SlideShare una empresa de Scribd logo
1 de 93
Descargar para leer sin conexión
Micro-Segmentation of
Services& Datain Azure
© Cloud Mechanix www.cloudmechanix.co
Aidan Finn,
MVP Cloud Mechanix &
Innofactor Norway
• 12 year MVP – currently Microsoft Azure (3)
• Previously Hyper-V and SCCM
• Onwer of Cloud Mechanix
• Custom-written Azure training
• Principal Consultant for Innofactor
Norway
• Azure infrastructure – networking & security
• Working as consultant/sys admin since 1996
• Windows Server, Hyper-V, System Center, desktop managment, and
Azure
• http://aidanfinn.com
• http://innofactor.com
• http://www.cloudmechanix.com
• @joe_elway
Aidan Finn
Introduction
© Cloud Mechanix www.cloudmechanix.co
Infrastructure andPlatform
© Cloud Mechanix www.cloudmechanix.co
• Networks:
• Connection to/from Internet
• Between components of your
service
• Resource include (but not limited
to):
• Virtual machines
• App Services
• Azure Kubernetes Service
• Logic Apps
• And everything else
© Cloud Mechanix www.cloudmechanix.co
There IsAlwaysA Network
It’s The Cloud!
• Control:
• Inbound flows
• Flows between components of your
service
• Data access
• Outbound flows
• Log & report:
• Flows
• Classification of threats
• Alert
• Security threats
© Cloud Mechanix www.cloudmechanix.co
Network Security
Taking control
• Usual data center approach:
• “Open up everything inside the network”
• It’s easy for admins … and malware and
attackers
• Micro-Segmentation
• Breaking up a network into smaller secure zones
• Right down to the workload
• Yes, I know “secure zone” is a special term in
Norway!
© Cloud Mechanix www.cloudmechanix.co
Essential TermOf The Day
Micro-segmentation
BackToBasics– Virtual Network
(VNet)
© Cloud Mechanix www.cloudmechanix.co
• I have never created a VLAN
• Never!
• But I am the Azure networking guy at work
• Who struggles with Azure networking?
• The network admin
• Who ends up being best at Azure
networking?
• The person who forgets/doesn’t know on-
prem networking
YourOn-PremisesNetwork Knowledge
To keep or not to keep, that is the question
© Cloud Mechanix www.cloudmechanix.co
• NSX
• An abstraction of physical network
• Overlapping address ranges are possible (if not routed)
• Data transmission is encapsulated on a physical
network
• A memory transfer between physical hosts
• There is no Default gateway
• Handled in the fabric:
• Routing
• Load balancing
© Cloud Mechanix www.cloudmechanix.co
Virtual Network
Software Defined
• Yes:
• VNets are needed for virtual machines
• The useful:
• VNet-integrated PaaS resources
• The hidden:
• Platform services are often built using VMs under-the-
covers
• VMs require VNets!
© Cloud Mechanix www.cloudmechanix.co
Virtual Network Scenarios
Not just VMs/IaaS
• A threat against business of all
sizes
• Attackers:
• State-sponsored
• Professional criminals
• Amateurs: rented botnets!
© Cloud Mechanix www.cloudmechanix.co
Distributed Denial of Service(DDoS)Attacks
Our first security feature
• Every VNet has DDoS Basic
• You pay (a lot) for Standard
• Enabled on VNets with public
IP
• It takes 2 weeks for the
machine
• Don’t wait until you are
attacked!
addresses
learning to “learn” your
network
AzureDDoSProtectionOptions
Choosing a tier
https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-
overview
© Cloud Mechanix www.cloudmechanix.co
Public IPAddresses
© Cloud Mechanix www.cloudmechanix.co
• Azure services tend to be public by
default
• A public IP address (PIP)
• Limit your attack surface:
• Centralise PIPs
• Limit creation by Azure Policy
• Force everything through a secure network
core
© Cloud Mechanix www.cloudmechanix.co
Long-Story-Short
How many on-premises services have their own
public IP?
Network Security Groups(NSGs)
© Cloud Mechanix www.cloudmechanix.co
• An NSG resource associated with a subnet
• Best practice: 1 NSG : 1 Subnet
• Contains inbound and outbound rules
• Inbound default rules:
• Allow everything from VNet in, allow Azure load balancer in, deny
everything else
• Outbound default rules:
• Allow everything out
© Cloud Mechanix www.cloudmechanix.co
BasicLayer-4 Security
A free form of allow/deny Layer-4
firewall
• Priority
• Order that rules are applied: low (1) to high (4096)
• Name
• User friendly label
• Port
• TCP/UDP port
• Protocol
• TCP, UCP, ICMP, Any
• Source
• IP address, range, CIDR, service tag, application security
group
• Destination
• IP address, range, CIDR, service tag, application security
group
• Action
• Allow | Deny
© Cloud Mechanix www.cloudmechanix.co
RuleComponents
Basic firewall
components
• Source/Destination IP addresses can be unfriendly:
• Complex subnets with many Azure virtual machines
• Azure services
• Service Tags
• Abstracts the IP addresses of Azure Services, e.g.
AzureLoadBalancer,
GatewayManager, VirtualNetwork, Internet
• Application Security Groups
• A label, associated with NICs of Azure virtual machines
• Can be used to more-easily micro-segment a single subnet
© Cloud Mechanix www.cloudmechanix.co
UserFriendly Labels
Abstraction of many IPv4
addresses
• It’s not just the virtual network!
• It’s the current virtual PLUS:
• Every other connected virtual network
• Peering
• ExpressRoute
• VPN
• So the default rule of AllowVnetInbound breaks micro-
segmentation
© Cloud Mechanix www.cloudmechanix.co
TheVirtualNetwork Service Tag
Understanding this is important
Building Up ASimple NSGRuleset
Note the DenyEverythingElse rule
VNet-0
10.2.0.0/1
6
WebServerSubn
et
10.0.0.0/24
SqlServerSubn
et
10.0.2.0/24
Priority Name Port Protocol Source Destination Action
100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow
200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow
300 DenyEverythingElse Any Any Any Any Deny
© Cloud Mechanix www.cloudmechanix.co
Building Up ASimple NSGRuleset
Note the use of Application Security Groups &
Service Tags
VNet-0
10.2.0.0/1
6
WebServerSubn
et
10.0.0.0/24
SqlServerSubn
et
10.0.2.0/24
Priority Name Port Protocol Source Destination Action
100 AllowSQLFromWeb 1433 TCP WebServersAsg SqlServersAsg Allow
200 AllowLoadBalancer Any Any AzureLoadBalancer SqlServersAsg Allow
300 DenyEverythingElse Any Any Any Any Deny
Priority Name Port Protocol Source Destination Action
100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow
200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow
300 DenyEverythingElse Any Any Any Any Deny
© Cloud Mechanix www.cloudmechanix.co
• Real-world experience:
• There’s always more than just
the
basic rules
• Get comfortable with IPv4
subnetting
• Migration scenarios:
• Log Analytics Service Map
• Troubleshooting
• NSG Traffic Analytics
© Cloud Mechanix www.cloudmechanix.co
But There’s Likely Much More!
My examples were simple illustrations
Priority Name Port Protocol Source Destination Action
100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow
200 AllowDnsResponses 53 UDP DnsServersAsg WebServersAsg Allow
300 AllowMonitoring 5001 TCP MonitoringAsg WebServersAsg Allow
400 CiCd … … … … …
… … … … … … …
1200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow
1300 DenyEverythingElse Any Any Any Any Deny
BackToBasics– Routing
© Cloud Mechanix www.cloudmechanix.co
• In the physical data centre
• Cables control the connections
• In the cloud:
• Software-defined networks
• We have no access to cables!
• Packets go from A-Z directly
• Azure VNets are flat & open
• We control flows using routing
• This is the most important thing
you
will learn today!
TheImportance of Routing
What controls the flow of packets between
devices?
© Cloud Mechanix www.cloudmechanix.co
• Configuring routing in a guest OS has no
influence
• The fabric takes over when the packet hits the
NIC
• Routing is only done in the fabric
• Per-subnet route tables are always present
• Route table:
• Destination
• Next hop instruction
• Route chosen:
• Longest path first (LPF)
• Route type
© Cloud Mechanix www.cloudmechanix.co
How Routing Works
Forget what you know about on-premises
routing
• Example ….
• You want to get to 10.0.1.4
• Two routes exist:
• 10.0.0.0/8 … 16-bit match
• 10.0.1.0/24 … 32-bit match
• The chosen route is
10.0.1.0/24
© Cloud Mechanix www.cloudmechanix.co
Longest PathFirst (LPF)
First rule of Azure routing
1. Default routes
2. BGP
3. User-defined
routes
© Cloud Mechanix www.cloudmechanix.co
Route Type
Second Rule of Azure
routing
• Simply there for basic functionality
• Added when you enabled Azure
features
© Cloud Mechanix www.cloudmechanix.co
Default / SystemRoutes
Routes that exist automatically
VNet-0
10.0.0.0/16
Example
Simple Default
Routes
Subnet-1
10.0.1.0/24
Subnet-2
10.0.2.0/24
Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
© Cloud Mechanix www.cloudmechanix.co
VNet-0
10.0.0.0/1
6
Example
Simple Default Routes | VNet
Peering
Subnet-1
10.0.1.0/2
4
Subnet-2
10.0.2.0/2
4
Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
VNet-1
10.1.0.0/1
6
Subnet-A
10.1.1.0/24
Subnet-B
10.1.2.0/2
4
Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
© Cloud Mechanix www.cloudmechanix.co
VNet-0
10.0.0.0/1
6
Example– Simple Default Routes| VNet
Peering
Subnet-1
10.0.1.0/2
4
Subnet-2
10.0.2.0/2
4
Source State Address Prefixes Next Hop Type Next Hop IP Address Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet Default Active 0.0.0.0 Internet
Default
© Cloud
Active
2020
10.1.0.0/16 Peering Default Active 10.1.0.0/16 Peering
www.cloudmechanix.co
VNet-1
10.1.0.0/1
6
Subnet-A
10.1.1.0/24
Subnet-B
10.1.2.0/2
4
Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Active 10.0.0.0/16 Peering
Source State Address Prefixes Next Hop Type Next Hop IP Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Active 10.0.0.0/16 Peering
• BGP is used when there is site-to-site networking
• ExpressRoute
• VPN
• Ways:
• Propagate routes from to/from on-premises
• ExpressRoute: required
• VPN: Optional
• Propagate routes from the GatewaySubnet to other
subnets/VNets
• Even if you don’t enable BGP in S2S VPN
© Cloud Mechanix www.cloudmechanix.co
BGPRoutes
Bi-directional site-to-site
routing
• A list of routes is maintained in a route table
• Routes are propagated to a neighbour(s)
• That neighbour propagates routes to it’s
neighbour(s)
• The network learns how to get to any remote
destination
• Possibly over many hops
© Cloud Mechanix www.cloudmechanix.co
BGPSummary
Basic explainer
BGP& Site-to-Site
BGP routes propagate from on-premises to
GatewaySubnet
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
ExpressRoute/V
PN
172.16.0.0/1
2
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
BGP Active 172.16.0.0/12 VirtualNetworkGateway
© Cloud Mechanix www.cloudmechanix.co
www.cloud echanix.c
BGP& Site-to-Site
BGP routes propagate from GatewaySubnet to all connected
subnets
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
ExpressRoute/V
PN
172.16.0.0/1
2
VNet-1
10.1.0.0/1
6
Subnet-1
10.1.1.0/24
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Active 10.0.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
Sourc
e
Stat
e
Address
Prefixes
Next Hop
Type
Next Hop
IP
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
VNet-2
10.2.0.0/1
6
Subnet-1
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet Address
Default Active 10.1.0.0/16 Peering
