Microsoft uses numerous security practices and technologies to help manage identity and access:
■ Azure role-based access control (Azure RBAC) is the authorization system built into Azure Resource Manager that controls access to Azure resources. Use Azure RBAC to grant access to cloud resources based on the role assigned to the user.
■ Integrated identity management (hybrid identity) lets you create a single user identity that is used for authentication and authorization across all of your resources, in on-premises datacenters and in the cloud.
■ Microsoft Authenticator is an app that provides two-factor authentication to add security to your online accounts. It works with both Azure AD and Microsoft accounts.
■ Multifactor authentication (MFA) is an authentication method used to gain access to either on-premises or cloud resources. It requires users to provide two or more verification factors before access is granted.
■ Password policy enforcement lets you configure password policies through Group Policy settings. Password policies let you set length and complexity requirements, the number of failed sign-in attempts before lockout, and more.
■ Token-based authentication is a protocol in which users verify their identity and, in return, receive a unique access token from Azure AD.
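The RBAC bullet above says access is granted "depending on the user's assigned role"; what that means in practice is scope inheritance, which the following added example models (it is illustration code, not Microsoft's implementation; the role definitions are simplified stand-ins for the built-in roles and every subscription, resource group and VM ID is constructed):

```python
"""Azure RBAC scope inheritance, modelled in plain Python (added example, not Microsoft code).

Assignments are made at a scope (management group, subscription, resource group or
resource) and apply to every child scope; effective rights are the union of all covering
assignments, and a deny assignment at any covering scope wins. Every ID is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ROLES = {  # role name -> permitted action patterns (simplified stand-ins)
    "Reader": {"*/read"},
    "Contributor": {"*"},  # the real role also excludes some actions via NotActions
    "VM Deleter": {"Microsoft.Compute/virtualMachines/delete"},  # constructed custom role
}

@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str          # ARM ID of the scope the role is assigned at
    deny: bool = False  # True models a deny assignment for the role's actions

def scope_covers(scope: str, resource_id: str) -> bool:
    """A scope covers a resource when it is the resource itself or one of its ancestors."""
    scope = scope.rstrip("/")
    return resource_id == scope or resource_id.startswith(scope + "/")

def action_matches(pattern: str, action: str) -> bool:
    """Action strings compare case-insensitively, with '*' as a wildcard."""
    return fnmatchcase(action.lower(), pattern.lower())

def is_allowed(assignments, principal: str, resource_id: str, action: str) -> bool:
    """Decide one (principal, resource, action) request against the assignment list."""
    matching = [a for a in assignments
                if a.principal == principal and scope_covers(a.scope, resource_id)
                and any(action_matches(p, action) for p in ROLES[a.role])]
    if any(a.deny for a in matching):  # a deny assignment beats every allow
        return False
    return bool(matching)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm2"
ASSIGNMENTS = [
    Assignment("alice", "Reader", SUB),                     # inherited by both resource groups
    Assignment("alice", "Contributor", RG_PROD),            # write rights in rg-prod only
    Assignment("alice", "VM Deleter", RG_PROD, deny=True),  # but never delete VMs there
    Assignment("bob", "Contributor", RG_DEV),
]
```

The subscription-level Reader assignment reaches both VMs, while Contributor on rg-prod grants nothing in rg-dev and the deny assignment overrides Contributor for the one action it names.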
Networking
This section will discuss some of the tools and features that are available for Azure network security. I will briefly discuss some of these tools and features and what each is capable of.
Application Gateway
Microsoft Azure Application Gateway is a web traffic load balancer that lets you manage traffic to your web applications. It offers an Application Delivery Controller (ADC) as a service for your application, providing numerous Layer 7 load-balancing capabilities.
Azure DNS
The Domain Name System (DNS) translates a website or service name to its IP address.
Azure DNS is a hosting service for DNS domains. It provides name resolution by using the Azure infrastructure. You can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services by hosting your domains in Azure.
Azure Firewall
Azure Firewall is a cloud-based network security service that protects your Azure VNet resources. It provides threat protection for your cloud workloads that are running in Azure.
Azure Firewall is offered in two SKUs: Standard and Premium.
Azure Load Balancer
Azure Load Balancer is a Layer 4 (TCP, UDP) load balancer that distributes incoming traffic among the healthy instances defined in a load-balanced set. You can configure Azure Load Balancer for the following:
■ Public load balancing, which load-balances incoming Internet traffic to VMs.
■ Internal load balancing, which load-balances traffic between VMs in a virtual network, between VMs in cloud services, or between on-premises computers and VMs in a cross-premises virtual network.
■ Port forwarding, which forwards external traffic to a specific virtual machine.
Azure Monitor Logs for Network Security Groups (NSGs)
You can enable the Event and Rule counter diagnostic log categories for NSGs. The Event category records which NSG rules have been applied to VMs and instance roles, identified by MAC address; the status of these rules is collected every 60 seconds. The Rule counter category records how many times each NSG rule is applied.
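As an added example of what the Rule counter category gives a defender (not Microsoft code): the parser below totals each rule's matched connections across the 60-second samples and flags deny rules whose counters climb, which is how a sudden burst of blocked inbound connections shows up. The records are constructed for the demo; the field names follow the NetworkSecurityGroupRuleCounter layout as I recall it (properties.ruleName, direction, type, matchedConnections, macAddress), which is an assumption to check against your own exported logs.

```python
"""Summarise NSG Rule-counter diagnostic log records (added example, not Microsoft code).

Records are JSON lines in the NetworkSecurityGroupRuleCounter layout as assumed
here; every record below is constructed for the demo, not captured output.
"""
import json
from collections import defaultdict

def _rec(t, rule, direction, kind, n):
    """Build one constructed Rule-counter record."""
    return json.dumps({
        "time": t, "category": "NetworkSecurityGroupRuleCounter",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB"
                      "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
        "properties": {"macAddress": "00-0D-3A-AA-BB-CC", "ruleName": rule,
                       "direction": direction, "type": kind, "matchedConnections": n}})

SAMPLE_LOG = "\n".join([
    _rec("2024-01-01T10:00:00Z", "AllowHTTPSInBound", "In", "allow", 120),
    _rec("2024-01-01T10:00:00Z", "DenyAllInBound", "In", "deny", 45),
    _rec("2024-01-01T10:01:00Z", "AllowHTTPSInBound", "In", "allow", 80),
    _rec("2024-01-01T10:01:00Z", "DenyAllInBound", "In", "deny", 310),
    _rec("2024-01-01T10:01:00Z", "AllowVnetOutBound", "Out", "allow", 15),
    # An Event-category record has a different schema, so the parser skips it.
    json.dumps({"time": "2024-01-01T10:01:00Z", "category": "NetworkSecurityGroupEvent",
                "properties": {"ruleName": "AllowHTTPSInBound", "macAddress": "00-0D-3A-AA-BB-CC"}}),
])

def summarise(log_text: str) -> dict:
    """Total matchedConnections per (ruleName, direction, type) over all samples."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") != "NetworkSecurityGroupRuleCounter":
            continue
        p = rec["properties"]
        totals[(p["ruleName"], p["direction"], p["type"])] += int(p["matchedConnections"])
    return dict(totals)

def noisy_deny_rules(totals: dict, threshold: int) -> list:
    """Deny rules whose total crossed the threshold: worth a look for scanning or a misconfigured client."""
    return sorted({rule for (rule, _direction, kind), n in totals.items()
                   if kind == "deny" and n >= threshold})
```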
Azure Private Link
Azure Private Link provides a private connection from a virtual network to Azure platform-as-a-service (PaaS), customer-owned, or Microsoft partner services. It secures the connection between endpoints in Azure by preventing data exposure to the public Internet. Traffic from your virtual network to the Azure service stays on the Azure backbone network.
Azure Virtual Network (VNet)
An Azure virtual network (VNet) is basically your network in the cloud. A VNet is similar to the on-premises network you would operate in your own datacenter. You control the IP address blocks, DNS settings, security policies, and route tables within this network.
ExpressRoute
ExpressRoute is an Azure service that extends your on-premises networks into the Microsoft cloud over a dedicated private WAN link. ExpressRoute connections do not go over the public Internet.
Internal DNS
By using the management portal or the network configuration file, you can manage the list of DNS servers that are used on your VNet. You can add up to 12 DNS servers for each VNet.
Microsoft Defender for Cloud
Microsoft Defender for Cloud analyzes the security state of your Azure resources for network security best practices. It will identify possible security vulnerabilities and create recommendations.
Network Access Control (NAC)
Network access control (NAC) is a security solution that limits connectivity to and from specific devices or subnets. It ensures that your VMs and services are only accessible to the users and devices that are allowed.
Network Security Group
A network security group (NSG) contains the security rules that allow or deny inbound/outbound network traffic to or from Azure resources. They are used to control traffic moving between subnets within a VNet and traffic between a VNet and the Internet.
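NSG rules are evaluated in ascending priority order and the first match decides the flow, which is why the default DenyAllInBound rule at priority 65500 catches everything a custom rule did not explicitly allow. The added example below models that evaluation (illustration code, not Microsoft's engine): the rules, VNet prefix and client addresses are constructed, and the service tags are simplified, with VirtualNetwork and AzureLoadBalancer mapped to fixed prefixes and Internet meaning any address outside the VNet.

```python
"""Azure NSG rule evaluation, modelled in plain Python (added example, not Microsoft code).

Rules apply in ascending priority order and the first match wins. The three inbound
default rules (priorities 65000-65500) mirror those every NSG carries. Service tags
are simplified: VirtualNetwork/AzureLoadBalancer are fixed constructed prefixes and
Internet means any address outside the VNet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # constructed VNet address space
TAGS = {"VirtualNetwork": VNET, "AzureLoadBalancer": ip_network("168.63.129.16/32")}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first; 100-4096 for custom rules
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, service tag or "*"
    dest_port: str  # single port, "lo-hi" range or "*"

def addr_matches(spec: str, addr: str) -> bool:
    ip = ip_address(addr)
    if spec == "*":
        return True
    if spec == "Internet":
        return ip not in VNET
    return ip in TAGS[spec] if spec in TAGS else ip in ip_network(spec)

def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction: str, src_ip: str, dst_port: int, protocol: str = "Tcp"):
    """Return (access, rule name) for the first rule that matches the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and addr_matches(r.source, src_ip) and port_matches(r.dest_port, dst_port)):
            return r.access, r.name
    return "Deny", "<no rule>"  # not reachable while the default rules are present

INBOUND_RULES = [
    Rule("AllowHTTPSInBound", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("AllowSSHFromBastion", 200, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "22"),
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]
```

With this rule set, HTTPS from the Internet is admitted by the custom rule at priority 100, SSH from anywhere but the bastion subnet falls through to DenyAllInBound, and traffic within the VNet is still admitted by the default AllowVnetInBound rule.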
Route Control and Forced Tunneling
Route Control is the ability to control the routing behavior on your VNet. You can configure user-defined routes that allow you to customize inbound and outbound paths to ensure the most secure route possible. Forced tunneling is a mechanism that you can use to make sure that your services are not allowed to initiate a connection to devices on the Internet. Forced tunneling is commonly used to force outbound traffic to the Internet to go through on-premises security proxies and firewalls.
Traffic Manager
Azure Traffic Manager is a DNS-based traffic load balancer that allows you to distribute traffic to your public-facing applications across the global Azure regions. Supported service endpoints include Azure VMs, web apps, and cloud services. Traffic Manager uses the Domain Name System (DNS) to direct client requests to the most appropriate endpoint depending on a traffic-routing method and the health of the endpoints.
VPN Gateway
A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. In order to send network traffic between your VNet and your on-premises site, you need to create a VPN gateway for your VNet.
Web Application Firewall (WAF)
Web Application Firewall (WAF) is an Azure Application Gateway feature that provides protection to web applications that use the application gateway for standard Application Delivery Control (ADC) functions. It helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
Operations
This section will discuss some of the tools that are available for security operations. I will briefly discuss some of these tools and features and what each is capable of.
Application Insights
Application Insights is an extension of Azure Monitor and provides Application Performance Monitoring (APM) features for web developers. APM tools are useful for monitoring applications from development, testing, all the way into production. With Application Insights, you can monitor your live web applications and detect performance issues. It has analytic tools that help you diagnose problems and create charts and tables.
Azure Advisor
Azure Advisor is an Azure service that will provide recommendations depending on the configuration of your deployed Azure services. It is a personalized cloud consultant that helps optimize your Azure deployments by analyzing your resource configurations and usage telemetry.
Azure Monitor
Azure Monitor collects, analyzes, and acts on telemetry data from your cloud and hybrid environments. You can use Azure Monitor to alert you of security-related events that are generated in your Azure Monitor logs. Azure Monitor logs let you see the metrics for your entire environment in one location. The logs are a useful tool in forensic and security analysis.
Azure Resource Manager
Azure Resource Manager is the Azure deployment and management service. It provides a management layer that allows you to create, update, and delete resources in your Azure account. You can set access controls, locks, and tags to secure your resources after deployment.