Last updated - January 12, 2024
In this blog post, we will walk you through basic to advanced scenarios for Azure network security. Ready to become an Azure NetSec ninja? Dive right in!
Check back here routinely, as we will keep updating this blog post with new content as it becomes available.
Anything in here that could be improved or may be missing? Let us know in the comments below, we’re looking forward to hearing from you.
| Latest Highlight: Public Preview: Support for DRS and Mask sensitive data on Application Gateway WAF |
|
Enhancements have been made to Web Application Firewall on Application Gateway with the addition of the Default Rule Set (DRS) 2.1 and sensitive data protection. DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and extended to include additional proprietary protections rules developed by Microsoft Threat Intelligence team. The Web Application Firewall sensitive data protection log scrubbing tool (preview) will help remove sensitive data from WAF logs by scrubbing the sensitive data from the logs and replacing it with ******* to ensure this information remains hidden. Check out the blogpost above for more details on these two new features.
|
Knowledge Check
Take the Azure Network Security Ninja Knowledge Test to confirm your Azure Network Security Ninja Skills.
- Once you have completed the training, take the knowledge check here.
- If you score more than 80% in the knowledge check, request your certificate here. If you achieved less than 80%, please review the training material again and re-take the assessment.
1 The Basics
1.1 Introduction to network security concepts
This module introduces general concepts of network and web application security.
1.1.1 Network security in Azure
Be familiar with network security concepts and ways you can achieve a secure network deployment in the Azure cloud.
- Network security and containment in Azure
- Secure and govern workloads with network level segmentation
- Best practices for network security
1.1.2 Web application protection in Azure
Be familiar with web application protection concepts and ways you can achieve a secure web application deployment in the Azure cloud.
1.2 Introduction to Azure network security products
1.2.1 Azure DDoS Protection
1.2.1.1 Azure DDoS Protection - Network Protection
Azure DDoS Network Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.
For more information, check the Azure DDoS Protection documentation.
MS Learn Training Material: Azure DDoS Protection (34 minutes)
This MS Learn module will show you how to guard your Azure services from a denial-of-service attack using Azure DDoS Protection.
1.2.1.2 Azure DDoS Protection - IP Protection
IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade, and cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensure your application is always protected. With IP Protection, you now have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates seamlessly with other Azure services for real-time alerts, metrics, and insights to strengthen your security posture.
1.2.2 Azure Firewall and Azure Firewall Manager
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
For more information, check the Azure Firewall documentation.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
For more information, check the Azure Firewall Manager documentation.
MS Learn Training Material: Azure Firewall and Azure Firewall Manager (48 minutes)
This MS Learn module will describe how Azure Firewall protects Azure Virtual Network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager.
1.2.3 Azure Web Application Firewall (WAF)
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. You can deploy WAF on Azure Application Gateway or WAF on Azure Front Door.
For more information, check the Azure Web Application Firewall (WAF) documentation.
MS Learn Training Material: Azure Web Application Firewall (WAF) (40 minutes)
This MS Learn module will show how Azure Web Application Firewall protects Azure web applications from common attacks, including its features, how it’s deployed, and its common use cases.
2 Architecture and Deployments
2.1 Standalone Deployments
2.1.1 Azure DDoS Protection
When deploying Azure DDoS Protection, keep in mind that public IPs in ARM-based VNETs are currently the only type of protected resource. Public IPs that are part of PaaS services (multitenant) are not supported for Azure DDoS Network Protection SKU at this time.
The main steps to deploy Azure DDoS Network Protection are:
- Create a DDoS protection plan
- Attach vNETs to the DDoS protection plan
- Configure DDoS logging
- Enable diagnostic settings on Public IP Address resources
Do you prefer videos? Check out the Getting started with Azure Distributed Denial of Service (DDoS) Protection (60 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
2.1.2 Azure Firewall
You can choose to deploy Azure Firewall Basic SKU, Azure Firewall Standard SKU or Azure Firewall Premium SKU. Check the documentation below to get an understanding of their feature differences:
- Axure Firewall Basic - Features
- Azure Firewall Standard - Features
- Azure Firewall Premium - Features
It is also possible to upgrade or downgrade between the Azure Firewall Standard and Azure Firewall Premium SKUs. This upgrade/downgrade feature allows you to easily and efficiently move between these two SKUs without service downtime, with a single click of a button.
