Securely Publishing Azure Services

1. Micro-Segmentation of Services& Datain Azure © Cloud Mechanix www.cloudmechanix.co Aidan Finn, MVP Cloud Mechanix & Innofactor Norway

2. • 12 year MVP – currently Microsoft Azure (3) • Previously Hyper-V and SCCM • Onwer of Cloud Mechanix • Custom-written Azure training • Principal Consultant for Innofactor Norway • Azure infrastructure – networking & security • Working as consultant/sys admin since 1996 • Windows Server, Hyper-V, System Center, desktop managment, and Azure • http://aidanfinn.com • http://innofactor.com • http://www.cloudmechanix.com • @joe_elway Aidan Finn Introduction © Cloud Mechanix www.cloudmechanix.co

3. Infrastructure andPlatform © Cloud Mechanix www.cloudmechanix.co

4. • Networks: • Connection to/from Internet • Between components of your service • Resource include (but not limited to): • Virtual machines • App Services • Azure Kubernetes Service • Logic Apps • And everything else © Cloud Mechanix www.cloudmechanix.co There IsAlwaysA Network It’s The Cloud!

5. • Control: • Inbound flows • Flows between components of your service • Data access • Outbound flows • Log & report: • Flows • Classification of threats • Alert • Security threats © Cloud Mechanix www.cloudmechanix.co Network Security Taking control

6. • Usual data center approach: • “Open up everything inside the network” • It’s easy for admins … and malware and attackers • Micro-Segmentation • Breaking up a network into smaller secure zones • Right down to the workload • Yes, I know “secure zone” is a special term in Norway! © Cloud Mechanix www.cloudmechanix.co Essential TermOf The Day Micro-segmentation

7. BackToBasics– Virtual Network (VNet) © Cloud Mechanix www.cloudmechanix.co

8. • I have never created a VLAN • Never! • But I am the Azure networking guy at work • Who struggles with Azure networking? • The network admin • Who ends up being best at Azure networking? • The person who forgets/doesn’t know on- prem networking YourOn-PremisesNetwork Knowledge To keep or not to keep, that is the question © Cloud Mechanix www.cloudmechanix.co

9. • NSX • An abstraction of physical network • Overlapping address ranges are possible (if not routed) • Data transmission is encapsulated on a physical network • A memory transfer between physical hosts • There is no Default gateway • Handled in the fabric: • Routing • Load balancing © Cloud Mechanix www.cloudmechanix.co Virtual Network Software Defined

10. • Yes: • VNets are needed for virtual machines • The useful: • VNet-integrated PaaS resources • The hidden: • Platform services are often built using VMs under-the- covers • VMs require VNets! © Cloud Mechanix www.cloudmechanix.co Virtual Network Scenarios Not just VMs/IaaS

11. • A threat against business of all sizes • Attackers: • State-sponsored • Professional criminals • Amateurs: rented botnets! © Cloud Mechanix www.cloudmechanix.co Distributed Denial of Service(DDoS)Attacks Our first security feature

12. • Every VNet has DDoS Basic • You pay (a lot) for Standard • Enabled on VNets with public IP • It takes 2 weeks for the machine • Don’t wait until you are attacked! addresses learning to “learn” your network AzureDDoSProtectionOptions Choosing a tier https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection- overview © Cloud Mechanix www.cloudmechanix.co

13. Public IPAddresses © Cloud Mechanix www.cloudmechanix.co

14. • Azure services tend to be public by default • A public IP address (PIP) • Limit your attack surface: • Centralise PIPs • Limit creation by Azure Policy • Force everything through a secure network core © Cloud Mechanix www.cloudmechanix.co Long-Story-Short How many on-premises services have their own public IP?

15. Network Security Groups(NSGs) © Cloud Mechanix www.cloudmechanix.co

16. • An NSG resource associated with a subnet • Best practice: 1 NSG : 1 Subnet • Contains inbound and outbound rules • Inbound default rules: • Allow everything from VNet in, allow Azure load balancer in, deny everything else • Outbound default rules: • Allow everything out © Cloud Mechanix www.cloudmechanix.co BasicLayer-4 Security A free form of allow/deny Layer-4 firewall

17. • Priority • Order that rules are applied: low (1) to high (4096) • Name • User friendly label • Port • TCP/UDP port • Protocol • TCP, UCP, ICMP, Any • Source • IP address, range, CIDR, service tag, application security group • Destination • IP address, range, CIDR, service tag, application security group • Action • Allow | Deny © Cloud Mechanix www.cloudmechanix.co RuleComponents Basic firewall components