Default Active 10.0.0.0/16 Virtual Network
Default Active 10.2.0.0/16 Peering Default Active 0.0.0.0 Internet
BGP
© Cloud
Active
Mech
172.16.0.0/12
nix
VirtualNetworkGateway Default
BGP
Active
Active
10.0.0.0/16
172.16.0.0/12
Peering
VirtualNetworkGateway
VNet
PeeringUse Remote Gateway
Gateway Transit
• A BGP route that matches a Default Route beats the Default
Route
• Scenario:
• A Default route exists for 10.1.0.0/16
• A BGP route to 10.1.0.0/16 propagates to the subnet
• The Default route is marked by Azure as Invalid (disabled)
• The BGP route is chosen instead
© Cloud Mechanix www.cloudmechanix.co
BGPBeatsDefault
Applying the second rule of routing
(part 1)
• Sometimes you need force traffic via a particular
destination
• This is always the case when you use a firewall … ah-
ha!
• Third-party firewall appliance
• Azure Firewall
• And also when you use third-party routers/VPN
appliances
© Cloud Mechanix www.cloudmechanix.co
User-Defined Routes (UDRs)
Cabling our Azure devices
• Associated with a subnet
• Tip: 1 subnet per Route Table only!
• Common mistake:
• People think the route table contains the only routes in a
subnet
• Don’t forget about Default and BGP routes hidden in the
fabric!
© Cloud Mechanix www.cloudmechanix.co
Route Tables
An Azure resource that contains
UDRs
• Name: A human friendly label
• Address Prefix: CIDR
destination
• Next Hop Type:
• Virtual Network Gateway
• Virtual Network
• Internet
• Virtual Appliance *
• None (black hole)
• * Next Hop IP Address
• * Virtual Appliance IPv4
address
© Cloud Mechanix www.cloudmechanix.co
UDRComponents
Pretty simple
Inbound FlowsVia Firewall
Force traffic from on-premises in via
firewall
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
ExpressRoute/V
PN
172.16.0.0/1
2
VNet-1
10.1.0.0/1
6
Subnet-1
10.1.1.0/2
4
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Inactive 10.1.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Active 10.0.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
AzureFirewallSubn
et 10.0.1.0/24
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Inactive 0.0.0.0 Internet
Default Inactive 10.1.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
User Active 0.0.0.0/0 Internet
10.0.1.
4
© Cloud Mechanix www.cloudmechanix.co
Outbound FlowsVia Firewall
Common mistake for outbound flows – remember
LPF?
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
ExpressRoute/V
PN
172.16.0.0/1
2
VNet-1
10.1.0.0/1
6
Subnet-1
10.1.1.0/2
4
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Inactive 10.1.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Inactive 0.0.0.0 Internet
Default Active 10.0.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
User Active 0.0.0.0/0 Virtual Appliance 10.0.1.4
AzureFirewallSubn
et 10.0.1.0/24
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Inactive 0.0.0.0 Internet
Default Inactive 10.1.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
User Active 0.0.0.0/0 Internet
10.0.1.
4
© Cloud Mechanix www.cloudmechanix.co
• A UDR route that matches a BGP/Default Route beats the
BGP/Default Route
• Scenario:
• A Default route exists for 10.1.0.0/16
• A BGP route to 10.1.0.0/16 propagates to the subnet
• You add a UDR to 10.1.0.0/16
• The Default route is marked by Azure as Invalid (disabled)
• The BGP route is marked by Azure as Invalid (disabled)
• The UDR is chosen instead
© Cloud Mechanix www.cloudmechanix.co
UDRBeatsBGP&Default
Applying the second rule of routing
(part 2)
• A BGP route that matches a Default Route beats the Default
Route
• Scenario:
• A Default route exists for 10.1.0.0/16
• A BGP route to 10.1.0.0/16 propagates to the subnet
• You add a UDR to 0.0.0.0/0
• Send a packet to 10.1.1.4
• The Default route is marked by Azure as Invalid (disabled)
• The BGP route is a 16-bit match
• The UDR is a 0-bit match
• The BGP route is chosen!
© Cloud Mechanix www.cloudmechanix.co
But Remember – TheMost Accurate RouteWins!
Rule 1 and Rule 2 together
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
VNet-1
10.1.0.0/1
6
Subnet-1
10.1.1.0/2
4
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Inactive 10.1.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4
AzureFirewallSubn
et 10.0.1.0/24
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Inactive 0.0.0.0 Internet
Default Inactive 10.1.0.0/16 Peering
BGP Active 172.16.0.0/12 VirtualNetworkGateway
User Active 0.0.0.0/0 Internet
10.0.1.
4
Outbound FlowsVia Firewall
Disabling BGP propagation in a spoke Route
Table
Route Table > Disable
Source
BGP
Propaga
State
tion
Addres
s
Prefixe
s
Ne xt Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 V irtual Network
172.16.0.0/12 ExpressRoute/VPN
Public IP Address Default Inactive 0.0.0.0 I nternet
Default Active 10.0.0.0/16 P
e
ering
User Active 0.0.0.0/0 V irtual Appliance 10.0.1.4
© Cloud Mechanix www.cloudmechanix.co
• Today:
• Only possible via the NIC of an allocated (running) VM
• Desired:
• See it via any subnet
• Tips:
1. LEARN how routing really works (see previous)
2. Try it out
3. Draw how it works
4. Put a “canary” subnet/VM into a complex VNet so you can see
effective
routes
• VMs cannot be added to GatewaySubnet or AzureFirewallSubnet
© Cloud Mechanix www.cloudmechanix.co
Viewing Effective Route Tables
How do you see the actual route table?
• ExpressRoute
• View/export routes propagated from on-premises
• Circuit > Peerings > Private Peering
• VPN
• Non-BGP: See Local Network Gateway
• BGP: Query Log Analytics … AzureDiagnostics | where
OperationName
==
"BgpRouteUpdate"
© Cloud Mechanix www.cloudmechanix.co
ExpressRoute& VPN
See the routes associated with site-to-site
networking
Firewalls
© Cloud Mechanix www.cloudmechanix.co
• Ideally – yes!
• Central point of:
• Network security
• Routing
• Can offer more than just simple “Allow TCP From X
To Y”
• Centrally control outbound and east-west flows
• FQDN support for SQL and Web
© Cloud Mechanix www.cloudmechanix.co
DoI Need AFirewall?
Great question!
Platform VersusAppliance
I prefer the platform option – Azure
Firewall
© Cloud Mechanix www.cloudmechanix.co
Feature Appliance Azure Firewall
Type Virtual machines Platform
Complexity High None
High availability None to challenging Availability Set/Zones
Scale-Out 1-2 Automatic
Maintenance/Upgrades You (Guest OS) Microsoft (Platform)
Layer-7 None-Little Little (see Azure WAFv2)
IDS/IPS Maybe Azure Security Center/Sentinel
Documentation Mostly awful Good
Max throughput Varies 30 Gbps (more with Support call)
• Architecture
• Single subnet / Private IP
• 1-100 Public IPv4 (SNAT and DNAT
scale-out)
• Availability sets/zones
• Features:
• NAT Rules
• DNAT from Internet
• Network Rules
• Layer-4 protection at central location
• Application Rules
• FQDN HTTP/S and SQL Server traffic
• FQDN Tags
• Threat Intelligence
• Machine learning based alerting/blocking
• Logging
• Storage account, Event Hub, Log Analytics
© Cloud Mechanix www.cloudmechanix.co
Azure Firewall
A platform-based
firewall
• Network
• A single resource
• Managed via the resource
• Secure Virtual Hub (Preview)
• A hub (hub and spoke)
• Firewall and Azure WAN hub
• Managed via hub and Azure Firewall
Policy
• AFP not in the Network SKU
© Cloud Mechanix www.cloudmechanix.co
AzureFirewall SKUS
Ways to deploy the same resource
type
• It depends – consult whatever documentation the vendor has
• Caution: some major vendors sell you ticking timebombs!
• Beware of appliance clusters that don’t have 2 Azure load balancers
• And don’t use any brand that expects you to program Azure UDRs
via their
appliance
© Cloud Mechanix www.cloudmechanix.co
Third-Party Firewall ApplianceArchitecture
If you insist on unnecessary work, scalability & complexity
issues
Simple Firewall Appliance Architecture
Single firewall appliance
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
FirewallSubn
et
10.0.1.0/24
Public IP
Address
10.0.1.4
VM: Typically
D4v2
© Cloud Mechanix www.cloudmechanix.co
www.cloudmechanix.coN©oteC:lAoduditdionMalefircehwaalnlmixan2a0ge2m0ent subnet typically
Split-Subnet Firewall Appliance Architecture
Is this really required in The Cloud?
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
FirewallExternalSubn
et 10.0.1.0/24
Public IP
Address
FirewallInternalSubn
et 10.0.2.0/24
10.0.1.4 10.0.2.4
VM: Typically
D4v2
© Cloud Mechanix www.cloudmechanix.co
• GatewaySubnet
• Address Prefix : Spoke CIDR
• Next Hop Type: Virtual Appliance
• Next Hop IP Address: External NIC private IP
address
• Spoke Subnets
• Address Prefix : 0.0.0.0/0
• Next Hop Type: Virtual Appliance
• Next Hop IP Address: Internal NIC private IP
address
UDRsFor ThisScenario
Still required … and maybe dangerous, depending on your
appliance
www.cloudmechanix.coN©oteC:lAoduditdionMalefircehwaalnlmixan2a0ge2m0ent subnet typically
HAFirewall Appliance Architecture
Assuming your firewall appliance supports this
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
FirewallExternalSubn
et 10.0.1.0/24 BasicAzure
Load
Balancer
Public IP
Address
FirewallInternalSubn
et 10.0.2.0/24 Standard
AzureLoad
Balancer
10.0.1.4 10.0.2.4
VM: Typically
D4v2
• GatewaySubnet
• Address Prefix : Spoke CIDR
• Next Hop Type: Virtual Appliance
• Next Hop IP Address: External Load Balancer Private IP
address
• Spoke Subnets
• Address Prefix : 0.0.0.0/0
• Next Hop Type: Virtual Appliance
• Next Hop IP Address: Internal Load Balancer Private IP
address
© Cloud Mechanix www.cloudmechanix.co
UDRsFor ThisScenario
Beware of HA firewalls that must manage the UDRs
themselves
• Most vendors will add management subnet/NICs
• Not load balanced
• Some vendors require Azure Service Bus for configuration
replication
• There is an option for another subnet with load balanced NICs:
• Internet traffic
• ExpressRoute/VPN traffic
© Cloud Mechanix www.cloudmechanix.co
Variations OnThis Scenario
Consult your vendor … assuming they even
know
Layer-7WebApplication Firewall
(WAF)
© Cloud Mechanix www.cloudmechanix.co
• Specialised firewall for HTTP/S traffic
• Think of it as a reverse proxy with firewall features for HTTP/S
servers
• Different to your firewall
• Focused on simple allow/deny traffic
• WAF focus:
• Attacks on HTTP/S servers
© Cloud Mechanix www.cloudmechanix.co
What is aWAF?
Web Application
Firewall
Options
VNet, Microsoft or partner, and
location
© Cloud Mechanix www.cloudmechanix.co
Type Vendor Location
Third-party WAF Third-Party Virtual Network
Third-party cloud service Third-Party 1+ locations
Azure Application Gateway
WAF
Microsoft Virtual Network
Azure Frontdoor WAF Microsoft 170+ edge data centres
• Azure Frontdoor:
• Located at every Microsoft edge data centre
• Reduce latency between global customers and your
service
• Keeping the threat further from your assets
• SSL Offload
• End-to-end encryption
• WAF Policy:
• OWASP 3.1 rules, SQL injection, malformed
requests, etc
• Extended rules customisation
• Bot protection rule (preview)
• Geo-match filtering (preview)
© Cloud Mechanix www.cloudmechanix.co
AzureFront Door WAFFeatures
Deployed in Microsoft’s 170+ edge data
centres
• Application Gateway:
• Availability sets/zones
• SSL Offload
• SSL storage in Azure Key Vault – delegated access via User
Managed ID
• End-to-end encryption
