This document addresses another important aspect of cloud security – the network. Because network security controls are specific to each cloud service provider, this document concentrates on Microsoft Azure and gives an overview of the key network security building blocks it offers to cloud architects.

The network infrastructure in Microsoft Azure contains the following components:

  • Azure Virtual Network (VNet) – A logically isolated section of the Azure network, with its own private address space, in which a customer deploys resources. Resources in different VNets cannot talk to each other unless the VNets are explicitly connected (for example by peering).
  • Subnet – A segment of a VNet’s address range in which you place a group of related resources. A subnet is a unit of placement and policy, not of isolation by itself: Azure’s default rules allow all traffic between subnets of the same VNet, so segmentation between subnets has to be enforced with NSG rules.
  • Network Security Group (NSG) – A stateful packet filter made of prioritized allow/deny rules for inbound and outbound traffic, matched on source, destination, protocol and port. An NSG can be associated with a subnet, with a VM’s network interface (NIC), or both; when both are present, inbound traffic must be permitted first by the subnet NSG and then by the NIC NSG (outbound traffic is evaluated in the reverse order). Rules are processed in ascending priority number and the first match wins; Azure’s built-in default rules (allow intra-VNet traffic, allow Azure load balancer probes, deny all other inbound traffic; allow all outbound traffic) apply whenever no custom rule matches.
  • Azure Virtual Network Service Endpoints – Extend the identity of a VNet to selected Azure PaaS services (for example Azure Storage, Azure SQL Database and Azure Key Vault) over the Azure backbone, so that the service resource’s own firewall can be restricted to traffic from specific subnets. Enabling the endpoint on the subnet is only half of the control: the resource’s network rules must also be set to allow only those subnets, otherwise it stays reachable from the Internet.
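The rule-evaluation behaviour of NSGs is where most practical mistakes happen, so the following is an added example written for this page (it is not code from the original article or from Microsoft). It models how Azure picks the effective rule for a flow: custom rules in ascending priority order, first match wins, the built-in default rules as the fallback, and both NSGs having to allow an inbound packet when a subnet NSG and a NIC NSG are both present. The VNet address space (10.1.0.0/16), the two rule sets and the sample source addresses are constructed for illustration, and service-tag matching is simplified to the VirtualNetwork, Internet and AzureLoadBalancer tags.

```python
"""Model of Azure NSG rule evaluation (added example, not Azure's own code).

Rules are processed in ascending priority; the first match decides. If no custom
rule matches, the built-in default rules (priority 65000 and above) apply. With a
subnet NSG and a NIC NSG, inbound traffic must pass the subnet NSG, then the NIC NSG.
Service tags are simplified (assumption): only VirtualNetwork, Internet and
AzureLoadBalancer are modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

VNET_CIDR = ip_network("10.1.0.0/16")  # constructed sample VNet address space
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE_IP = ip_address("168.63.129.16")  # source of Azure load balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; the lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR or service tag
    dest: str          # CIDR or service tag
    dest_ports: str    # "22", "80,443", "1024-65535" or "*"


# Azure's built-in default rules: present in every NSG and not deletable.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def prefix_matches(prefix: str, addr: str) -> bool:
    """Match an address against a CIDR or one of the modelled service tags."""
    ip = ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET_CIDR
    if prefix == "Internet":  # simplification: any address outside RFC 1918 space
        return not any(ip in net for net in RFC1918)
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return ip in ip_network(prefix, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Match a port against "*", a single port, a range, or a comma-separated list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: List[Rule], direction: str, protocol: str, src: str, dst: str, dst_port: int) -> Rule:
    """Return the effective rule: first match in ascending priority, defaults as fallback."""
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if (prefix_matches(rule.source, src) and prefix_matches(rule.dest, dst)
                and port_matches(rule.dest_ports, dst_port)):
            return rule
    raise RuntimeError("unreachable: the DenyAll default rules always match")


def inbound_allowed(subnet_rules: Optional[List[Rule]], nic_rules: Optional[List[Rule]],
                    protocol: str, src: str, dst: str, dst_port: int) -> bool:
    """Inbound traffic must be allowed by the subnet NSG first and then by the NIC NSG."""
    for rules in (subnet_rules, nic_rules):
        if rules is not None and evaluate(rules, "Inbound", protocol, src, dst, dst_port).access != "Allow":
            return False
    return True


# Constructed sample: NSG on an application subnet; a bastion subnet at
# 10.1.255.0/24 is the only permitted SSH source.
SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("AllowSshFromBastion", 110, "Inbound", "Allow", "Tcp", "10.1.255.0/24", "*", "22"),
    Rule("DenySshFromAnywhere", 120, "Inbound", "Deny", "Tcp", "*", "*", "22"),
]
# Constructed sample: a NIC-level NSG someone added to "open SSH" on one VM.
NIC_NSG = [
    Rule("AllowSshFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "22"),
]

if __name__ == "__main__":
    for src, port in (("203.0.113.7", 443), ("203.0.113.7", 22), ("10.1.1.9", 22), ("10.1.1.9", 3306)):
        r = evaluate(SUBNET_NSG, "Inbound", "Tcp", src, "10.1.1.4", port)
        print(f"{src} -> 10.1.1.4:{port}: {r.access} ({r.name})")
    print("HTTPS with NIC NSG added:", inbound_allowed(SUBNET_NSG, NIC_NSG, "Tcp", "203.0.113.7", "10.1.1.4", 443))
```

Two results are worth remembering. The explicit deny at priority 120 beats the built-in AllowVnetInBound rule at 65000, but without such a rule every host in the VNet can reach port 3306 on the application subnet because of that default. And once a NIC NSG containing only an SSH allow is attached, its own DenyAllInBound default drops the HTTPS traffic that the subnet NSG had already permitted, while the NIC-level SSH allow opens nothing, because the subnet NSG has already dropped the packet.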

References:

Instructions for creating an Azure Network Security Group (NSG):

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

Best practices for Azure NSG:

https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/

https://www.petri.com/best-practices-azure-arm-network-security-groups

AWS vs Azure: AWS Security Groups and Microsoft Azure Network Security Groups:

https://www.scalr.com/blog/aws-vs-azure-security-groups/

Azure security best practices and patterns:

https://docs.microsoft.com/en-us/azure/security/security-best-practices-and-patterns

Azure Network Security Best Practices:

https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices

CIS Microsoft Azure Foundations Security Benchmark v1.0.0:

https://azure.microsoft.com/mediahandler/files/resourcefiles/cis-microsoft-azure-foundations-security-benchmark/CIS_Microsoft_Azure_Foundations_Benchmark_v1.0.0.pdf

About the author

Eyal Estrin is a cloud architect working at the Inter-University Computation Center (IUCC) in Israel. He has more than 20 years of experience in infrastructure, information security and public cloud services. He is a public columnist and shares knowledge about cloud services. You can follow him on Twitter at @eyalestrin.