Hi there. Welcome to “Networking Security”. In this lecture, you are going to learn about several key offerings designed to help you secure your networks in Microsoft Azure. We’re going to cover Network Security Groups, Azure VPN Gateway, Azure ExpressRoute, and Azure Firewall. We’ll also look at Web Application Firewall, Azure DDoS Protection, and Virtual Network Service Endpoints.

Network Security Groups are used to filter network traffic to and from Azure resources that are connected to an Azure virtual network. When you create a network security group, several default security rules are created. These rules, in turn, allow or deny inbound network traffic to, or outbound network traffic from, many kinds of Azure resources. In addition to the default rules that are created, you can create as many custom rules as you need to control traffic and secure your resources. While you can’t delete the default rules, you can create rules that override them.

To learn about which Azure resources can have network security groups associated to them, visit the URL that you see on your screen.

https://docs.microsoft.com/azure/virtual-network/virtual-network-for-azure-services

An VPN gateway is a virtual network gateway that Azure uses to send and receive encrypted traffic between an Azure virtual network and an on-prem network. This traffic is sent over the public Internet. VPN gateways can also be used to send encrypted traffic between Azure virtual networks over the Microsoft network. 

I should mention that, although a virtual network can have only one VPN gateway, you can create multiple connections to a single VPN gateway. When you do this, all of the VPN tunnels that are created will share the available gateway bandwidth.

When a virtual network gateway is deployed, Azure provisions two or more specialized VMs under the covers. These specialized VMs, which are not accessible, are deployed to a special subnet that you create. This special subnet is called the gateway subnet. The specialized VMs that get deployed contain routing tables and they run specific gateway services. 

You can deploy VPN gateways in Azure Availability Zones so they can benefit from the resiliency, scalability, and higher availability that Availability Zones provide. 

Once you’ve deployed a VPN gateway, you can create an IPsec/IKE VPN connection between the VPN gateway and another endpoint, which could be another VPN gateway (to form a VNet-to-VNet connection), or an on-prem VPN device (to create a Site-to-Site connection). You could also create a Point-to-Site VPN connection that allows you or your users to connect to the virtual network from a remote location.

To learn more about VPN gateways in Azure, visit the URL you see on your screen.

https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways

Another, more secure and robust, way to connect you on-prem network to Azure is to use ExpressRoute. Using ExpressRoute lets you connect your on-prem network to the Microsoft cloud via a private connection rather than the public internet. This private connection is facilitated by a connectivity provider. You can use ExpressRoute to establish connectivity to Microsoft cloud services, like Microsoft Azure and Office 365.

The diagram on your screen shows what a typical ExpressRoute configuration looks like.

ExpressRoute offers several benefits, including layer 3 connectivity between your on-prem network and the Microsoft Cloud. This connectivity can be from an any-to-any network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.

ExpressRoute also provides connectivity to Microsoft’s cloud services across all regions in the geopolitical region. Leveraging the ExpressRoute premium add-on, you can get global connectivity to Microsoft services across all regions.

Other benefits of ExpressRoute include dynamic BGP routing between your network and Microsoft and built-in redundancy.

Visit the URL on your screen to read more about ExpressRoute.

https://docs.microsoft.com/azure/expressroute/expressroute-faqs

Web Application Firewall (or WAF) is included with the Application Gateway service and with the Front Door service. Because web applications are targeted more and more frequently with malicious attacks, WAF is used to provide centralized protection of those web applications. 

While such attacks CAN be prevented within the application code, this strategy can be difficult to implement and maintain. That being the case, leveraging a centralized web application firewall can help simplify security management, because such a solution can more quickly react to security threats by centrally patching whatever known vulnerability exists, instead of securing each individual web application.

To learn more about Web Application Firewall, visit the URL that you see on your screen.

https://docs.microsoft.com/azure/web-application-firewall/overview

Azure Firewall is another cloud-based network security service available in Azure. This managed service is used to protect Azure Virtual Network resources. This fully stateful firewall as a service comes with built-in high availability and also offers unrestricted cloud scalability.

Azure Firewall allows you to centrally create, enforce, and log application policies as well as network connectivity policies across multiple subscriptions and virtual networks. Because it uses a static public IP address to represent all of your underlying virtual network resources, Azure Firewall allows outside firewalls to easily identify traffic that comes from your virtual network. 

The tight integration of Azure Firewall with Azure Monitor allows for robust logging and analytics as well.

A distributed denial of service attack, or DDoS attack, can wreak havoc on an internet-facing application. It’s a real concern for organizations who are considering moving their workloads to the cloud because DDoS attacks can be leveled at any internet-facing endpoint.

To help mitigate these threats, you can leverage Azure DDoS Protection. By combining this service with solid application design, you can protect yourself from dangerous DDoS attacks

Azure DDoS protection comes in two tiers: Basic and Standard.

The Basic Azure DDoS tier is automatically enabled as part of the Azure platform. It provides always-on traffic monitoring as well as real-time mitigation of many common network-level attacks. 

The Standard tier comes with more bells and whistles. It offers additional mitigation capabilities over and above what the Basic tier provides. 

Enabling DDoS Protection Standard is easy and doing so requires no changes to your applications. The protection policies offered in the standard tier are tuned through dedicated traffic monitoring and even leverage machine learning algorithms. 

To use Azure DDoS Protection, you apply protection policies to the public IP addresses that are associated with resources deployed in virtual networks. These resources include things like Azure Load Balancer, Azure Application Gateway, and even Azure Service Fabric instances.

Azure DDoS Protection Standard can mitigate volumetric attacks, protocol attacks, and application-layer attacks.

To learn more about Azure DDoS Protection and detailed information on the attacks that it can mitigate, visit the URL that you see on your screen:

https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview

The last topic I want to cover here is Virtual Network Service Endpoints. Service endpoints are used to extend the private address space of an Azure virtual network. They are also used to extend the identity of a virtual network to Azure services over a direct connection. 

By leveraging service endpoints, you can lock down your Azure service resources to only your virtual networks. Traffic originating from your virtual network and headed toward your Azure service never leaves the Microsoft Azure backbone network.

Service endpoints provide improved security for Azure resources as well as optimal routing of Azure service traffic from your virtual network because they allow you to route service traffic directly from your virtual network to your service on the Microsoft Azure backbone network. Because the traffic remains on the Azure backbone network, you can audit and monitor your outbound Internet traffic from your virtual networks, through forced-tunneling - without impacting service traffic. 

To learn more about Virtual Network Service Endpoints, visit the URL that you see on your screen:

https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview