Security | Aidan Finn, IT Pro

Back Teaching – Implementing Secure Azure Networks

After a quiet 2019, I am getting back into Azure training starting in March in Brussels, Belgium, with a new hands-on course called Implementing Secure Azure Networks.

2019 was a year of (good) upheaval. I started a new job with big responsibilities and a learning curve. Family-wise, we had a lot of good things going on. So I decided to put our (my wife and I) Cloud Mechanix training on the shelf for a while. All last year, I’ve been putting a lot of cool Azure networking & security things into practice with larger enterprises so I’ve been learning … new things, good practices, what works, what doesn’t, and so on. That put the seed into my head for the next class that I would write. Then along came Workshop Summit and asked if I would like to submit a 1-day practical training course. So I did, and they accepted.

The Course

Security is always number 1 or 2 in any survey on the fears of cloud computing. Networking in The Cloud is very different to traditional physical networking … but in some ways it is quite similar. The goals of this workshop are:

To teach you the fundamentals, the theory, of how Azure networking functions so you can understand the practical design and application
Do hands-on deployments of secure networks

As a result, this workshop takes you all the way back to the basics of Azure networking so you really understand the “wiring” of a secure network in the cloud. Only with that understanding do you understand that small is big. The topics covered in this class will secure small/mid businesses, platform deployments that require regulatory compliance, and large enterprises:

The Microsoft global network
Availability & SLA
Virtual network basics
Virtual network adapters
Peering
Service endpoints
Private Link & Private Endpoints
Public IP Addresses
VNet gateways: VPN & ExpressRoute
Network Security Groups
Application Firewall
Route Tables
Third-Party Firewalls
Azure Firewall
Architectures

Attendees will require an Azure subscription capable of deploying multiple 4 x single-core virtual machines, 1 x Azure Firewall, 1 x Web Application Gateway, and 1 x per GB Log Analytics Workspace for 1 day.

When

Tuesday, 3rd March

Where

Venue: the Hackages Lab, located at Avenue des Arts 3-4-5 in Brussels

Organisers & Registration

This event is being run by The Workshop Summit. All registration and payments are handled by that event.

Who Should Attend

You don’t need to be a networking guru to attend this class. I always start my Azure networking training by explaining that I have never set up a VLAN; I’m proud of that! But I can out-network most people in Azure. Azure networking requires some learning, especially to do it correctly and securely, and that starts with re-learning some fundamentals. Those who understand basic concepts like a route, a firewall rule, network addressing (CIDR blocks), and so on will do fine on this course.

Who will benefit? Anyone planning on working with Azure. If you’re the person building the first “landing zone” for a migration, setting up the infrastructure for a new cloud-based service, working with IaaS VMs or platform (PaaS – yes network security plays a big role here!) then this course is for you. Get this stuff right early on and you’ll look like a genius. Or maybe you’ve already got an infrastructure and it’s time to learn how to mature it? We will start with the basics, cover them deeply, and then dive deep, focusing on security in ways that a typical Azure introduction course cannot do.

Why A Bastion Host Is Necessary For Remote VM Administration (Including Azure)

This post will explain why you should use a “Bastion Host” or a “Jump Box” to securely remote into Linux (SSH) or Windows (Remote Desktop) virtual machines. And this advice also includes machines that you run in a cloud, such as Microsoft Azure.

For the Fundamentalists on Social Media

Some people are going to make some comments like:

“This is why you should use remote Bash|PowerShell scripting”

Or maybe:

“You should be using Windows Admin Center”.

Windows Admin Center – great! Genuinely. But it does not do everything.

There are still many times when you need to directly log into a machine and do something; that’s real life, and not some blogger’s lab life.

Security Center JIT VM Access?

I was a fan of this feature. That was until they changed how the allow (RDP, SSH, etc) rules were added to an NSG. In my work, every subnet is micro-segmented. That means that the last user-defined NSG rule is Deny All from * to *. Since JIT VM Access was changed, it moves the last rule (if necessary) and puts in the allow-RDP or all-SSH (or whatever) rule after the DenyAll rule which is useless. Feedback on this has been ignored.

Why Are SSH and RDP Insecure?