18. • Source/Destination IP addresses can be unfriendly: • Complex subnets with many Azure virtual machines • Azure services • Service Tags • Abstracts the IP addresses of Azure Services, e.g. AzureLoadBalancer, GatewayManager, VirtualNetwork, Internet • Application Security Groups • A label, associated with NICs of Azure virtual machines • Can be used to more-easily micro-segment a single subnet © Cloud Mechanix www.cloudmechanix.co UserFriendly Labels Abstraction of many IPv4 addresses

19. • It’s not just the virtual network! • It’s the current virtual PLUS: • Every other connected virtual network • Peering • ExpressRoute • VPN • So the default rule of AllowVnetInbound breaks micro- segmentation © Cloud Mechanix www.cloudmechanix.co TheVirtualNetwork Service Tag Understanding this is important

20. Building Up ASimple NSGRuleset Note the DenyEverythingElse rule VNet-0 10.2.0.0/1 6 WebServerSubn et 10.0.0.0/24 SqlServerSubn et 10.0.2.0/24 Priority Name Port Protocol Source Destination Action 100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow 200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow 300 DenyEverythingElse Any Any Any Any Deny © Cloud Mechanix www.cloudmechanix.co

21. Building Up ASimple NSGRuleset Note the use of Application Security Groups & Service Tags VNet-0 10.2.0.0/1 6 WebServerSubn et 10.0.0.0/24 SqlServerSubn et 10.0.2.0/24 Priority Name Port Protocol Source Destination Action 100 AllowSQLFromWeb 1433 TCP WebServersAsg SqlServersAsg Allow 200 AllowLoadBalancer Any Any AzureLoadBalancer SqlServersAsg Allow 300 DenyEverythingElse Any Any Any Any Deny Priority Name Port Protocol Source Destination Action 100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow 200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow 300 DenyEverythingElse Any Any Any Any Deny © Cloud Mechanix www.cloudmechanix.co

22. • Real-world experience: • There’s always more than just the basic rules • Get comfortable with IPv4 subnetting • Migration scenarios: • Log Analytics Service Map • Troubleshooting • NSG Traffic Analytics © Cloud Mechanix www.cloudmechanix.co But There’s Likely Much More! My examples were simple illustrations Priority Name Port Protocol Source Destination Action 100 AllowHttpAndHttps 80, 443 TCP Internet WebServersAsg Allow 200 AllowDnsResponses 53 UDP DnsServersAsg WebServersAsg Allow 300 AllowMonitoring 5001 TCP MonitoringAsg WebServersAsg Allow 400 CiCd … … … … … … … … … … … … 1200 AllowLoadBalancer Any Any AzureLoadBalancer WebServersAsg Allow 1300 DenyEverythingElse Any Any Any Any Deny

23. BackToBasics– Routing © Cloud Mechanix www.cloudmechanix.co

24. • In the physical data centre • Cables control the connections • In the cloud: • Software-defined networks • We have no access to cables! • Packets go from A-Z directly • Azure VNets are flat & open • We control flows using routing • This is the most important thing you will learn today! TheImportance of Routing What controls the flow of packets between devices? © Cloud Mechanix www.cloudmechanix.co

25. • Configuring routing in a guest OS has no influence • The fabric takes over when the packet hits the NIC • Routing is only done in the fabric • Per-subnet route tables are always present • Route table: • Destination • Next hop instruction • Route chosen: • Longest path first (LPF) • Route type © Cloud Mechanix www.cloudmechanix.co How Routing Works Forget what you know about on-premises routing

26. • Example …. • You want to get to 10.0.1.4 • Two routes exist: • 10.0.0.0/8 … 16-bit match • 10.0.1.0/24 … 32-bit match • The chosen route is 10.0.1.0/24 © Cloud Mechanix www.cloudmechanix.co Longest PathFirst (LPF) First rule of Azure routing

27. 1. Default routes 2. BGP 3. User-defined routes © Cloud Mechanix www.cloudmechanix.co Route Type Second Rule of Azure routing

28. • Simply there for basic functionality • Added when you enabled Azure features © Cloud Mechanix www.cloudmechanix.co Default / SystemRoutes Routes that exist automatically

