This eBook is based on AZURE AZ 500 STUDY GUIDE-2, which has been collected from different sources and people. For more information about this eBook, kindly write to mamtadevi775304@gmail.com. I will be happy to help you.
Copyright 2023 by Mamta Devi
This eBook is a guide and serves as the next part of the first guide. The previous part, AZURE AZ 500 STUDY GUIDE-1, has already been published. This book has been written on the advice of many experts and sources who have a good command of cloud computing, networking and security. They are listed at the end of this book.
All images used in this book are taken from the lab created by the experts. All rights reserved, including the right to reproduce this book or portions thereof in any form whatsoever. For any query, reach out to the author by email.
In this section, we will delve into the realm of advanced network security to safeguard your company's invaluable computer and information assets stored within the company network. Our primary objective is to make it exceptionally challenging for unauthorized individuals to gain access to company resources. This entails securing communications and implementing comprehensive network security within the Azure environment.
Ensuring the Security of Hybrid Network Connectivity
Securing hybrid networks involves comprehending the intricacies of network setups where multiple distinct network types coexist. To maintain the security of these interconnected networks, it's vital to consider factors such as access control, resource group management, and network configuration, among others.
Access Control
To fortify the security of your hybrid networks, we strongly recommend leveraging Azure Role-Based Access Control (Azure RBAC) to regulate access to your resources. Azure proposes the creation of three custom roles to streamline access control:
DevOps Role: This role empowers individuals to manage infrastructure, deploy application components, and oversee virtual machine (VM) operations within the environment.
General IT Administrator Role: This role grants permissions for the management and monitoring of all network resources.
Security IT Administrator Role: This role is exclusively responsible for securing network resources, including the management and configuration of network firewalls.
Resource Groups
The second pivotal aspect of securing hybrid networks involves organizing your resources into resource groups based on their specific security requirements. Categorizing resources into resource groups simplifies resource management, and you can subsequently assign Azure RBAC roles to each resource group to control access. Azure recommends the creation of the following resource groups for efficient resource grouping:
Virtual Network Resource Group: Create a separate resource group exclusively for the virtual network, excluding VMs, network security groups (NSGs), and the gateway resources linked to on-premises network connections. Assign the general IT administrator role to this group.
VMs and User-Defined Routes Group: Establish a resource group for the Azure Firewall instances and the user-defined routes in your gateway subnet. Assign the security IT administrator role to this group.
Application Tiers with Load Balancers and VMs Groups: Configure a distinct resource group for each application tier that encompasses load balancers and VMs. Assign the DevOps role to these groups for efficient administration.
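As an added example (not from the study guide or from Microsoft), the following Python builds the three custom roles above in the JSON shape the Azure CLI's `az role definition create --role-definition` accepts, then derives the resource-group-to-role assignments of the grouping recommendation and rejects any assignment outside a role's assignable scopes. The subscription id, resource-group names and action lists are constructed choices, not values from the book.

```python
import re

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # constructed placeholder, not a real id
# Azure action strings are provider/resourceType/operation; '*' wildcards are allowed.
ACTION_RE = re.compile(r"^(\*|Microsoft\.\w+/(\*|\w+(/[\w*]+)*))$")

def rg_scope(rg_name):
    """Resource-group scope string used in AssignableScopes and in role assignments."""
    return f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{rg_name}"

def build_custom_role(name, description, actions, assignable_rgs, not_actions=()):
    """Dict in the JSON shape that 'az role definition create --role-definition' accepts."""
    for a in list(actions) + list(not_actions):
        if not ACTION_RE.match(a):
            raise ValueError(f"malformed action string: {a}")
    return {"Name": name, "IsCustom": True, "Description": description,
            "Actions": list(actions), "NotActions": list(not_actions),
            "AssignableScopes": [rg_scope(rg) for rg in assignable_rgs]}

# The three roles the guide recommends; the action lists are illustrative choices.
ROLES = {
    "DevOps": build_custom_role("DevOps", "Deploy application components and operate VMs",
        ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/loadBalancers/*",
         "Microsoft.Resources/deployments/*"], ["rg-app-web", "rg-app-mid", "rg-app-backend"]),
    "GeneralITAdmin": build_custom_role("GeneralITAdmin", "Manage and monitor network resources",
        ["Microsoft.Network/virtualNetworks/*", "Microsoft.Network/networkWatchers/*"], ["rg-vnet"]),
    "SecurityITAdmin": build_custom_role("SecurityITAdmin", "Manage firewalls, NSGs and routes",
        ["Microsoft.Network/azureFirewalls/*", "Microsoft.Network/networkSecurityGroups/*",
         "Microsoft.Network/routeTables/*"], ["rg-firewall"]),
}
# Resource group -> role, following the guide's grouping recommendation.
RG_PLAN = {"rg-vnet": "GeneralITAdmin", "rg-firewall": "SecurityITAdmin",
           "rg-app-web": "DevOps", "rg-app-mid": "DevOps", "rg-app-backend": "DevOps"}

def planned_assignments(roles=ROLES, plan=RG_PLAN):
    """(role, scope) pairs; refuses a scope the role definition is not assignable at."""
    out = []
    for rg, role_name in plan.items():
        scope = rg_scope(rg)
        if scope not in roles[role_name]["AssignableScopes"]:
            raise ValueError(f"{role_name} is not assignable at {scope}")
        out.append((role_name, scope))
    return out

def overly_broad_actions(role):
    """Actions granting everything or a whole provider, which defeat the separation of duties."""
    return [a for a in role["Actions"] if a == "*" or (a.count("/") == 1 and a.endswith("/*"))]
```

`json.dumps(ROLES["SecurityITAdmin"])` is the text you would hand to the CLI; running `overly_broad_actions` over every role before creating it catches a `Microsoft.Network/*` that would let the DevOps role reach the firewall.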
Configuring Network Security
In this section, we will delve into the essential steps to properly filter internet traffic and enhance network security within your Azure environment. These measures will help you establish robust security controls and efficiently manage your network resources.
Implement Destination Network Address Translation (DNAT) Rule
To filter incoming internet traffic effectively, you should add a DNAT rule to your Azure firewall. This rule enables the use of a single public IP address for your firewall instance, acting as the central point for internet-bound traffic. Enabling forced tunneling is crucial when creating a routing table. This configuration redirects all internet-bound traffic back to your on-premises location using a site-to-site VPN tunnel or ExpressRoute. This setup allows you to inspect and audit internet traffic before it leaves your network. Figure 3.1 illustrates the difference, highlighting that the frontend subnet does not employ forced tunneling and must route through the internet to reach the on-premises network, while the backend and mid-tier subnets do not have this limitation.
Routing On-Premises User Requests through Azure Firewall
To ensure thorough inspection and filtering of traffic, all on-premises user requests should be routed through the Azure firewall. This guarantees that traffic is examined and filtered before reaching its destination. Additionally, Network Security Groups (NSGs) can be employed to control the flow of traffic between different application layers effectively.
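An added example, not taken from the study guide, that models the routing decisions described in the last two sections in Python: Azure picks the longest matching prefix from a subnet's route table, so a `0.0.0.0/0` route pointing at the VPN or ExpressRoute gateway (forced tunneling) sends internet-bound traffic on-premises, a gateway-subnet route pointing at the firewall sends on-premises user requests through it, and a DNAT rule maps the firewall's single public IP to a backend VM. The address plan (VNet 10.0.0.0/16, on-premises 192.168.0.0/16, firewall 10.0.0.4, public IP 203.0.113.10) is constructed.

```python
import ipaddress

def next_hop(routes, dest_ip):
    """Longest-prefix match over (prefix, next_hop_type, next_hop_ip) routes, as Azure does."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, hop_type, hop_ip in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    return None if best is None else (best[1], best[2])

# Constructed address plan: VNet 10.0.0.0/16, on-premises 192.168.0.0/16, firewall at 10.0.0.4.
VNET, ON_PREM, FIREWALL_IP = "10.0.0.0/16", "192.168.0.0/16", "10.0.0.4"
# Backend/mid-tier subnets with forced tunneling: the default route goes to the VPN or
# ExpressRoute gateway, so internet-bound traffic is inspected on-premises before it leaves.
FORCED_TUNNEL_ROUTES = [
    (VNET, "VnetLocal", None),
    (ON_PREM, "VirtualNetworkGateway", None),
    ("0.0.0.0/0", "VirtualNetworkGateway", None),
]
# Frontend subnet without forced tunneling: internet-bound traffic exits directly.
FRONTEND_ROUTES = [
    (VNET, "VnetLocal", None),
    (ON_PREM, "VirtualNetworkGateway", None),
    ("0.0.0.0/0", "Internet", None),
]
# Route table on the gateway subnet: on-premises user requests for the application
# tiers are sent to the firewall (a virtual appliance) instead of straight to the VMs.
GATEWAY_SUBNET_ROUTES = [
    ("10.0.1.0/24", "VirtualAppliance", FIREWALL_IP),  # web tier
    ("10.0.2.0/24", "VirtualAppliance", FIREWALL_IP),  # mid tier
    ("10.0.3.0/24", "VirtualAppliance", FIREWALL_IP),  # backend tier
]

# DNAT rules on the firewall: one public IP (203.0.113.10, a documentation address) fronts
# the web tier; anything without a rule is dropped rather than forwarded.
DNAT_RULES = [
    dict(src="*", dst="203.0.113.10", port=443, proto="TCP",
         translated_ip="10.0.1.10", translated_port=443),
]

def dnat(rules, src_ip, dst_ip, dst_port, proto):
    """Return (private ip, port) from the first matching DNAT rule, or None to drop."""
    for r in rules:
        src_ok = r["src"] == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["src"])
        if src_ok and r["dst"] == dst_ip and r["port"] == dst_port and r["proto"] == proto:
            return (r["translated_ip"], r["translated_port"])
    return None
```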
In modern networks, it is essential to establish secure connections with external networks from your cloud environment. Neglecting this aspect can expose your network to external threats. Here are the key steps to secure virtual network connectivity:
Provision Azure Virtual Network (VNet): Begin by provisioning an Azure Virtual Network (VNet), which serves as your computer network in the cloud environment. By default, no traffic is permitted between any two virtual networks. You can enable traffic between them using virtual network peering. This configuration allows the next hop in a user-defined route to be a VM's IP address in a peered virtual network or a VPN gateway, ensuring that your networks only permit necessary traffic.
Secure VMs on VNet: All VMs on your VNet have a network interface for communication with other VMs, the internet, and on-premises networks. To control this traffic, leverage Azure's Application Security Groups (ASGs) to group VMs based on their workloads or functionality and assign rules for traffic permissions. ASGs can be used as source or destination entities when defining NSG rules.
Use Network Security Groups (NSGs) for Subnet Traffic: For traffic between subnets, Azure recommends the use of Network Security Groups (NSGs). Ensure you do not confuse NSGs with ASGs, which are intended for traffic outside the Azure environment. NSGs are ideal for regulating traffic to and from other Azure resources. They also provide the capability to create NSG flow logs.
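An added example (not from the study guide) that evaluates an inbound NSG rule set the way Azure does, with ASG names as source and destination: rules are tried in ascending priority, the first match decides, and the platform's default rules sit at 65000 and above. The caveat it demonstrates is that the default `AllowVnetInBound` rule lets any VM in the VNet reach the database tier unless the tier's NSG carries its own lower-numbered deny. The ASG membership, addresses and VNet space are constructed.

```python
import ipaddress

# Constructed ASG membership: which VM NICs belong to which application-tier group.
ASG_MEMBERS = {
    "asg-web": {"10.0.1.10", "10.0.1.11"},
    "asg-mid": {"10.0.2.10"},
    "asg-db": {"10.0.3.10"},
}
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")  # assumed address space behind the VirtualNetwork tag

def _matches(selector, ip):
    """Selector is '*', the VirtualNetwork service tag, an ASG name, or a CIDR/IP."""
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return ipaddress.ip_address(ip) in VNET_SPACE
    if selector in ASG_MEMBERS:
        return ip in ASG_MEMBERS[selector]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)

def _port_matches(rule_port, port):
    """Rule ports are '*', a single port, or a 'lo-hi' range."""
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

# Azure's default inbound rules (load-balancer probe rule omitted): the VNet-wide allow at
# 65000 is why a tier NSG needs an explicit lower-numbered deny for the other tiers.
DEFAULT_INBOUND = [
    dict(name="AllowVnetInBound", priority=65000, src="VirtualNetwork", dst="VirtualNetwork", port="*", proto="*", access="Allow"),
    dict(name="DenyAllInBound", priority=65500, src="*", dst="*", port="*", proto="*", access="Deny"),
]

def evaluate_inbound(rules, src_ip, dst_ip, port, proto):
    """First match in ascending priority decides, as in Azure; returns (access, rule name)."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda x: x["priority"]):
        if (r["proto"] in ("*", proto) and _matches(r["src"], src_ip)
                and _matches(r["dst"], dst_ip) and _port_matches(r["port"], port)):
            return r["access"], r["name"]
    return "Deny", "implicit"

# NSG on the backend (database) subnet: only the mid tier may reach SQL, the web tier never.
BACKEND_NSG = [
    dict(name="allow-mid-to-sql", priority=100, src="asg-mid", dst="asg-db", port="1433", proto="TCP", access="Allow"),
    dict(name="deny-web-to-db", priority=200, src="asg-web", dst="asg-db", port="*", proto="*", access="Deny"),
    dict(name="deny-other-vnet-to-db", priority=4000, src="VirtualNetwork", dst="asg-db", port="*", proto="*", access="Deny"),
]
```

Dropping the `deny-other-vnet-to-db` rule and re-running `evaluate_inbound` for SSH from the mid tier shows the flow allowed by `AllowVnetInBound`, which is the gap NSG flow logs would reveal.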
Publisher: BookRix GmbH & Co. KG
Text: Mamta Devi
Images: Mamta Devi
Cover: Richa Shukla
Editing: Himesh Kumar
Proofreading: Rishabh Jain
Translation: Devesh Pathak
Typesetting: Mamta Devi
Publication date: 11.11.2023
ISBN: 978-3-7554-6062-6
All rights reserved