- Azure Firewall Single-Click Upgrade/Downgrade - Azure Firewall easy upgrade/downgrade.
- You can also check out this blogpost - Announcing Azure Firewall Upgrade/Downgrade General Availability
During your planning stages, it’s also a good idea to refer to the known issues for these products. Being aware of these known issues will save you time and stress when deploying your Azure Firewall.
Deploy and configure Azure Firewall using the Azure portal.
Azure Firewall logs and metrics
- Azure Firewall logs and metrics
- New metric: Latency Probe Metric (Preview) - This metric measures the overall or average latency of Azure Firewall - Azure Firewall Metrics
- Monitor Azure Firewall logs and metrics.
- Overview of Azure Firewall logs and metrics
- New Logs: Top Flow Logs (Preview) and Flow Trace Logs (Preview) - Enable Top flows and Flow trace logs in Azure Firewall
- You can also check out this blogpost - Logging and Metrics Enhancements to Azure Firewall now in Preview.
- Structured Firewall Logs - This new Azure Firewall log type enables the use of resource-specific tables instead of the existing AzureDiagnostic table. The structured logs contain more detailed view of firewall events and provide more metadata such as time of the event and the name of the Azure Firewall instance.
- Azure Structured Firewall Logs
- You can also check out this blogpost - Exploring the New Resource Specific Structured Logging in Azure Firewall
- Azure Firewall Resource Health - This enables one to view the health status of Azure Firewall and address service problems that may affect the Azure Firewall resource. This will allow teams to receive proactive notifications regarding potential health degradations and recommended mitigation actions for each health event type.
- Azure Resource Health overview - Azure Service Health
- You can also check out this blogpost - Azure Firewall: New Monitoring and Logging Updates
- Built-in Firewall Workbook - The Azure Firewall Workbook provides a dynamic ability for Azure Firewall data analysis. You can use it to create rich visual reports within the Azure portal. You can tap into multiple Firewalls deployed across Azure and combine them into unified interactive experiences. This workbook is now available within the Azure Firewall instance, providing an easy and convenient way to track your Azure Firewall statistics.
- Monitor logs using Azure Firewall Workbook
- You can also check out this blogpost - Azure Firewall: New Monitoring and Logging Updates
Integrate Azure Firewall with Azure Standard Load Balancer
Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments
- Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments
- Restrict egress traffic in Azure Kubernetes Service (AKS)
Azure Firewall DNS settings
- Azure Firewall DNS settings
- Enabling DNS proxy in your Azure Firewall will allow you to use FQDN filtering in network rules
- Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy
Azure Firewall in forced tunneling mode
Azure Firewall Explicit Proxy (Preview)
Azure Firewall can be configured in proxy mode to enable the sending application direct traffic to the firewall's private IP address without the use of a User Defined Route (UDR).
- Azure Firewall Explicit proxy (preview)
- You can also check out this blogpost - Demystifying Explicit proxy: Enhancing Security with Azure Firewall.
Azure Firewall Protection for O365
Azure Firewall integration with O365 enables the ability to secure and manage traffic destined to O365 endpoints in an efficient and simplified manner. This is achieved through the use of Azure Firewall built-in service tags and FQDN tags which group the required IPv4 addresses by Office365 service and category. The service tags and FQDN tags can be used in the Firewall Network rules or Application rules to secure traffic destined to the O365 endpoint or IP address.
- You can also check out this blogpost - Protect Office365 and Windows365 with Azure Firewall.
Do you prefer videos? Check out the Manage application and network connectivity with Azure Firewall (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
You can also check out this Azure Firewall Deep Dive on YouTube (82 minutes). It covers almost everything you need to know!
