Erwin Staal from 4DotNet will share experience on “Network security with Azure PaaS services“.
He will share some of the things he learned while implementing network security at his current client. We will start with a short introduction to the basics of networking in Azure. He will present to you some best practices and tell you about some of the limitations you need to know before getting started. We will talk about how you for example can lock-down your API or SQL-server. To do that we will use relatively new Azure offerings like Service endpoints, Private endpoints, and VPN connections.
Erwin is a .NET Software Engineer and DevOps Consultant at 4DotNet. He’s helping clients with ASP.NET Core, Docker and Kubernetes and as a DevOps Consultant he helps companies with the implementation of DevOps and Continuous Delivery.
5. @erwin_staal
VNetbasics
• RFC1918 Subnets
• 10.0.0.0 – 10.255.255.255 (10/8 prefix)
• 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
• Smallest: /29 -> 3 hosts
• 5 IP-addresses are reserved by Azure
• x.x.x.0: Network address
• x.x.x.1: Reserved by Azure for the default gateway
• x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
• x.x.x.255: Network broadcast address
6. @erwin_staal
• Access Azure PaaS Services over a private endpoint
• No public IP anymore on PaaS service
• Traffic remains on the Microsoft network
• Integration with on-premises and peered networks
PrivateLink
7. @erwin_staal
PrivateLink
Azure Storage All public regions GA
Azure Data Lake Storage Gen2 All public regions GA
Azure SQL Database All public regions GA
Azure Synapse Analytics All public regions GA
Azure Cosmos DB All public regions GA
Azure Database for PostgreSQL - Single server All public regions GA
Azure Database for MySQL All public regions GA
Azure Database for MariaDB All public regions GA
Azure Key Vault All public regions GA
Azure Kubernetes Service - Kubernetes API All public regions GA
Azure Search All public regions GA
Azure Container Registry All public regions GA
Azure App Configuration All public regions Preview
Azure Backup All public regions GA
Azure Event Hub All public regions GA
Azure Service Bus All public regions GA
Azure Relay All public regions Preview
Azure Event Grid All public regions GA
Azure Web Apps All public regions Preview
8. @erwin_staal
• Lets your App Service join a vnet(subnet) for egress
• Allows you to access resources in your vnet in the same region
• Require a Standard or PremiumV2 App Service Plan
• You can block outbound traffic with an NSG
• App Settings for additional config
AppServiceVNetIntegration
9. @erwin_staal
• Provides secure and direct connection to Azure services
• Traffic from your VNet to the Azure service remains on the Microsoft network
• Lock down access to e.g. a Web App to specific VNet
• Public IP is still being used
ServiceEndpoint
10. @erwin_staal
• Azure Storage
• Azure SQL Database
• Azure SQL Data Warehouse
• Azure Database for PostgreSQL server
• Azure Database for MySQL server
• Azure Database for MariaDB
• Azure Cosmos DB
• Azure Key Vault
• Azure Service Bus
• Azure Event Hubs
• Azure Data Lake Store Gen 1
• Azure App Service
• Public Preview: Azure Container Registry
ServiceEndpoint
11. @erwin_staal
• Define a priority ordered allow/deny list that controls network access to your app
• IP addresses or Azure Virtual Network subnets
AccessRetrictiononWebApps
12. @erwin_staal
• Virtual network gateway used to send encrypted traffic between
• Azure virtual network and an on-premises location
• Azure virtual networks over the Microsoft network
• Site-to-Site and Multi-Site
• VNet-to-VNet connections
• ExpressRoute
• Point-to-Site VPN
• Certificate
• Azure AD
• RADIUS
• OpenVPN
VNetVPNGateway