• WAF:
• OWASP 3.1 rules, SQL injection, malformed requests, etc
• Extends DDoS Standard Tier to Layer-7
• Optional management via WAF Policy resource
• Extended rules customisation
• Bot protection rule (preview)
• Geomatch filtering (limited region preview)
© Cloud Mechanix www.cloudmechanix.co
AzureApplication Gateway WAFv2Features
Focus in this presentation
• Where will you place the WAF?
• Centrally:
• Managed by security experts
• Requires process for change requests
• With each application
• Flexible for Devs/Operators
• Security handled by the wrong people!
• Typically not in-front or behind the network
firewall
• Isolated flow to protect against DDoS
• Protected at Layer-4 by NSG
© Cloud Mechanix www.cloudmechanix.co
WAFPlacement
Question you need to ask
yourself
NSG,WAF,and Firewall
Name of service resolves to
WAF
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
ExpressRoute/V
PN172.16.0.0/1
2
AzureFirewallSubn
et 10.0.1.0/24
10.0.1.
4
Public IP
Address
InternalWafSubne
t
10.0.2.0/24
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
User Active 10.19.3.0/24 Virtual Appliance 10.0.1.4
User Active 10.0.2.0/24 Virtual Network
© Cloud Mechanix www.cloudmechanix.co
Priority Name Port Protocol Source Destination Action
100 AllowHealthProbe 65200-65535 TCP GatewayManager Any Allow
200 AllowWeb 80, 443 TCP 172.16.0.0/12 10.0.2.0/24 Allow
300 AllowLoadBalancer Any Any AzureLoadBalancer 10.0.2.0/24 Allow
400 DenyEverythingElse Any Any Any Any Deny
A, internal.joeelway.com =
10.0.2.4 A, sql.joeelway.com =
10.19.3.8
NSG,WAF,and Firewall
Name of service resolv
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
ExpressRoute/V
PN172.16.0.0/1
2
AzureFirewallSubn
et 10.0.1.0/24
10.0.1.
4
Public IP
Address
InternalWafSubnet
10.0.2.0/24
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
User Active 10.19.3.0/24 Virtual Appliance 10.0.1.4
User Active 10.0.2.0/24 Virtual Network
© Cloud Mechanix www.cloudmechanix.co
Priority Name Port Protocol Source Destination Action
100 AllowHealthProbe 65200-65535 TCP GatewayManager Any Allow
200 AllowWeb 80, 443 TCP 172.16.0.0/12 10.0.2.0/24 Allow
300 AllowLoadBalancer Any Any AzureLoadBalancer 10.0.2.0/24 Allow
400 DenyEverythingElse Any Any Any Any Deny
A, internal.joeelway.com =
10.0.2.4 A, sql.joeelway.com =
10.19.3.8
Service Endpoints
© Cloud Mechanix www.cloudmechanix.co
How AVNet ResourceTalksToAzure Services
The long way there
VNet-1
10.1.0.0/1
6
Subnet-
1
10.1.1.0/2
4
App Service
(ASE or VNet
Integration)
AzureSQL
Storage(Azure)
Public
Azure
Backbone
© Cloud Mechanix www.cloudmechanix.co
• Enabled per-subnet
• A trick of routing
• Kind of the same idea as ExpressRoute Azure Public
Peering
• Uses Default routes
• Redirects traffic to certain Azure services
• Direct path: not public, lower latency
• Extend network security to PaaS (see Access Rules)
© Cloud Mechanix www.cloudmechanix.co
Service Endpoints
Routing shortcut to Azure
services
How AVNet ResourceTalksToAzure Services
The short way there
VNet-1
10.1.0.0/1
6
Subnet-
1
10.1.1.0/2
4
App Service
(ASE or VNet
Integration)
AzureSQL
Storage(Azure)
Public
Azure
Backbone
Private
Azure
Backbone
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Active [Microsoft.SQL] VirtualNetworkServiceEndpoint
Default Active [Microsoft.Storage] VirtualNetworkServiceEndpoint
© Cloud Mechanix www.cloudmechanix.co
ResourceAccess Policies
© Cloud Mechanix www.cloudmechanix.co
• PaaS resources run on a VNet
• We cannot see that VNet
• But we can enable “firewall rules” on the PaaS
resources:
• App Service access rules
• Azure SQL firewall rules
• And more
• Often used with Service Endpoints
© Cloud Mechanix www.cloudmechanix.co
Platform ServicesHidden Networking
Azure PaaS is built on many Azure resources that you
can use
How AVNet ResourceTalksToAzure Services
Control inbound connections at the PaaS instance
VNet-1
10.1.0.0/1
6
Subnet-
1
10.1.1.0/2
4
App Service
(ASE or VNet
Integration)
AzureSQL
Storage(Azure)
Public
Azure
Backbone
Private
Azure
Backbone
Source State Address Prefixes Next Hop Type Next Hop
IP
Address
Default Active 10.0.0.0/16 Virtual Network
Default Active 0.0.0.0 Internet
Default Active [Microsoft.SQL] VirtualNetworkServiceEndpoint
Firewall Rule: Allow
10.1.1.0/24
© Cloud Mechanix www.cloudmechanix.co
Private Link & PrivateEndpoints
© Cloud Mechanix www.cloudmechanix.co
• PaaS is the cloud of services in The
Cloud
• PaaS is natively public:
• Your internal application is on The
Internet
• The Data Lake is publicly addressable
• That database is addressable by
everyone
© Cloud Mechanix www.cloudmechanix.co
Challengeof Platform-as-a-Service(PaaS)
The default setting is public
• VNet integration
• Expensive SKUs
• Access Policies
• Basic Layer-4 filters
• Service Endpoints
• Maps an entire service, not an instance
• WAF with Service Endpoints, Access Policies, and basic VNet
connectivity
• Doesn’t control all network flows
• Hybrid connectivity agents
• Only protects PaaS outbound connections to private services
• ExpressRoute Microsoft Peering with Access Policies
• Maps an entire service, not an instance
• ExpressRoute is less popular thanks to cost and SD-WAN (Azure WAN)
option
© Cloud Mechanix www.cloudmechanix.co
PaaSPrivacyOptions
So many options
Private PaaS(PartlyGA)
Private Link (the service) GA, Private Endpoints (the method)
preview
Virtual Network (10.0.0.0/16)
AzurePaaS
Internet
Virtual Network (10.0.0.0/16)
AzurePaaS
InternetSERVICE ENDPOINT PRIVATE LINK – PRIVATE ENDPOINT
VNettoPaaSserviceviatheMicrosoftbackbone
DestinationisstillapublicIPaddress.NSGopenedto
Service Tags
NeedtopassNVA/Firewallfor exfiltrationprotection
VNetPaasviatheMicrosoftbackbone
PaaSresourcemappedtoPrivateIPAddress.NSGs
restrictedtoVNetspace
In-built dataexfiltration protection
PRIVATE
© Cloud Mechanix www.cloudmechanix.co
• From Azure VMs to Azure PaaS resources
• Secure connection over VPN, SD-WAN, ExpressRoute
via VNet Gateway
• Services shared via Standard tier Azure Load Balancer:
• Enable overlapping IP address spaces
• Privately share IaaS/PaaS as SaaS with customers
© Cloud Mechanix www.cloudmechanix.co
Scenarios
Interesting
future
• Private Link
• The fabric service that allows mapping
• Private Endpoint
• The IP address for your PaaS resource in your VNet
• Private Endpoint maps a specific resource
• Not just an instance like Service Endpoint or ExpressRoute Microsoft
Peering
• Provides protection against data exfiltration
© Cloud Mechanix www.cloudmechanix.co
Points ToNote
How it’s different to Service
Endpoints
• Limited preview with mixed support of:
• Resources
• Regions
• No support for NSG rules
• Still can use NSG Flow Logs
• VNet Peering
• Requires 1+ VMs on the Private Endpoint VNet
• Private Endpoint not addressable by some resource
types:
• App Service Plan, Azure Container Instance, Azure NetApp
Files, Azure
Dedicated HSM© Cloud Mechanix www.cloudmechanix.co
Preview Limitations
Documentation still not updated for
GA
Security Management &
Monitoring
© Cloud Mechanix www.cloudmechanix.co
• Features:
• Compliance reporting
• Recommendations
• Monitoring
• An Azure IDS that runs across the subscription
• Not focused on just 1 virtual appliance!
• Be careful:
• Some recommendations are not based on product best
practices
• Example: NSG should be per-subnet, NOT per-NIC
• Example 2: Be careful of enabling Storage Account firewall
feature
© Cloud Mechanix www.cloudmechanix.co
Security Center
Security monitoring
• Log Analytics
• Send diagnostic & metrics data to a single Workspace
• Add solutions – some from “OMS” gallery in Marketplace, some from
GitHub
• Add saved queries
• Build workbooks for reporting
• NSG Flows
• NSG Flow Logs: Send data to GPv2 storage account
• Traffic Analytics: Forward blob data to Log Analytics
© Cloud Mechanix www.cloudmechanix.co
Monitoring
It’s not managed if it’s not
monitored
• Azure Sentinel
• Features:
• Log Analytics Workspace solution
• Connect to Azure & third-party
resources
• Threat hunting
• Automated responses
• Alerting
© Cloud Mechanix www.cloudmechanix.co
Security Alerting
Security Information & Event Management
(SIEM)
• Azure Firewall
• Traces in Log Analytics … AzureDiagnostics | where Category ==
"AzureFirewallNetworkRule"
• Service Map to identify network requirements pre-migration
• NSGs
• Traffic Analytics … AzureNetworkAnalytics_CL | where SubType_s == 'FlowLog'
• Routing
• Effective Routes
• VM NICs only
• Truly understand routing to map it mentally/on-paper
• Traffic Analytics
• I don’t find Network Watcher to be useful
• WAF
• Traces in Log Analytics … AzureDiagnostics | where Category ==
"ApplicationGatewayFirewallLog"
• Most common problem is false positive SQL injection attack detection
© Cloud Mechanix www.cloudmechanix.co
Troubleshooting
Some tips
Micro-Segmentation
© Cloud Mechanix www.cloudmechanix.co
• Hard on the outside, gooey on the inside
• Firewall at the edge
• No port/VLAN protection
• Windows/Linux firewall disabled
• Direct remote access to machines
• How do attacks happen?
• Find a weak spot (human) to bypass the
firewall
• Spread across open network in minutes
• Used to be 24 hours for complete compromise
© Cloud Mechanix www.cloudmechanix.co
TheTypicalOn-PremisesServer Network
Everyone knew better but …
• Not a new concept
• Implement network protections throughout the entire
network
• Not just the edge
• Easier to do in the cloud:
• Deployment via infrastructure-as-code (IaC)
• CI/CD via Azure DevOps, GitHub, etc
• Enforcement via Azure Policy
© Cloud Mechanix www.cloudmechanix.co
Micro-Segmentation
The way we knew it should be
done
SimpleExample
At the resource level
VNet-0
10.0.0.0/1
6
GatewaySubn
et
10.0.0.0/24
ExpressRoute/V
PN VNet-1
10.1.0.0/1
6
FrontSubnet
10.1.1.0/24
VNet-2
10.2.0.0/1
6
FrontSubnet
10.2.1.0/24
VNet
Peering
AzureFirewallSubn
et 10.0.1.0/24
InternalWafSubnet
10.0.2.0/24
BackSubnet
10.1.2.0/24
BackSubnet
10.2.2.0/24
NSG
NSG NSG
NSG NSG
WAFv2
VM VM
Window
s
Firewall
Linux Firewall
AppSvc Azure SQL
Access
Rules
Server
Firewall
Microsoft.Web
Service
Endpoint
© Cloud Mechanix www.cloudmechanix.co
Micro-Segmentation In ASubnet
In more depth
VNet-1
10.1.0.0/1
6
FrontSubn
et
10.1.1.0/24
BackSubn
et
10.1.2.0/2
4
Web VMs
App
VMs
Logic
VMs
Batch
VMs
SQL
VMs
NSG NSG
Web-
ASG
App-
ASG
Logic-
ASG
Batch-
ASG
SQL-
ASG
Priority Name Port Protocol Source Destination Action
100 AllowWebToApp 443 TCP Web-Asg App-Asg Allow
200 AllowAppToLogic 443 TCP App-Asg Logic-Asg Allow
300 AllowLogicToBatch 443 TCP Logic-Asg Batch-Asg Allow
400 AllowLogicToSql 1433 TCP Logic-Asg SQL-Asg Allow
4096 DenyEverythingElse Any Any Any Any Deny
© Cloud Mechanix www.cloudmechanix.co
Wrapping Up
© Cloud Mechanix www.cloudmechanix.co
• There’s a lot to learn
• Take the deck (when it’s shared) and read through the stuff I
skipped
• Read lots!
• Play with the tech in a lab
• Don’t assume something works
• Try the positive and negative tests
© Cloud Mechanix www.cloudmechanix.co
Summary
We could have used 1-2 days on this
topic!
• http://aidanfinn.com
• http://www.cloudmechanix.co
m
• http://www.innofactor.com
• @joe_elway
Thank You!
Aidan Finn, Cloud
Mechanix
© Cloud Mechanix www.cloudmechanix.co

