This document addresses another important aspect of cloud security – the network. As network security is specific to each cloud service provider, this document concentrates on Microsoft Azure and provides an overview of some of the key security services and resources it provides to cloud architects.
The network infrastructure in Microsoft Azure contains the following components:
- Azure Virtual Network (VNet) – A logical isolated section of the Azure cloud for a specific customer to launch resources.
- Subnet – A segment of a VNet’s IP address range where you can place groups of isolated resources.
- Network Security Group (NSG) – A virtual firewall that controls inbound and outbound traffic with a prioritized list of allow/deny rules. NSGs can be associated with individual VMs (network interfaces), with subnets, or with both.
- Azure Virtual Network Service Endpoints – These endpoints allow you to restrict access to your critical Azure service resources so that only your virtual networks can reach them (examples of supported services: Azure Storage, Azure SQL Database, Azure Key Vault).
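As an added illustration of how NSG rule ordering works (example code written for this page, not from the article or from Microsoft), the following models Azure's inbound evaluation: custom rules (priority 100–4096) are checked in ascending priority order, the first match wins, and the platform default rules at 65000–65500 apply last. Sources are simplified to plain labels (service tags or a CIDR string), and the rule sets and the `10.10.0.0/24` jump-host range are constructed sample data.

```python
# Added example (not from the article): a minimal model of Azure NSG inbound
# evaluation, used to check a rule set for Internet-exposed management ports.
# Rules are evaluated in ascending priority order; the first match decides.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first (custom: 100-4096)
    source: str        # service tag ("Internet", "VirtualNetwork", "*") or CIDR
    dest_ports: set    # set of ports, or {"*"} for any port
    access: str        # "Allow" or "Deny"


# Azure's built-in default inbound rules: they cannot be deleted, only
# overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", {"*"}, "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", {"*"}, "Allow"),
    Rule("DenyAllInBound", 65500, "*", {"*"}, "Deny"),
]


def evaluate(rules, source, port):
    """Return (access, rule_name) for inbound traffic from `source` to `port`.
    Source matching is simplified to label equality (no CIDR arithmetic)."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        src_match = r.source in ("*", source)
        port_match = "*" in r.dest_ports or port in r.dest_ports
        if src_match and port_match:
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


MGMT_PORTS = {22, 3389}


def exposed_mgmt_ports(rules):
    """Management ports that the Internet service tag can reach under `rules`."""
    return {p for p in MGMT_PORTS if evaluate(rules, "Internet", p)[0] == "Allow"}


# Constructed sample: the weak set opens RDP to the whole Internet.
WEAK = [Rule("AllowRdpFromInternet", 100, "Internet", {3389}, "Allow")]
# Corrected set: RDP only from a (constructed) jump-host range, plus an explicit
# deny for Internet so the intent is visible before the default rules apply.
FIXED = [
    Rule("AllowRdpFromJumpHost", 100, "10.10.0.0/24", {3389}, "Allow"),
    Rule("DenyRdpFromInternet", 110, "Internet", {3389}, "Deny"),
]

if __name__ == "__main__":
    print("weak :", exposed_mgmt_ports(WEAK))   # {3389}
    print("fixed:", exposed_mgmt_ports(FIXED))  # set()
```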
References:
Instructions for creating an Azure Network Security Group (NSG):
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
Best practices for Azure NSG:
https://www.petri.com/best-practices-azure-arm-network-security-groups
AWS vs Azure: AWS Security Groups and Microsoft Azure Network Security Groups:
https://www.scalr.com/blog/aws-vs-azure-security-groups/
Azure security best practices and patterns:
https://docs.microsoft.com/en-us/azure/security/security-best-practices-and-patterns
Azure Network Security Best Practices:
https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices
Azure Security Best practices:
About the author
Eyal Estrin, cloud architect.