I can’t comment too much on SSH because I’m allergic to penguins. But I can comment on RDP. Over the last few months, I can think of 3 security alerts that have been released about pre-authentication vulnerabilities that have been found in Remote Desktop. What does that mean?

Let’s say that you have a PC on your WAN that is infected by malware that leverages a known or zero-day pre-authentication remote desktop vulnerability. If that PC has the ability to communicate with a remote VM, such as an Azure Windows/Linux VM, via SSH or RDP then that remote machine is vulnerable to a pre-authentication attack. That means that if malware gets onto your network, and that malware scans the network for open TCP 22 or TCP 3389 ports, it will attempt to use the vulnerability to compromise the remote VM. It does not require the user of the PC to SSH or RDP into the remote VM, or to even have any guest OS access! You can put a firewall in front of the remote virtual machines, but it will do no good; it’s still allowing TCP 3389 or TCP 22 directly into the virtual machines and all it will offer is logging of the attack.

A Bastion Host

You might have heard the term “bastion” in the Azure world recently. However, the terms Bastion Host or Jump Box are far from new. They’re an old concept that allows you to isolate valuable machines and services behind a firewall but still have a way to remote into them.

The valuable remote virtual machines are placed behind a firewall. In Azure, that could be a firewall appliance, such as Azure Firewall, and/or Network Security Groups. Now to connect to the remote VMs, you must first remote into the Bastion Host. And from that machine, you will remote further into the network through the isolation of the firewall/NSGs.

But that’s still not perfect, is it? If we do simple SSH or RDP to the Bastion Host, then it is vulnerable to pre-authentication attacks. And that means once that machine is compromised, it can attack further into the remote network. What we need is some kind of transformation.

Remote Desktop Gateway

My preferred solution is to deploy a Remote Desktop Gateway (RDGW) as the bastion host – this does not require RDP licensing for administrative access to the remote virtual machines! The Bastion Host is deployed as one virtual machine or 2+ load-balanced virtual machines that allow in HTTPS connections via firewall/NSG rules. When an administrator/developer/operator needs to log into a remote VM, their Remote Desktop client is configured to connect to this gateway using HTTPS instead of RDP. Once the connection is authenticated by the RDGW, it reverse proxies the connection through to the desired virtual machine, further protected by firewall/NSG rules. Now the malware that is on the WAN cannot probe any machines in the remote network; there is no opening across the network to TCP 3389 or TCP 22. Instead, the only port open for remote connections is HTTPS which requires authentication. And internally, that transforms to connections from the RDGW to the remote VMs via TCP 3389.

Some sharp-eyed observers might notice that the recently announced CVE-2020-0609 is a pre-authentication attack on RDGW! Yes, unpatched RDGW deployments are vulnerable, but they are smaller in number and easier to manage patches for than a larger number of other machines. Best practice for any secure network is to limit all external ports. Transforming the protocol in some way, like an RDGW, further reduces the threat of that single opening to a single service that forwards the connection.

If you want to add bells and whistles, you can deploy Network Policy Server(s) to centrally manage RDGW policy and even add multi-factor authentication (MFA) via Azure AD.

This is great for Windows, but what about Linux? I’m told that Guacamole does a nice job there. However, Guacamole is not suitable for recent releases of Windows because of how it must have hardcoded admin credentials for Network Layer Authentication (NLA).

Azure Bastion

Azure Bastion made lots of noise in IT news sites, and on blogs and social media when it went into preview last year, and eventually it went GA at Ignite in November of last year. Azure Bastion is a platform-based RDGW. Today (January 2020), I find it way too limited to use in anything but the simplest of Azure deployments:

The remote desktop authentication/connection are both driven via the Azure Portal, which assumes that the person connecting into the guest OS even has rights to the Azure resources.
It does not support desktop Remote Desktop/SSH clients.
It does not offer MFA support for the guest OS login, only for the Azure Portal login (see above).
VNet peering is not supported, limiting Azure Bastion to pretty simple Virtual Network designs.

If Azure Bastion adds VNet peering, it will make it usable for many more customers. If it understands that guest OS/Azure resource rights OS/Azure Portal logins can be different, then it will be ready for mid-large enterprise.

Setting Up Azure – The Three Permissions You Will Need

You need to have rights to configure certain things in Microsoft Azure when you are setting it up for the first time. I will list those three permissions and the reasons for them in this post.

