Posts

Showing posts from September, 2020

Network Security (Part 3 of 3)

To read part 1 please click here. To read part 2 please click here. Azure Application Gateway is a web traffic load balancer that allows you to manage traffic to your web applications. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example the URI path or host headers. Application Gateway includes the following features: Secure Socket Layer (SSL/TLS) termination- Application Gateway supports SSL/TLS termination at the gateway, after which the traffic typically flows unencrypted to the backend servers; this also relieves the web servers of the costly encryption and decryption overhead. Autoscaling- Application Gateway Standard_v2 supports autoscaling and can scale up or down based on changing traffic load patterns, which removes the requirement to choose a deployment size or instance count during provisioning. Zone redundancy- A Standard_v2 Application Gateway can span multiple Availability Zones, offering better fault resil

Network Security (Part 2 of 3)

To read part 1 please click here. To read part 3 please click here. Application Security Groups (ASGs) enable you to configure network security as a natural extension of an application's structure: you can group VMs and define network security policies based on those groups, which also lets you reuse your security policy at scale without manually maintaining explicit IP addresses. NSG1 is associated to both subnets and contains the following rules: Allow-HTTP-Inbound-Internet, Deny-Database-All, Allow-Database-BusinessLogic. The rules that specify an ASG as the source or destination are applied only to the network interfaces that are members of that ASG; if a network interface is not a member of the ASG, the rule is not applied to it even though the network security group (NSG) is associated to the subnet. ASGs have the following constraints: There are limits to the number of ASGs you can have in a subscription, in addition to the other limits re

Network Security (Part 1 of 3)

To read part 2 please click here. To read part 3 please click here. Network Security Groups (NSGs) A network security group filters network traffic to and from Azure resources in an Azure virtual network. It provides an additional layer of security for the VMs you create with either deployment model (Resource Manager or classic) and controls inbound and outbound traffic passing through a network adapter (in the Resource Manager deployment model), a VM (in the classic deployment model), or a subnet (in both deployment models). Network Security Group Rules NSGs contain rules that specify whether traffic will be allowed or denied. Each rule consists of the following properties: Name- This is a unique identifier for the rule. Direction- This specifies whether the traffic is inbound or outbound. Priority- If multiple rules match the traffic, the rule with the higher priority applies. Access- This specifies whether the traffic is allowed or denied. Source IP address prefix- Th

Implement Platform Protection: Azure Firewall (Part 2)

To read part 1 please click here. Azure Firewall Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. By default, Azure Firewall blocks traffic. The Azure Firewall features include: Built-in high availability- Because high availability is built in, no additional load balancers are required and there is nothing you need to configure. Unrestricted cloud scalability- Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic. Application FQDN filtering rules- You can limit outbound HTTP/S traffic to a specified list of FQDNs, including wildcards. This feature does not require SSL termination. Network traffic filtering rules- You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Rules are enforced and logged across multiple subscriptions and virtual networks. FQDN tags-

Implement Platform Protection: Perimeter Security (Part 1)

To read part 2 please click here. Defense In Depth The defense in depth approach includes additional controls in the design to mitigate risk to the organization in the event that a primary security control fails. All services in Azure are designed and operated to support multiple layers of defense, spanning your data, apps, virtual machines, network perimeter policies, and physical security within our data centers. As more and more of a company's digital resources reside outside the corporate network, in the cloud and on personal devices, it becomes obvious that perimeter-only security controls like firewalls, DMZs, VNets, etc. are no longer adequate to do the job. The adoption of software-defined networking (SDN) and software-defined data center (SDDC) technologies is driving network segmentation to become more granular, i.e. Network Micro-Segmentation. Network Micro-Segmentation Micro-segmentation is a way to create secure zones in data centers and Azure deployments that

Azure AD Hybrid Identity

Azure AD Connect Azure AD Connect integrates your on-premises directories with Azure Active Directory. It provides the following features: Password Hash Synchronization- A sign-in method that synchronizes a hash of the user's on-premises AD password with Azure AD. Pass-through Authentication- A sign-in method that allows users to use the same password on-premises and in the cloud without the additional infrastructure of a federated environment. Federation integration- Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. Synchronization- Responsible for creating users, groups, and other objects, and for making sure that the identity information for your on-premises users and groups (including password hashes) matches the cloud. Health Monitoring- Provides robust monitoring and a central location in the Azure portal to view this activity. When you integ

Azure AD Privileged Identity Management (Part 2)

To read part 1 please click here. Microsoft Identity Management Microsoft Identity Management (MIM) helps organizations manage the users, credentials, policies, and access within their organization and hybrid environments. MIM works with Active Directory Domain Services to give the right users the right access to on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Microsoft 365 and cloud-hosted apps. Identity has become a common factor among many services, like Microsoft 365 and Xbox Live, where the person is the center of the service. Your digital identity is the combination of who you are and what you are allowed to do. That is, Credentials + Privileges = digital identity. Privileged identities have more than the normal user rights and, if compromised, allow a malicious hacker to access sensitive corporate assets. Securing these privileged identities is a critical step in establishing security assurances for business assets in a mode

Azure AD Privileged Identity management (Part 1): Zero Trust Model

To read part 2 please click here. Zero Trust Model Some time ago, security was focused on a strong perimeter defense to keep malicious hackers out. Anything outside the wall was treated as hostile, whereas inside the wall an organization's systems were trusted. Today's security posture is instead to assume breach and use the zero trust model. Security professionals no longer focus on perimeter defense, and modern organizations have to support access to data and services equally from both inside and outside the corporate firewall. What does Zero Trust mean? The Zero Trust Model states that you should never assume trust but instead continually validate it. Instead of assuming everything behind the corporate firewall is safe, the zero trust model assumes breach and verifies each request as though it originates from an open network. It relies on verifiable user and device trust claims to grant access to organizational resources. The trust determination components are: Identity P