Más contenido relacionado

La actualidad más candente

(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014Amazon Web Services
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXAbhishek Mallick
 
CloudStack Networking Deepdive CCCEU13
CloudStack Networking Deepdive CCCEU13CloudStack Networking Deepdive CCCEU13
CloudStack Networking Deepdive CCCEU13Chiradeep Vittal
 
Deep Dive VPC - Pop-up Loft TLV 2017
Deep Dive VPC - Pop-up Loft TLV 2017Deep Dive VPC - Pop-up Loft TLV 2017
Deep Dive VPC - Pop-up Loft TLV 2017Amazon Web Services
 
Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Julien SIMON
 
Cloud stack networking shapeblue technical deep dive
Cloud stack networking   shapeblue technical deep diveCloud stack networking   shapeblue technical deep dive
Cloud stack networking shapeblue technical deep diveShapeBlue
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Microsoft az-104 Dumps
Microsoft az-104 DumpsMicrosoft az-104 Dumps
Microsoft az-104 DumpsArmstrongsmith
 
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013Amazon Web Services
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureHui Cheng
 
VMworld 2013: VMware NSX Integration with OpenStack
VMworld 2013: VMware NSX Integration with OpenStack VMworld 2013: VMware NSX Integration with OpenStack
VMworld 2013: VMware NSX Integration with OpenStack VMworld
 
3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle CloudSimon Haslam
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development processJerod Brennen
 
CloudStack European User Group - controlCircle
CloudStack European User Group - controlCircle CloudStack European User Group - controlCircle
CloudStack European User Group - controlCircle ShapeBlue
 
Jeff Green April 2011 May V1
Jeff Green April 2011 May V1Jeff Green April 2011 May V1
Jeff Green April 2011 May V1JeffGreenMichigan
 
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...Amazon Web Services
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementMarketingArrowECS_CZ
 
CloudStack Networking at CloudOpen Japan
CloudStack Networking at CloudOpen JapanCloudStack Networking at CloudOpen Japan
CloudStack Networking at CloudOpen JapanKimihiko Kitase
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014Amazon Web Services
 

La actualidad más candente (20)

(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
(ARC401) Black-Belt Networking for the Cloud Ninja | AWS re:Invent 2014
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
 
CloudStack Networking Deepdive CCCEU13
CloudStack Networking Deepdive CCCEU13CloudStack Networking Deepdive CCCEU13
CloudStack Networking Deepdive CCCEU13
 
Deep Dive VPC - Pop-up Loft TLV 2017
Deep Dive VPC - Pop-up Loft TLV 2017Deep Dive VPC - Pop-up Loft TLV 2017
Deep Dive VPC - Pop-up Loft TLV 2017
 
Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)Deep Dive: Amazon Virtual Private Cloud (March 2017)
Deep Dive: Amazon Virtual Private Cloud (March 2017)
 
Cloud stack networking shapeblue technical deep dive
Cloud stack networking   shapeblue technical deep diveCloud stack networking   shapeblue technical deep dive
Cloud stack networking shapeblue technical deep dive
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Microsoft az-104 Dumps
Microsoft az-104 DumpsMicrosoft az-104 Dumps
Microsoft az-104 Dumps
 
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing Infrastructure
 
VMworld 2013: VMware NSX Integration with OpenStack
VMworld 2013: VMware NSX Integration with OpenStack VMworld 2013: VMware NSX Integration with OpenStack
VMworld 2013: VMware NSX Integration with OpenStack
 
3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development process
 
CloudStack European User Group - controlCircle
CloudStack European User Group - controlCircle CloudStack European User Group - controlCircle
CloudStack European User Group - controlCircle
 
Jeff Green April 2011 May V1
Jeff Green April 2011 May V1Jeff Green April 2011 May V1
Jeff Green April 2011 May V1
 
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
 
CloudStack Networking at CloudOpen Japan
CloudStack Networking at CloudOpen JapanCloudStack Networking at CloudOpen Japan
CloudStack Networking at CloudOpen Japan
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
 

Similar a Securely Publishing Azure Services

Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataAidan Finn
 
Azure Networking - The First Technical Challenge
Azure Networking  - The First Technical ChallengeAzure Networking  - The First Technical Challenge
Azure Networking - The First Technical ChallengeAidan Finn
 
A Deepdive into Azure Networking
A Deepdive into Azure NetworkingA Deepdive into Azure Networking
A Deepdive into Azure NetworkingKarim Vaes
 
Hacking apache cloud stack
Hacking apache cloud stackHacking apache cloud stack
Hacking apache cloud stackNitin Mehta
 
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...Amazon Web Services
 
2014-09-15 cloud platform master class
2014-09-15 cloud platform master class2014-09-15 cloud platform master class
2014-09-15 cloud platform master classCitrix
 
Let's Talk About: Azure Networking
Let's Talk About: Azure NetworkingLet's Talk About: Azure Networking
Let's Talk About: Azure NetworkingPedro Sousa
 
VTU Open Elective 6th Sem CSE - Module 2 - Cloud Computing
VTU Open Elective 6th Sem CSE - Module 2 - Cloud ComputingVTU Open Elective 6th Sem CSE - Module 2 - Cloud Computing
VTU Open Elective 6th Sem CSE - Module 2 - Cloud ComputingSachin Gowda
 
Powering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesPowering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesAmazon Web Services
 
Virtualization and cloud computing
Virtualization and cloud computingVirtualization and cloud computing
Virtualization and cloud computingDeep Gupta
 
VMware vCloud Air: Networking
VMware vCloud Air: NetworkingVMware vCloud Air: Networking
VMware vCloud Air: NetworkingVMware
 
A Complete Guide Cloud Computing
A Complete Guide Cloud ComputingA Complete Guide Cloud Computing
A Complete Guide Cloud ComputingSripati Mahapatra
 
ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASSECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASSEuropean Collaboration Summit
 
AWS re:Invent 2016: Advanced Tips for Amazon EC2 Networking and High Availabi...
AWS re:Invent 2016: Advanced Tips for Amazon EC2 Networking and High Availabi...AWS re:Invent 2016: Advanced Tips for Amazon EC2 Networking and High Availabi...
AWS re:Invent 2016: Advanced Tips for Amazon EC2 Networking and High Availabi...Amazon Web Services
 
Community Session: Strategic Private Cloud in SKY UK
Community Session: Strategic Private Cloud in SKY UKCommunity Session: Strategic Private Cloud in SKY UK
Community Session: Strategic Private Cloud in SKY UKVMUG IT
 
Container Orchestration with Traefk on Docker Swarm
Container Orchestration with Traefk on Docker SwarmContainer Orchestration with Traefk on Docker Swarm
Container Orchestration with Traefk on Docker SwarmJakub Hajek
 
20191201 kubernetes managed weblogic revival - part 1
20191201 kubernetes managed weblogic revival - part 120191201 kubernetes managed weblogic revival - part 1
20191201 kubernetes managed weblogic revival - part 1makker_nl
 
Rami Sayar - Node microservices with Docker
Rami Sayar - Node microservices with DockerRami Sayar - Node microservices with Docker
Rami Sayar - Node microservices with DockerWeb à Québec
 
tcp cloud in AVG
tcp cloud in AVGtcp cloud in AVG
tcp cloud in AVGtcp cloud
 

Similar a Securely Publishing Azure Services (20)

Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And Data
 
Azure Networking - The First Technical Challenge
Azure Networking  - The First Technical ChallengeAzure Networking  - The First Technical Challenge
Azure Networking - The First Technical Challenge
 
10052016115136.pptx
10052016115136.pptx10052016115136.pptx
10052016115136.pptx
 
A Deepdive into Azure Networking
A Deepdive into Azure NetworkingA Deepdive into Azure Networking
A Deepdive into Azure Networking
 
Hacking apache cloud stack
Hacking apache cloud stackHacking apache cloud stack
Hacking apache cloud stack
 
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
 
2014-09-15 cloud platform master class
2014-09-15 cloud platform master class2014-09-15 cloud platform master class
2014-09-15 cloud platform master class
 
Let's Talk About: Azure Networking
Let's Talk About: Azure NetworkingLet's Talk About: Azure Networking
Let's Talk About: Azure Networking
 
VTU Open Elective 6th Sem CSE - Module 2 - Cloud Computing
VTU Open Elective 6th Sem CSE - Module 2 - Cloud ComputingVTU Open Elective 6th Sem CSE - Module 2 - Cloud Computing
VTU Open Elective 6th Sem CSE - Module 2 - Cloud Computing
 
Powering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesPowering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon Workspaces
 
Virtualization and cloud computing
Virtualization and cloud computingVirtualization and cloud computing
Virtualization and cloud computing
 
VMware vCloud Air: Networking
VMware vCloud Air: NetworkingVMware vCloud Air: Networking
VMware vCloud Air: Networking
 
A Complete Guide Cloud Computing
A Complete Guide Cloud ComputingA Complete Guide Cloud Computing
A Complete Guide Cloud Computing
 
ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASSECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
 
AWS re:Invent 2016: Advanced Tips for Amazon EC2 Networking and High Availabi...
AWS re:Invent 2016: Advanced Tips for Amazon EC2 Networking and High Availabi...AWS re:Invent 2016: Advanced Tips for Amazon EC2 Networking and High Availabi...
AWS re:Invent 2016: Advanced Tips for Amazon EC2 Networking and High Availabi...
 
Community Session: Strategic Private Cloud in SKY UK
Community Session: Strategic Private Cloud in SKY UKCommunity Session: Strategic Private Cloud in SKY UK
Community Session: Strategic Private Cloud in SKY UK
 
Container Orchestration with Traefk on Docker Swarm
Container Orchestration with Traefk on Docker SwarmContainer Orchestration with Traefk on Docker Swarm
Container Orchestration with Traefk on Docker Swarm
 
20191201 kubernetes managed weblogic revival - part 1
20191201 kubernetes managed weblogic revival - part 120191201 kubernetes managed weblogic revival - part 1
20191201 kubernetes managed weblogic revival - part 1
 
Rami Sayar - Node microservices with Docker
Rami Sayar - Node microservices with DockerRami Sayar - Node microservices with Docker
Rami Sayar - Node microservices with Docker
 
tcp cloud in AVG
tcp cloud in AVGtcp cloud in AVG
tcp cloud in AVG
 

Más de BizTalk360

Optimise Business Activity Tracking – Insights from Smurfit Kappa
Optimise Business Activity Tracking – Insights from Smurfit KappaOptimise Business Activity Tracking – Insights from Smurfit Kappa
Optimise Business Activity Tracking – Insights from Smurfit KappaBizTalk360
 
Optimise Business Activity Tracking – Insights from Smurfit Kappa
Optimise Business Activity Tracking – Insights from Smurfit KappaOptimise Business Activity Tracking – Insights from Smurfit Kappa
Optimise Business Activity Tracking – Insights from Smurfit KappaBizTalk360
 
What's inside "migrating to biz talk server 2020" Book (BizTalk360 Webinar)
What's inside "migrating to biz talk server 2020" Book (BizTalk360 Webinar)What's inside "migrating to biz talk server 2020" Book (BizTalk360 Webinar)
What's inside "migrating to biz talk server 2020" Book (BizTalk360 Webinar)BizTalk360
 
Integration Monday - Logic Apps: Development Experiences
Integration Monday - Logic Apps: Development ExperiencesIntegration Monday - Logic Apps: Development Experiences
Integration Monday - Logic Apps: Development ExperiencesBizTalk360
 
Integration Monday - BizTalk Migrator Deep Dive
Integration Monday - BizTalk Migrator Deep DiveIntegration Monday - BizTalk Migrator Deep Dive
Integration Monday - BizTalk Migrator Deep DiveBizTalk360
 
Testing for Logic App Solutions | Integration Monday
Testing for Logic App Solutions | Integration MondayTesting for Logic App Solutions | Integration Monday
Testing for Logic App Solutions | Integration MondayBizTalk360
 
System Integration using Reactive Programming | Integration Monday
System Integration using Reactive Programming | Integration MondaySystem Integration using Reactive Programming | Integration Monday
System Integration using Reactive Programming | Integration MondayBizTalk360
 
Building workflow solution with Microsoft Azure and Cloud | Integration Monday
Building workflow solution with Microsoft Azure and Cloud | Integration MondayBuilding workflow solution with Microsoft Azure and Cloud | Integration Monday
Building workflow solution with Microsoft Azure and Cloud | Integration MondayBizTalk360
 
Serverless Minimalism: How to architect your apps to save 98% on your Azure b...
Serverless Minimalism: How to architect your apps to save 98% on your Azure b...Serverless Minimalism: How to architect your apps to save 98% on your Azure b...
Serverless Minimalism: How to architect your apps to save 98% on your Azure b...BizTalk360
 
Migrating BizTalk Solutions to Azure: Mapping Messages | Integration Monday
Migrating BizTalk Solutions to Azure: Mapping Messages | Integration MondayMigrating BizTalk Solutions to Azure: Mapping Messages | Integration Monday
Migrating BizTalk Solutions to Azure: Mapping Messages | Integration MondayBizTalk360
 
Integration-Monday-Infrastructure-As-Code-With-Terraform
Integration-Monday-Infrastructure-As-Code-With-TerraformIntegration-Monday-Infrastructure-As-Code-With-Terraform
Integration-Monday-Infrastructure-As-Code-With-TerraformBizTalk360
 
Integration-Monday-Stateful-Programming-Models-Serverless-Functions
Integration-Monday-Stateful-Programming-Models-Serverless-FunctionsIntegration-Monday-Stateful-Programming-Models-Serverless-Functions
Integration-Monday-Stateful-Programming-Models-Serverless-FunctionsBizTalk360
 
Integration-Monday-Serverless-Slackbots-with-Azure-Durable-Functions
Integration-Monday-Serverless-Slackbots-with-Azure-Durable-FunctionsIntegration-Monday-Serverless-Slackbots-with-Azure-Durable-Functions
Integration-Monday-Serverless-Slackbots-with-Azure-Durable-FunctionsBizTalk360
 
Integration-Monday-Building-Stateful-Workloads-Kubernetes
Integration-Monday-Building-Stateful-Workloads-KubernetesIntegration-Monday-Building-Stateful-Workloads-Kubernetes
Integration-Monday-Building-Stateful-Workloads-KubernetesBizTalk360
 
Integration-Monday-Logic-Apps-Tips-Tricks
Integration-Monday-Logic-Apps-Tips-TricksIntegration-Monday-Logic-Apps-Tips-Tricks
Integration-Monday-Logic-Apps-Tips-TricksBizTalk360
 
Integration-Monday-Terraform-Serverless
Integration-Monday-Terraform-ServerlessIntegration-Monday-Terraform-Serverless
Integration-Monday-Terraform-ServerlessBizTalk360
 
Integration-Monday-Microsoft-Power-Platform
Integration-Monday-Microsoft-Power-PlatformIntegration-Monday-Microsoft-Power-Platform
Integration-Monday-Microsoft-Power-PlatformBizTalk360
 
One name unify them all
One name unify them allOne name unify them all
One name unify them allBizTalk360
 
Integration-Monday-BizTalk-Server-2020
Integration-Monday-BizTalk-Server-2020Integration-Monday-BizTalk-Server-2020
Integration-Monday-BizTalk-Server-2020BizTalk360
 

Más de BizTalk360 (20)

Optimise Business Activity Tracking – Insights from Smurfit Kappa
Optimise Business Activity Tracking – Insights from Smurfit KappaOptimise Business Activity Tracking – Insights from Smurfit Kappa
Optimise Business Activity Tracking – Insights from Smurfit Kappa
 
Optimise Business Activity Tracking – Insights from Smurfit Kappa
Optimise Business Activity Tracking – Insights from Smurfit KappaOptimise Business Activity Tracking – Insights from Smurfit Kappa
Optimise Business Activity Tracking – Insights from Smurfit Kappa
 
What's inside "migrating to biz talk server 2020" Book (BizTalk360 Webinar)
What's inside "migrating to biz talk server 2020" Book (BizTalk360 Webinar)What's inside "migrating to biz talk server 2020" Book (BizTalk360 Webinar)
What's inside "migrating to biz talk server 2020" Book (BizTalk360 Webinar)
 
Integration Monday - Logic Apps: Development Experiences
Integration Monday - Logic Apps: Development ExperiencesIntegration Monday - Logic Apps: Development Experiences
Integration Monday - Logic Apps: Development Experiences
 
Integration Monday - BizTalk Migrator Deep Dive
Integration Monday - BizTalk Migrator Deep DiveIntegration Monday - BizTalk Migrator Deep Dive
Integration Monday - BizTalk Migrator Deep Dive
 
Testing for Logic App Solutions | Integration Monday
Testing for Logic App Solutions | Integration MondayTesting for Logic App Solutions | Integration Monday
Testing for Logic App Solutions | Integration Monday
 
No-Slides
No-SlidesNo-Slides
No-Slides
 
System Integration using Reactive Programming | Integration Monday
System Integration using Reactive Programming | Integration MondaySystem Integration using Reactive Programming | Integration Monday
System Integration using Reactive Programming | Integration Monday
 
Building workflow solution with Microsoft Azure and Cloud | Integration Monday
Building workflow solution with Microsoft Azure and Cloud | Integration MondayBuilding workflow solution with Microsoft Azure and Cloud | Integration Monday
Building workflow solution with Microsoft Azure and Cloud | Integration Monday
 
Serverless Minimalism: How to architect your apps to save 98% on your Azure b...
Serverless Minimalism: How to architect your apps to save 98% on your Azure b...Serverless Minimalism: How to architect your apps to save 98% on your Azure b...
Serverless Minimalism: How to architect your apps to save 98% on your Azure b...
 
Migrating BizTalk Solutions to Azure: Mapping Messages | Integration Monday
Migrating BizTalk Solutions to Azure: Mapping Messages | Integration MondayMigrating BizTalk Solutions to Azure: Mapping Messages | Integration Monday
Migrating BizTalk Solutions to Azure: Mapping Messages | Integration Monday
 
Integration-Monday-Infrastructure-As-Code-With-Terraform
Integration-Monday-Infrastructure-As-Code-With-TerraformIntegration-Monday-Infrastructure-As-Code-With-Terraform
Integration-Monday-Infrastructure-As-Code-With-Terraform
 
Integration-Monday-Stateful-Programming-Models-Serverless-Functions
Integration-Monday-Stateful-Programming-Models-Serverless-FunctionsIntegration-Monday-Stateful-Programming-Models-Serverless-Functions
Integration-Monday-Stateful-Programming-Models-Serverless-Functions
 
Integration-Monday-Serverless-Slackbots-with-Azure-Durable-Functions
Integration-Monday-Serverless-Slackbots-with-Azure-Durable-FunctionsIntegration-Monday-Serverless-Slackbots-with-Azure-Durable-Functions
Integration-Monday-Serverless-Slackbots-with-Azure-Durable-Functions
 
Integration-Monday-Building-Stateful-Workloads-Kubernetes
Integration-Monday-Building-Stateful-Workloads-KubernetesIntegration-Monday-Building-Stateful-Workloads-Kubernetes
Integration-Monday-Building-Stateful-Workloads-Kubernetes
 
Integration-Monday-Logic-Apps-Tips-Tricks
Integration-Monday-Logic-Apps-Tips-TricksIntegration-Monday-Logic-Apps-Tips-Tricks
Integration-Monday-Logic-Apps-Tips-Tricks
 
Integration-Monday-Terraform-Serverless
Integration-Monday-Terraform-ServerlessIntegration-Monday-Terraform-Serverless
Integration-Monday-Terraform-Serverless
 
Integration-Monday-Microsoft-Power-Platform
Integration-Monday-Microsoft-Power-PlatformIntegration-Monday-Microsoft-Power-Platform
Integration-Monday-Microsoft-Power-Platform
 
One name unify them all
One name unify them allOne name unify them all
One name unify them all
 
Integration-Monday-BizTalk-Server-2020
Integration-Monday-BizTalk-Server-2020Integration-Monday-BizTalk-Server-2020
Integration-Monday-BizTalk-Server-2020
 

Último

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 

Último (20)