29. VNet-0 10.0.0.0/16 Example Simple Default Routes Subnet-1 10.0.1.0/24 Subnet-2 10.0.2.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet © Cloud Mechanix www.cloudmechanix.co

30. VNet-0 10.0.0.0/1 6 Example Simple Default Routes | VNet Peering Subnet-1 10.0.1.0/2 4 Subnet-2 10.0.2.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet VNet-1 10.1.0.0/1 6 Subnet-A 10.1.1.0/24 Subnet-B 10.1.2.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet © Cloud Mechanix www.cloudmechanix.co

31. VNet-0 10.0.0.0/1 6 Example– Simple Default Routes| VNet Peering Subnet-1 10.0.1.0/2 4 Subnet-2 10.0.2.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 0.0.0.0 Internet Default © Cloud Active 2020 10.1.0.0/16 Peering Default Active 10.1.0.0/16 Peering www.cloudmechanix.co VNet-1 10.1.0.0/1 6 Subnet-A 10.1.1.0/24 Subnet-B 10.1.2.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering

32. • BGP is used when there is site-to-site networking • ExpressRoute • VPN • Ways: • Propagate routes from to/from on-premises • ExpressRoute: required • VPN: Optional • Propagate routes from the GatewaySubnet to other subnets/VNets • Even if you don’t enable BGP in S2S VPN © Cloud Mechanix www.cloudmechanix.co BGPRoutes Bi-directional site-to-site routing

33. • A list of routes is maintained in a route table • Routes are propagated to a neighbour(s) • That neighbour propagates routes to it’s neighbour(s) • The network learns how to get to any remote destination • Possibly over many hops © Cloud Mechanix www.cloudmechanix.co BGPSummary Basic explainer

34. BGP& Site-to-Site BGP routes propagate from on-premises to GatewaySubnet VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN 172.16.0.0/1 2 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet BGP Active 172.16.0.0/12 VirtualNetworkGateway © Cloud Mechanix www.cloudmechanix.co

35. www.cloud echanix.c BGP& Site-to-Site BGP routes propagate from GatewaySubnet to all connected subnets VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN 172.16.0.0/1 2 VNet-1 10.1.0.0/1 6 Subnet-1 10.1.1.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway Sourc e Stat e Address Prefixes Next Hop Type Next Hop IP Source State Address Prefixes Next Hop Type Next Hop IP Address VNet-2 10.2.0.0/1 6 Subnet-1 Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Address Default Active 10.1.0.0/16 Peering Default Active 10.0.0.0/16 Virtual Network Default Active 10.2.0.0/16 Peering Default Active 0.0.0.0 Internet BGP © Cloud Active Mech 172.16.0.0/12 nix VirtualNetworkGateway Default BGP Active Active 10.0.0.0/16 172.16.0.0/12 Peering VirtualNetworkGateway VNet PeeringUse Remote Gateway Gateway Transit

36. • A BGP route that matches a Default Route beats the Default Route • Scenario: • A Default route exists for 10.1.0.0/16 • A BGP route to 10.1.0.0/16 propagates to the subnet • The Default route is marked by Azure as Invalid (disabled) • The BGP route is chosen instead © Cloud Mechanix www.cloudmechanix.co BGPBeatsDefault Applying the second rule of routing (part 1)

37. • Sometimes you need force traffic via a particular destination • This is always the case when you use a firewall … ah- ha! • Third-party firewall appliance • Azure Firewall • And also when you use third-party routers/VPN appliances © Cloud Mechanix www.cloudmechanix.co User-Defined Routes (UDRs) Cabling our Azure devices

38. • Associated with a subnet • Tip: 1 subnet per Route Table only! • Common mistake: • People think the route table contains the only routes in a subnet • Don’t forget about Default and BGP routes hidden in the fabric! © Cloud Mechanix www.cloudmechanix.co Route Tables An Azure resource that contains UDRs

39. • Name: A human friendly label • Address Prefix: CIDR destination • Next Hop Type: • Virtual Network Gateway • Virtual Network • Internet • Virtual Appliance * • None (black hole) • * Next Hop IP Address • * Virtual Appliance IPv4 address © Cloud Mechanix www.cloudmechanix.co UDRComponents Pretty simple

40. Inbound FlowsVia Firewall Force traffic from on-premises in via firewall VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN 172.16.0.0/1 2 VNet-1 10.1.0.0/1 6 Subnet-1 10.1.1.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway AzureFirewallSubn et 10.0.1.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Inactive 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 0.0.0.0/0 Internet 10.0.1. 4 © Cloud Mechanix www.cloudmechanix.co