1. Global Admin Rights

You are going to need rights to configure things in Azure AD. For example, you should be creating security groups and using those for role-based access control of things like management groups, subscriptions, and maybe even resource groups – the higher in the hierarchy, the better, in my opinion.

This will require that you have Global Admin Rights. This is the equivalent of being a domain admin in Azure AD, and will impact all services attached to your directory such as Office 365. This right should be limited to just a few people. In a very large organisation, someone else might be doing these tasks for you because you will not be granted the necessary rights.

This role is easily added to the user account in Azure AD, either at the time of creation or later by opening the user account and selecting Assigned Roles.

2. Access Management For Azure Resources

This is an easy right to miss! It is also known as Elevated Access. This right gives you access to all subscriptions and management groups in your directory (tenant) and therefore grants you superuser powers that should be limited to a very small group of capable people. Here’s how I learned about the right: I was cleaning up management groups that I created using a service principal. I knew the management groups were there, and I could see them, but my Global Admin user couldn’t remove them. It was only when I elevated my account that I was able to move the subscriptions and remove the management groups.

Part of the reason this right is so hidden is that it is not configured in the user account screen in the Azure Portal. Instead, sign in to the Portal with your Global Admin-enabled user, open Azure AD, and then go to Properties. Now click “Yes” under Access Management For Azure Resources. Now you will have rights to everything in Azure even if you weren’t granted them originally – this is why this superpower should be tightly controlled!

3. Role-Based Access

The typical person working with Azure should have only the rights that they need to do their job. The two big reasons are:

External threats: Prevent someone from compromising a dev/ops employee’s account and using their rights to compromise the entire system.
Internal threats: Limit access that a single employee has, either for security or compliance reasons.

For example, one should not be made a subscription owner just “because”. Typically, being made a Contributor will give you more than enough rights to do your job in a subscription. And maybe a lesser right is necessary – an auditor might only be made a Reader or you might use/create a more specialised role.

One should start the RBAC design using management groups. As with organisational units in Active Directory Domain Services, management groups should model the administrative model, not the HR org chart. Permissions and policy association should start at the top and become more granular as you work your way down. Eventually, you will grant dev/ops rights often at the subscription or even resource group level.

Another Consideration: Privileged Identity Management

PIM is a solution in the Azure AD per-user licensing SKUs that is sometimes used in large enterprises. It allows you to deploy just-in-time access to Azure resources/rights. There are a bunch of features in PIM that make it a useful feature to limit any one person’s access to what they need, when they need it, and for only as long as they need it, with MFA, oversight, and auditing.

Failed to add new rule: IpSecurityRestriction.VnetSubnetResourceId is invalid.

This post is focused on a scenario where you are creating an Access Restriction rule in an Azure App Service to allow client requests from a subnet in a Virtual Network (VNET) and you get this error:

Failed to add new rule: IpSecurityRestriction.VnetSubnetResourceId is invalid. For request GET https://management.azure.com/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxx/taggedTrafficConsumers?api-version=2018-01-01 with clientRequestId xxxxxx and correlationRequestId xxxxxx, received a response with status code Forbidden, error code AuthorizationFailed, and response content: {“error”:{“code”:”AuthorizationFailed”,”message”:”The client ‘xxxxxx’ with object id ‘xxxxxx’ does not have authorization to perform action ‘Microsoft.Network/virtualNetworks/taggedTrafficConsumers/read’ over scope ‘/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxx’ or the scope is invalid. If access was recently granted, please refresh your credentials.”}}.

The Scenario

The customer wanted to deploy Standard Tier Azure App Services with some level of security in a hub and spoke architecture. The hub is in Subscription A. There a virtual network with an Azure Application Gateway (WAG)/Web Application Firewall(WAF) is deployed into a VNET/subnet. The WAF subnet has the Microsoft.Web Service Endpoint enabled, allowing the WAF to reverse proxy web requests via the direct path of the Service Endpoint to the App Service(s).

The App Service Plan and App Services are in Subscription B. The goal is to only allow traffic to the App Services via the WAF. All the necessary DNS/SSL stuff was done and the WAF was configured to route traffic. Now, the customer wanted to prevent requests from coming in directly to the App Service – an Access Restriction rule would be created with the Virtual Network type. However, when we tried to create that rule, it failed with the above security error.