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 

Securely Publishing Azure Services

  • 1. Micro-Segmentation of Services& Datain Azure © Cloud Mechanix www.cloudmechanix.co Aidan Finn, MVP Cloud Mechanix & Innofactor Norway
  • 2. • 12 year MVP – currently Microsoft Azure (3) • Previously Hyper-V and SCCM • Onwer of Cloud Mechanix • Custom-written Azure training • Principal Consultant for Innofactor Norway • Azure infrastructure – networking & security • Working as consultant/sys admin since 1996 • Windows Server, Hyper-V, System Center, desktop managment, and Azure • http://aidanfinn.com • http://innofactor.com • http://www.cloudmechanix.com • @joe_elway Aidan Finn Introduction © Cloud Mechanix www.cloudmechanix.co
  • 3. Infrastructure andPlatform © Cloud Mechanix www.cloudmechanix.co
  • 4. • Networks: • Connection to/from Internet • Between components of your service • Resource include (but not limited to): • Virtual machines • App Services • Azure Kubernetes Service • Logic Apps • And everything else © Cloud Mechanix www.cloudmechanix.co There IsAlwaysA Network It’s The Cloud!
  • 5. • Control: • Inbound flows • Flows between components of your service • Data access • Outbound flows • Log & report: • Flows • Classification of threats • Alert • Security threats © Cloud Mechanix www.cloudmechanix.co Network Security Taking control
  • 6. • Usual data center approach: • “Open up everything inside the network” • It’s easy for admins … and malware and attackers • Micro-Segmentation • Breaking up a network into smaller secure zones • Right down to the workload • Yes, I know “secure zone” is a special term in Norway! © Cloud Mechanix www.cloudmechanix.co Essential TermOf The Day Micro-segmentation
  • 7. BackToBasics– Virtual Network (VNet) © Cloud Mechanix www.cloudmechanix.co
  • 8. • I have never created a VLAN • Never! • But I am the Azure networking guy at work • Who struggles with Azure networking? • The network admin • Who ends up being best at Azure networking? • The person who forgets/doesn’t know on- prem networking YourOn-PremisesNetwork Knowledge To keep or not to keep, that is the question © Cloud Mechanix www.cloudmechanix.co
  • 9. • NSX • An abstraction of physical network • Overlapping address ranges are possible (if not routed) • Data transmission is encapsulated on a physical network • A memory transfer between physical hosts • There is no Default gateway • Handled in the fabric: • Routing • Load balancing © Cloud Mechanix www.cloudmechanix.co Virtual Network Software Defined
  • 10. • Yes: • VNets are needed for virtual machines • The useful: • VNet-integrated PaaS resources • The hidden: • Platform services are often built using VMs under-the- covers • VMs require VNets! © Cloud Mechanix www.cloudmechanix.co Virtual Network Scenarios Not just VMs/IaaS
  • 11. • A threat against business of all sizes • Attackers: • State-sponsored • Professional criminals • Amateurs: rented botnets! © Cloud Mechanix www.cloudmechanix.co Distributed Denial of Service(DDoS)Attacks Our first security feature
  • 12. • Every VNet has DDoS Basic • You pay (a lot) for Standard • Enabled on VNets with public IP • It takes 2 weeks for the machine • Don’t wait until you are attacked! addresses learning to “learn” your network AzureDDoSProtectionOptions Choosing a tier https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection- overview © Cloud Mechanix www.cloudmechanix.co
  • 13. Public IPAddresses © Cloud Mechanix www.cloudmechanix.co
  • 14. • Azure services tend to be public by default • A public IP address (PIP) • Limit your attack surface: • Centralise PIPs • Limit creation by Azure Policy • Force everything through a secure network core © Cloud Mechanix www.cloudmechanix.co Long-Story-Short How many on-premises services have their own public IP?
  • 15. Network Security Groups(NSGs) © Cloud Mechanix www.cloudmechanix.co
  • 16. • An NSG resource associated with a subnet • Best practice: 1 NSG : 1 Subnet • Contains inbound and outbound rules • Inbound default rules: • Allow everything from VNet in, allow Azure load balancer in, deny everything else • Outbound default rules: • Allow everything out © Cloud Mechanix www.cloudmechanix.co BasicLayer-4 Security A free form of allow/deny Layer-4 firewall
  • 17. • Priority • Order that rules are applied: low (1) to high (4096) • Name • User friendly label • Port • TCP/UDP port • Protocol • TCP, UCP, ICMP, Any • Source • IP address, range, CIDR, service tag, application security group • Destination • IP address, range, CIDR, service tag, application security group • Action • Allow | Deny © Cloud Mechanix www.cloudmechanix.co RuleComponents Basic firewall components
  • 18. • Source/Destination IP addresses can be unfriendly: • Complex subnets with many Azure virtual machines • Azure services • Service Tags • Abstracts the IP addresses of Azure Services, e.g. AzureLoadBalancer, GatewayManager, VirtualNetwork, Internet • Application Security Groups • A label, associated with NICs of Azure virtual machines • Can be used to more-easily micro-segment a single subnet © Cloud Mechanix www.cloudmechanix.co UserFriendly Labels Abstraction of many IPv4 addresses
  • 19. • It’s not just the virtual network! • It’s the current virtual PLUS: • Every other connected virtual network • Peering • ExpressRoute • VPN • So the default rule of AllowVnetInbound breaks micro- segmentation © Cloud Mechanix www.cloudmechanix.co TheVirtualNetwork Service Tag Understanding this is important
  • 20. Building Up ASimple NSGRuleset Note the DenyEverythingElse rule VNet-0 10.2.0.0/1 6 WebServerSubn et 10.0.0.0/24 SqlServerSubn et 10.0.2.0/24 Priority Name Port Protocol Source Destination Action 100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow 200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow 300 DenyEverythingElse Any Any Any Any Deny © Cloud Mechanix www.cloudmechanix.co
  • 21. Building Up ASimple NSGRuleset Note the use of Application Security Groups & Service Tags VNet-0 10.2.0.0/1 6 WebServerSubn et 10.0.0.0/24 SqlServerSubn et 10.0.2.0/24 Priority Name Port Protocol Source Destination Action 100 AllowSQLFromWeb 1433 TCP WebServersAsg SqlServersAsg Allow 200 AllowLoadBalancer Any Any AzureLoadBalancer SqlServersAsg Allow 300 DenyEverythingElse Any Any Any Any Deny Priority Name Port Protocol Source Destination Action 100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow 200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow 300 DenyEverythingElse Any Any Any Any Deny © Cloud Mechanix www.cloudmechanix.co
  • 22. • Real-world experience: • There’s always more than just the basic rules • Get comfortable with IPv4 subnetting • Migration scenarios: • Log Analytics Service Map • Troubleshooting • NSG Traffic Analytics © Cloud Mechanix www.cloudmechanix.co But There’s Likely Much More! My examples were simple illustrations Priority Name Port Protocol Source Destination Action 100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow 200 AllowDnsResponses 53 UDP DnsServersAsg WebServersAsg Allow 300 AllowMonitoring 5001 TCP MonitoringAsg WebServersAsg Allow 400 CiCd … … … … … … … … … … … … 1200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow 1300 DenyEverythingElse Any Any Any Any Deny
  • 23. BackToBasics– Routing © Cloud Mechanix www.cloudmechanix.co
  • 24. • In the physical data centre • Cables control the connections • In the cloud: • Software-defined networks • We have no access to cables! • Packets go from A-Z directly • Azure VNets are flat & open • We control flows using routing • This is the most important thing you will learn today! TheImportance of Routing What controls the flow of packets between devices? © Cloud Mechanix www.cloudmechanix.co
  • 25. • Configuring routing in a guest OS has no influence • The fabric takes over when the packet hits the NIC • Routing is only done in the fabric • Per-subnet route tables are always present • Route table: • Destination • Next hop instruction • Route chosen: • Longest path first (LPF) • Route type © Cloud Mechanix www.cloudmechanix.co How Routing Works Forget what you know about on-premises routing
  • 26. • Example …. • You want to get to 10.0.1.4 • Two routes exist: • 10.0.0.0/8 … 16-bit match • 10.0.1.0/24 … 32-bit match • The chosen route is 10.0.1.0/24 © Cloud Mechanix www.cloudmechanix.co Longest PathFirst (LPF) First rule of Azure routing
  • 27. 1. Default routes 2. BGP 3. User-defined routes © Cloud Mechanix www.cloudmechanix.co Route Type Second Rule of Azure routing
  • 28. • Simply there for basic functionality • Added when you enabled Azure features © Cloud Mechanix www.cloudmechanix.co Default / SystemRoutes Routes that exist automatically
  • 29. VNet-0 10.0.0.0/16 Example Simple Default Routes Subnet-1 10.0.1.0/24 Subnet-2 10.0.2.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet © Cloud Mechanix www.cloudmechanix.co
  • 30. VNet-0 10.0.0.0/1 6 Example Simple Default Routes | VNet Peering Subnet-1 10.0.1.0/2 4 Subnet-2 10.0.2.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet VNet-1 10.1.0.0/1 6 Subnet-A 10.1.1.0/24 Subnet-B 10.1.2.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet © Cloud Mechanix www.cloudmechanix.co
  • 31. VNet-0 10.0.0.0/1 6 Example– Simple Default Routes| VNet Peering Subnet-1 10.0.1.0/2 4 Subnet-2 10.0.2.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 0.0.0.0 Internet Default © Cloud Active 2020 10.1.0.0/16 Peering Default Active 10.1.0.0/16 Peering www.cloudmechanix.co VNet-1 10.1.0.0/1 6 Subnet-A 10.1.1.0/24 Subnet-B 10.1.2.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering
  • 32. • BGP is used when there is site-to-site networking • ExpressRoute • VPN • Ways: • Propagate routes from to/from on-premises • ExpressRoute: required • VPN: Optional • Propagate routes from the GatewaySubnet to other subnets/VNets • Even if you don’t enable BGP in S2S VPN © Cloud Mechanix www.cloudmechanix.co BGPRoutes Bi-directional site-to-site routing
  • 33. • A list of routes is maintained in a route table • Routes are propagated to a neighbour(s) • That neighbour propagates routes to it’s neighbour(s) • The network learns how to get to any remote destination • Possibly over many hops © Cloud Mechanix www.cloudmechanix.co BGPSummary Basic explainer
  • 34. BGP& Site-to-Site BGP routes propagate from on-premises to GatewaySubnet VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN 172.16.0.0/1 2 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet BGP Active 172.16.0.0/12 VirtualNetworkGateway © Cloud Mechanix www.cloudmechanix.co
  • 35. www.cloud echanix.c BGP& Site-to-Site BGP routes propagate from GatewaySubnet to all connected subnets VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN 172.16.0.0/1 2 VNet-1 10.1.0.0/1 6 Subnet-1 10.1.1.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway Sourc e Stat e Address Prefixes Next Hop Type Next Hop IP Source State Address Prefixes Next Hop Type Next Hop IP Address VNet-2 10.2.0.0/1 6 Subnet-1 Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Address Default Active 10.1.0.0/16 Peering Default Active 10.0.0.0/16 Virtual Network Default Active 10.2.0.0/16 Peering Default Active 0.0.0.0 Internet BGP © Cloud Active Mech 172.16.0.0/12 nix VirtualNetworkGateway Default BGP Active Active 10.0.0.0/16 172.16.0.0/12 Peering VirtualNetworkGateway VNet PeeringUse Remote Gateway Gateway Transit