2.1.3 Azure Web Application Firewall (WAF)
Azure Web Application Firewall DRS and CRS Rules and Rule Groups
The Azure Web Application Firewall consists of the Core Rule Sets (CRS) or Default Rules Sets (DRS) which are rules that protect web applications from common vulnerabilities and exploits. These rulesets are managed by Azure making them easy to deploy to protect against a common set of security threats.
The Application Gateway WAF consists of rules based on the OWASP CRS 3.2, 3.1 or 3.0. Additionally, the Application Gateway WAF now supports the Default Ruleset (DRS) 2.1. The Default Ruleset (DRS) is an Azure managed ruleset that is baselined from the OWASP CRS rules and includes the Microsoft Threat Intelligence (MSTIC) rules that are written in partnership with the Microsoft Intelligence team.
For more information, check out: Web Application Firewall DRS and CRS rule groups and rules.
Azure Web Application Firewall Sensitive Data Protection (Preview)
The sensitive data protection for Application Gateway WAF is a new feature that masks sensitive data (such as passwords, IP addresses) that can be read within the WAF logs. Normally, when a WAF rule is triggered, the WAF logs the details of the request in clear text. To protect against the exposure of sensitive data, the Web Application Firewall's (WAF's) Log Scrubbing tool (preview) assists to remove sensitive data from the WAF logs by using a rules engine that allows one to build custom rules to identify specific portions of a request that contain sensitive information. Once identified, the tool scrubs that information from your logs and replaces it with *******.
- For more information check out - Azure Web Application Firewall Sensitive Data Protection
- You can also check out this blogpost - Public Preview: Support for DRS and Mask sensitive data on Application Gateway WAF
Check out the below resources on how to create and use a WAF policy:
- Create a WAF Policy on Azure Application Gateway
- Create a WAF Policy on Azure Front Door
- Configure WAF logging for an Application Gateway deployment
- Configure WAF logging for a Front Door deployment
- Azure Web Application Firewall: WAF config versus WAF policy
2.2 Advanced Deployments
2.2.1 On-Prem Hybrid
- Deploy and configure Azure Firewall in a hybrid network via Azure Portal or via PowerShell
- Deploy network virtual appliances (NVAs) for high availability in Azure
- Implement a secure hybrid
2.2.2 vWAN (Secured Virtual Hub)
- Introduction to Azure Virtual WAN
- What are the Azure Firewall Manager architecture options?
- Azure Virtual WAN FAQs
- How does the virtual hub in a virtual WAN select the best path for a route from multiple hubs?
- Configure Azure Firewall in a VWAN hub
- Convert a VWAN to a Secure Hub
- Secure your VirtualHub with Azure Firewall Manager
- Migrate to Virtual WAN
2.2.3 vWAN (Secured Virtual Hub) with 3rd party SECCaaS
- VWAN hub partners
- Deploy a security partner provider
- Deploy Check Point CloudGuard Connect as a trusted Azure security partner
2.2.4 Hub and Spoke
- Hub and spoke network topology
- Hub-spoke network topology in with Azure Firewall
- Using Azure Firewall as a Network Virtual Appliance (NVA)
2.2.5 Forced Tunneling with 3rd party NVAs
2.2.6 Multi-product combination in Azure
- Combine Azure Firewall with other Network security products.
- Determine how best to combine App Gateway and Azure FrontDoor
- Zero-trust network for web applications with Azure Firewall and Application Gateway - Azure Architec...
2.2.7 TLS Inspection on Azure Firewall
- Enable TLS inspection in Azure firewall
- Learn about URL filtering and Web Categories
- Certificate Management Overview for Azure Firewall Premium TLS Inspection
Do you prefer videos? Check out the Content Inspection Using TLS Termination with Azure Firewall Premium (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
2.2.8 Per-Site or Per-URI WAF policies on Azure Application Gateway
Do you prefer videos? Check out the Using Azure WAF Policies to Protect Your Web Application at Different Association Levels (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
3 Operations
3.1 Centralized Management
3.1.1 Azure Firewall Manager and Firewall Policy
Do you prefer videos? Check out the Getting started with Azure Firewall Manager (35 minutes) webinar. You can also quickly browse through the contents of the Azure Firewall Manager presentation deck.
