Azure Virtual Networks
“First, our focus on security is on the infrastructure itself. So, it is all about how you protect the network, the device, and the application that is riding on the server” — John W. Thomson.
Just as we connect virtual machines through virtual networks created in Hyper-V, we do the same in Azure with a Cloud-Only VNet, and create a Cross-Premises VNet by connecting it to an on-premises network. But Azure Virtual Networks (VNets) are not just virtually connected; they are also secure, providing network isolation between VNets. VNets are entirely under your control: you set policies, DNS, routing tables, IP address blocks and so on, and make private connections through ExpressRoute or secured VPN gateways.
Securely connecting a VNet
Point-to-site virtual private network (VPN): A private and secure connection is established through a VPN between a VNet and an individual computer on your network, using Secure Socket Tunneling Protocol (SSTP) for encryption.
Site-to-site VPN: The connection is securely established between an Azure VPN Gateway and your on-premises VPN device, using IPsec/IKE for encryption.
On-premises connectivity without traversing the Internet
There may be times when you don't want to send data over the Internet. That's when Azure ExpressRoute comes into play: traffic cannot traverse the Internet, because ExpressRoute is a private connection established between Azure and your network.
Internal name resolution vs External name resolution
Internal name resolution
It is used for services present in the VNet, from on-premises or from both networks. When a VNet is created, a DNS server is provided by default, or you can specify your own DNS server. The default DNS server is managed by the fabric manager, so it is not configurable; name resolution is therefore secured. A DNS server you choose is provided by an Azure partner and can be dedicated or Active Directory integrated.
External name resolution
It is used by people and devices outside the VNet and the on-premises networks. External DNS servers can be hosted on on-premises networks, either your own or from a service provider. Both provide networking expertise and global presence, but a service provider offers very high availability.
Built-in protection against attacks
Despite the complexity of DDoS attacks, Azure provides built-in protection for all cloud services. All Azure datacenters are deployed with public IPs that fall under this protection.
How are traffic filtering, routing and monitoring done for security in virtual networks?
Traffic filtering
Generally, inbound and outbound traffic filtering is done using source and destination IP addresses and ports. Subnet traffic is filtered using either or both of the options below:
Network security groups (NSG): A stateful packet-filtering firewall. Its rules determine whether traffic to virtual machines in your VNet is permitted or denied. By default, the rules for inbound and outbound traffic are set to deny.
Network virtual appliances (NVA): Software running on a VM that strengthens security and network functions, performing network traffic functions and WAN optimization.
Forced tunneling: A mechanism that prevents services from connecting to devices over the Internet; traffic from virtual machines is routed to on-premises using BGP or a custom route.
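As an added illustration of the NSG processing model described above (example code, not from the original post or from Azure), the following Python model evaluates inbound NSG rules in priority order. The 10.0.0.0/16 VNet space, the 203.0.113.0/24 admin range and the three custom rules are constructed; the AllowVnetInBound and DenyAllInBound default rules and their priorities are Azure's real defaults, listed in abbreviated form.

```python
import ipaddress
from dataclasses import dataclass
# Constructed VNet address space, used to expand the VirtualNetwork and Internet
# service tags (a simplification of how Azure maintains those tags).
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; lower numbers are evaluated first
    source: str     # CIDR prefix, "*", or the VirtualNetwork / Internet tag
    dest_port: str  # "*" or a single port such as "3389"
    protocol: str   # "Tcp", "Udp" or "*"
    access: str     # "Allow" or "Deny"

def _source_matches(spec, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET_SPACE
    if spec == "Internet":
        return ip not in VNET_SPACE  # simplified tag expansion
    return ip in ipaddress.ip_network(spec)

def evaluate(rules, src_ip, dst_port, protocol):
    """Return the first rule matching a new inbound flow, in ascending priority order.
    Processing stops at the first match, so a permissive low-number rule shadows any
    Deny with a higher number; return traffic of allowed flows is admitted by the
    NSG's connection tracking and is not modelled here."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_source_matches(rule.source, src_ip)
                and rule.dest_port in ("*", str(dst_port))
                and rule.protocol in ("*", protocol)):
            return rule
    return None  # unreachable while the DenyAllInBound default rule is present

# Azure's built-in inbound default rules (abbreviated); they cannot be removed, only pre-empted.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Constructed custom rules: publish HTTPS, permit RDP only from an admin range (documentation space).
CUSTOM_INBOUND = [
    Rule("AllowHttpsFromInternet", 100, "Internet", "443", "Tcp", "Allow"),
    Rule("AllowRdpFromAdminRange", 200, "203.0.113.0/24", "3389", "Tcp", "Allow"),
    Rule("DenyRdpFromInternet", 300, "Internet", "3389", "Tcp", "Deny"),
]
INBOUND_RULES = CUSTOM_INBOUND + DEFAULT_INBOUND
```

Inserting a broad Allow rule with a number lower than 300 would shadow DenyRdpFromInternet, which is the ordering mistake to check for when reviewing an NSG.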
Routing
Routing can be customized and controlled to make sure that traffic entering or leaving the VNet from devices passes through a specific location.
Azure Front Door: It monitors and manages the routing of web traffic and is used for high performance and availability.
Azure Traffic Manager: It manages traffic by directing client requests to suitable endpoints based on endpoint health and the configured traffic-routing method. It therefore acts as a DNS-based load balancer that distributes traffic to services in any location.
Monitoring and threat detection
Azure has many tools to detect, monitor, prevent, collect and review network traffic.
Azure Network Watcher is used to diagnose and troubleshoot the network, monitor performance, and assist in identifying and resolving security issues.
Virtual Network TAP lets an analytics tool or a network packet collector collect the network traffic of a virtual machine. It can aggregate traffic from different subscriptions.
Azure Security Center gives customers visibility, and the security of their resources is controlled through it.
So, after going through this post, we can say that Virtual Networks are not just virtually connected; their scope goes beyond that, and they can be configured and managed according to requirements.