Network Security (Part 3 of 3)

By Ashwin Venugopal -

 


To read part 1 please click here
To read part 2 please click here

Azure Application Gateway

It is a web traffic load balancer that allows you to manage traffic to your web applications. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers. Application Gateway includes the following features:

  • Secure Socket Layer (SSL/TLS) termination- Application Gateway supports SSL/TLS termination at the gateway, after which the traffic typically flows unencrypted to the backend servers and also allows web servers to be unburdened from costly encryption and decryption overhead.

  • Autoscaling- Application Gateway Standard_v2 supports autoscaling and can scale up or down based on changing traffic load patterns and also removes the requirement to choose a deployment size or instance count during provisioning.

  • Zone redundancy- Standard_v2 Application Gateway can span multiple Availability Zones, offering better fault resiliency and removing the need to provision separate Application Gateways in each zone.

  • Static VIP- The application gateway Standard_v2 SKU supports static VIP type exclusively. This ensures that the VIP associated with the application gateway doesn't change even over the lifetime of the Application Gateway.

  • Web Application Firewall (WAF)- It is a service that offers centralized protection of your web applications from common exploits and vulnerabilities .

  • Ingress controller for AKS-  Application Gateway Ingress Controller (AGIC) allows you to use Application Gateway as the ingress for an Azure Kubernetes Service (AKS) cluster.

  • URL-based routing- URL Path Based Routing allows you to route traffic to back-end server pools based on URL Paths of the request. One of the scenarios is to route requests for different content types to different pool.

  • Multiple-site hosting- It enables you to configure more than one web site on the same application gateway instance and allows you to configure more efficient topology for your deployments by adding up to 100 web sites to one Application Gateway.

  • Redirection- A common scenario for many web applications is to support automatic HTTP or HTTPS redirection to ensure all communication between an application and its users occurs over an encrypted path.

  • Session affinity- The cookie-based session affinity feature is useful when you want to keep a user session on the same server.

  • Websocket and HTTP/2 traffic- Application Gateway provides native support for the WebSocket and HTTP/2 protocols.There's no user-configurable setting to selectively enable or disable WebSocket support.

  • Connection draining- It helps you achieve graceful removal of backend pool memebers during planned service updates.

  • Custom error pages- Application Gateway allows you to create custom error pages instead of displaying default error pages and you can also use your own branding and layout using custom error page.

  • Rewrite HTTP headers- They allow the client and server to pass additional information with the request or the response.

  • Sizing- Application Gateway Standard_v2 can be configured for autoscaling or fixed size deployments. This SKU doesn't offer different instance sizes.

Most deployments that use v2 SKU take around 6 minutes to provision. However, it can take longer depending on the type of deployment.

Web Application Firewall (WAF)

WAF offers a centralized protection of your web applications from common exploits and vulnerabilities. SQL injection and cross-site scripting are among the most common attacks and preventing such attacks in application code is very challenging. However, a centralized Web Application Firewall helps make security management much simpler and also gives application administrators better assurance of protection against threats as well as intrusions.

A WAF solution can react to a security threat faster by centrally patching a known vulnerability, instead of securing each individual web application and it can be easily deployed with Azure Application Gateway, Azure Front Door as well as Azure Content Delivery Network (which is currently under public preview) service from Microsoft.

Azure Front Door

Azure Front Door enables you to define, manage, and monitor the global routing for your web traffic by optimizing for the best performance and instant global failover for high availability. Front Door works at Layer 7 or HTTP/HTTPS layer. It provides a range of traffic-routing methods as well as backend health monitoring options to suit different application needs and automatic failover models. However, like Traffic Manager, Front Door is resilient to failures, including the failure of an entire Azure region.

Following features are included with Front Door:

  • Accelerate Application performance- By using split TCP-based anycast protocol, Front Door ensures that your end users promptly connect to the nearest Front Door POP (Point Of Presence).

  • Increase application availability with smart health probes- Front Door delivers high availability for your critical applications using its smart health probes, monitoring your backend for both latency and availability while providing instant automatic failover when a backend goes down.

  • URL-based routing- URL Path Based Routing allows you to route traffic to backend pools based on URL paths of the request.