41. Outbound FlowsVia Firewall Common mistake for outbound flows – remember LPF? VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN 172.16.0.0/1 2 VNet-1 10.1.0.0/1 6 Subnet-1 10.1.1.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Inactive 0.0.0.0 Internet Default Active 10.0.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 0.0.0.0/0 Virtual Appliance 10.0.1.4 AzureFirewallSubn et 10.0.1.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Inactive 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 0.0.0.0/0 Internet 10.0.1. 4 © Cloud Mechanix www.cloudmechanix.co

42. • A UDR route that matches a BGP/Default Route beats the BGP/Default Route • Scenario: • A Default route exists for 10.1.0.0/16 • A BGP route to 10.1.0.0/16 propagates to the subnet • You add a UDR to 10.1.0.0/16 • The Default route is marked by Azure as Invalid (disabled) • The BGP route is marked by Azure as Invalid (disabled) • The UDR is chosen instead © Cloud Mechanix www.cloudmechanix.co UDRBeatsBGP&Default Applying the second rule of routing (part 2)

43. • A BGP route that matches a Default Route beats the Default Route • Scenario: • A Default route exists for 10.1.0.0/16 • A BGP route to 10.1.0.0/16 propagates to the subnet • You add a UDR to 0.0.0.0/0 • Send a packet to 10.1.1.4 • The Default route is marked by Azure as Invalid (disabled) • The BGP route is a 16-bit match • The UDR is a 0-bit match • The BGP route is chosen! © Cloud Mechanix www.cloudmechanix.co But Remember – TheMost Accurate RouteWins! Rule 1 and Rule 2 together

44. VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 VNet-1 10.1.0.0/1 6 Subnet-1 10.1.1.0/2 4 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 10.1.0.0/16 Virtual Appliance 10.0.1.4 AzureFirewallSubn et 10.0.1.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Inactive 0.0.0.0 Internet Default Inactive 10.1.0.0/16 Peering BGP Active 172.16.0.0/12 VirtualNetworkGateway User Active 0.0.0.0/0 Internet 10.0.1. 4 Outbound FlowsVia Firewall Disabling BGP propagation in a spoke Route Table Route Table > Disable Source BGP Propaga State tion Addres s Prefixe s Ne xt Hop Type Next Hop IP Address Default Active 10.0.0.0/16 V irtual Network 172.16.0.0/12 ExpressRoute/VPN Public IP Address Default Inactive 0.0.0.0 I nternet Default Active 10.0.0.0/16 P e ering User Active 0.0.0.0/0 V irtual Appliance 10.0.1.4 © Cloud Mechanix www.cloudmechanix.co

45. • Today: • Only possible via the NIC of an allocated (running) VM • Desired: • See it via any subnet • Tips: 1. LEARN how routing really works (see previous) 2. Try it out 3. Draw how it works 4. Put a “canary” subnet/VM into a complex VNet so you can see effective routes • VMs cannot be added to GatewaySubnet or AzureFirewallSubnet © Cloud Mechanix www.cloudmechanix.co Viewing Effective Route Tables How do you see the actual route table?

46. • ExpressRoute • View/export routes propagated from on-premises • Circuit > Peerings > Private Peering • VPN • Non-BGP: See Local Network Gateway • BGP: Query Log Analytics … AzureDiagnostics | where OperationName == "BgpRouteUpdate" © Cloud Mechanix www.cloudmechanix.co ExpressRoute& VPN See the routes associated with site-to-site networking

47. Firewalls © Cloud Mechanix www.cloudmechanix.co

48. • Ideally – yes! • Central point of: • Network security • Routing • Can offer more than just simple “Allow TCP From X To Y” • Centrally control outbound and east-west flows • FQDN support for SQL and Web © Cloud Mechanix www.cloudmechanix.co DoI Need AFirewall? Great question!

