Network security
Protect assets by placing controls on network traffic originating in Azure, between on-premises and Azure-hosted resources, and traffic to and from Azure. If security measures aren't in place, attackers can gain access, for instance, by scanning across public IP ranges. Proper network security controls can provide defense-in-depth elements that help detect, contain, and stop attackers who gain entry into your cloud deployments.
Checklist
How have you secured the network of your workload?
- Segment your network footprint and create secure communication paths between segments. Align the network segmentation with overall enterprise segmentation strategy.
- Design security controls that identify and allow or deny traffic, access requests, and application communication between segments.
- Protect all public endpoints with Azure Front Door, Application Gateway, Azure Firewall, and Azure DDoS Protection.
- Mitigate DDoS attacks with DDoS Standard protection for critical workloads.
- Prevent direct internet access of virtual machines.
- Control network traffic between subnets (east-west) and application tiers (north-south).
- Protect from data exfiltration attacks through a defense-in-depth approach with controls at each layer.
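To show how the north-south and east-west controls in this checklist compose, here is an added example (not from this page or from Azure's own code) that evaluates a small rule set with Azure NSG-style priority semantics: lowest priority number wins, and the built-in allow for intra-VNet traffic applies unless an explicit rule overrides it. The subnet address plan, the rule set, and the simplified meaning of the Internet tag are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Constructed address plan (assumed values, not from the page): an Application Gateway
# subnet in front of a web tier, and a data tier that only the web tier may reach.
VNET = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {
    "AppGateway": ipaddress.ip_network("10.0.0.0/24"),
    "Web": ipaddress.ip_network("10.0.1.0/24"),
    "Data": ipaddress.ip_network("10.0.2.0/24"),
}

@dataclass
class Rule:
    priority: int        # lower number wins, as with Azure NSG rules
    action: str          # "Allow" or "Deny"
    src: str             # subnet name, "VirtualNetwork", "Internet" or "Any"
    dst: str
    port: Optional[int]  # None matches any destination port

def _matches(selector: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if selector in SUBNETS:
        return addr in SUBNETS[selector]
    # Simplification: "Internet" is any address outside the VNet address space
    return {"Any": True, "VirtualNetwork": addr in VNET, "Internet": addr not in VNET}[selector]

# Default inbound rules modelled on an NSG: intra-VNet traffic is allowed unless a
# higher-priority rule says otherwise, and whatever is left over is denied.
DEFAULT_RULES = [
    Rule(65000, "Allow", "VirtualNetwork", "VirtualNetwork", None),
    Rule(65500, "Deny", "Any", "Any", None),
]

# Segmentation policy for the checklist items: only the gateway reaches the web tier
# (north-south), only the web tier reaches the data tier on its service port (east-west),
# and no VM is reachable directly from the internet.
RULES = [
    Rule(100, "Allow", "AppGateway", "Web", 443),
    Rule(110, "Allow", "Web", "Data", 1433),
    Rule(120, "Deny", "VirtualNetwork", "Data", None),  # overrides the default VNet allow
    Rule(130, "Deny", "Internet", "VirtualNetwork", None),
]

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Return the action of the first matching rule, checked in ascending priority order."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip) and r.port in (None, port):
            return r.action
    return "Deny"  # not reached: the catch-all default always matches
```

Note that with an empty custom rule list, a web-tier VM reaching the data tier on port 22 is allowed by the default intra-VNet rule, which is why segmentation needs an explicit deny per protected tier rather than reliance on defaults.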
Azure security benchmark
The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure.
The questions in this section are aligned to the Network Security section of the Azure Security Benchmark.
Azure services
Reference architecture
Here are some reference architectures related to network security:
- Hub-spoke network topology in Azure
- Deploy highly available NVAs
- Windows N-tier application on Azure with SQL Server
- Azure Kubernetes Service (AKS) production baseline
Next steps
We recommend applying as many of the best practices as early as possible, and then working to retrofit any gaps over time as you mature your security program.
Related links
Combine network controls with application, identity, and other technical control types. This approach is effective in preventing, detecting, and responding to threats outside the networks you control. For more information, see these articles:
Ensure that resource grouping and administrative privileges align to the segmentation model. For more information, see Administrative account security.
Go back to the main article: Security