Network Security (Part 2 of 3)

By Ashwin Venugopal -



 


To read part 1 please click here
To read part 3 please click here


Application Security Groups or ASGs

ASGs enables you to configure network security as a natural extension of an application's structure and then you can easily group VMs and define network security policies based on those groups while also allowing you to reuse your security policy at scale without any manual maintenance of explicit IP addresses. NSG1 is associated to both subnets and contains following rules:
  • Allow-HTTP-Inbound-Internet
  • Deny-Database-All
  • Allow-Database-BusinessLogic 

The rules that specify an ASG as the source or destination are only applied to the network interfaces that are members of the ASG, but if they are not a member of an ASG, the rule is not applied to the network interface even though the network security group (NSG) is associated to the subnet. 

ASGs have the following constraints

  • There are limits to the number of ASGs you can have in a subscription, in addition to the other limits related to ASGs.
  • You can specify one ASG as the source and destination in a security rule but cannot specify multiple ASGs in the source or destination.
  • All network interfaces assigned to an ASG must exist in the same virtual network as the first network interface is assigned to the ASG.
  • If you specify an ASG as the source and destination in a security rule, the network interfaces in both ASGs must exist in the same virtual network.  

Hence ASGs along with the NSGs, have brought multiple benefits on the network security area:

  • A single management experience
  • Increased limits on multiple dimensions
  • A great level of simplification
  • A seamless integration with your architecture 

Service Endpoints

A virtual network service endpoints provides the identity of your virtual network to the Azure service. once they are enabled in your virtual network, you can secure Azure service resources to your virtual network by adding a virtual network rule to the resources.
A common usage case for service endpoints is a virtual machine accessing storage. The storage account restricts access to the virtual machines private IP address.

Why use a service endpoint?
  • Improved security for your Azure service resources- Once service endpoints are enabled in your virtual network, you can secure Azure service resources to your virtual network by adding a virtual network rule to the resources. This offers improved security by fully removing public Internet access to resources, and allowing traffic only from your virtual network.

  • Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network- Keeping traffic on the Azure backbone network allows you to continue auditing and monitoring outbound Internet traffic from your virtual networks, through forced-tunneling, without impacting service traffic.

  • Simple to set up with less management overhead- No NAT or gateway devices are required to set up the service endpoints, but they are configured through a simple click on a subnet. There is no additional overhead to maintain the endpoints.   

With the help of service endpoints, the source IP addresses of the virtual machines in the subnet for service traffic can switch from using public IPv4 addresses to using private IPv4 addresses. 

Service Endpoint Services

Service endpoint would provide benefits in the following scenarios:
  • Peered, connected, or multiple virtual networks- To secure Azure services to multiple subnets within a virtual network or across multiple virtual networks, you can enable service endpoints on each of the subnets independently, and secure Azure service resources to all of the subnets.

  • Filtering outbound traffic from a virtual network to Azure services- This scenario might be helpful if you want to use network virtual appliance filtering to restrict Azure service access from your virtual network only to the specific Azure resources.

  • Securing Azure resources to services deployed directly into virtual networks- You can secure Azure service resources to managed service subnets by setting up a service endpoint on the managed service subnet.

  • Disk traffic from an Azure virtual machine- Virtual Machine Disk traffic for managed and unmanaged disks isn't affected by service endpoints routing changes for Azure Storage. You can limit REST access to page blobs to select networks through service endpoints and Azure Storage network rules.

Private Links

Azure Private Link works on an approval call flow model wherein the Private Link service consumer can request a connection to the service provider for consuming the service. There are two connection approval methods that a Private Link service consumer can choose from:

  • Automatic- If the service consumer has RBAC permissions on the service provider resource, then the consumer can choose the automatic approval method. In this case, when the request reaches the service provider resource, no action is required from the service provider and the connection is automatically approved.

  • Manual- If the service consumer doesn't have the RBAC permissions on the service provider resource, then the consumer can choose the manual approval method. In this case, the connection request appears on the service resources  as Pending and the service provider has to manually approve the request before the connections can be established.  

The service provider has options like- approved, reject, and remove- to choose from for all the Private Endpoint connections and Portal is the preferred method for managing Endpoint connections on Azure PaaS resources.



To read part 1 please click here
To read part 3 please click here



Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more