  • 36. • A BGP route that matches a Default Route beats the Default Route • Scenario: • A Default route exists for 10.1.0.0/16 • A BGP route to 10.1.0.0/16 propagates to the subnet • The Default route is marked by Azure as Invalid (disabled) • The BGP route is chosen instead © Cloud Mechanix www.cloudmechanix.co BGPBeatsDefault Applying the second rule of routing (part 1)
  • 37. • Sometimes you need force traffic via a particular destination • This is always the case when you use a firewall … ah- ha! • Third-party firewall appliance • Azure Firewall • And also when you use third-party routers/VPN appliances © Cloud Mechanix www.cloudmechanix.co User-Defined Routes (UDRs) Cabling our Azure devices
  • 38. • Associated with a subnet • Tip: 1 subnet per Route Table only! • Common mistake: • People think the route table contains the only routes in a subnet • Don’t forget about Default and BGP routes hidden in the fabric! © Cloud Mechanix www.cloudmechanix.co Route Tables An Azure resource that contains UDRs
  • 39. • Name: A human friendly label • Address Prefix: CIDR destination • Next Hop Type: • Virtual Network Gateway • Virtual Network • Internet • Virtual Appliance * • None (black hole) • * Next Hop IP Address • * Virtual Appliance IPv4 address © Cloud Mechanix www.cloudmechanix.co UDRComponents Pretty simple
  • 40. Inbound FlowsVia Firewall Force traffic from on-premises in via firewall VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN 172.16.0.0/1 2 VNet-1 10.1.0.0/1 6 Subnet-1 10.1.1.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway AzureFirewallSubn et 10.0.1.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Inactive 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 0.0.0.0/0 Internet 10.0.1. 4 © Cloud Mechanix www.cloudmechanix.co
  • 41. Outbound FlowsVia Firewall Common mistake for outbound flows – remember LPF? VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN 172.16.0.0/1 2 VNet-1 10.1.0.0/1 6 Subnet-1 10.1.1.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Inactive 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 0.0.0.0/0 Virtual Appliance 10.0.1.4 AzureFirewallSubn et 10.0.1.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Inactive 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 0.0.0.0/0 Internet 10.0.1. 4 © Cloud Mechanix www.cloudmechanix.co
  • 42. • A UDR route that matches a BGP/Default Route beats the BGP/Default Route • Scenario: • A Default route exists for 10.1.0.0/16 • A BGP route to 10.1.0.0/16 propagates to the subnet • You add a UDR to 10.1.0.0/16 • The Default route is marked by Azure as Invalid (disabled) • The BGP route is marked by Azure as Invalid (disabled) • The UDR is chosen instead © Cloud Mechanix www.cloudmechanix.co UDRBeatsBGP&Default Applying the second rule of routing (part 2)
  • 43. • A BGP route that matches a Default Route beats the Default Route • Scenario: • A Default route exists for 10.1.0.0/16 • A BGP route to 10.1.0.0/16 propagates to the subnet • You add a UDR to 0.0.0.0/0 • Send a packet to 10.1.1.4 • The Default route is marked by Azure as Invalid (disabled) • The BGP route is a 16-bit match • The UDR is a 0-bit match • The BGP route is chosen! © Cloud Mechanix www.cloudmechanix.co But Remember – TheMost Accurate RouteWins! Rule 1 and Rule 2 together
  • 44. VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 VNet-1 10.1.0.0/1 6 Subnet-1 10.1.1.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4 AzureFirewallSubn et 10.0.1.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Inactive 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 0.0.0.0/0 Internet 10.0.1. 4 Outbound FlowsVia Firewall Disabling BGP propagation in a spoke Route Table Route Table > Disable Source BGP Propaga State tion Addres s Prefixe s Ne xt Hop Type Next Hop IP Address Default Active 10.0.0.0/16 V irtual Network 172.16.0.0/12 ExpressRoute/VPN Public IP Address Default Inactive 0.0.0.0 I nternet Default Active 10.0.0.0/16 P e ering User Active 0.0.0.0/0 V irtual Appliance 10.0.1.4 © Cloud Mechanix www.cloudmechanix.co
  • 45. • Today: • Only possible via the NIC of an allocated (running) VM • Desired: • See it via any subnet • Tips: 1. LEARN how routing really works (see previous) 2. Try it out 3. Draw how it works 4. Put a “canary” subnet/VM into a complex VNet so you can see effective routes • VMs cannot be added to GatewaySubnet or AzureFirewallSubnet © Cloud Mechanix www.cloudmechanix.co Viewing Effective Route Tables How do you see the actual route table?
  • 46. • ExpressRoute • View/export routes propagated from on-premises • Circuit > Peerings > Private Peering • VPN • Non-BGP: See Local Network Gateway • BGP: Query Log Analytics … AzureDiagnostics | where OperationName == "BgpRouteUpdate" © Cloud Mechanix www.cloudmechanix.co ExpressRoute& VPN See the routes associated with site-to-site networking
  • 47. Firewalls © Cloud Mechanix www.cloudmechanix.co
  • 48. • Ideally – yes! • Central point of: • Network security • Routing • Can offer more than just simple “Allow TCP From X To Y” • Centrally control outbound and east-west flows • FQDN support for SQL and Web © Cloud Mechanix www.cloudmechanix.co DoI Need AFirewall? Great question!
  • 49. Platform VersusAppliance I prefer the platform option – Azure Firewall © Cloud Mechanix www.cloudmechanix.co Feature Appliance Azure Firewall Type Virtual machines Platform Complexity High None High availability None to challenging Availability Set/Zones Scale-Out 1-2 Automatic Maintenance/Upgrades You (Guest OS) Microsoft (Platform) Layer-7 None-Little Little (see Azure WAFv2) IDS/IPS Maybe Azure Security Center/Sentinel Documentation Mostly awful Good Max throughput Varies 30 Gbps (more with Support call)
  • 50. • Architecture • Single subnet / Private IP • 1-100 Public IPv4 (SNAT and DNAT scale-out) • Availability sets/zones • Features: • NAT Rules • DNAT from Internet • Network Rules • Layer-4 protection at central location • Application Rules • FQDN HTTP/S and SQL Server traffic • FQDN Tags • Threat Intelligence • Machine learning based alerting/blocking • Logging • Storage account, Event Hub, Log Analytics © Cloud Mechanix www.cloudmechanix.co Azure Firewall A platform-based firewall
  • 51. • Network • A single resource • Managed via the resource • Secure Virtual Hub (Preview) • A hub (hub and spoke) • Firewall and Azure WAN hub • Managed via hub and Azure Firewall Policy • AFP not in the Network SKU © Cloud Mechanix www.cloudmechanix.co AzureFirewall SKUS Ways to deploy the same resource type
  • 52. • It depends – consult whatever documentation the vendor has • Caution: some major vendors sell you ticking timebombs! • Beware of appliance clusters that don’t have 2 Azure load balancers • And don’t use any brand that expects you to program Azure UDRs via their appliance © Cloud Mechanix www.cloudmechanix.co Third-Party Firewall ApplianceArchitecture If you insist on unnecessary work, scalability & complexity issues
  • 53. Simple Firewall Appliance Architecture Single firewall appliance VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 FirewallSubn et 10.0.1.0/24 Public IP Address 10.0.1.4 VM: Typically D4v2 © Cloud Mechanix www.cloudmechanix.co
  • 54. www.cloudmechanix.coN©oteC:lAoduditdionMalefircehwaalnlmixan2a0ge2m0ent subnet typically Split-Subnet Firewall Appliance Architecture Is this really required in The Cloud? VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 FirewallExternalSubn et 10.0.1.0/24 Public IP Address FirewallInternalSubn et 10.0.2.0/24 10.0.1.4 10.0.2.4 VM: Typically D4v2
  • 55. © Cloud Mechanix www.cloudmechanix.co • GatewaySubnet • Address Prefix : Spoke CIDR • Next Hop Type: Virtual Appliance • Next Hop IP Address: External NIC private IP address • Spoke Subnets • Address Prefix : 0.0.0.0/0 • Next Hop Type: Virtual Appliance • Next Hop IP Address: Internal NIC private IP address UDRsFor ThisScenario Still required … and maybe dangerous, depending on your appliance
  • 56. www.cloudmechanix.coN©oteC:lAoduditdionMalefircehwaalnlmixan2a0ge2m0ent subnet typically HAFirewall Appliance Architecture Assuming your firewall appliance supports this VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 FirewallExternalSubn et 10.0.1.0/24 BasicAzure Load Balancer Public IP Address FirewallInternalSubn et 10.0.2.0/24 Standard AzureLoad Balancer 10.0.1.4 10.0.2.4 VM: Typically D4v2
  • 57. • GatewaySubnet • Address Prefix : Spoke CIDR • Next Hop Type: Virtual Appliance • Next Hop IP Address: External Load Balancer Private IP address • Spoke Subnets • Address Prefix : 0.0.0.0/0 • Next Hop Type: Virtual Appliance • Next Hop IP Address: Internal Load Balancer Private IP address © Cloud Mechanix www.cloudmechanix.co UDRsFor ThisScenario Beware of HA firewalls that must manage the UDRs themselves
  • 58. • Most vendors will add management subnet/NICs • Not load balanced • Some vendors require Azure Service Bus for configuration replication • There is an option for another subnet with load balanced NICs: • Internet traffic • ExpressRoute/VPN traffic © Cloud Mechanix www.cloudmechanix.co Variations OnThis Scenario Consult your vendor … assuming they even know
  • 59. Layer-7WebApplication Firewall (WAF) © Cloud Mechanix www.cloudmechanix.co
  • 60. • Specialised firewall for HTTP/S traffic • Think of it as a reverse proxy with firewall features for HTTP/S servers • Different to your firewall • Focused on simple allow/deny traffic • WAF focus: • Attacks on HTTP/S servers © Cloud Mechanix www.cloudmechanix.co What is aWAF? Web Application Firewall
  • 61. Options VNet, Microsoft or partner, and location © Cloud Mechanix www.cloudmechanix.co Type Vendor Location Third-party WAF Third-Party Virtual Network Third-party cloud service Third-Party 1+ locations Azure Application Gateway WAF Microsoft Virtual Network Azure Frontdoor WAF Microsoft 170+ edge data centres
  • 62. • Azure Frontdoor: • Located at every Microsoft edge data centre • Reduce latency between global customers and your service • Keeping the threat further from your assets • SSL Offload • End-to-end encryption • WAF Policy: • OWASP 3.1 rules, SQL injection, malformed requests, etc • Extended rules customisation • Bot protection rule (preview) • Geo-match filtering (preview) © Cloud Mechanix www.cloudmechanix.co AzureFront Door WAFFeatures Deployed in Microsoft’s 170+ edge data centres
  • 63. • Application Gateway: • Availability sets/zones • SSL Offload • SSL storage in Azure Key Vault – delegated access via User Managed ID • End-to-end encryption • WAF: • OWASP 3.1 rules, SQL injection, malformed requests, etc • Extends DDoS Standard Tier to Layer-7 • Optional management via WAF Policy resource • Extended rules customisation • Bot protection rule (preview) • Geomatch filtering (limited region preview) © Cloud Mechanix www.cloudmechanix.co AzureApplication Gateway WAFv2Features Focus in this presentation
