Network Security (Part 3 of 3)

 


To read part 1 please click here
To read part 2 please click here

Azure Application Gateway

Azure Application Gateway is a web traffic load balancer that lets you manage traffic to your web applications. It operates at Layer 7 (HTTP/HTTPS), so it can make routing decisions based on attributes of an HTTP request such as the URI path or host headers, which a Layer 4 load balancer cannot see. Application Gateway includes the following features:

  • Secure Socket Layer (SSL/TLS) termination- Application Gateway supports SSL/TLS termination at the gateway, after which the traffic typically flows unencrypted to the backend servers; this relieves the web servers of the costly encryption and decryption overhead. Be aware that the gateway-to-backend hop is then plaintext inside the virtual network. Where that is not acceptable (regulated workloads, shared subnets), Application Gateway also supports end-to-end TLS, in which it re-encrypts the connection to the backend pool.

  • Autoscaling- Application Gateway Standard_v2 supports autoscaling and can scale up or down based on changing traffic load patterns, removing the requirement to choose a deployment size or instance count during provisioning.

  • Zone redundancy- A Standard_v2 Application Gateway can span multiple Availability Zones, offering better fault resiliency and removing the need to provision separate Application Gateways in each zone.

  • Static VIP- The Application Gateway Standard_v2 SKU supports the static VIP type exclusively. This ensures that the VIP associated with the application gateway doesn't change over the lifetime of the Application Gateway.

  • Web Application Firewall (WAF)- A service that offers centralized protection of your web applications from common exploits and vulnerabilities (see the WAF section below).

  • Ingress controller for AKS- The Application Gateway Ingress Controller (AGIC) allows you to use Application Gateway as the ingress for an Azure Kubernetes Service (AKS) cluster.

  • URL-based routing- URL path based routing allows you to route traffic to back-end server pools based on the URL path of the request. One scenario is routing requests for different content types to different pools.

  • Multiple-site hosting- Enables you to configure more than one web site on the same application gateway instance, giving a more efficient topology for your deployments; up to 100 web sites can be added to one Application Gateway.

  • Redirection- A common scenario for many web applications is automatic HTTP to HTTPS redirection, to ensure all communication between an application and its users occurs over an encrypted path.

  • Session affinity- The cookie-based session affinity feature is useful when you want to keep a user session on the same server.

  • Websocket and HTTP/2 traffic- Application Gateway provides native support for the WebSocket and HTTP/2 protocols. There's no user-configurable setting to selectively enable or disable WebSocket support.

  • Connection draining- Helps you achieve graceful removal of backend pool members during planned service updates.

  • Custom error pages- Application Gateway allows you to create custom error pages instead of displaying the default error pages, so you can use your own branding and layout. Custom pages also avoid leaking gateway or backend implementation details in error responses.

  • Rewrite HTTP headers- HTTP headers allow the client and server to pass additional information with the request or the response. Application Gateway can add, remove, or update request and response headers as they pass through the gateway, for example stripping a Server header that reveals the backend software, or inserting the client's original IP address for the backend's logs.

  • Sizing- Application Gateway Standard_v2 can be configured for autoscaling or fixed size deployments. This SKU doesn't offer different instance sizes.

Most deployments that use the v2 SKU take around 6 minutes to provision, though it can take longer depending on the type of deployment.
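The TLS termination point above has a consequence for the backend: it no longer sees the client's TCP connection, only the gateway's, with the original client address and scheme carried in the X-Forwarded-For and X-Forwarded-Proto headers that Application Gateway inserts. The following Python example (added here; it is not code from the original post or from Microsoft) shows how a backend should consume those headers: trust them only when the immediate peer is in the gateway subnet, strip the port that Application Gateway appends to X-Forwarded-For, and refuse requests that bypass the gateway. The gateway subnet prefix, public host name and sample requests are constructed for the example; in a real deployment an NSG on the backend subnet should also restrict inbound traffic to the gateway subnet, and the check here is defence in depth.

```python
import ipaddress

# Constructed for this example: the subnet that holds the Application Gateway
# instances. Forwarded headers are trusted only from peers inside it.
GATEWAY_SUBNET = ipaddress.ip_network("10.0.0.0/24")
# Constructed public host name used when redirecting to HTTPS.
PUBLIC_HOST = "www.example.com"


def client_context(peer_ip, headers):
    """Recover the original client IP and scheme for a request that reached
    the backend after TLS termination at the gateway.

    Application Gateway inserts X-Forwarded-For (as "ip:port", comma separated
    if there were earlier proxies) and X-Forwarded-Proto. Those headers are
    only meaningful when the immediate peer is the gateway; from anywhere
    else they could be spoofed, so they are ignored.
    """
    h = {k.lower(): v for k, v in headers.items()}
    via_gateway = ipaddress.ip_address(peer_ip) in GATEWAY_SUBNET
    if not via_gateway:
        return {"client_ip": peer_ip, "scheme": "http", "via_gateway": False}

    first_hop = h.get("x-forwarded-for", "").split(",")[0].strip()
    # Strip the ":port" suffix Application Gateway appends to IPv4 addresses
    # (an IPv6 literal contains more than one colon and is left untouched).
    if first_hop.count(":") == 1:
        first_hop = first_hop.rsplit(":", 1)[0]
    try:
        client_ip = str(ipaddress.ip_address(first_hop))
    except ValueError:
        client_ip = peer_ip  # malformed or missing header: fall back to the peer
    scheme = h.get("x-forwarded-proto", "http").lower()
    return {"client_ip": client_ip, "scheme": scheme, "via_gateway": True}


def handle(peer_ip, headers, path):
    """Minimal request handler returning (status, body_or_location)."""
    ctx = client_context(peer_ip, headers)
    if not ctx["via_gateway"]:
        # A request that did not come through the gateway bypassed TLS, WAF
        # and routing policy; an NSG should block it, this is defence in depth.
        return 403, "direct backend access is not permitted"
    if ctx["scheme"] != "https":
        # The gateway's redirect rule normally handles this; enforcing it
        # again here keeps the app safe if that rule is misconfigured.
        return 301, f"https://{PUBLIC_HOST}{path}"
    return 200, f"hello {ctx['client_ip']}"


if __name__ == "__main__":
    # Constructed sample requests: via the gateway over HTTPS, via the
    # gateway over HTTP, and a direct hit with spoofed forwarded headers.
    print(handle("10.0.0.7", {"X-Forwarded-For": "203.0.113.9:51234",
                             "X-Forwarded-Proto": "https"}, "/account"))
    print(handle("10.0.0.7", {"X-Forwarded-For": "203.0.113.9:51234",
                             "X-Forwarded-Proto": "http"}, "/account"))
    print(handle("198.51.100.4", {"X-Forwarded-For": "10.0.0.7:1",
                                 "X-Forwarded-Proto": "https"}, "/account"))
```

The peer check is the important part: without it, anyone who can reach the backend directly can set X-Forwarded-For to impersonate another client in the backend's logs and access controls.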

Web Application Firewall (WAF)

WAF offers centralized protection of your web applications from common exploits and vulnerabilities. SQL injection and cross-site scripting are among the most common attacks, and preventing them consistently in application code across many applications is challenging. A centralized Web Application Firewall makes security management simpler and gives application administrators better assurance of protection against threats and intrusions. It complements secure coding rather than replacing it: the managed rules are signature and anomaly based, so a determined attacker may find an encoding the rules do not normalize, and the rules will also produce false positives that need tuning.

A WAF solution can react to a security threat faster by centrally patching a known vulnerability (virtual patching) instead of fixing each individual web application. Azure WAF can be deployed with Azure Application Gateway, Azure Front Door and the Azure Content Delivery Network service (the CDN integration was in public preview at the time of writing). The Application Gateway managed rule sets are based on the OWASP Core Rule Set, and the WAF can run in Detection mode, which only logs matches, or Prevention mode, which blocks them; a common practice is to start in Detection mode and review the logs before switching to Prevention.

Azure Front Door

Azure Front Door enables you to define, manage, and monitor the global routing for your web traffic, optimizing for the best performance and instant global failover for high availability. Front Door works at Layer 7, the HTTP/HTTPS layer. It provides a range of traffic-routing methods as well as backend health monitoring options to suit different application needs and automatic failover models. Like Traffic Manager, Front Door is resilient to failures, including the failure of an entire Azure region.

Following features are included with Front Door:

  • Accelerate Application performance- By using split TCP-based anycast protocol, Front Door ensures that your end users promptly connect to the nearest Front Door POP (Point Of Presence).

  • Increase application availability with smart health probes- Front Door delivers high availability for your critical applications using its smart health probes, monitoring your backend for both latency and availability while providing instant automatic failover when a backend goes down.

  • URL-based routing- URL Path Based Routing allows you to route traffic to backend pools based on URL paths of the request.

  • Multiple-site hosting- It enables you to configure more than one website on the same Front Door configuration.

  • Session affinity- The cookie-based session affinity feature is useful when you want to keep a user session on the same application backend.

  • TLS termination- Front Door supports TLS termination at the edge; that is, individual users set up a TLS connection with the nearest Front Door environment instead of establishing it over a long haul connection to the application backend. As with Application Gateway, the hop from the edge to your backend must then be secured separately (Front Door can forward to the backend over HTTPS).

  • Custom domains and certificate management- When you use Front Door to deliver content, a custom domain is necessary if you would like your own domain name to be visible in your Front Door URL.

  • Application layer security- Azure Front Door allows you to author custom Web Application Firewall (WAF) rules for access control, protecting your HTTP/HTTPS workload from exploitation based on client IP addresses, country code, and HTTP parameters.

  • URL redirection- With the strong industry push on supporting only secure communication, web applications are expected to automatically redirect any HTTP traffic to HTTPS. 

  • URL rewrite- Front Door supports URL rewrite by allowing you to configure an optional Custom Forwarding Path to use when constructing the request to forward to the backend.

  • Protocol support- IPv6 and HTTP/2 traffic- Azure Front Door natively supports end-to-end IPv6 connectivity and HTTP/2 protocol. 

Overall, Front Door ensures that requests from your end users reach the closest Front Door environment, and that if the preferred environment is unhealthy, traffic automatically moves to the next closest one.
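Both the Application Gateway WAF described earlier and Front Door's application layer security evaluate custom rules in priority order: each rule is a set of match conditions on the client IP, country code or HTTP parameters, with an Allow or Block action. The Python below is an added example (not Azure's implementation or schema) that models that evaluation with a small rule set: rules are sorted by priority, all conditions of a rule must match, and the first matching rule decides; if nothing matches, the request proceeds to the managed rule set. The field names loosely mirror the Azure custom rule JSON but are an assumption, and the IP ranges, country code and requests are constructed.

```python
import ipaddress
import re

# Constructed custom rule set. The field names loosely follow the shape of
# Azure WAF custom rules (priority, matchConditions, action) but are an
# assumption for this example, not the exact Azure schema.
RULES = [
    {"name": "BlockScannerUserAgents", "priority": 10, "action": "Block",
     "matchConditions": [
         {"matchVariable": "RequestHeader", "selector": "User-Agent",
          "operator": "Contains", "matchValues": ["sqlmap", "nikto"]}]},
    {"name": "AllowOfficeRange", "priority": 20, "action": "Allow",
     "matchConditions": [
         {"matchVariable": "RemoteAddr", "operator": "IPMatch",
          "matchValues": ["203.0.113.0/24"]}]},
    {"name": "BlockAdminPaths", "priority": 30, "action": "Block",
     "matchConditions": [
         {"matchVariable": "RequestUri", "operator": "BeginsWith",
          "matchValues": ["/admin"]}]},
    {"name": "BlockUnexpectedCountries", "priority": 40, "action": "Block",
     "matchConditions": [
         {"matchVariable": "RemoteAddr", "operator": "GeoMatch",
          "matchValues": ["ZZ"]}]},  # ZZ is a constructed placeholder country code
]


def _request_values(req, cond):
    """The request field(s) a match condition inspects."""
    variable = cond["matchVariable"]
    if variable == "RemoteAddr":
        return [req["remote_addr"]]
    if variable == "RequestUri":
        return [req["uri"]]
    if variable == "RequestMethod":
        return [req["method"]]
    if variable == "RequestHeader":
        wanted = cond["selector"].lower()
        return [v for k, v in req["headers"].items() if k.lower() == wanted]
    raise ValueError(f"unsupported matchVariable: {variable}")


def condition_matches(req, cond):
    op, targets = cond["operator"], cond["matchValues"]
    hit = False
    for value in _request_values(req, cond):
        if op == "IPMatch":
            ip = ipaddress.ip_address(value)
            hit = any(ip in ipaddress.ip_network(t, strict=False) for t in targets)
        elif op == "GeoMatch":
            # The edge resolves the client IP to a country; here the country
            # is supplied on the constructed request record.
            hit = req.get("country") in targets
        elif op == "Regex":
            hit = any(re.search(t, value) for t in targets)
        else:
            # String operators, compared case-insensitively (like a Lowercase transform).
            v, ts = value.lower(), [t.lower() for t in targets]
            checks = {"Equal": lambda: v in ts,
                      "Contains": lambda: any(t in v for t in ts),
                      "BeginsWith": lambda: any(v.startswith(t) for t in ts),
                      "EndsWith": lambda: any(v.endswith(t) for t in ts)}
            hit = checks[op]()
        if hit:
            break
    # negationCondition inverts the outcome of the whole condition.
    return hit != cond.get("negationCondition", False)


def evaluate(req, rules=RULES):
    """Evaluate custom rules in priority order; the first rule whose conditions
    all match decides. Returns (action, rule_name); ("Continue", None) means no
    custom rule matched and the request goes on to the managed rule set."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(req, c) for c in rule["matchConditions"]):
            return rule["action"], rule["name"]
    return "Continue", None


def make_request(remote_addr, uri, user_agent="Mozilla/5.0", country="US", method="GET"):
    """Constructed request record in the shape evaluate() expects."""
    return {"remote_addr": remote_addr, "uri": uri, "method": method,
            "country": country, "headers": {"User-Agent": user_agent}}


if __name__ == "__main__":
    for req in [make_request("203.0.113.10", "/admin/users"),
                make_request("198.51.100.23", "/admin/users"),
                make_request("203.0.113.10", "/", user_agent="sqlmap/1.5"),
                make_request("198.51.100.23", "/products", country="ZZ"),
                make_request("198.51.100.23", "/products")]:
        print(req["remote_addr"], req["uri"], "->", evaluate(req))
```

The priorities matter: the office range is allowed to reach /admin because its Allow rule (20) is evaluated before the admin Block rule (30), yet a scanner user agent from that same range is still blocked because the scanner rule (10) comes first. Reordering those numbers changes the outcome, which is why custom rule priorities deserve review like any other access control list.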

User Defined Routes and Network Virtual Appliances

User Defined Routes (UDR)

A UDR is a custom route in Azure that overrides Azure's default system routes or adds routes to a subnet's route table. Each subnet can have zero or one route table associated with it. When you create a route table and associate it with a subnet, Azure combines its routes with the default system routes for that subnet: a user-defined route for a prefix that a system route also covers overrides the system route, while routes for other prefixes are simply added. Route selection is by longest prefix match first; only when prefixes tie does a user-defined route take precedence over a BGP route, which in turn takes precedence over a system route.

Network Virtual Appliances (NVA)

You can deploy an NVA in a perimeter network in many architectures to provide a secure network boundary: the NVA inspects all inbound and outbound network traffic and passes only the traffic that meets the network security rules. However, if a UDR sends traffic to a single NVA and that NVA fails, no other path exists for the traffic and all the back-end subnets become unavailable.

Hence, to make an NVA highly available, deploy more than one NVA into an availability set (or across availability zones) and place them behind an internal load balancer, with the UDR's next hop set to the load balancer's front-end IP address rather than to an individual appliance. NVAs can provide layer 7, application layer, security in addition to layer 3/4 filtering.
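Azure selects a route for a packet by longest prefix match and, when prefixes tie, prefers a user-defined route over a BGP route over a system route. The Python below (added here, not from the original post) simulates that selection for the UDR and NVA scenario above, with a constructed 10.0.0.0/16 virtual network, an NVA subnet of 10.0.1.0/24 and an assumed internal load balancer front-end IP of 10.0.1.100 as the next hop. It shows the common surprise that a 0.0.0.0/0 route to the NVA does not capture traffic between subnets of the same VNet, because the system VNet route has a longer prefix; a second UDR for the VNet prefix is needed for that.

```python
import ipaddress

# Route source precedence when two routes have the same prefix length:
# user-defined routes win over BGP routes, which win over system routes.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}

# Constructed default system routes for a subnet in a 10.0.0.0/16 VNet.
SYSTEM_ROUTES = [
    {"prefix": "10.0.0.0/16", "next_hop_type": "VnetLocal", "next_hop_ip": None, "source": "System"},
    {"prefix": "0.0.0.0/0",   "next_hop_type": "Internet",  "next_hop_ip": None, "source": "System"},
]

# Assumption: the NVAs sit behind an internal load balancer whose front-end
# IP is 10.0.1.100; pointing the UDR at that IP rather than at a single
# appliance avoids a single point of failure.
NVA_LB_IP = "10.0.1.100"

UDR_DEFAULT_TO_NVA = {"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
                      "next_hop_ip": NVA_LB_IP, "source": "User"}
UDR_VNET_TO_NVA = {"prefix": "10.0.0.0/16", "next_hop_type": "VirtualAppliance",
                   "next_hop_ip": NVA_LB_IP, "source": "User"}


def select_route(dest_ip, routes):
    """Return the route Azure would use for dest_ip, or None if no prefix matches."""
    ip = ipaddress.ip_address(dest_ip)
    best, best_key = None, None
    for route in routes:
        net = ipaddress.ip_network(route["prefix"])
        if ip not in net:
            continue
        # Longer prefix first; on a tie, the lower source rank (User) wins.
        key = (net.prefixlen, -SOURCE_RANK[route["source"]])
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


def next_hop(dest_ip, user_routes=()):
    """Effective next hop type for dest_ip given the system routes plus user_routes."""
    route = select_route(dest_ip, [*SYSTEM_ROUTES, *user_routes])
    return route["next_hop_type"] if route else "Dropped"


if __name__ == "__main__":
    scenarios = [
        ("no UDR", []),
        ("0.0.0.0/0 -> NVA", [UDR_DEFAULT_TO_NVA]),
        ("0.0.0.0/0 and 10.0.0.0/16 -> NVA", [UDR_DEFAULT_TO_NVA, UDR_VNET_TO_NVA]),
    ]
    for label, udrs in scenarios:
        print(f"{label}: internet-bound={next_hop('8.8.8.8', udrs)} "
              f"peer-subnet={next_hop('10.0.2.5', udrs)}")
```

Two practical cautions follow from the model: the route table carrying these UDRs must not be associated with the NVA subnet itself, or traffic leaving the appliance would be sent straight back to it, and any subnet whose route table lacks the VNet-prefix UDR will still talk to its neighbours without inspection.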

ExpressRoute and ExpressRoute Direct  

ExpressRoute

ExpressRoute is a direct, private connection from your WAN to Microsoft services, including Azure, that does not traverse the public Internet. You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not part of your network but that are connected through ExpressRoute. Note that private does not mean encrypted: ExpressRoute does not encrypt traffic by default, which is why the encryption options below exist.

Note that this coexistence configuration requires two virtual network gateways for the same virtual network, one using the gateway type 'Vpn', and the other using the gateway type 'ExpressRoute'.

ExpressRoute encryption

  • IPsec over ExpressRoute for Virtual WAN- Azure Virtual WAN uses an Internet Protocol Security (IPsec) Internet Key Exchange (IKE) VPN connection from your on-premises network to Azure over the private peering of an Azure ExpressRoute circuit. This technique provides encrypted transit between the on-premises networks and Azure virtual networks over ExpressRoute, without going over the public internet or using public IP addresses.

  • Point-to-point encryption by MACsec- MACsec is an IEEE standard that encrypts data at the Media Access Control (MAC) level, or Network Layer 2. You can use it to encrypt the physical links between your network devices and Microsoft's network devices when you connect to Microsoft via ExpressRoute Direct.

  • End-to-end encryption by IPsec and MACsec- IPsec is an IETF standard that encrypts data at the Internet Protocol (IP) level, or Network Layer 3. While MACsec secures the physical connections between you and Microsoft, IPsec secures the end-to-end connection between you and your virtual networks on Azure. The two can be enabled independently, and combining them covers both the physical link and the path beyond it.

ExpressRoute Direct

ExpressRoute Direct gives you the ability to connect directly into Microsoft's global network at peering locations strategically distributed across the world. Key features that ExpressRoute Direct provides include, but aren't limited to:
  • Massive data ingestion into services like Storage and Cosmos DB.
  • Physical isolation for regulated industries that require dedicated and isolated connectivity, such as banking, government, and retail.
  • Granular control of circuit distribution based on business unit.

ExpressRoute Direct supports massive data ingestion scenarios into Azure Storage and other big data services. Its infrastructure is redundant, and connectivity into the Microsoft global network is diverse and scales with the customer's requirements.