49. Platform VersusAppliance I prefer the platform option – Azure Firewall © Cloud Mechanix www.cloudmechanix.co Feature Appliance Azure Firewall Type Virtual machines Platform Complexity High None High availability None to challenging Availability Set/Zones Scale-Out 1-2 Automatic Maintenance/Upgrades You (Guest OS) Microsoft (Platform) Layer-7 None-Little Little (see Azure WAFv2) IDS/IPS Maybe Azure Security Center/Sentinel Documentation Mostly awful Good Max throughput Varies 30 Gbps (more with Support call)

50. • Architecture • Single subnet / Private IP • 1-100 Public IPv4 (SNAT and DNAT scale-out) • Availability sets/zones • Features: • NAT Rules • DNAT from Internet • Network Rules • Layer-4 protection at central location • Application Rules • FQDN HTTP/S and SQL Server traffic • FQDN Tags • Threat Intelligence • Machine learning based alerting/blocking • Logging • Storage account, Event Hub, Log Analytics © Cloud Mechanix www.cloudmechanix.co Azure Firewall A platform-based firewall

51. • Network • A single resource • Managed via the resource • Secure Virtual Hub (Preview) • A hub (hub and spoke) • Firewall and Azure WAN hub • Managed via hub and Azure Firewall Policy • AFP not in the Network SKU © Cloud Mechanix www.cloudmechanix.co AzureFirewall SKUS Ways to deploy the same resource type

52. • It depends – consult whatever documentation the vendor has • Caution: some major vendors sell you ticking timebombs! • Beware of appliance clusters that don’t have 2 Azure load balancers • And don’t use any brand that expects you to program Azure UDRs via their appliance © Cloud Mechanix www.cloudmechanix.co Third-Party Firewall ApplianceArchitecture If you insist on unnecessary work, scalability & complexity issues

53. Simple Firewall Appliance Architecture Single firewall appliance VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 FirewallSubn et 10.0.1.0/24 Public IP Address 10.0.1.4 VM: Typically D4v2 © Cloud Mechanix www.cloudmechanix.co

54. www.cloudmechanix.coN©oteC:lAoduditdionMalefircehwaalnlmixan2a0ge2m0ent subnet typically Split-Subnet Firewall Appliance Architecture Is this really required in The Cloud? VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 FirewallExternalSubn et 10.0.1.0/24 Public IP Address FirewallInternalSubn et 10.0.2.0/24 10.0.1.4 10.0.2.4 VM: Typically D4v2

55. © Cloud Mechanix www.cloudmechanix.co • GatewaySubnet • Address Prefix : Spoke CIDR • Next Hop Type: Virtual Appliance • Next Hop IP Address: External NIC private IP address • Spoke Subnets • Address Prefix : 0.0.0.0/0 • Next Hop Type: Virtual Appliance • Next Hop IP Address: Internal NIC private IP address UDRsFor ThisScenario Still required … and maybe dangerous, depending on your appliance

56. www.cloudmechanix.coN©oteC:lAoduditdionMalefircehwaalnlmixan2a0ge2m0ent subnet typically HAFirewall Appliance Architecture Assuming your firewall appliance supports this VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 FirewallExternalSubn et 10.0.1.0/24 BasicAzure Load Balancer Public IP Address FirewallInternalSubn et 10.0.2.0/24 Standard AzureLoad Balancer 10.0.1.4 10.0.2.4 VM: Typically D4v2

57. • GatewaySubnet • Address Prefix : Spoke CIDR • Next Hop Type: Virtual Appliance • Next Hop IP Address: External Load Balancer Private IP address • Spoke Subnets • Address Prefix : 0.0.0.0/0 • Next Hop Type: Virtual Appliance • Next Hop IP Address: Internal Load Balancer Private IP address © Cloud Mechanix www.cloudmechanix.co UDRsFor ThisScenario Beware of HA firewalls that must manage the UDRs themselves

58. • Most vendors will add management subnet/NICs • Not load balanced • Some vendors require Azure Service Bus for configuration replication • There is an option for another subnet with load balanced NICs: • Internet traffic • ExpressRoute/VPN traffic © Cloud Mechanix www.cloudmechanix.co Variations OnThis Scenario Consult your vendor … assuming they even know

59. Layer-7WebApplication Firewall (WAF) © Cloud Mechanix www.cloudmechanix.co

60. • Specialised firewall for HTTP/S traffic • Think of it as a reverse proxy with firewall features for HTTP/S servers • Different to your firewall • Focused on simple allow/deny traffic • WAF focus: • Attacks on HTTP/S servers © Cloud Mechanix www.cloudmechanix.co What is aWAF? Web Application Firewall

61. Options VNet, Microsoft or partner, and location © Cloud Mechanix www.cloudmechanix.co Type Vendor Location Third-party WAF Third-Party Virtual Network Third-party cloud service Third-Party 1+ locations Azure Application Gateway WAF Microsoft Virtual Network Azure Frontdoor WAF Microsoft 170+ edge data centres