  • 64. • Where will you place the WAF? • Centrally: • Managed by security experts • Requires process for change requests • With each application • Flexible for Devs/Operators • Security handled by the wrong people! • Typically not in-front or behind the network firewall • Isolated flow to protect against DDoS • Protected at Layer-4 by NSG © Cloud Mechanix www.cloudmechanix.co WAFPlacement Question you need to ask yourself
  • 65. NSG,WAF,and Firewall Name of service resolves to WAF VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN172.16.0.0/1 2 AzureFirewallSubn et 10.0.1.0/24 10.0.1. 4 Public IP Address InternalWafSubne t 10.0.2.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address User Active 10.19.3.0/24 Virtual Appliance 10.0.1.4 User Active 10.0.2.0/24 Virtual Network © Cloud Mechanix www.cloudmechanix.co Priority Name Port Protocol Source Destination Action 100 AllowHealthProbe 65200-65535 TCP GatewayManager Any Allow 200 AllowWeb 80, 443 TCP 172.16.0.0/12 10.0.2.0/24 Allow 300 AllowLoadBalancer Any Any AzureLoadBalancer 10.0.2.0/24 Allow 400 DenyEverythingElse Any Any Any Any Deny A, internal.joeelway.com = 10.0.2.4 A, sql.joeelway.com = 10.19.3.8
  • 66. NSG,WAF,and Firewall Name of service resolv VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN172.16.0.0/1 2 AzureFirewallSubn et 10.0.1.0/24 10.0.1. 4 Public IP Address InternalWafSubnet 10.0.2.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address User Active 10.19.3.0/24 Virtual Appliance 10.0.1.4 User Active 10.0.2.0/24 Virtual Network © Cloud Mechanix www.cloudmechanix.co Priority Name Port Protocol Source Destination Action 100 AllowHealthProbe 65200-65535 TCP GatewayManager Any Allow 200 AllowWeb 80, 443 TCP 172.16.0.0/12 10.0.2.0/24 Allow 300 AllowLoadBalancer Any Any AzureLoadBalancer 10.0.2.0/24 Allow 400 DenyEverythingElse Any Any Any Any Deny A, internal.joeelway.com = 10.0.2.4 A, sql.joeelway.com = 10.19.3.8
  • 67. Service Endpoints © Cloud Mechanix www.cloudmechanix.co
  • 68. How AVNet ResourceTalksToAzure Services The long way there VNet-1 10.1.0.0/1 6 Subnet- 1 10.1.1.0/2 4 App Service (ASE or VNet Integration) AzureSQL Storage(Azure) Public Azure Backbone © Cloud Mechanix www.cloudmechanix.co
  • 69. • Enabled per-subnet • A trick of routing • Kind of the same idea as ExpressRoute Azure Public Peering • Uses Default routes • Redirects traffic to certain Azure services • Direct path: not public, lower latency • Extend network security to PaaS (see Access Rules) © Cloud Mechanix www.cloudmechanix.co Service Endpoints Routing shortcut to Azure services
  • 70. How AVNet ResourceTalksToAzure Services The short way there VNet-1 10.1.0.0/1 6 Subnet- 1 10.1.1.0/2 4 App Service (ASE or VNet Integration) AzureSQL Storage(Azure) Public Azure Backbone Private Azure Backbone Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active [Microsoft.SQL] VirtualNetworkServiceEndpoint Default Active [Microsoft.Storage] VirtualNetworkServiceEndpoint © Cloud Mechanix www.cloudmechanix.co
  • 71. ResourceAccess Policies © Cloud Mechanix www.cloudmechanix.co
  • 72. • PaaS resources run on a VNet • We cannot see that VNet • But we can enable “firewall rules” on the PaaS resources: • App Service access rules • Azure SQL firewall rules • And more • Often used with Service Endpoints © Cloud Mechanix www.cloudmechanix.co Platform ServicesHidden Networking Azure PaaS is built on many Azure resources that you can use
  • 73. How AVNet ResourceTalksToAzure Services Control inbound connections at the PaaS instance VNet-1 10.1.0.0/1 6 Subnet- 1 10.1.1.0/2 4 App Service (ASE or VNet Integration) AzureSQL Storage(Azure) Public Azure Backbone Private Azure Backbone Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active [Microsoft.SQL] VirtualNetworkServiceEndpoint Firewall Rule: Allow 10.1.1.0/24 © Cloud Mechanix www.cloudmechanix.co
  • 74. Private Link & PrivateEndpoints © Cloud Mechanix www.cloudmechanix.co
  • 75. • PaaS is the cloud of services in The Cloud • PaaS is natively public: • Your internal application is on The Internet • The Data Lake is publicly addressable • That database is addressable by everyone © Cloud Mechanix www.cloudmechanix.co Challengeof Platform-as-a-Service(PaaS) The default setting is public
  • 76. • VNet integration • Expensive SKUs • Access Policies • Basic Layer-4 filters • Service Endpoints • Maps an entire service, not an instance • WAF with Service Endpoints, Access Policies, and basic VNet connectivity • Doesn’t control all network flows • Hybrid connectivity agents • Only protects PaaS outbound connections to private services • ExpressRoute Microsoft Peering with Access Policies • Maps an entire service, not an instance • ExpressRoute is less popular thanks to cost and SD-WAN (Azure WAN) option © Cloud Mechanix www.cloudmechanix.co PaaSPrivacyOptions So many options
  • 77. Private PaaS(PartlyGA) Private Link (the service) GA, Private Endpoints (the method) preview Virtual Network (10.0.0.0/16) AzurePaaS Internet Virtual Network (10.0.0.0/16) AzurePaaS InternetSERVICE ENDPOINT PRIVATE LINK – PRIVATE ENDPOINT VNettoPaaSserviceviatheMicrosoftbackbone DestinationisstillapublicIPaddress.NSGopenedto Service Tags NeedtopassNVA/Firewallfor exfiltrationprotection VNetPaasviatheMicrosoftbackbone PaaSresourcemappedtoPrivateIPAddress.NSGs restrictedtoVNetspace In-built dataexfiltration protection PRIVATE © Cloud Mechanix www.cloudmechanix.co
  • 78. • From Azure VMs to Azure PaaS resources • Secure connection over VPN, SD-WAN, ExpressRoute via VNet Gateway • Services shared via Standard tier Azure Load Balancer: • Enable overlapping IP address spaces • Privately share IaaS/PaaS as SaaS with customers © Cloud Mechanix www.cloudmechanix.co Scenarios Interesting future
  • 79. • Private Link • The fabric service that allows mapping • Private Endpoint • The IP address for your PaaS resource in your VNet • Private Endpoint maps a specific resource • Not just an instance like Service Endpoint or ExpressRoute Microsoft Peering • Provides protection against data exfiltration © Cloud Mechanix www.cloudmechanix.co Points ToNote How it’s different to Service Endpoints
  • 80. • Limited preview with mixed support of: • Resources • Regions • No support for NSG rules • Still can use NSG Flow Logs • VNet Peering • Requires 1+ VMs on the Private Endpoint VNet • Private Endpoint not addressable by some resource types: • App Service Plan, Azure Container Instance, Azure NetApp Files, Azure Dedicated HSM© Cloud Mechanix www.cloudmechanix.co Preview Limitations Documentation still not updated for GA
  • 81. Security Management & Monitoring © Cloud Mechanix www.cloudmechanix.co
  • 82. • Features: • Compliance reporting • Recommendations • Monitoring • An Azure IDS that runs across the subscription • Not focused on just 1 virtual appliance! • Be careful: • Some recommendations are not based on product best practices • Example: NSG should be per-subnet, NOT per-NIC • Example 2: Be careful of enabling Storage Account firewall feature © Cloud Mechanix www.cloudmechanix.co Security Center Security monitoring
  • 83. • Log Analytics • Send diagnostic & metrics data to a single Workspace • Add solutions – some from “OMS” gallery in Marketplace, some from GitHub • Add saved queries • Build workbooks for reporting • NSG Flows • NSG Flow Logs: Send data to GPv2 storage account • Traffic Analytics: Forward blob data to Log Analytics © Cloud Mechanix www.cloudmechanix.co Monitoring It’s not managed if it’s not monitored
  • 84. • Azure Sentinel • Features: • Log Analytics Workspace solution • Connect to Azure & third-party resources • Threat hunting • Automated responses • Alerting © Cloud Mechanix www.cloudmechanix.co Security Alerting Security Information & Event Management (SIEM)
  • 85. • Azure Firewall • Traces in Log Analytics … AzureDiagnostics | where Category == "AzureFirewallNetworkRule" • Service Map to identify network requirements pre-migration • NSGs • Traffic Analytics … AzureNetworkAnalytics_CL | where SubType_s == 'FlowLog' • Routing • Effective Routes • VM NICs only • Truly understand routing to map it mentally/on-paper • Traffic Analytics • I don’t find Network Watcher to be useful • WAF • Traces in Log Analytics … AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" • Most common problem is false positive SQL injection attack detection © Cloud Mechanix www.cloudmechanix.co Troubleshooting Some tips
  • 86. Micro-Segmentation © Cloud Mechanix www.cloudmechanix.co
  • 87. • Hard on the outside, gooey on the inside • Firewall at the edge • No port/VLAN protection • Windows/Linux firewall disabled • Direct remote access to machines • How do attacks happen? • Find a weak spot (human) to bypass the firewall • Spread across open network in minutes • Used to be 24 hours for complete compromise © Cloud Mechanix www.cloudmechanix.co TheTypicalOn-PremisesServer Network Everyone knew better but …
  • 88. • Not a new concept • Implement network protections throughout the entire network • Not just the edge • Easier to do in the cloud: • Deployment via infrastructure-as-code (IaC) • CI/CD via Azure DevOps, GitHub, etc • Enforcement via Azure Policy © Cloud Mechanix www.cloudmechanix.co Micro-Segmentation The way we knew it should be done
  • 89. SimpleExample At the resource level VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN VNet-1 10.1.0.0/1 6 FrontSubnet 10.1.1.0/24 VNet-2 10.2.0.0/1 6 FrontSubnet 10.2.1.0/24 VNet Peering AzureFirewallSubn et 10.0.1.0/24 InternalWafSubnet 10.0.2.0/24 BackSubnet 10.1.2.0/24 BackSubnet 10.2.2.0/24 NSG NSG NSG NSG NSG WAFv2 VM VM Window s Firewall Linux Firewall AppSvc Azure SQL Access Rules Server Firewall Microsoft.Web Service Endpoint © Cloud Mechanix www.cloudmechanix.co
  • 90. Micro-Segmentation In ASubnet In more depth VNet-1 10.1.0.0/1 6 FrontSubn et 10.1.1.0/24 BackSubn et 10.1.2.0/2 4 Web VMs App VMs Logic VMs Batch VMs SQL VMs NSG NSG Web- ASG App- ASG Logic- ASG Batch- ASG SQL- ASG Priority Name Port Protocol Source Destination Action 100 AllowWebToApp 443 TCP Web-Asg App-Asg Allow 200 AllowAppToLogic 443 TCP App-Asg Logic-Asg Allow 300 AllowLogicToBatch 443 TCP Logic-Asg Batch-Asg Allow 400 AllowLogicToSql 1433 TCP Logic-Asg SQL-Asg Allow 4096 DenyEverythingElse Any Any Any Any Deny © Cloud Mechanix www.cloudmechanix.co
  • 91. Wrapping Up © Cloud Mechanix www.cloudmechanix.co
  • 92. • There’s a lot to learn • Take the deck (when it’s shared) and read through the stuff I skipped • Read lots! • Play with the tech in a lab • Don’t assume something works • Try the positive and negative tests © Cloud Mechanix www.cloudmechanix.co Summary We could have used 1-2 days on this topic!
  • 93. • http://aidanfinn.com • http://www.cloudmechanix.co m • http://www.innofactor.com • @joe_elway Thank You! Aidan Finn, Cloud Mechanix © Cloud Mechanix www.cloudmechanix.co