Security is one of the critical areas when you are deploying applications on the cloud. Cloud providers have a set of best practices and tools available to make sure you secure your applications.
Virtual Network: helps create virtual boundaries and isolate resources from unwanted access. Setting up subnets further help sub-boundaries within a virtual network. Secured practices like Site-to-Site connectivity, and point-to-site connectivity using Express routes or Virtual Network gateways help connect between on-prem and on-cloud networks securely.
Network Security Groups (NSG): NSG helps create security rules which will ensure only desired traffic can be received or sent from virtual networks or subnets.
A security rule contains the following aspects
- name (unique)
- priority (lower the priority number, the more importance is given)
- source/ destination
- protocol
- direction (inbound/ outbound)
- port range
- action (allow/ deny)
You can associate an NSG to a virtual network, subnet, or Application Security Group.
Azure Firewall: One can set FQDN traffic rules, Network traffic rules using Azure Firewall. Network Security Group is more targeted towards Virtual Network or Subnets, whereas Firewall monitors traffic more broadly.
There are three kinds of rules that you can configure in the Azure Firewall. Remember, by default, Azure Firewall blocks all traffic, unless you enable it.
NAT rules: You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound traffic to your subnets. Each rule in the NAT rule collection is used to translate your firewall public IP and port to a private IP and port. Scenarios, where NAT rules might be helpful, are publishing SSH, RDP, or non-HTTP/S applications to the Internet. A NAT rule that routes traffic must be accompanied by a matching network rule to allow the traffic.
Network rules: Any non-HTTP/S traffic that will be allowed to flow through the firewall must have a network rule. For example, if resources in one subnet must communicate with resources in another subnet, then you would configure a network rule from the source to the destination
Application rules: Application rules define fully qualified domain names (FQDNs) that can be accessed from a subnet. For example, specify the Windows Update network traffic through the firewall
Application Security Group: ASGs enable you to configure network security as a natural extension of an application’s structure. That means, you can create a NSG and apply it to an ASG. The ASG can be applied to a VM or set of VMs (forming an application including web servers, application servers, and database servers).