Troubleshooting

At first, we thought there was an error with Azure Privileged Identity Management (PIM), but we soon ruled that out. The customer had Contributor rights and I had Owner rights over both subscriptions and we verified access. While doing a Teams screen share the customer read an article about Azure Key Vault with a similar error that indicated an issue with Resource Providers. We both had the same idea at the same time.

Solution

In the WAF subscription, enable the Microsoft.Web resource provider. This will allow the App Service to “configure” the integration with the subnet from its own subscription and solves the security issue.

Microsoft Ignite 2019 – Top 10 Azure Governance and Adoption Best Practices

Speaker: Nathan Lasnoski, Concurrency, MVP

Prepare & Execute

Picture of a tri-athlete. Riding on perfect smooth surface with perfect picture with hands off the brakes. The person is prepared – set up well. Azure operators & devs should be like this. Ready, confident, and on a smooth road with a great experience with no sudden stops.

Preface – Getting Started

Cloud Maturity Curve.

Legacy: On-prem, business not enabling. IT is a blocker to innovation.
Legacy +: IT stagnant. Scattered cloud across the business.
Platform: Target today – operationalized loud. Goverened.
Product:
Innovation
Fusion: Technology fully business integrated.

What is an “Azure Environment”?

Operated by the corporation
- Runs with standards, policies, controls
Diverse workload enablement, powers innovation
- Servers, containers, serverless, PaaS, AI, digital ledger
Stakeholder management
- Delegated to targeted teams, under corporate oversight
Representative of technology investments
- Areas like cost should relate to intended investment areas/business value. IT is not the bucket of all IT spend – Those spending should care about the things they pay for.

Number 1 – Employee Organizational Change and Operations

Transformation of organization, tied to DevOps

Increased multi-skill frameworks
Emphasis on code, repeatability, automation

New products/projects made up of:

Cloud architecture & operations
Innovation and business enablement
Application and Product DevOps Teams
Security

Number 2 – Define an operational and leave adoption strategy

High level view of a cloud program – diagram in the slides.

Define an iterative cloud program whith a MVP motion on operations
- OPERATIONAL STANDARDS, PROVISIONING PROCESS, WIKI, MOTIONS
Be careful about overreaching – Corporation has a bad relationship with IT.

Number 3- Be a Blueprint That is Manageable

A structure of management groups and subscriptions, with limited resource groups.

Left-hand IT, Right-side business. Top – management groups, bottom – IT. Why split corp IT and business areas should be in different subscriptions/management groups.

Using 1 overloaded sub is BAD, even is MS people recommend it (AGREED!). RBAC, cost-management, quotas, etc.

Number 4 – Approaches for provisioning short-term and long-term

Using a portal for provisioning. It’s a manual process. Azure Portal, ServiceNow, whatever – minimise their usage. Problem with portals is that all the old manual problems of on-prem follow to the cloud. No documentation on config. No repeatability. No change control.

Source Code Release (Azure DevOps) > Control Plane (ARM, Policy) > Deployment.

Subscriptions should be read-only. Only time you use the portal to deploy/config should be sandboxes. Enterprise deployments should be done as code:

ARM
Script
Program code

This includes 3^rd party stuff you put in VMs.

This is the right way to start. And it prepares you for PaaS, e.g. AKS, App Services, etc.

Number 5 – Define Structures for Naming and Tagging

You cannot work in the cloud long-term without this.

Critical tags:

Owning team
Business unit
Application Name
Classification (security)
Environment moniker (dev, test, production, etc)
Cost Center

Number 6 – Recovery and re-deployment approaches

Assume re-deployment at every level, especially corp-IT.
- The Corp IT infrastructure is code too, store it in a code repository
- Build based on release management pipeline
Re-deployability such as AKS
- Re-deployable app environments
  - AKS
  - App Services
  - Data services
  - Functions
  - OAM, RUDR, DAPR

Number 7 – Adapt Security Controls For The Cloud

Movement to vertical network design. On-prem IT is flat and horizontal and things talk directly to things. In the cloud, direct connections should be limited with micro-segmentation – see previous blog posts.

This is easier to do in the cloud, and it should be done during migration and new-builds. According to Nathan, it’s one of the reasons to migrate to the cloud at all!

