TOP 3 Azure Network Security Services: NSG, Firewall, DDoS

Introduction

Network security is the set of actions taken to safeguard a computer network and its information from unauthorized access, misuse, changes, or interruptions. It encompasses using different tools, procedures, and rules to guarantee that network resources remain private, unaltered, and accessible when needed. Azure offers a comprehensive suite of network security services to protect your cloud infrastructure and applications. Let's look at a few of them.

Network Security Groups (NSGs)

Network Security Groups are the fundamental firewall tool within Azure, letting you regulate the flow of network traffic to and from Azure resources in a virtual network. An NSG can be associated with a subnet, a network interface, or a specific VM instance. Positioned at the network layer (Layer 3) of the OSI model, NSGs let you define rules that allow or deny traffic based on source and destination IP addresses, ports, and protocols.

You can create an NSG and associate it with the subnet containing your VMs. Within the NSG, you define rules to allow or deny specific types of traffic based on criteria such as source and destination IP addresses, ports, and protocols.

Let's look at an example. We create a rule allowing inbound traffic on port 80 (HTTP) to the VM running the web server and deny traffic on all other ports to prevent unauthorized access. By configuring NSGs in this way, you can effectively control the flow of traffic to and from your Azure resources, enforcing network security policies and reducing the risk of unauthorized access or malicious activity.
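As an added illustration (not code from the original article), here is a small Python model of how an NSG evaluates the scenario above: rules are checked in ascending priority order, the first match wins, and Azure's built-in default rules sit behind the custom ones. The VNet range, the blocklist range and the sample source addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
VNET = ip_network("10.0.0.0/16")            # constructed address space of the example VNet
LB_PROBE_IP = ip_address("168.63.129.16")   # Azure's fixed load-balancer health-probe source

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # custom rules use 100-4096; the lowest number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp", "Icmp" or "*" (any)
    source: str = "*"      # CIDR, a service tag such as "Internet", or "*"
    dest_port: str = "*"   # single port, "lo-hi" range, or "*"

def _port_match(spec: str, port: int) -> bool:
    # Normalise "*", "80" and "8000-8080" to one inclusive range before comparing.
    lo, hi = ("0-65535" if spec == "*" else spec if "-" in spec else f"{spec}-{spec}").split("-")
    return int(lo) <= port <= int(hi)

def _source_match(spec: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":       # service tags are modelled against the constructed VNet
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip == LB_PROBE_IP
    if spec == "Internet":
        return ip not in VNET and ip != LB_PROBE_IP
    return ip in ip_network(spec, strict=False)

# Azure's built-in inbound rules: always present and evaluated after every custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]

def evaluate(rules: list, src_ip: str, protocol: str, dest_port: int) -> tuple:
    """Return (access, rule name) for one inbound flow: the first match in priority order wins."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol) and _source_match(rule.source, src_ip)
                and _port_match(rule.dest_port, dest_port)):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"   # unreachable: the default deny matches every flow

# The article's web-server NSG: allow HTTP from the Internet, everything else falls through to
# DenyAllInBound. A lower-numbered deny for a constructed blocklist range shows priority deciding.
WEB_NSG = [
    Rule("Deny-Blocklist-In", 90, "Deny", "*", "198.51.100.0/24"),
    Rule("Allow-HTTP-In", 100, "Allow", "Tcp", "Internet", "80"),
]
```

Note that traffic from inside the VNet on port 22 is still allowed by the default AllowVnetInBound rule; blocking it requires an explicit custom deny with a priority below 65000.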

Azure Firewall

Azure Firewall is a fully managed, cloud-based firewall service delivering centralized, application-aware network security for resources within Azure Virtual Networks. It functions across both the network layer (Layer 3) and the application layer (Layer 7) of the OSI model. Azure Firewall lets you define and enforce policies using Fully Qualified Domain Names (FQDNs), IP addresses, ports, and protocols, providing advanced security features for Azure deployments.

Let's say you have a virtual network (VNet) in Azure hosting multiple resources, including web servers, application servers, and a database server. You want to ensure that only authorized traffic can access these resources and that malicious activity is blocked.

You deploy Azure Firewall within your VNet, configure it, and create a policy allowing inbound traffic on ports 80 (HTTP) and 443 (HTTPS) to the web servers, so that users can access the website securely. You configure the firewall to inspect traffic at the application layer (Layer 7) to detect and block suspicious web requests, such as SQL injection attacks or cross-site scripting (XSS) attempts. With these policies in place, Azure Firewall acts as a barrier between your virtual network and the internet, inspecting and filtering traffic to enforce your security policies. It provides centralized, application-aware network security, protecting your Azure resources from unauthorized access, malicious activity, and potential security breaches.

There is often confusion between the two: NSGs and Azure Firewall.

The following provides a quick overview of the key differences between NSGs and Azure Firewall in terms of scope, capabilities, deployment flexibility, and integration with other Azure services.

| Feature | Network Security Groups (NSGs) | Azure Firewall |
|---|---|---|
| Scope | Associated with subnets, network interfaces, or VM instances | Provides centralized firewalling for entire virtual networks |
| Layer | Operates at Layer 3 (network layer) | Operates at both Layer 3 and Layer 7 (application layer) |
| Capabilities | Basic filtering based on IP addresses, ports, and protocols | Advanced application-level filtering, including FQDNs, IPs, ports, and protocols |
| Deployment Flexibility | Granular control at subnet/VM level | Centralized management for the entire virtual network |
| Integration | Integrates with Azure services like Virtual Network, Load Balancer, and VPN Gateway | Integrates with Azure Monitor and Security Center for logging, analytics, and threat detection |

Azure DDoS

Azure DDoS (Distributed Denial of Service) Protection is a built-in service offered by Microsoft Azure to safeguard your applications and resources from DDoS attacks. DDoS attacks aim to disrupt the normal functioning of online services by overwhelming them with a flood of traffic, rendering them inaccessible to legitimate users. Let's take an example to understand it better.

Picture having a web application hosted on Azure for online shopping. During a big sale, your site sees a sudden surge in traffic as customers rush in for discounts. But within this flood of genuine traffic, attackers unleash a DDoS onslaught, bombarding your site with an overwhelming volume of requests to crash your servers and disrupt the shopping experience.

However, with Azure DDoS Protection activated, the service swiftly spots the abnormal traffic surge, signaling a DDoS attack. Harnessing its sophisticated defense capabilities, Azure DDoS Protection effectively sifts through malicious traffic, ensuring that genuine customer requests smoothly reach your web application without any interruption. Consequently, your website remains accessible and responsive, enabling customers to shop seamlessly without disruptions from the DDoS attack.

I hope this article helps you understand the key elements of Azure's network security setup and how, collectively, they strengthen Azure deployments, guaranteeing a formidable defense against a range of cyber threats.

Happy Reading!