Who am I?
Francesco Molfese
francesco.molfese@progel.it
LinkedIn: https://www.linkedin.com/in/francescomolfese/
Twitter: @FrancescoMolf
• Senior Consultant at Progel S.p.A.
• Microsoft MVP Cloud Datacenter Management
• Microsoft Certified Trainer (MCT)
• Community Lead of the Italian System Center and Operations Management Suite User Group (http://www.ugisystemcenter.org)
Azure Network - Security Best Practices
Francesco Molfese
Agenda
• Network security challenges in the cloud
• Azure Networking: which network security offering to use when
• Understand Azure network security best practice
Azure Networking and Protection
What we get asked by customers around resource protection
How do I control network and application access to resources?
How do I embrace a zero trust network security model?
How do I enable DDOS protection for my application?
How do I protect my application from malicious intent?
How do I do segmentation and isolation to protect resources?
Azure Networking Services
CDN
Front Door
Traffic Manager
Application Gateway
Load Balancer
Virtual Network
Virtual WAN
ExpressRoute
VPN
DNS
Network Watcher
ExpressRoute Monitor
Azure Monitor
Virtual Network TAP
DDoS Protection
Firewall
Network Security Groups
Web Application Firewall
Virtual Network Endpoints
Virtual Networks
Your virtual private network in the cloud
• Private isolated logical network
• Supports Network ACLs and IP management
• User-defined routing for network virtual appliances
• Extends on-premises network to the cloud
• Provides secure connectivity to Azure services
Hub-spoke network topology in Azure
Typical uses for this architecture include:
• Workloads deployed in different environments (dev, testing, and production) that require shared services (DNS, IDS, NTP, or AD DS).
• Workloads that do not require connectivity to each other, but require access to shared services.
• Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke.
Hub-spoke benefits
• Cost savings by centralizing services that can be shared by multiple workloads, such as network virtual appliances (NVAs) and DNS servers, in a single location.
• Overcome subscription limits by peering VNets from different subscriptions to the central hub.
• Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps).
Hub & spoke architecture: native security services
Multiple protection services to enable rich controls
• App Gateway with Web Application Firewall (WAF): web application protection
• Network & Application Security Groups (NSG): internal VNET segmentation
• Service endpoints: secure access to public PaaS resources
• Azure Firewall: full VNET egress and ingress (non-HTTP/S) protection
• DDoS protection for public IPs
Application Access Patterns
Access private traffic
• Network security groups (NSGs)
• Application security groups (ASGs)
• User-defined routes (UDRs)
Access to/from Internet
• DDoS protection
• Web Application Firewall
• Azure Firewall
• Network Virtual Appliances
Access to Azure PaaS services
• Service Endpoints
Backend connectivity
• ExpressRoute
• VPN Gateways
(Slide diagram: users on the Internet reach the front-end tier of your virtual network, which talks to the mid-tier and back-end tiers; the three access patterns are numbered 1-3 on the diagram.)
Application Gateway and web
application protection
Layer 7 load balancer for web applications
Application Gateway
Web application protection
• Protects your application against prevalent cross-site scripting (XSS) and SQL injection attacks
• Blocks threats based on top 10 OWASP (Open Web Application Security Project) signatures
• Integrated with Azure Security Center
• Real-time logging with Azure Monitor
(Slide diagram: App Gateway = L7 load balancer + WAF)
• Platform managed: built-in high availability and scalability
• Layer 7 load balancing: URL path, host based, round robin, session affinity, redirection
• Centralized SSL management: SSL offload and SSL policy
• Public or ILB: public, internal or hybrid
• Rich diagnostics: Azure Monitor, Log Analytics
Web Application Firewall (WAF)
Network Security Groups &
Application Security Groups
Network and Application Security Groups
Network Security Groups
• Protects your workloads with distributed ACLs
• Simplified configuration with augmented security rules
• Enforced at every host, applied on multiple subnets
Application Security Groups
• Micro-segmentation for dynamic workloads
• Named monikers for groups of VMs
• Removes management of IP addresses
Service Tags
• Named monikers for Azure service IPs
• Many Services tagged including AzureCloud
Logging and troubleshooting
• NSG flow logs for traffic monitoring
• Integrated with Network Watcher
• JIT access policies with Azure Security Center
(Slide diagram: application security groups MonitoringVMs, AppServers, DatabaseServers, LogServers, WebServers, DomainServers, QuarantineVMs and DomainClients, with the NSG rules below referencing them by name.)
Network Security Group (NSG)
Action  Name                       Source                         Destination      Port
Deny    QuarantineVMs              Any                            QuarantineVMs    Any
Allow   AllowInternetToWebServers  Internet                       WebServers       80, 443 (HTTP)
Allow   AllowWebToApp              WebServers                     AppServers       443 (HTTPS)
Allow   AllowAppToDb               AppServers                     DatabaseServers  1443 (MSSQL)
Allow   AllowAppToLogServers       AppServers                     LogServers       8089
Allow   AllowOnPrem                10.10.0.0/16, 192.168.10.0/24  MonitoringVMs    80 (HTTP)
Deny    DenyAllInbound             Any                            Any              Any
Network security for your VNet traffic
Demo
Securing VNet traffic with NSGs
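The rule table on the NSG slide, built with the Az PowerShell module, as an added example standing in for the deck's demo (it is not the speaker's demo script). It creates the application security groups, the inbound rules keyed on them, a service-tag rule that keeps load balancer probes alive once an explicit catch-all deny is in place, a NIC that lands in an ASG, and NSG flow logs. The resource group, region, VNet, subnet, storage account and NIC names are assumptions; the ASG and rule names come from the slide.

```powershell
# Added example (not from the deck): the slide's NSG/ASG table with the Az PowerShell module.
# Assumed: Connect-AzAccount already done; the resource group, VNet, subnet and storage account exist.
$rg       = 'rg-network-demo'   # assumed
$location = 'westeurope'        # assumed
$vnetName = 'vnet-spoke1'       # assumed
$subnet   = 'snet-app'          # assumed

# Application Security Groups: named monikers for groups of VMs, so rules never carry IP addresses
$asg = @{}
foreach ($name in 'WebServers','AppServers','DatabaseServers','LogServers','MonitoringVMs','QuarantineVMs') {
    $asg[$name] = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name $name -Location $location
}

# Inbound rules. The lowest priority number is evaluated first and the first match wins, so the
# quarantine deny sits before any allow that could match a quarantined VM through its other ASGs.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'DenyQuarantineVMs' -Priority 100 -Direction Inbound -Access Deny `
        -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asg['QuarantineVMs'].Id -DestinationPortRange '*'

    New-AzNetworkSecurityRuleConfig -Name 'AllowInternetToWebServers' -Priority 200 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asg['WebServers'].Id -DestinationPortRange 80,443

    New-AzNetworkSecurityRuleConfig -Name 'AllowWebToApp' -Priority 210 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceApplicationSecurityGroupId $asg['WebServers'].Id -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asg['AppServers'].Id -DestinationPortRange 443

    # SQL Server's default listener port is 1433 (the slide's table prints 1443)
    New-AzNetworkSecurityRuleConfig -Name 'AllowAppToDb' -Priority 220 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceApplicationSecurityGroupId $asg['AppServers'].Id -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asg['DatabaseServers'].Id -DestinationPortRange 1433

    New-AzNetworkSecurityRuleConfig -Name 'AllowAppToLogServers' -Priority 230 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceApplicationSecurityGroupId $asg['AppServers'].Id -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asg['LogServers'].Id -DestinationPortRange 8089

    New-AzNetworkSecurityRuleConfig -Name 'AllowOnPrem' -Priority 240 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix '10.10.0.0/16','192.168.10.0/24' -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asg['MonitoringVMs'].Id -DestinationPortRange 80

    # Service tag: the explicit deny below would otherwise block Azure Load Balancer health probes,
    # which the default AllowAzureLoadBalancerInBound rule (priority 65001) normally admits
    New-AzNetworkSecurityRuleConfig -Name 'AllowAzureLoadBalancerProbes' -Priority 3900 -Direction Inbound -Access Allow `
        -Protocol '*' -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'

    # Explicit catch-all deny, above the default AllowVnetInBound rule (priority 65000) so that
    # intra-VNet traffic not listed above is dropped rather than allowed by default
    New-AzNetworkSecurityRuleConfig -Name 'DenyAllInbound' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-app-tiers' -SecurityRules $rules

# Attach the NSG to the subnet. Set-AzVirtualNetworkSubnetConfig replaces the subnet config, so an
# existing route table or service endpoint must be passed again here or it is dropped.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$snet   = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet -AddressPrefix $snet.AddressPrefix `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet

# A NIC for a new web VM is placed in the WebServers ASG; the rules apply to it with no IP in the NSG
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-web01' -Location $location `
    -SubnetId $snet.Id -ApplicationSecurityGroup $asg['WebServers']   # assumed NIC name

# NSG flow logs to a storage account (assumed name) for traffic monitoring via Network Watcher
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stnsgflowlogs'   # assumed
$nw = Get-AzNetworkWatcher -Location $location
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $nw -TargetResourceId $nsg.Id `
    -StorageAccountId $sa.Id -EnableFlowLog $true | Out-Null

# What the platform actually enforces on that NIC, default rules included
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rg
```

The explicit DenyAllInbound at priority 4000 is the practitioner's safety net: without it, anything not matched above falls through to the default AllowVnetInBound rule, which lets every VNet-internal flow through. The trade-off is that you must re-allow platform sources such as the AzureLoadBalancer service tag, which is why that rule sits just above the deny.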
Service Endpoints
Service Endpoint Policies
• Prevent unauthorized access to Azure services
• Restrict Virtual Network access to specific Azure services
• Granular access control over service endpoints
(Slide diagram: VNet 1 reaches Account A over a service endpoint; a service endpoint policy allows Account A only, so Account B and other accounts are not reachable from the subnet.)
Enhanced VNet security for Azure services
Azure services available on Service Endpoints
• Azure Storage
• Azure SQL Database
• Azure Cosmos DB
• Azure Key Vault
• Azure Database for PostgreSQL
• Azure Database for MySQL
• Azure SQL Data Warehouse (Preview)
• Azure Event Hubs (Preview)
• Azure Service Bus (Preview)
Demo
Service Endpoint Configuration
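The service endpoint configuration from the demo slide, as an added Az PowerShell example (not the speaker's demo): it turns on the Microsoft.Storage endpoint on a subnet, locks the storage account's network rule set to that subnet with a default deny, and then adds a service endpoint policy so the subnet can reach only that one account, the "Allow Account A" case in the diagram. Resource group, VNet, subnet and storage account names are assumptions.

```powershell
# Added example (not from the deck): restrict an Azure Storage account to one subnet via a service
# endpoint, then narrow the subnet to that single account with a service endpoint policy.
$rg = 'rg-network-demo'; $vnetName = 'vnet-spoke1'; $subnetName = 'snet-app'   # assumed
$storageName = 'stdemoaccounta'                                                 # assumed ("Account A")

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 1. Enable the Microsoft.Storage endpoint on the subnet. Traffic to Storage now stays on the Azure
#    backbone and carries the subnet identity, which the account can match on below.
#    Set-AzVirtualNetworkSubnetConfig replaces the subnet config: pass -NetworkSecurityGroup and
#    -RouteTable as well if the subnet already has them, otherwise they are removed.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. On the storage account: allow that subnet, deny everything else (including the public Internet).
#    -Bypass AzureServices keeps trusted platform services (e.g. backup, diagnostics) working.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName -DefaultAction Deny -Bypass AzureServices | Out-Null

# 3. Service endpoint policy: without it the subnet can still reach any storage account in the region
#    (data exfiltration to an attacker-owned account), because the endpoint is per service, not per account.
$sa        = Get-AzStorageAccount -ResourceGroupName $rg -Name $storageName
$policyDef = New-AzServiceEndpointPolicyDefinition -Name 'allow-account-a' -Service 'Microsoft.Storage' -ServiceResource $sa.Id
$policy    = New-AzServiceEndpointPolicy -ResourceGroupName $rg -Name 'sep-storage-account-a' -Location $vnet.Location `
    -ServiceEndpointPolicyDefinition $policyDef
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint 'Microsoft.Storage' -ServiceEndpointPolicy $policy | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify: the subnet should be the only VirtualNetworkRule and DefaultAction should read Deny
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName
```

Step 2 alone answers "who may reach this account"; step 3 answers the reverse question, "which accounts may this subnet reach", which is the part that matters for exfiltration control.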
Azure Firewall
Azure Firewall
Central governance of all traffic flows
• Built-in high availability and auto scale
• Network and application traffic filtering
• Centralized policy across VNets and subscriptions
Complete VNET protection
• Filter outbound, inbound, spoke-spoke and hybrid connection traffic (VPN and ExpressRoute)
Centralized logging
• Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or the Security Information and Event Management (SIEM) system of your choice
Cloud native stateful firewall as a service
(Slide diagram: Azure Firewall in the hub VNet, with the spoke VNets and the on-premises network reaching each other and the Internet through it.)
Azure Firewall features (GA)
• Application rules
  • FQDN filtering
  • FQDN tags (e.g. Azure Backup, App Service Environment)
  • Default infrastructure rule collection
• Fully stateful network rules
• NAT support
  • Default Source Network Address Translation (SNAT)
  • Destination Network Address Translation (DNAT)
• Monitoring
  • Azure Monitor logging
  • Azure Monitor metrics
• Support for inbound and hybrid connections
• Network Watcher integration
Coming soon: Azure Security Center Integration (JIT)
FQDN tags in Azure Firewall
• An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well-known Microsoft services
• FQDN tags can be used in application rules to allow the required outbound network traffic through your firewall
• Supported tags:
  • Windows Update
  • Windows Diagnostics
  • Microsoft Active Protection Service (MAPS)
  • App Service Environment
  • Azure Backup
• Some tags may require additional configuration. For example, ASE has customer-specific Storage and SQL endpoints, which must be enabled using service endpoints
Inbound traffic filtering recommendation
• Application Gateway WAF is the preferred service for inbound application-level HTTP/S protection
• Use Azure Firewall inbound network-level protection for non-HTTP/S protocols (e.g. SSH, RDP, FTP)
  • Destination Network Address Translation (DNAT)
  • Inbound traffic filtering is enabled by mapping your firewall public IP and port to a private IP and port
• Known issues
  • DNAT doesn't work for port 80 and 22 as the public (destination) ports; they can still be used as the translated ports. For example, you can map public IP:81 to private IP:80. We are working to fix this soon.
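The three rule types the Azure Firewall slides describe (FQDN-tag application rules, network rules, and DNAT for a non-HTTP/S inbound protocol), as an added Az PowerShell example rather than the deck's demo. It assumes an existing firewall in a hub resource group, a spoke address range, and placeholder public, admin and jump-host addresses; the FQDN tag names are the Az module's spellings of the tags listed on the slide.

```powershell
# Added example (not from the deck): FQDN-tag, network and DNAT rules on an existing Azure Firewall.
$rg = 'rg-hub'; $fwName = 'azfw-hub'      # assumed
$spokeRange = '10.1.0.0/16'               # assumed spoke VNet range
$azfw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName

# Application rules (L7, outbound HTTP/S). With -FqdnTag no -Protocol is given: the tag carries it.
$ruleWu  = New-AzFirewallApplicationRule -Name 'allow-windows-update' -SourceAddress $spokeRange -FqdnTag 'WindowsUpdate'
$ruleBak = New-AzFirewallApplicationRule -Name 'allow-azure-backup'   -SourceAddress $spokeRange -FqdnTag 'AzureBackup'
$ruleApp = New-AzFirewallApplicationRule -Name 'allow-line-of-business' -SourceAddress $spokeRange `
    -TargetFqdn 'api.example-lob.invalid' -Protocol 'https:443'            # placeholder FQDN
$appColl = New-AzFirewallApplicationRuleCollection -Name 'outbound-allowed' -Priority 200 `
    -Rule $ruleWu,$ruleBak,$ruleApp -ActionType Allow

# Network rules (L3/L4) for non-HTTP/S egress that application rules cannot express, here NTP
$ruleNtp = New-AzFirewallNetworkRule -Name 'allow-ntp' -Protocol UDP -SourceAddress $spokeRange `
    -DestinationAddress '*' -DestinationPort 123
$netColl = New-AzFirewallNetworkRuleCollection -Name 'outbound-network' -Priority 200 -Rule $ruleNtp -ActionType Allow

# DNAT: inbound RDP to a jump host through the firewall's public IP. Source is limited to the
# admin range instead of '*', so the translated port is not exposed to the whole Internet.
$fwPublicIp = '203.0.113.10'        # placeholder; use the firewall's actual public IP
$adminRange = '198.51.100.0/24'     # placeholder corporate egress range
$jumpHostIp = '10.1.1.4'            # assumed private IP of the jump host
$ruleRdp = New-AzFirewallNatRule -Name 'dnat-rdp-jump' -Protocol TCP -SourceAddress $adminRange `
    -DestinationAddress $fwPublicIp -DestinationPort 3389 -TranslatedAddress $jumpHostIp -TranslatedPort 3389
# Slide caveat: public ports 80 and 22 cannot be DNAT targets, but may be translated ports (e.g. 81 -> 80)
$natColl = New-AzFirewallNatRuleCollection -Name 'inbound-dnat' -Priority 100 -Rule $ruleRdp -ActionType Dnat

$azfw.AddApplicationRuleCollection($appColl)
$azfw.AddNetworkRuleCollection($netColl)
$azfw.AddNatRuleCollection($natColl)
$azfw = Set-AzFirewall -AzureFirewall $azfw

# Centralized logging: both rule categories to a Log Analytics workspace (assumed name)
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-hub'   # assumed
Set-AzDiagnosticSetting -ResourceId $azfw.Id -WorkspaceId $law.ResourceId -Enabled $true `
    -Category 'AzureFirewallApplicationRule','AzureFirewallNetworkRule' | Out-Null
```

Anything not matched by a rule collection is denied, so the log categories above are where a blocked flow shows up first; querying them is the quickest way to tell a missing FQDN tag from a genuinely unwanted connection.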
Azure Firewall for hybrid links
Traffic filtering between Azure VNETs and on-premises networks
• Works with either Azure VPN Gateway or ExpressRoute Gateway
No support for traffic routing from on-premises to the Internet
• This is a key roadmap feature for Azure Firewall in a Virtual WAN Hub
Hybrid links filtering: recommended configuration
• UDR on the spoke subnet pointing to the Azure Firewall private IP as default gateway
  • BGP route propagation must be disabled on this route table
• UDR on the hub gateway subnet pointing to Azure Firewall as next hop to the spoke networks
  • Pointing to Azure Firewall as the default gateway is not supported on gateway subnets
• No UDR on the Azure Firewall subnet (it learns routes from BGP)
• Allow spokes to use the VPN/ER gateway in the hub
  • Set AllowGatewayTransit when peering VNet-Hub to VNet-Spoke
  • Set UseRemoteGateways when peering VNet-Spoke to VNet-Hub
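The recommended hybrid-link configuration above, carried out end to end with the Az PowerShell module as an added example (not the deck's demo): the spoke route table with BGP propagation off, the GatewaySubnet route table that sends spoke-bound traffic through the firewall, no route table on the firewall subnet, and the two peering flags. Hub, spoke, firewall and subnet names and address ranges are assumptions, and the hub is assumed to already have a VPN or ExpressRoute gateway.

```powershell
# Added example (not from the deck): UDRs and peering flags for on-premises <-> spoke traffic via Azure Firewall.
$rg = 'rg-hub'; $location = 'westeurope'                                   # assumed
$hub   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'      # assumed, hosts the gateway + firewall
$spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke1'   # assumed
$spokeRange = '10.1.0.0/16'; $spokeSubnet = 'snet-app'                     # assumed
$fwPrivateIp = (Get-AzFirewall -ResourceGroupName $rg -Name 'azfw-hub').IpConfigurations[0].PrivateIPAddress

# 1. Spoke subnet: default route to the firewall. BGP propagation is disabled so on-premises prefixes
#    learned from the hub gateway cannot appear as more specific routes that bypass the firewall.
$defaultRoute = New-AzRouteConfig -Name 'default-via-azfw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$spokeRt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name 'rt-spoke1' `
    -Route $defaultRoute -DisableBgpRoutePropagation
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name $spokeSubnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name $spokeSubnet -AddressPrefix $snet.AddressPrefix `
    -RouteTable $spokeRt -NetworkSecurityGroup $snet.NetworkSecurityGroup | Out-Null   # keep the existing NSG
$spoke = $spoke | Set-AzVirtualNetwork

# 2. Hub GatewaySubnet: only the spoke range is steered to the firewall. A 0.0.0.0/0 route is not
#    supported here, and BGP propagation stays on so the gateway keeps its on-premises routes.
$toSpoke = New-AzRouteConfig -Name 'spoke1-via-azfw' -AddressPrefix $spokeRange `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$gwRt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name 'rt-gatewaysubnet' -Route $toSpoke
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name 'GatewaySubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name 'GatewaySubnet' -AddressPrefix $gwSubnet.AddressPrefix `
    -RouteTable $gwRt | Out-Null
$hub = $hub | Set-AzVirtualNetwork

# 3. AzureFirewallSubnet deliberately gets no route table: it learns on-premises routes via BGP.

# 4. Peering: the hub offers its gateway, the spoke uses it. AllowForwardedTraffic lets traffic that the
#    firewall forwards (source IP is not the peer VNet) cross the peering.
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke1' -VirtualNetwork $hub -RemoteVirtualNetworkId $spoke.Id `
    -AllowGatewayTransit -AllowForwardedTraffic | Out-Null
Add-AzVirtualNetworkPeering -Name 'spoke1-to-hub' -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id `
    -UseRemoteGateways -AllowForwardedTraffic | Out-Null

# Verify from a spoke NIC (assumed name): the 0.0.0.0/0 next hop must be the firewall's private IP
Get-AzEffectiveRouteTable -NetworkInterfaceName 'nic-app01' -ResourceGroupName $rg
```

The effective route table is the check worth automating: if a VirtualNetworkGateway route for an on-premises prefix ever shows up on a spoke NIC, propagation has been re-enabled somewhere and on-premises traffic is skipping the firewall.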
Demo
Azure Firewall
Azure Firewall synergies and recommendations
Application Gateway WAF
• Provides inbound protection for web applications (L7)
• Azure Firewall provides network-level protection (L3) for all ports and protocols and application-level protection (L7) for outbound HTTP/S. Azure Firewall should be deployed alongside Azure WAF
• Azure Firewall can be combined with 3rd party WAF/DDoS solutions
Network Security Groups (NSG)
• NSG and Azure Firewall are complementary; with both you have defense in depth
• NSGs provide host-based, distributed network-layer traffic filtering to limit traffic to resources within virtual networks
• Azure Firewall is a fully stateful centralized network firewall as a service, providing network- and application-level protection across virtual networks and subscriptions
Service endpoints
• Recommended for secure access to Azure PaaS services
• Can be leveraged with Azure Firewall for central logging of all traffic by enabling service endpoints in the Azure Firewall subnet and disabling them on the connected spoke VNETs
Azure DDoS Protection
DDoS Attack Trends
(Slide figure, values as shown: attack frequency 58% vs. 2017; attack size 1.7 Tbps peak, 4X for attacks > 50 Gbps; attack vectors 56% multi-vector; attack downtime impacted 35% of businesses. Timeline of record attack sizes: 400 Gbps (NTP amp), 650 Gbps (Mirai), 1.7 Tbps (Memcached), 2+ Tbps (???).)
• Continued growth in frequency, size, sophistication, and impact
• Often utilized as a 'cyber smoke screen' to mask infiltration attacks
Azure DDoS Protection overview
Azure DDoS Protection Standard
DDoS Attack Analytics
Mitigation Reports
• Near real-time attack data snapshot
• Stats include attack vectors, protocols, traffic, top sources & ASNs and more
• Summary report at the end of the attack
Mitigation Flow Logs
• Near real-time sampled flow logs with details of the action taken during attack mitigation
• Logs include source & destination IP with port and action taken
DDoS Rapid Response (DRR)
• Access to the Rapid Response team during an active attack for specialized support
• Mitigation policy customizations for anticipated events
Recommendations in Azure Security Center to protect Virtual Networks against DDoS attacks
Support for Azure Firewall, IPv6 Virtual Networks & VPN Gateway as protected resources
Recap Azure network security
best practice
Key Takeaways
• Pick network security offerings based on application access patterns
• Layer security by mix-and-match based on your requirements
• Scale the security model, as your workloads scale
Protection services enabling zero trust
Application protection
• DDoS protection: DDoS protection tuned to your application traffic patterns
• Web Application Firewall: centralized inbound web application protection from common exploits and vulnerabilities; prevent SQL injection, stop cross-site scripting and an array of other types of attacks using a cloud native approach
• Azure Firewall: centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering; better central governance of all traffic flows, full DevOps integration using cloud native high availability with autoscale
Segmentation
• Network Security Groups: distributed inbound and outbound network (L3-L4) traffic filtering on VM, container or subnet; full granular distributed end-node control at VM/subnet for all network traffic flows
• Service Endpoints: restrict access to Azure service resources (PaaS) to only your Virtual Network; extend your Virtual Network controls to lock down Azure service resources (PaaS) access
Q & A
Let the past go and step off into the future

CCI2019 - Microservizi: Idee per un'architettura con al centro l'utente
 
CCI2019i - Implementare Azure Multi-Factor Authentication Lettere dal Fronte
CCI2019i - Implementare Azure Multi-Factor Authentication Lettere dal FronteCCI2019i - Implementare Azure Multi-Factor Authentication Lettere dal Fronte
CCI2019i - Implementare Azure Multi-Factor Authentication Lettere dal Fronte
 
CCI2019 - Monitorare SQL Server Senza Andare in Bancarotta
CCI2019 - Monitorare SQL Server Senza Andare in BancarottaCCI2019 - Monitorare SQL Server Senza Andare in Bancarotta
CCI2019 - Monitorare SQL Server Senza Andare in Bancarotta
 
CCI2019 - Teams e lo Shadow IT
CCI2019 - Teams e lo Shadow ITCCI2019 - Teams e lo Shadow IT
CCI2019 - Teams e lo Shadow IT
 
CCI2018 - La "moderna" Sicurezza informatica & Microsoft
CCI2018 - La "moderna" Sicurezza informatica & MicrosoftCCI2018 - La "moderna" Sicurezza informatica & Microsoft
CCI2018 - La "moderna" Sicurezza informatica & Microsoft
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

CCI2018 - Azure Network - Security Best Practices

  • 1.
  • 3. Who am I?
    Francesco Molfese
    francesco.molfese@progel.it
    LinkedIn: https://www.linkedin.com/in/francescomolfese/
    Twitter: @FrancescoMolf
    • Senior Consultant at Progel S.p.A.
    • Microsoft MVP Cloud Datacenter Management
    • Microsoft Certified Trainer (MCT)
    • Community Lead of the Italian System Center and Operations Management Suite User Group (http://www.ugisystemcenter.org)
  • 4. Azure Network - Security Best Practices
    Francesco Molfese
  • 5. Agenda
    • Network security challenges in the cloud
    • Azure Networking: which network security offering to use when
    • Understand Azure network security best practice
  • 6. Azure Networking and Protection
  • 7. What we get asked by customers around resource protection
    How do I control network and application access to resources?
    How do I embrace a zero trust network security model?
    How do I enable DDoS protection for my application?
    How do I protect my application from malicious intent?
    How do I do segmentation and isolation to protect resources?
  • 8. Azure Networking Services
    CDN, Front Door, Traffic Manager, Application Gateway, Load Balancer, Virtual Network, Virtual WAN, ExpressRoute, VPN, DNS, Network Watcher, ExpressRoute Monitor, Azure Monitor, Virtual Network TAP, DDoS Protection, Firewall, Network Security Groups, Web Application Firewall, Virtual Network Endpoints
  • 9. Virtual Networks
    Your virtual private network in the cloud
    • Private isolated logical network
    • Supports Network ACLs and IP Management
    • User defined routing for network virtual appliances
    • Extends on-premises network to the cloud
    • Provides secure connectivity to Azure services
  • 10. Hub-spoke network topology in Azure
    Typical uses for this architecture include:
    • Workloads deployed in different environments (dev, testing, and production) that require shared services (DNS, IDS, NTP, or AD DS).
    • Workloads that do not require connectivity to each other, but require access to shared services.
    • Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke.
  • 11. Hub-spoke benefits
    • Cost savings by centralizing services that can be shared by multiple workloads, such as network virtual appliances (NVAs) and DNS servers, in a single location.
    • Overcome subscription limits by peering VNets from different subscriptions to the central hub.
    • Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps).
  • 12. Hub & spoke architecture: native security services
  • 13. Multiple protection services to enable rich controls
    • App Gateway with Web Application Firewall (WAF): web application protection
    • Network & Application Security Groups (NSG): internal VNET segmentation
    • Service endpoints: secure access to public PaaS resources
    • Azure Firewall: full VNET egress and ingress (non-HTTP/S) protection
    • DDoS protection for Public IPs
  • 14. Application Access Patterns
    Diagram: users and the Internet reaching your Virtual Network (FrontEnd, Mid-tier and BackEnd tiers), with the controls that apply on each path:
    • Access private traffic: Network security groups (NSGs), Application security groups (ASGs), User-Defined routes (UDRs)
    • Access to/from Internet: DDoS protection, Web Application Firewall, Azure Firewall, Network Virtual Appliances
    • Access to Azure PaaS services: Service Endpoints
    • Backend connectivity: ExpressRoute, VPN Gateways
  • 15. Application Gateway and web application protection
    Layer 7 load balancer for web applications
  • 16. Application Gateway
    App Gateway (L7 LB):
    • Platform managed: built-in high availability and scalability
    • Layer 7 load balancing: URL path, host based, round robin, session affinity, redirection
    • Centralized SSL management: SSL offload and SSL policy
    • Public or ILB: public, internal or hybrid
    • Rich diagnostics: Azure Monitor, Log Analytics
    Web Application Firewall (WAF), web application protection:
    • Protects your application against prevalent X-Site Scripting and SQL Injection attacks
    • Blocks threats based on top 10 OWASP (Open Web Application Security Project) signatures
    • Integrated with Azure Security Center
    • Real-time logging with Azure Monitor
  • 17. Network Security Groups & Application Security Groups
  • 18. Network and Application Security Groups
    Network Security Groups
    • Protects your workloads with distributed ACLs
    • Simplified configuration with augmented security rules
    • Enforced at every host, applied on multiple subnets
    Application Security Groups
    • Micro-segmentation for dynamic workloads
    • Named monikers for groups of VMs
    • Removes management of IP addresses
    Service Tags
    • Named monikers for Azure service IPs
    • Many services tagged, including AzureCloud
    Logging and troubleshooting
    • NSG flow logs for traffic monitoring
    • Integrated with Network Watcher
    • JIT access policies with Azure Security Center
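The "NSG flow logs for traffic monitoring" bullet is where the detection value of NSGs lives: every flow that an NSG rule allowed or denied is written out as a tuple, so a short script can turn the log into a list of sources that keep getting denied on many different ports. The block below is an added example in Python, not code from the deck or from Microsoft; the log record is constructed and assumed to follow the version 2 flow-tuple layout (time, source, destination, source port, destination port, protocol T/U, direction I/O, decision A/D, flow state B/C/E, then four traffic counters), and the rule names, MAC and addresses in it are placeholders.

```python
"""Summarise denied inbound traffic from an NSG flow log (added example)."""
import json
from collections import defaultdict

# Constructed NSG flow log record: one source probing several ports, one
# legitimate HTTPS client. Rule names follow the DefaultRule_/UserRule_ pattern.
SAMPLE_LOG = json.dumps({
    "records": [{
        "time": "2018-11-13T12:00:00Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1542110377,198.51.100.7,10.1.1.4,51000,22,T,I,D,B,,,,",
                     "1542110378,198.51.100.7,10.1.1.4,51001,3389,T,I,D,B,,,,",
                     "1542110379,198.51.100.7,10.1.1.4,51002,8080,T,I,D,B,,,,",
                     "1542110380,192.0.2.9,10.1.1.4,44000,22,T,I,D,B,,,,",
                 ]}]},
                {"rule": "UserRule_AllowInternetToWebServers",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1542110381,192.0.2.9,10.1.1.4,44001,443,T,I,A,B,,,,",
                     "1542110382,192.0.2.9,10.1.1.4,44001,443,T,I,A,E,12,3400,10,9200",
                 ]}]},
            ],
        },
    }]
})

# Field names for the first nine comma-separated values of a tuple.
FIELDS = ("time", "src", "dst", "src_port", "dst_port",
          "proto", "direction", "decision", "state")


def parse_flow_log(raw):
    """Flatten a flow log into one dict per tuple, carrying the matching rule name."""
    flows = []
    for rec in json.loads(raw)["records"]:
        for rule_block in rec["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    parts = tup.split(",")
                    if len(parts) < 9:           # version 1 tuples carry no state field
                        parts = parts[:8] + [""]
                    entry = dict(zip(FIELDS, parts[:9]))
                    entry["rule"] = rule_block["rule"]
                    entry["dst_port"] = int(entry["dst_port"])
                    flows.append(entry)
    return flows


def denied_inbound_by_source(flows):
    """Map each source IP to the set of destination ports the NSG denied it inbound."""
    ports = defaultdict(set)
    for f in flows:
        if f["direction"] == "I" and f["decision"] == "D":
            ports[f["src"]].add(f["dst_port"])
    return dict(ports)


def find_port_probes(flows, min_ports=3):
    """Sources denied on at least min_ports distinct ports; a cheap signal worth a closer look."""
    denied = denied_inbound_by_source(flows)
    return sorted(src for src, p in denied.items() if len(p) >= min_ports)


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_LOG)
    print(denied_inbound_by_source(parsed))
    print(find_port_probes(parsed))
```

The same parser works on the blobs Network Watcher writes to the storage account; the threshold in find_port_probes is the one knob to tune per environment, and a single denied port (the second source above) is usually noise rather than a probe.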
  • 19. Network security for your VNet traffic
    Diagram: application security groups Monitoring VMs, App Servers, Database Servers, Log Servers, Web Servers, Domain Servers, Quarantine VMs and Domain Clients, all governed by one Network Security Group (NSG) with these rules:
    Action  Name                       Source                          Destination      Port
    Deny    QuarantineVMs              Any                             QuarantineVMs    Any
    Allow   AllowInternetToWebServers  Internet                        WebServers       80, 443 (HTTP)
    Allow   AllowWebToApp              WebServers                      AppServers       443 (HTTPS)
    Allow   AllowAppToDb               AppServers                      DatabaseServers  1443 (MSSQL)
    Allow   AllowAppToLogServers       AppServers                      LogServers       8089
    Allow   AllowOnPrem                10.10.0.0/16, 192.168.10.0/24   MonitoringVMs    80 (HTTP)
    Deny    DenyAllInbound             Any                             Any              Any
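What the table above does not show is how the rules are evaluated: an NSG walks its rules in priority order and applies the first match, so the quarantine deny has to sit above every allow, and anything not matched falls through to the built-in deny. The block below is an added example in Python (not the deck's own material) that encodes the slide's rule table as data and evaluates sample inbound flows against it. The priorities, the ASG membership and the flow addresses are constructed; "Internet" is simplified to "any address outside the RFC 1918 ranges"; and the AllowAppToDb rule uses 1433, the SQL Server default, where the slide's table prints 1443.

```python
"""First-match evaluation of the slide's NSG rule table (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed membership for the application security groups named on the slide.
ASG = {
    "WebServers": {"10.1.1.4", "10.1.1.5"},
    "AppServers": {"10.1.2.4"},
    "DatabaseServers": {"10.1.3.4"},
    "LogServers": {"10.1.4.4"},
    "MonitoringVMs": {"10.1.5.4"},
    "QuarantineVMs": {"10.1.9.4"},
}

# Simplification: "Internet" means anything outside the private address ranges.
_PRIVATE = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number wins, as in Azure (100..4096)
    name: str
    access: str        # "Allow" or "Deny"
    source: str        # ASG name, comma-separated CIDRs, "Internet" or "Any"
    destination: str
    ports: tuple       # () means any port


# The slide's table; priorities are constructed and keep the slide's top-to-bottom order.
RULES = [
    Rule(100, "QuarantineVMs", "Deny", "Any", "QuarantineVMs", ()),
    Rule(200, "AllowInternetToWebServers", "Allow", "Internet", "WebServers", (80, 443)),
    Rule(300, "AllowWebToApp", "Allow", "WebServers", "AppServers", (443,)),
    Rule(400, "AllowAppToDb", "Allow", "AppServers", "DatabaseServers", (1433,)),
    Rule(500, "AllowAppToLogServers", "Allow", "AppServers", "LogServers", (8089,)),
    Rule(600, "AllowOnPrem", "Allow", "10.10.0.0/16, 192.168.10.0/24", "MonitoringVMs", (80,)),
    Rule(4000, "DenyAllInbound", "Deny", "Any", "Any", ()),
]


def _matches(selector, ip):
    """Does an address selector (Any, Internet, ASG name or CIDR list) cover ip?"""
    addr = ip_address(ip)
    if selector == "Any":
        return True
    if selector == "Internet":
        return not any(addr in net for net in _PRIVATE)
    if selector in ASG:
        return ip in ASG[selector]
    return any(addr in ip_network(p.strip()) for p in selector.split(","))


def evaluate(rules, src, dst, port):
    """Return (access, rule_name) for the first rule, by priority, that matches the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _matches(r.source, src) and _matches(r.destination, dst) \
                and (not r.ports or port in r.ports):
            return r.access, r.name
    # Nothing matched: Azure's built-in DenyAllInBound default rule applies.
    return "Deny", "DefaultRule_DenyAllInBound"


if __name__ == "__main__":
    for flow in [("203.0.113.10", "10.1.1.4", 443),   # Internet -> web tier
                 ("10.1.1.4", "10.1.3.4", 1433),      # web tier straight to the database
                 ("10.1.2.4", "10.1.9.4", 22)]:       # anything into quarantine
        print(flow, "->", evaluate(RULES, *flow))
```

Two things the run makes visible: the web tier cannot reach the database even though both allows exist, because no rule joins WebServers to DatabaseServers, and the quarantine deny wins over every later allow purely because of its priority.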
  • 22. Service Endpoint Policies
    Enhanced VNet security for Azure services
    • Prevent unauthorized access to Azure services
    • Restrict Virtual Network access to specific Azure services
    • Granular access control over service endpoints
    Diagram: VNet 1 reaches a service through a service endpoint; the service endpoint policy allows Account A and blocks Account B and the others.
  • 23. Azure services available on Service Endpoints
    • Azure Storage
    • Azure SQL Database
    • Azure CosmosDB
    • Azure Key Vault
    • Azure Database services for PostgreSQL
    • Azure Database services for MySQL
    • Azure SQL Data Warehouse (Preview)
    • Azure Event Hubs (Preview)
    • Azure Service Bus (Preview)
  • 26. Azure Firewall
    Cloud native stateful Firewall as a service
    Central governance of all traffic flows
    • Built-in high availability and auto scale
    • Network and application traffic filtering
    • Centralized policy across VNets and subscriptions
    Complete VNET protection
    • Filter Outbound, Inbound, Spoke-Spoke & Hybrid Connections traffic (VPN and ExpressRoute)
    Centralized logging
    • Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or the Security Information and Event Management (SIEM) system of your choice
    Diagram: Spoke VNets and On-Premises connected through the hub firewall.
  • 27. Azure Firewall features (GA)
    • Application rules
      • FQDN Filtering
      • FQDN Tags (e.g. Azure Backup, App Service Environment)
      • Default infrastructure rule collection
    • Fully stateful network rules
    • NAT support
      • Default Source Network Address Translation (SNAT)
      • Destination Network Address Translation (DNAT)
    • Monitoring
      • Azure Monitor Logging
      • Azure Monitor Metrics
    • Support for inbound and hybrid connections
    • Network Watcher integration
    Coming soon: Azure Security Center Integration (JIT)
  • 28. FQDN tags in Azure Firewall
    • An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services
    • FQDN tags can be used in application rules to allow the required outbound network traffic through your firewall
    • Supported tags:
      • Windows Update
      • Windows Diagnostics
      • Microsoft Active Protection Service (MAPS)
      • App Service Environment
      • Azure Backup
    • Some tags may require additional configuration. For example, ASE has customer-specific Storage and SQL endpoints, which must be enabled using Service endpoints
  • 29. Inbound traffic filtering recommendation
    • Application Gateway WAF is the preferred service for inbound application level HTTP/S protection
    • Use Azure Firewall inbound network level protection for non-HTTP/S protocols (e.g. SSH, RDP, FTP)
    • Destination Network Address Translation (DNAT)
      • Inbound traffic filtering is enabled by mapping your firewall public IP and port to a private IP and port
    • Known issues
      • DNAT doesn't work for port 80 and 22. These can be specified as 80, 22 as the translated ports. For example, you can map public ip:81 to private ip:80. We are working to fix this soon.
  • 30. Azure Firewall for hybrid links
    Traffic filtering between Azure VNETs and on-premises networks
    • Works with either Azure VPN Gateway or ExpressRoute Gateway
    No support for traffic routing from on-premises to the Internet
    • This is a key roadmap feature for Azure Firewall in a Virtual WAN Hub
  • 31. Hybrid links filtering: recommended configuration
    • UDR on the spoke subnet pointing to the Azure Firewall private IP as default gateway
      • BGP route propagation must be disabled on this route table
    • UDR on the hub gateway subnet pointing to Azure Firewall as next hop to the spoke networks
      • Pointing to Azure Firewall as the default gateway is not supported on gateway subnets
    • No UDR on the Azure Firewall subnet (it learns routes from BGP)
    • Allow spokes to use the VPN/ER gateway in the hub
      • Set AllowGatewayTransit when peering VNet-Hub to VNet-Spoke
      • Set UseRemoteGateways when peering VNet-Spoke to VNet-Hub
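The recommended configuration on slide 31 is easy to get subtly wrong (BGP propagation left on, a default route on the GatewaySubnet, a peering flag missing on one side), and the symptom is usually traffic silently bypassing the firewall rather than an error. The block below is an added example in Python, not the deck's or Microsoft's code, that encodes those recommendations as checks over a plain description of the route tables and peerings; the subnet names spoke-workload, GatewaySubnet and AzureFirewallSubnet, the firewall IP and the spoke prefix are constructed placeholders, and the dictionary shape is an assumption of this example rather than any Azure API.

```python
"""Audit a hub-and-spoke routing layout against the hybrid-link recommendations (added example)."""
import copy

FIREWALL_IP = "10.0.0.4"          # constructed private IP of Azure Firewall in the hub
SPOKE_PREFIXES = ["10.1.0.0/16"]   # constructed spoke address space

# Constructed layout that follows every recommendation on the slide.
GOOD_CONFIG = {
    "route_tables": [
        {"name": "rt-spoke", "subnet": "spoke-workload", "disable_bgp_propagation": True,
         "routes": [{"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
                     "next_hop_ip": FIREWALL_IP}]},
        {"name": "rt-gateway", "subnet": "GatewaySubnet", "disable_bgp_propagation": False,
         "routes": [{"prefix": "10.1.0.0/16", "next_hop_type": "VirtualAppliance",
                     "next_hop_ip": FIREWALL_IP}]},
    ],
    "peerings": [
        {"from": "hub", "to": "spoke1", "allow_gateway_transit": True, "use_remote_gateways": False},
        {"from": "spoke1", "to": "hub", "allow_gateway_transit": False, "use_remote_gateways": True},
    ],
}


def _route_table(cfg, subnet):
    """Route table attached to a subnet, or None when the subnet has none."""
    return next((rt for rt in cfg["route_tables"] if rt["subnet"] == subnet), None)


def check_hybrid_routing(cfg, fw_ip=FIREWALL_IP, spokes=SPOKE_PREFIXES):
    """Return a list of findings; an empty list means the layout matches the slide."""
    findings = []

    # 1. Spoke subnet: default route to the firewall, BGP propagation disabled.
    spoke_rt = _route_table(cfg, "spoke-workload")
    if spoke_rt is None:
        findings.append("spoke: no route table attached")
    else:
        default = [r for r in spoke_rt["routes"] if r["prefix"] == "0.0.0.0/0"]
        if not any(r["next_hop_type"] == "VirtualAppliance" and r["next_hop_ip"] == fw_ip
                   for r in default):
            findings.append("spoke: missing 0.0.0.0/0 route to the firewall")
        if not spoke_rt["disable_bgp_propagation"]:
            findings.append("spoke: BGP route propagation must be disabled")

    # 2. GatewaySubnet: each spoke prefix via the firewall, and no default route.
    gw_rt = _route_table(cfg, "GatewaySubnet")
    if gw_rt is None:
        findings.append("gateway: no route table attached")
    else:
        for prefix in spokes:
            if not any(r["prefix"] == prefix and r["next_hop_ip"] == fw_ip for r in gw_rt["routes"]):
                findings.append(f"gateway: no route for {prefix} via the firewall")
        if any(r["prefix"] == "0.0.0.0/0" for r in gw_rt["routes"]):
            findings.append("gateway: default route on GatewaySubnet is not supported")

    # 3. AzureFirewallSubnet: no UDR at all, it learns routes from BGP.
    if _route_table(cfg, "AzureFirewallSubnet") is not None:
        findings.append("firewall: AzureFirewallSubnet should have no route table")

    # 4. Peering flags that let spokes use the hub gateway.
    for p in cfg["peerings"]:
        if p["from"] == "hub" and not p["allow_gateway_transit"]:
            findings.append(f"peering {p['from']}->{p['to']}: AllowGatewayTransit not set")
        if p["to"] == "hub" and not p["use_remote_gateways"]:
            findings.append(f"peering {p['from']}->{p['to']}: UseRemoteGateways not set")
    return findings


def broken_config():
    """A copy of GOOD_CONFIG with three common mistakes introduced."""
    cfg = copy.deepcopy(GOOD_CONFIG)
    cfg["route_tables"][0]["disable_bgp_propagation"] = False          # BGP routes leak past the UDR
    cfg["route_tables"][1]["routes"].append({"prefix": "0.0.0.0/0",    # unsupported on GatewaySubnet
                                             "next_hop_type": "VirtualAppliance",
                                             "next_hop_ip": FIREWALL_IP})
    cfg["peerings"][1]["use_remote_gateways"] = False                  # spoke cannot use the hub gateway
    return cfg


if __name__ == "__main__":
    print("good:", check_hybrid_routing(GOOD_CONFIG))
    print("broken:", check_hybrid_routing(broken_config()))
```

Feeding the checker from a real subscription is a matter of building the same dictionaries from the route table, subnet and peering objects returned by the Azure CLI or Az PowerShell; the checks themselves do not change.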
  • 33. Azure Firewall synergies and recommendations
    Application Gateway WAF
    • Provides inbound protection for web applications (L7)
    • Azure Firewall provides network level protection (L3) for all ports and protocols and application level protection (L7) for outbound HTTP/S. Azure Firewall should be deployed alongside Azure WAF
    • Azure Firewall can be combined with 3rd party WAF/DDoS solutions
    Network Security Groups (NSG)
    • NSG and Azure Firewall are complementary; with both you have defense in depth
    • NSGs provide host based, distributed network layer traffic filtering to limit traffic to resources within virtual networks
    • Azure Firewall is a fully stateful centralized network firewall as-a-service, providing network and application level protection across virtual networks and subscriptions
    Service endpoints
    • Recommended for secure access to Azure PaaS services
    • Can be leveraged with Azure Firewall for central logging of all traffic, by enabling service endpoints in the Azure Firewall subnet and disabling them on the connected spoke VNETs
  • 35. DDoS Attack Trends
    • Attack Frequency: 58% vs. 2017
    • Attack Size: 1.7 Tbps peak; 4X > 50 Gbps
    • Attack Vectors: 56% multi-vector
    • Attack Downtime: 35% of businesses impacted
    • Continued growth in frequency, size, sophistication, and impact
    • Often utilized as a 'cyber smoke screen' to mask infiltration attacks
    Record attack sizes: 400 Gbps (NTP amp), 650 Gbps (Mirai), 1.7 Tbps (Memcached), 2+ Tbps (???)
  • 37. Azure DDoS Protection Standard
    DDoS Attack Analytics
    • Mitigation Reports
      • Near real time attack data snapshot
      • Stats include attack vectors, protocols, traffic, top sources & ASNs and more
      • Summary report at the end of the attack
    • Mitigation Flow Logs
      • Near real time sampled flow logs with details of the action taken during attack mitigation
      • Logs include Source & Destination IP with Port and Action taken
    • DDoS Rapid Response (DRR)
      • Access to the Rapid Response team during an active attack for specialized support
      • Mitigation policy customizations for anticipated events
    Recommendations in Azure Security Center to protect Virtual Networks against DDoS attacks
    Support for Azure Firewall, IPv6 Virtual Networks & VPN Gateway as protected resources
  • 38. Recap
    Azure network security best practice
  • 39. Key Takeaways
    • Pick network security offerings based on application access patterns
    • Layer security by mix-and-match based on your requirements
    • Scale the security model as your workloads scale
  • 40. Protection services enabling zero trust
    Segmentation
    • Azure Firewall: centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering. Better central governance of all traffic flows, full DevOps integration, using cloud native high availability with autoscale
    • Network Security Groups: distributed inbound & outbound network (L3-L4) traffic filtering on VM, container or subnet. Full granular distributed end node control at VM/subnet for all network traffic flows
    • Service Endpoints: restrict access to Azure service resources (PaaS) to only your Virtual Network. Extend your Virtual Network controls to lock down Azure service resources (PaaS) access
    Application protection
    • Web Application Firewall: centralized inbound web application protection from common exploits and vulnerabilities. Prevent SQL injection, stop cross site scripting and an array of other types of attacks using a cloud native approach
    • DDoS protection: DDoS protection tuned to your application traffic patterns
  • 41. Q & A
  • 42. Let the past go and step off into the future

Editor's Notes

  1. Hyperfish intro We are really excited to bring you something great
  2. Founded 2015 Co-Founders Brian Cook & Chris Johnson Brian was the founder and CEO of Workflow company Nintex, Chris Johnson was a Group Product Management in Office 365 & SharePoint Joining them were
  3. 18
  4. Service Tags
  5. Service Tags
  6. 26
  7. Service Tags