  • Multiple-site hosting- It enables you to configure more than one website on the same Front Door configuration.

  • Session affinity- The cookie-based session affinity feature is useful when you want to keep a user session on the same application backend.

  • TLS termination- Front Door supports TLS termination at the edge that is, individual users can set up a TLS connection with Front Door environments instead of establishing it over long haul connections with the application backend.

  • Custom domains and certificate management- When you use Front Door to deliver content, a custom domain is necessary if you would like your own domain name to be visible in your Front Door URL.

  • Application layer security- Azure Front Door allows you to author custom Web Application Firewall (WAF) rules for access control to protect your HTTP/HTTPS workload from exploitation based on client IP addresses, country code, and http parameters.

  • URL redirection- With the strong industry push on supporting only secure communication, web applications are expected to automatically redirect any HTTP traffic to HTTPS. 

  • URL rewrite- Front Door supports URL rewrite by allowing you to configure an optional Custom Forwarding Path to use when constructing the request to forward to the backend.

  • Protocol support- IPv6 and HTTP/2 traffic- Azure Front Door natively supports end-to-end IPv6 connectivity and HTTP/2 protocol. 

Its overall strategy ensures that requests from your end users always reach the closest Front Door environment and that even if the preferred Front Door environment is unhealthy then traffic automatically moves to the next closest environment.

User Defined Routes and Network Virtual Appliances

User Defined Routes (UDR)

A UDR is a custom route in Azure that overrides Azure's default system routes or adds routes to a subnet's route table. Each subnet can have zero or one route table associated with it but if you create a route table and associate it to a subnet, then  Azure will either combines its routes with the default routes that Azure adds to a subnet or overrides those default routes.

Network Virtual Appliances (NVA)

You can deploy an NVA to a perimeter network in many architectures which helps you to provide a secure network boundary by checking all inbound as well as outbound network traffic and then passing only the traffic that meets the network security rules. However, if the NVA fails, then no other path will exist for network traffic, and all the back-end subnets will become unavailable. 

Hence, to make an NVA highly available, you should deploy more than one NVA into an availability set. NVAs help provide layer 7, application layer, security.

ExpressRoute and ExpressRoute Direct  

ExpressRoute

It is a direct, private connection from your WAN (not over the public Internet) to Microsoft Services, including Azure while configuring a Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not part of your network, but that are connected through ExpressRoute. 

Note that this configuration requires two virtual network gateways for the same virtual network, one using the gateway type 'Vpn', and the other using the gateway type 'ExpressRoute'.

ExpreeRoute encryption

  • IPsec over ExpressRoute for Virtual WAN- Azure Virtual WAN uses an Internet Protocol Security (IPsec) Internet Key Exchange (IKE) VPN connection from your on-premises network to Azure over the private peering of an Azure ExpressRoute circuit. This technique can provide an encrypted transit between the on-premises networks and Azure virtual networks over ExpressRoute. without going over the public internet or using public IP addresses. 

  • Point-to-point encryption by MACsec- MACsec is an IEEE standard that encrypts data at the Media Access Control (MAC) level or Network Layer 2. You can use it to encrypt the physical links between your network devices and Microsoft's network devices when you connect to Microsoft via ExpressRoute Direct.

  • End-to-end encryption by IPsec and MACsec- IPsec is an IETF standard and encrypts data at the Internet Protocol (IP) level or Netweork layer 3. While MACsec secures the physical connections between you and the Microsoft, IPsec secures the end-to-end connection between you and your virtual networks on Azure. You can also enable them independently.  

     ExpressRoute Direct

It gives you the ability to connect directly into Microsoft's global, network at peering locations strategically distributed across the world. Key feature that ExpressRoute Direct provides include, but aren't limited to:
  • Massive Data Ingestion into services like Storage and Cosmos DB.
  • Physical isolation for industries that are regulated and requires dedicated as well as isolated connectivity like- Banking, Government, and Retail.
  • Granular control of circuit distribution based on business unit. 

ExpressRoute Direct supports massive data ingestion scenarios into Azure storage and other big data services. Its infrastructure is redundant and connectivity into the Microsoft Global Network is diverse and scales accordingly with the customer's requirements.


To read part 1 please click here
To read part 2 please click here












Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more