62. • Azure Frontdoor: • Located at every Microsoft edge data centre • Reduce latency between global customers and your service • Keeping the threat further from your assets • SSL Offload • End-to-end encryption • WAF Policy: • OWASP 3.1 rules, SQL injection, malformed requests, etc • Extended rules customisation • Bot protection rule (preview) • Geo-match filtering (preview) © Cloud Mechanix www.cloudmechanix.co AzureFront Door WAFFeatures Deployed in Microsoft’s 170+ edge data centres

63. • Application Gateway: • Availability sets/zones • SSL Offload • SSL storage in Azure Key Vault – delegated access via User Managed ID • End-to-end encryption • WAF: • OWASP 3.1 rules, SQL injection, malformed requests, etc • Extends DDoS Standard Tier to Layer-7 • Optional management via WAF Policy resource • Extended rules customisation • Bot protection rule (preview) • Geomatch filtering (limited region preview) © Cloud Mechanix www.cloudmechanix.co AzureApplication Gateway WAFv2Features Focus in this presentation

64. • Where will you place the WAF? • Centrally: • Managed by security experts • Requires process for change requests • With each application • Flexible for Devs/Operators • Security handled by the wrong people! • Typically not in-front or behind the network firewall • Isolated flow to protect against DDoS • Protected at Layer-4 by NSG © Cloud Mechanix www.cloudmechanix.co WAFPlacement Question you need to ask yourself

65. NSG,WAF,and Firewall Name of service resolves to WAF VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN172.16.0.0/1 2 AzureFirewallSubn et 10.0.1.0/24 10.0.1. 4 Public IP Address InternalWafSubne t 10.0.2.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address User Active 10.19.3.0/24 Virtual Appliance 10.0.1.4 User Active 10.0.2.0/24 Virtual Network © Cloud Mechanix www.cloudmechanix.co Priority Name Port Protocol Source Destination Action 100 AllowHealthProbe 65200-65535 TCP GatewayManager Any Allow 200 AllowWeb 80, 443 TCP 172.16.0.0/12 10.0.2.0/24 Allow 300 AllowLoadBalancer Any Any AzureLoadBalancer 10.0.2.0/24 Allow 400 DenyEverythingElse Any Any Any Any Deny A, internal.joeelway.com = 10.0.2.4 A, sql.joeelway.com = 10.19.3.8

66. NSG,WAF,and Firewall Name of service resolv VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN172.16.0.0/1 2 AzureFirewallSubn et 10.0.1.0/24 10.0.1. 4 Public IP Address InternalWafSubnet 10.0.2.0/24 Source State Address Prefixes Next Hop Type Next Hop IP Address User Active 10.19.3.0/24 Virtual Appliance 10.0.1.4 User Active 10.0.2.0/24 Virtual Network © Cloud Mechanix www.cloudmechanix.co Priority Name Port Protocol Source Destination Action 100 AllowHealthProbe 65200-65535 TCP GatewayManager Any Allow 200 AllowWeb 80, 443 TCP 172.16.0.0/12 10.0.2.0/24 Allow 300 AllowLoadBalancer Any Any AzureLoadBalancer 10.0.2.0/24 Allow 400 DenyEverythingElse Any Any Any Any Deny A, internal.joeelway.com = 10.0.2.4 A, sql.joeelway.com = 10.19.3.8

68. How AVNet ResourceTalksToAzure Services The long way there VNet-1 10.1.0.0/1 6 Subnet- 1 10.1.1.0/2 4 App Service (ASE or VNet Integration) AzureSQL Storage(Azure) Public Azure Backbone © Cloud Mechanix www.cloudmechanix.co

69. • Enabled per-subnet • A trick of routing • Kind of the same idea as ExpressRoute Azure Public Peering • Uses Default routes • Redirects traffic to certain Azure services • Direct path: not public, lower latency • Extend network security to PaaS (see Access Rules) © Cloud Mechanix www.cloudmechanix.co Service Endpoints Routing shortcut to Azure services

70. How AVNet ResourceTalksToAzure Services The short way there VNet-1 10.1.0.0/1 6 Subnet- 1 10.1.1.0/2 4 App Service (ASE or VNet Integration) AzureSQL Storage(Azure) Public Azure Backbone Private Azure Backbone Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active [Microsoft.SQL] VirtualNetworkServiceEndpoint Default Active [Microsoft.Storage] VirtualNetworkServiceEndpoint © Cloud Mechanix www.cloudmechanix.co