- Azure Firewall Manager now also manages WAF Policy and DDoS Protection plans. This will assist organizations to easily manage and control their network security policy deployments. Check out What is Azure Firewall Manager? | Microsoft Learn for more information on this.
3.1.2 Web Application Firewall (WAF) Policy
3.2 Optimizing
3.2.1 Azure Firewall Policy Analytics
Azure Firewall Policy Analytics provides deeper insights, centralized visibility and greater granular control to Azure Firewall rules and policies. Policy Analytics enables one to easily and efficiently fine-tune Azure Firewall rules and policies ensuring enhanced security and compliance.
- Azure Firewall Policy Analytics.
- Do you prefer videos? Check out Azure Firewall Policy Analytics (50 minutes) webinar video.
- You can also check out this blog - Exploring Azure Firewall Policy Analytics.
3.2.2 Web Application Firewall (WAF) tuning
- Troubleshooting and tuning for Azure WAF for Application Gateway
- Troubleshooting and tuning for Azure WAF for Front Door
Do you prefer videos? Check out the Boosting your Azure Web Application (WAF) deployment (45 minutes) webinar and Azure WAF Tuning for Web Applications (webinar). You can also quickly browse through the contents of the presentation deck.
3.3 Governance
3.3.1 Built-in Azure Policies for Azure DDoS Network Protection
- Azure DDoS Network Protection should be enabled.
- Public IP addresses should have resource logs enabled for Azure DDoS Network Protection
- Virtual networks should be protected by Azure DDoS Network Protection
3.3.2 Built-in Azure Policies for Azure Web Application Firewall (WAF)
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service.
- Web Application Firewall (WAF) should use the specified mode for Application Gateway
- Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service
3.3.3 Restrict creation of Azure DDoS Network Protection plans with Azure Policy
If you are looking to prevent unplanned or unapproved costs associated with the creation of multiple DDoS plans within the same tenant, check out this Azure Policy template. This policy denies the creation of Azure DDoS Network Protection plans on any subscriptions, except for the ones defined as allowed.
3.4 Responding
3.4.1 Azure Web Application Firewall (WAF)
This Logic App Playbook for Sentinel will add the source IP address passed from the Sentinel Incident to a custom WAF rule blocking the IP. For a more comprehensive description of this use case, check our blog post Integrating Azure Web Application Firewall with Azure Sentinel.
3.4.2 Azure DDoS Network Protection
During an active access, Azure DDoS Network Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack and post-attack analysis.
This DDoS Mitigation Alert Enrichment template will alert administrators of a DDoS event, while adding essential information in the body of the email for a more detailed notification.
4 Integrations
Using Azure Sentinel with Azure Web Application Firewall
You can integrate Azure WAF with Azure Sentinel for security information event management (SIEM). By doing this, you can use Azure Sentinel’s security analytics, playbooks and workbooks with your WAF’s log data.
In this blog post, we cover in further detail how to configure the log connector, query logs, generate incidents, and automate responses to incidents.
Using Azure Sentinel Solutions for Azure Firewall
The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content. This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.
In this blog post, we cover in further detail how automate detections and response for Azure Firewall events using Azure Sentinel.
5 Hands-on Labs
Network Security Demo lab: Azure pre-configured test deployment kit for POC is available in this repository. You can use this lab to validate Proof of Concepts for the different Network security products. You can find more information on set up and demo in the NetSec POC blogpost
WAF Attack test lab: Set up a Web Application Firewall lab environment to verify how you can identify, detect and protect against suspicious activities in your environment. This blogpost provides steps to protect against potential attacks and you can deploy the template from GitHub.
Interactive Guide: If you cannot set up a lab environment, you can still get a hands-on experience with our Azure network security interactive guide. In this guide, we will show you how you can protect your cloud infrastructure with Azure network security tools.
6 Resource References
Register for upcoming webinars or watch recordings of past webinars in our Microsoft Security Community!
Check out and be sure to contribute with our Azure Network Security samples in GitHub!
Check out our Azure Network Security blog posts in our Tech Community!
Provide feedback and ideas about Azure products and features in our Azure Feedback portal!
