choose the network interface for which you want to view or change settings from the list.
For the network interface you selected, the following items are listed:
1. Overview
Provides information about the network interface, such as the IP addresses assigned to it, the virtual network/subnet to which it is assigned, and the virtual machine to which it is attached.
By selecting (change) next to the Resource Group or Subscription name, you can move a network interface to a different resource group or subscription.
If you move the network interface to a new subscription, you must also move all network interface-related resources with it, including the virtual machine if the network interface is attached to one.
2. IP configurations
This section lists the public and private IPv4 and IPv6 addresses assigned to IP configurations.
When an IPv6 address is assigned to an IP configuration, it is not displayed. See Configure IP addresses for an Azure network interface for more information on IP configurations and how to add and remove IP addresses.
This section also configures IP forwarding and subnet assignment. See Enable or disable IP forwarding and Change subnet assignment for more information.
3. Network Security Group (NSG)
This shows which NSG is linked to the network interface (if any). An NSG contains inbound and outbound network traffic filtering rules for the network interface.
If an NSG is linked to a network interface, the name of the NSG is displayed. See Associate or dissociate a network security group to change what’s displayed.
4. DNS Servers
You can specify which DNS server the Azure DHCP servers assign to each network interface.
The network interface may inherit the setting from the virtual network to which it is assigned, or it may have a custom setting that overrides the setting for the virtual network to which it is assigned. See Change DNS servers to change what is displayed.
5. Properties
Displays the network interface’s key settings, such as its MAC address (blank if the network interface isn’t attached to a virtual machine) and the subscription it is a part of.
6. Security Rules
Security rules are listed if the network interface is attached to a running virtual machine and an NSG is associated with the network interface, the subnet to which it is assigned, or both.
View effective security rules to learn more about what’s displayed.
7. Effective Routes
Routes are listed if the network interface is connected to a virtual machine that is running. The routes are a mix of Azure default routes, user-defined routes, and any BGP routes that may exist for the subnet to which the network interface is assigned.
View effective routes to learn more about what’s displayed. See Routing overview for more information on Azure default routes and user-defined routes.
Common Azure Resource Manager settings: for more information on these, see:
- Activity log
- Access control (IAM)
- Tags
- Locks
- Automation script
8. Commands
When an IPv6 address is assigned to a network interface, the PowerShell output returns the fact that the address has been assigned but not the assigned address. Similarly, the CLI returns the fact that the address has been assigned but returns null for the address in its output.
CLI: az network nic list lists the network interfaces in the subscription, and az network nic show displays the settings of one network interface.
PowerShell: Get-AzNetworkInterface lists the network interfaces in the subscription or shows the settings of one network interface.
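The two settings the portal hides (DNS suffix and application security group membership) and the IPv6 caveat above are easiest to see by reading the JSON that az network nic show emits. The script below is an added example, not code from the page; it parses a constructed sample record whose field names follow the shape of that command's output as I know it (every value, name and resource id in the sample is made up, and the subscription id is a placeholder). The same function can be fed the real output by piping az network nic show -o json into it.

```python
import json

# Constructed sample record in the shape of `az network nic show -o json` output.
# Field names are my reading of that command's JSON (not taken from the page);
# every value, name and id below is made up for the example.
SAMPLE_NIC_JSON = """
{
  "name": "web-nic-1",
  "macAddress": "00-0D-3A-00-00-01",
  "enableIpForwarding": false,
  "networkSecurityGroup": {
    "id": "/subscriptions/<sub-id>/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/web-nsg"
  },
  "dnsSettings": {
    "dnsServers": [],
    "appliedDnsServers": [],
    "internalDomainNameSuffix": "example0000.bx.internal.cloudapp.net"
  },
  "ipConfigurations": [
    {
      "name": "ipconfig1",
      "primary": true,
      "privateIpAddress": "10.0.1.4",
      "privateIpAddressVersion": "IPv4",
      "applicationSecurityGroups": [
        {"id": "/subscriptions/<sub-id>/resourceGroups/rg-web/providers/Microsoft.Network/applicationSecurityGroups/WebServers"}
      ]
    },
    {
      "name": "ipconfig-v6",
      "primary": false,
      "privateIpAddress": null,
      "privateIpAddressVersion": "IPv6",
      "applicationSecurityGroups": null
    }
  ]
}
"""


def resource_name(resource_id):
    """Last path segment of an Azure resource id, or None when there is no id."""
    return resource_id.rstrip("/").split("/")[-1] if resource_id else None


def summarize_nic(nic_json):
    """Pull out the settings the portal does not show (DNS suffix, ASG membership)
    plus the ones worth auditing on every NIC (NSG, IP forwarding, IPv6 configs)."""
    nic = json.loads(nic_json)
    dns = nic.get("dnsSettings") or {}
    asgs = set()
    ipv6_configs, ipv6_missing = [], []
    for cfg in nic.get("ipConfigurations") or []:
        for asg in cfg.get("applicationSecurityGroups") or []:
            asgs.add(resource_name(asg.get("id")))
        if cfg.get("privateIpAddressVersion") == "IPv6":
            ipv6_configs.append(cfg["name"])
            # The CLI reports that an IPv6 address is assigned but returns null for it.
            if cfg.get("privateIpAddress") is None:
                ipv6_missing.append(cfg["name"])
    return {
        "name": nic["name"],
        "dns_suffix": dns.get("internalDomainNameSuffix"),
        # An empty custom server list means the NIC inherits DNS from its virtual network.
        "dns_mode": "custom" if dns.get("dnsServers") else "inherited from virtual network",
        "asgs": sorted(asgs),
        "nsg": resource_name((nic.get("networkSecurityGroup") or {}).get("id")),
        "ip_forwarding": bool(nic.get("enableIpForwarding")),
        "ipv6_configs": ipv6_configs,
        "ipv6_address_missing": ipv6_missing,
    }


if __name__ == "__main__":
    # With a real NIC: python this_script.py < <(az network nic show -g <rg> -n <nic> -o json)
    for key, value in summarize_nic(SAMPLE_NIC_JSON).items():
        print(f"{key}: {value}")
```

The ipv6_address_missing list is the programmatic form of the caveat in the text: a configuration that is IPv6 but carries no address is the "assigned but null" case, so an audit script should not treat a null there as "no address assigned".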
Configuring multiple NICs and IP addresses for a VM in Azure
Follow below steps to configure multiple NICs and IP addresses for Azure Virtual Machine:
1: In the first step, the user should click on the Create resource button and type in network interface. Once done, click on Network Interface and then click the Create button.
2: In the second step, the user should fill in all the required details in the field and click on the create button.
3: Now, Azure’s Network Interface will be created and ready to get embedded.
4: Once again the user should get back to the home page and then create a public IP address.
5: In the next step, the user must fill in all the required details and then click on create button.
6: Now, the user can see both the NIC and IP address ready to use with their virtual machine in Azure.
Creating a Network Security Group (NSG) in Azure
Microsoft Azure provides a straightforward interface for creating Network Security Groups from both a modern (recommended) and “classic” perspective. It is simple to add a new security group from the Network Security Group interface, where you will specify the name, subscription, Azure resource group, and location where it will be configured. The screenshot below depicts the creation of an Azure NSG from the modern interface.
Network Security Group Rules
After you’ve created this NSG, you’ll be able to manage its rules. A rule is used to define whether network traffic is safe and should be allowed or denied through the network.
A rule consists of the following sections:
Name: A distinct name that administrators can use to locate the rule.
Priority: It is an integer between 100 and 4096 that must be unique. This value determines the rule’s processing order, with rules with lower values (higher priority) being executed first.
Source or destination: Indicates which application or user(s) the rule applies to. This could be an IP address, a range of IP addresses, or an Azure resource.
Protocol: The TCP, UDP, or ICMP protocol to be examined.
Direction: Indicates whether the traffic is inbound or outbound.
Port Range: This specifies which port or range of ports the rule applies to.
Action: Specifying Allow (allow traffic through) or Deny (block traffic) will tell the NSG what to do when network traffic matching the rule is detected.
When network traffic is allowed, a record is created to keep track of it, and these records can be used by network traffic analytics tools for further threat inspection and analysis.
A best practice for network security rules is to start by denying all traffic and then create rules only for known safe traffic. In each Network Security Group, Microsoft Azure automatically creates a few default rules, including:
The following image displays a network security group for a database resource; all inbound and outbound traffic is explicitly denied, with the exception of a few specific allow rules.
Service Tags & Application Security Groups
When you start using NSGs, you will likely discover that managing IP addresses at scale becomes difficult, necessitating the creation and management of numerous rules.
To make things easier, Microsoft Azure introduced the concept of a “service tag,” which is a pre-defined collection of IP addresses associated with a particular resource such as:
- Azure virtual networks
- Load balancers
- Cloud
- Traffic manager
- Storage
- SQL
- Cosmos DB
- Key vault
- Event hub
- Service bus
- Container registry
- App service
- App service management
- API management
- Connectors
- Gateway manager
- Data lake
- Active Directory
- Monitor
- Service fabric
- Machine learning
These are the resources currently supported; Microsoft maintains an up-to-date list, which can be found in the portal.
Microsoft Azure also allows security groups to be managed at the application level, which simplifies management even further by abstracting the IP address(es) from an application.
This means that an Azure application can be used as a source or destination in a rule. To simplify management, the best practice is to use service tags or application security groups rather than individual IP addresses.
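The rule model from the Network Security Group Rules section (name, priority, source/destination, protocol, direction, port range, action) and the service tags and application security groups described here fit together in one evaluation procedure: rules are tried in ascending priority order, the first rule whose 5-tuple matches decides, and Azure's built-in default rules sit above the user range so that anything not explicitly allowed ends at a deny. The evaluator below is an added example written for this page, not Azure's code or the page's own; the service-tag prefixes, ASG membership and rule set are constructed for illustration (the Internet tag is simplified to 0.0.0.0/0, and the Storage.EastUS prefix is a documentation range, not a real tag value).

```python
import ipaddress
from dataclasses import dataclass

# Constructed service tags. In Azure these are Microsoft-maintained prefix lists; the
# prefixes here are placeholders chosen for the example, not real Azure ranges.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "Internet": ["0.0.0.0/0"],           # simplification: Azure's tag excludes the VNet itself
    "Storage.EastUS": ["192.0.2.0/24"],  # placeholder (documentation range), not a real value
}
# Constructed application security groups: ASG name -> member private IPs.
ASGS = {"WebServers": ["10.0.1.4", "10.0.1.5"], "DbServers": ["10.0.2.4"]}


@dataclass
class Rule:
    name: str
    priority: int          # user rules: 100-4096, unique; lower number is evaluated first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    sources: list          # augmented rule: several prefixes, service tags or ASG names
    source_ports: list     # "*", "22" or "1000-2000"
    destinations: list
    destination_ports: list


# Azure's built-in default inbound rules use priorities above the user range, so any
# user rule wins over them; two of them are reproduced here for the example.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", ["VirtualNetwork"], ["*"], ["VirtualNetwork"], ["*"]),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", ["*"], ["*"], ["*"], ["*"]),
]


def expand(selector):
    """Resolve a prefix, service tag or ASG name to the networks it stands for."""
    if selector == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if selector in SERVICE_TAGS:
        return [ipaddress.ip_network(p) for p in SERVICE_TAGS[selector]]
    if selector in ASGS:
        return [ipaddress.ip_network(h) for h in ASGS[selector]]
    return [ipaddress.ip_network(selector, strict=False)]


def port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def rule_matches(rule, direction, proto, src, sport, dst, dport):
    """Direction plus all five tuple elements must match for the rule to apply."""
    if rule.direction != direction:
        return False
    if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
        return False
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(src_ip in net for s in rule.sources for net in expand(s))
            and any(dst_ip in net for d in rule.destinations for net in expand(d))
            and any(port_matches(p, sport) for p in rule.source_ports)
            and any(port_matches(p, dport) for p in rule.destination_ports))


def evaluate(rules, direction, proto, src, sport, dst, dport):
    """First matching rule in ascending priority order decides. Returns (access, rule name)."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, direction, proto, src, sport, dst, dport):
            return rule.access, rule.name
    return "Deny", "(no rule matched)"


def validate(rules):
    """Report configuration errors Azure rejects: priority out of range or reused."""
    problems, seen = [], set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            problems.append(f"{r.name}: priority {r.priority} already used")
        seen.add(r.priority)
    return problems


# Constructed rule set: HTTPS from the Internet to the web tier, SQL only from the web
# tier to the database tier, and everything else inside the VNet denied for the database.
RULES = [
    Rule("allow-https-from-internet", 100, "Inbound", "Allow", "Tcp", ["Internet"], ["*"], ["WebServers"], ["443"]),
    Rule("allow-web-to-sql", 110, "Inbound", "Allow", "Tcp", ["WebServers"], ["*"], ["DbServers"], ["1433"]),
    Rule("deny-vnet-to-db", 200, "Inbound", "Deny", "*", ["VirtualNetwork"], ["*"], ["DbServers"], ["*"]),
]

if __name__ == "__main__":
    print(validate(RULES))
    print(evaluate(RULES, "Inbound", "Tcp", "203.0.113.9", 51000, "10.0.1.4", 22))
    print(evaluate(RULES, "Inbound", "Tcp", "10.0.3.7", 40000, "10.0.2.4", 1433))
```

The deny-vnet-to-db rule is the point of the exercise: without it, the built-in AllowVnetInBound rule at priority 65000 would let any host in the virtual network reach the database, because the default rules only deny what comes from outside the VNet. A user-defined deny at a lower number is evaluated first and closes that path, which is what "start by denying all traffic and then create rules only for known safe traffic" means in practice.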
Other Network Security Group Tips
When planning your NSGs, you only need to consider the IP addresses assigned to your company, which means you can ignore anything assigned to an Azure infrastructure service, such as DNS, DHCP, and so on.
Similarly, if you use load balancers, you only need to be concerned with the origin and destination of the computer or service, not the IP addresses used by the load balancer itself.
You must also ensure that all VMs in the security group have a valid license for their guest operating system.
Finally, be cautious about blocking all outbound internet traffic for VMs that use extensions, as these extensions may become blocked, causing the VM to appear to be stuck in an ‘updating’ state.
Best practices for network security
1. Using strong network controls
By putting Azure virtual machines (VMs) and appliances on Azure virtual networks, you can connect them to other networked devices.
That is, virtual network interface cards can be connected to a virtual network to enable TCP/IP-based communications between network-enabled devices.
Virtual machines on an Azure virtual network can communicate with devices on the same virtual network, different virtual networks, the internet, or your on-premises networks.
As you plan your network and its security, we recommend that you centralize:
- Management of core network functions such as ExpressRoute, virtual network and subnet provisioning, and IP addressing.
- Governance of network security elements such as network virtual appliance functions (including ExpressRoute), virtual network and subnet provisioning, and IP addressing.
2. Logically segment subnets
Azure virtual networks are similar to local area networks (LANs) on your on-premises network. The idea behind an Azure virtual network is that you create a network based on a single private IP address space that you can use to host all of your Azure virtual machines.
Class A (10.0.0.0/8), Class B (172.16.0.0/12), and Class C (192.168.0.0/16) private IP address spaces are available.
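Planning the address space is where segmentation mistakes are cheapest to catch: a VNet outside the private ranges, two subnets that overlap, or a VNet that collides with an on-premises range you later connect to are all errors that are painful to fix once VMs are deployed. The checker below is an added example (not code from the page or from Microsoft) that validates a plan against the three private spaces the text lists; the rule that Azure reserves five addresses per subnet, which makes /29 the smallest usable subnet, is documented Azure behaviour as I know it and is stated as an assumption in the code.

```python
import ipaddress

# The three private address spaces the text lists (RFC 1918).
PRIVATE_SPACES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption for this example (Azure behaviour as I know it, not stated on the page):
# Azure reserves the first four and the last address of every subnet, so a /29 is the
# smallest subnet that still has usable host addresses.
AZURE_RESERVED_PER_SUBNET = 5
SMALLEST_SUBNET_PREFIX = 29


def usable_hosts(cidr):
    """Host addresses left for VMs after Azure's reserved addresses are taken out."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def check_vnet_plan(address_space, subnets, on_prem=()):
    """Return a list of problems with a VNet plan; an empty list means it is consistent.

    address_space: CIDR of the virtual network
    subnets:       mapping of subnet name -> CIDR
    on_prem:       CIDRs of on-premises networks the VNet will be connected to; they
                   must not overlap the VNet or cross-premises routing becomes ambiguous
    """
    problems = []
    vnet = ipaddress.ip_network(address_space)
    if not any(space.version == vnet.version and vnet.subnet_of(space) for space in PRIVATE_SPACES):
        problems.append(f"VNet {vnet} is not inside a private (RFC 1918) address space")

    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if net.version != vnet.version or not net.subnet_of(vnet):
            problems.append(f"subnet {name} ({net}) lies outside VNet {vnet}")
        if net.prefixlen > SMALLEST_SUBNET_PREFIX:
            problems.append(f"subnet {name} ({net}) is smaller than /{SMALLEST_SUBNET_PREFIX} and has no usable hosts")

    # Every pair of subnets must be disjoint.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap ({nets[a]} / {nets[b]})")

    for cidr in on_prem:
        other = ipaddress.ip_network(cidr)
        if other.version == vnet.version and other.overlaps(vnet):
            problems.append(f"on-premises range {other} overlaps VNet {vnet}")
    return problems


if __name__ == "__main__":
    # Constructed plan: one VNet, three tier subnets, one on-premises range to connect later.
    plan = {"web": "10.1.1.0/24", "app": "10.1.2.0/24", "db": "10.1.3.0/24"}
    print(check_vnet_plan("10.1.0.0/16", plan, on_prem=["192.168.0.0/24"]))
    print({name: usable_hosts(cidr) for name, cidr in plan.items()})
```

Segmenting by tier (web, app, db) as in the constructed plan is what makes the NSG rules of the previous section expressible in terms of subnets rather than individual hosts.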
3. Adopting a Zero Trust approach
Perimeter-based networks assume that all systems within a network can be trusted. However, today’s employees can access their organization’s resources from anywhere using a variety of devices and apps, rendering perimeter security controls obsolete.
Access control policies that focus solely on who has access to a resource are insufficient.
To master the balance of security and productivity, security administrators must also consider how a resource is accessed.
Because networks may be vulnerable to breaches, traditional defenses must evolve: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand a foothold across the entire network.
The concept of trust based on network location within a perimeter is eliminated in Zero Trust networks.
Zero Trust architectures instead use device and user trust claims to control access to organizational data and resources.
Adopt Zero Trust approaches for new initiatives that validate trust at the point of access.
4. Controlling routing behavior
When you add a virtual machine to an Azure virtual network, it can connect to any other VM on the same virtual network, even if they are on different subnets.
This is possible due to a set of system routes that are enabled by default and allow for this type of communication.
These default routes enable VMs on the same virtual network to connect to each other and the internet (for outbound communications to the internet only).
When deploying a security appliance for a virtual network, we recommend that you configure user-defined routes so that traffic is sent through the appliance.
5. Using virtual network appliances
At the network and transport layers of the OSI model, network security groups and user-defined routing can provide some network security.
However, in some cases, you may want or need to enable security at the highest levels of the stack.
In such cases, we advise you to use virtual network security appliances provided by Azure partners.
Azure network security appliances can provide greater security than network-level controls. Virtual network security appliances have the following network security capabilities:
- Firewalling
- Intrusion detection/intrusion prevention
- Vulnerability management
- Application control
- Network-based anomaly detection
- Web filtering
- Antivirus
- Botnet protection
Users can visit Azure’s Marketplace and search for “security” and “network security” and find their suitable Azure virtual network security appliances.
6. Deploying perimeter networks for security zones
A perimeter network (also referred to as a DMZ) is a physical or logical network segment that adds an extra layer of security between your assets and the internet.
On the edge of a perimeter network, specialized network access control devices allow only desired traffic into your virtual network.
Based on the Zero Trust concept, we recommend that you use a perimeter network for all high-security deployments to improve network security and access control for your Azure resources.
To add an extra layer of security between your assets and the internet, you can use Azure or a third-party solution.
7. Avoiding exposure to the internet with dedicated WAN links
Many businesses have opted for hybrid IT. Some organizations’ information or assets reside in Azure, while others remain on-premises.
Many times, some components of a service run in Azure while others remain on-premises.
There is usually some type of cross-premises connectivity in a hybrid IT scenario. The company can connect its on-premises networks to Azure virtual networks using cross-premises connectivity. There are two cross-premises connectivity options:
a. VPN between two locations: It is a trusted, dependable, and well-established technology, but the connection is made via the internet. Bandwidth is limited to approximately 1.25 Gbps. In some cases, a site-to-site VPN is a viable option.
b. ExpressRoute Connection: Your ExpressRoute connection’s location can have an impact on firewall capacity, scalability, reliability, and network traffic visibility. You must determine where ExpressRoute should be terminated in existing (on-premises) networks. You may:
Terminate outside the firewall (the perimeter network paradigm) if you need visibility into traffic, if you need to continue isolating data centers, or if you’re only putting extranet resources on Azure.
Terminate inside the firewall (the network extension paradigm). This is the standard recommendation. In all other cases, we recommend that Azure be treated as the nth datacenter.
8. Optimizing uptime and performance
Information cannot be accessed if a service is unavailable. If the performance is so poor that the data is unusable, the data is considered inaccessible.
From a security standpoint, you must do everything possible to ensure that your services operate at peak efficiency and performance.
Load balancing is a popular and effective method for improving availability and performance. It is a technique for distributing network traffic across the servers that make up a service.
9. Disabling RDP/SSH Access to virtual machines
Azure virtual machines can be accessed via the Remote Desktop Protocol (RDP) and the Secure Shell (SSH) protocols.
These protocols, which are common in datacenter computing, allow for the management of VMs from remote locations.
The risk of using these protocols over the internet is that attackers can use brute force techniques to gain access to Azure virtual machines.
After gaining access, the attackers can use your VM as a springboard to compromise other machines on your virtual network or even networked devices outside of Azure.
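Whether management ports are actually reachable from the internet, and whether anyone is hammering them, is visible in NSG flow logs once they are enabled. The script below is an added example, not code from the page; it reads a constructed set of flow tuples whose column layout (time, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D, flow state B/C/E, then counters) is my reading of NSG flow log version 2 and should be treated as an assumption to check against your own logs. It reports two things a defender wants from this section: sources that were allowed in on 22 or 3389 (the port is exposed) and sources with many denied attempts (the brute-force pattern the text describes, blocked but worth knowing about).

```python
from collections import defaultdict

MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed flow tuples. Column order is my reading of NSG flow log version 2
# (time, src IP, dst IP, src port, dst port, protocol T/U, direction I/O, decision A/D,
# flow state B/C/E, counters); treat it as an assumption and adapt parse_tuple() to
# whatever your log source actually emits. All addresses are documentation ranges.
SAMPLE_FLOWS = [
    "1700000000,203.0.113.9,10.0.1.4,51000,22,T,I,D,B,,,,",
    "1700000001,203.0.113.9,10.0.1.4,51001,22,T,I,D,B,,,,",
    "1700000002,203.0.113.9,10.0.1.4,51002,22,T,I,D,B,,,,",
    "1700000003,203.0.113.9,10.0.1.4,51003,22,T,I,D,B,,,,",
    "1700000004,203.0.113.9,10.0.1.4,51004,22,T,I,D,B,,,,",
    "1700000005,203.0.113.9,10.0.1.4,51005,22,T,I,D,B,,,,",
    "1700000010,198.51.100.7,10.0.1.4,40000,3389,T,I,A,B,,,,",
    "1700000011,198.51.100.7,10.0.1.4,40000,3389,T,I,A,C,,,,",  # same flow, continuation
    "1700000012,10.0.2.4,10.0.1.4,33000,443,T,I,A,B,,,,",
    "1700000013,10.0.1.4,203.0.113.50,44000,443,T,O,A,B,,,,",
]


def parse_tuple(line):
    """Split one flow tuple into named fields (counters are ignored here)."""
    f = line.split(",")
    return {"ts": int(f[0]), "src": f[1], "dst": f[2], "sport": int(f[3]),
            "dport": int(f[4]), "proto": f[5], "direction": f[6],
            "decision": f[7], "state": f[8]}


def management_port_report(lines, threshold=5):
    """Summarize inbound flows to SSH/RDP per source address.

    Returns {"exposed": [(src, service, allowed_flows)],
             "brute_force_like": [(src, service, attempts)]}.
    Only flow-begin records (state B) are counted so that a long-lived session that
    appears again as a continuation record is not counted twice.
    """
    attempts = defaultdict(int)
    allowed = defaultdict(int)
    for line in lines:
        t = parse_tuple(line)
        if t["direction"] != "I" or t["dport"] not in MGMT_PORTS or t["state"] != "B":
            continue
        key = (t["src"], t["dport"])
        attempts[key] += 1
        if t["decision"] == "A":
            allowed[key] += 1

    report = {"exposed": [], "brute_force_like": []}
    for (src, port), count in attempts.items():
        service = MGMT_PORTS[port]
        if allowed[(src, port)]:
            report["exposed"].append((src, service, allowed[(src, port)]))
        if count >= threshold:
            report["brute_force_like"].append((src, service, count))
    return report


if __name__ == "__main__":
    for kind, rows in management_port_report(SAMPLE_FLOWS).items():
        print(kind, rows)
```

An "exposed" hit means an NSG rule somewhere allowed the management port from that source; the fix is the one this section recommends, removing the internet-facing allow rule, rather than tuning the detector. The threshold is deliberately a parameter: six denied SSH attempts from one address is noise on the public internet, and the value that is meaningful for your environment depends on your own baseline.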
10. Securing critical Azure service resources with virtual networks
Access Azure PaaS Services (such as Azure Storage and SQL Database) via Azure Private Link from a private endpoint in your virtual network.
Private Endpoints enable you to limit access to your critical Azure service resources to only your virtual networks.
Traffic between your virtual network and the Azure service is always routed through the Microsoft Azure backbone network.
It is no longer necessary to expose your virtual network to the public internet in order to use Azure PaaS Services.
Conclusion
Finally, you should appreciate Azure network security groups for their ability to help you manage network security quickly and easily.
While configuration may be time-consuming at first, you can speed up the process by utilizing service tags and application security groups.
To help secure and protect your Microsoft cloud infrastructure, ensure that NSG planning and management are integrated into your standard Azure operating procedures moving forward.