72. • PaaS resources run on a VNet • We cannot see that VNet • But we can enable “firewall rules” on the PaaS resources: • App Service access rules • Azure SQL firewall rules • And more • Often used with Service Endpoints © Cloud Mechanix www.cloudmechanix.co Platform ServicesHidden Networking Azure PaaS is built on many Azure resources that you can use

73. How AVNet ResourceTalksToAzure Services Control inbound connections at the PaaS instance VNet-1 10.1.0.0/1 6 Subnet- 1 10.1.1.0/2 4 App Service (ASE or VNet Integration) AzureSQL Storage(Azure) Public Azure Backbone Private Azure Backbone Source State Address Prefixes Next Hop Type Next Hop IP Address Default Active 10.0.0.0/16 Virtual Network Default Active 0.0.0.0 Internet Default Active [Microsoft.SQL] VirtualNetworkServiceEndpoint Firewall Rule: Allow 10.1.1.0/24 © Cloud Mechanix www.cloudmechanix.co

75. • PaaS is the cloud of services in The Cloud • PaaS is natively public: • Your internal application is on The Internet • The Data Lake is publicly addressable • That database is addressable by everyone © Cloud Mechanix www.cloudmechanix.co Challengeof Platform-as-a-Service(PaaS) The default setting is public

76. • VNet integration • Expensive SKUs • Access Policies • Basic Layer-4 filters • Service Endpoints • Maps an entire service, not an instance • WAF with Service Endpoints, Access Policies, and basic VNet connectivity • Doesn’t control all network flows • Hybrid connectivity agents • Only protects PaaS outbound connections to private services • ExpressRoute Microsoft Peering with Access Policies • Maps an entire service, not an instance • ExpressRoute is less popular thanks to cost and SD-WAN (Azure WAN) option © Cloud Mechanix www.cloudmechanix.co PaaSPrivacyOptions So many options

77. Private PaaS(PartlyGA) Private Link (the service) GA, Private Endpoints (the method) preview Virtual Network (10.0.0.0/16) AzurePaaS Internet Virtual Network (10.0.0.0/16) AzurePaaS InternetSERVICE ENDPOINT PRIVATE LINK – PRIVATE ENDPOINT VNettoPaaSserviceviatheMicrosoftbackbone DestinationisstillapublicIPaddress.NSGopenedto Service Tags NeedtopassNVA/Firewallfor exfiltrationprotection VNetPaasviatheMicrosoftbackbone PaaSresourcemappedtoPrivateIPAddress.NSGs restrictedtoVNetspace In-built dataexfiltration protection PRIVATE © Cloud Mechanix www.cloudmechanix.co

78. • From Azure VMs to Azure PaaS resources • Secure connection over VPN, SD-WAN, ExpressRoute via VNet Gateway • Services shared via Standard tier Azure Load Balancer: • Enable overlapping IP address spaces • Privately share IaaS/PaaS as SaaS with customers © Cloud Mechanix www.cloudmechanix.co Scenarios Interesting future

79. • Private Link • The fabric service that allows mapping • Private Endpoint • The IP address for your PaaS resource in your VNet • Private Endpoint maps a specific resource • Not just an instance like Service Endpoint or ExpressRoute Microsoft Peering • Provides protection against data exfiltration © Cloud Mechanix www.cloudmechanix.co Points ToNote How it’s different to Service Endpoints

80. • Limited preview with mixed support of: • Resources • Regions • No support for NSG rules • Still can use NSG Flow Logs • VNet Peering • Requires 1+ VMs on the Private Endpoint VNet • Private Endpoint not addressable by some resource types: • App Service Plan, Azure Container Instance, Azure NetApp Files, Azure Dedicated HSM© Cloud Mechanix www.cloudmechanix.co Preview Limitations Documentation still not updated for GA

82. • Features: • Compliance reporting • Recommendations • Monitoring • An Azure IDS that runs across the subscription • Not focused on just 1 virtual appliance! • Be careful: • Some recommendations are not based on product best practices • Example: NSG should be per-subnet, NOT per-NIC • Example 2: Be careful of enabling Storage Account firewall feature © Cloud Mechanix www.cloudmechanix.co Security Center Security monitoring

83. • Log Analytics • Send diagnostic & metrics data to a single Workspace • Add solutions – some from “OMS” gallery in Marketplace, some from GitHub • Add saved queries • Build workbooks for reporting • NSG Flows • NSG Flow Logs: Send data to GPv2 storage account • Traffic Analytics: Forward blob data to Log Analytics © Cloud Mechanix www.cloudmechanix.co Monitoring It’s not managed if it’s not monitored

84. • Azure Sentinel • Features: • Log Analytics Workspace solution • Connect to Azure & third-party resources • Threat hunting • Automated responses • Alerting © Cloud Mechanix www.cloudmechanix.co Security Alerting Security Information & Event Management (SIEM)

85. • Azure Firewall • Traces in Log Analytics … AzureDiagnostics | where Category == "AzureFirewallNetworkRule" • Service Map to identify network requirements pre-migration • NSGs • Traffic Analytics … AzureNetworkAnalytics_CL | where SubType_s == 'FlowLog' • Routing • Effective Routes • VM NICs only • Truly understand routing to map it mentally/on-paper • Traffic Analytics • I don’t find Network Watcher to be useful • WAF • Traces in Log Analytics … AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" • Most common problem is false positive SQL injection attack detection © Cloud Mechanix www.cloudmechanix.co Troubleshooting Some tips

87. • Hard on the outside, gooey on the inside • Firewall at the edge • No port/VLAN protection • Windows/Linux firewall disabled • Direct remote access to machines • How do attacks happen? • Find a weak spot (human) to bypass the firewall • Spread across open network in minutes • Used to be 24 hours for complete compromise © Cloud Mechanix www.cloudmechanix.co TheTypicalOn-PremisesServer Network Everyone knew better but …

88. • Not a new concept • Implement network protections throughout the entire network • Not just the edge • Easier to do in the cloud: • Deployment via infrastructure-as-code (IaC) • CI/CD via Azure DevOps, GitHub, etc • Enforcement via Azure Policy © Cloud Mechanix www.cloudmechanix.co Micro-Segmentation The way we knew it should be done

89. SimpleExample At the resource level VNet-0 10.0.0.0/1 6 GatewaySubn et 10.0.0.0/24 ExpressRoute/V PN VNet-1 10.1.0.0/1 6 FrontSubnet 10.1.1.0/24 VNet-2 10.2.0.0/1 6 FrontSubnet 10.2.1.0/24 VNet Peering AzureFirewallSubn et 10.0.1.0/24 InternalWafSubnet 10.0.2.0/24 BackSubnet 10.1.2.0/24 BackSubnet 10.2.2.0/24 NSG NSG NSG NSG NSG WAFv2 VM VM Window s Firewall Linux Firewall AppSvc Azure SQL Access Rules Server Firewall Microsoft.Web Service Endpoint © Cloud Mechanix www.cloudmechanix.co

90. Micro-Segmentation In ASubnet In more depth VNet-1 10.1.0.0/1 6 FrontSubn et 10.1.1.0/24 BackSubn et 10.1.2.0/2 4 Web VMs App VMs Logic VMs Batch VMs SQL VMs NSG NSG Web- ASG App- ASG Logic- ASG Batch- ASG SQL- ASG Priority Name Port Protocol Source Destination Action 100 AllowWebToApp 443 TCP Web-Asg App-Asg Allow 200 AllowAppToLogic 443 TCP App-Asg Logic-Asg Allow 300 AllowLogicToBatch 443 TCP Logic-Asg Batch-Asg Allow 400 AllowLogicToSql 1433 TCP Logic-Asg SQL-Asg Allow 4096 DenyEverythingElse Any Any Any Any Deny © Cloud Mechanix www.cloudmechanix.co

92. • There’s a lot to learn • Take the deck (when it’s shared) and read through the stuff I skipped • Read lots! • Play with the tech in a lab • Don’t assume something works • Try the positive and negative tests © Cloud Mechanix www.cloudmechanix.co Summary We could have used 1-2 days on this topic!

93. • http://aidanfinn.com • http://www.cloudmechanix.co m • http://www.innofactor.com • @joe_elway Thank You! Aidan Finn, Cloud Mechanix © Cloud Mechanix www.cloudmechanix.co

Securely Publishing Azure Services

Esté a ler uma amostra.

Confira estes a seguir

Securely Publishing Azure Services

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Securely Publishing Azure Services (20)

Mais de BizTalk360 (20)

Mais recentes (20)