Use Azure Security Center to assess the environment and monitor it from a security perspective. Leverage automated responses to react, e.g. playbooks in Azure Sentinel. Use custom policies to audit Azure too.

Admin accounts:

Segment addresses – don’t use admin email accounts for Azure accounts.
Limit owner rights. Contributor at most. Read-only ideally in production.
Use PIM (AAD P5) to limit access but require rights escalation for admins. Consider approval.
Use MFA. Less than 8% of Azure tenants have MFA enabled.

RBAC applied to applications

Teams only get access to necessary RGs/subscriptions.
Admin owner credentials are different than application credentials
Deployments are encouraged to be automated from source code.

Number 8 – Monitoring responsibilities change as application owners take more responsibility

Corp IT is responsible for “cloud IT”.
- Standards policies, connectity – not just things that go bump in the night
- Ensures governance is applied, monitors for aggregate issues
Security might be a separate group
- Measuring security compliance, reacting to incidents
- Runs against playbooks but moving declaratively
Application teams
- Own operational monitoring and reacting to their services
- DevOps teams operating stuff

Azure Monitor/Logs provides data access via resources now that reflects RBAC to resources.

Number 9 – What do I do with my CMDB and how does it change?

Original function of the CMDB was to contain configuration data
Modern environment is quarriable platform, declarative config, DevOps

Resource Graph and DevOps can be your living always correct CMDB.

Number 10 – Building a methodology for cost reviews and organizational discipline

Tags are critical to cost analysis
- Use policy enforced tagging regimes
- Apply tags as needed for accounting purposes
Be able to judge costs on:
- Owner
- Business unit
- Application
- Technology
- Dev/Prod/QU
Options:
- Azure Cost Management
- Custom PowerBI

Controlling Costs:

Setting budgets
Analysis and improvement
Limit high spenders
Optimize sizing
Cost management team should pay for itself.

Microsoft Ignite 2019 – Deliver Highly Available Secure Web Application Gateway and Web Application Firewall

Speaker:

Amit Srivastava, Principal Program Manager, Microsoft

Mission Critical HTTP Applications

Always On
Secure
Scalable
Telemetry
Polygot – variety of backed, IaaS, PaaS, on-prem

Many things to think about.

What Azure Pieces Can We Use?

WAG
AFD
CDN
WAF
Azure Load Balancer
Azure Traffic Manager

WAG

Regional ADS as a service. A full reverse proxy. It terminates the incoming connection and creates a new one to the web server.

Platform managed: built-in HA and sclability
Layer 7 load balancing: URL path, host based, round robin, session affinity, redirection
Security and SSL management: WAF, SSL Offload, SSL re-encryption, SSL policy
Public or ILB: Public internet, internal or both.
Flexible backends: VMs, VMSS, AKS, public IP, cloud services, ALB/ILB, On-premises
Rich diagnostics: Azure monitor, log analytics, network watcher, RHC, more

Standard v2 SKU in GA

Available in 26 regions
Built-in zone redundancy
Static VIP
HTTP header/cookies insertion/modification
Increased scale limits 20 -> 100 listeners
Key vault integration and autorenewal of SSL certs (GA)
AKS ingress controller (GA)

Autoscaling and performance improvements:

Grow and shrink based on app traffic requirements
5 x better SSL offloads performance
- 500-50,000 connections/sec with RSA 2048 bit certs
- 30,000, 3,000,000 persistent connections
- 2,500 – 250,0000 HTTP req/sec
75% reduction in provisioning time ~5mins

Key Vault Integration in v2 GA

Front end TLS cert integrated with Azure Key Vault
Utilizes user-assigned management identity for access control on key vault
Use certificate or secrets on Key Vault
Pools every 4 hours to enable automatic cert renewal – you can force a poll if you need to
Manual override or specific certificate version retrieval

WAG v2 Header Rewrites

Manipulate request and response headers and cookies
- Strip port from x-forwarded-for header
- Add security headers like HSTS and X-XSS-Protection
- Common header manipulation ex: HOST, SERVER
Conditional header rewrites … something

Ingress Controller

Ingress controller for 1+ AKS clusters at one time
Deployed using HELM – newer easier options by EOY
Utilized pod-AAD for ARM authentication
Tighter integration with AKS add-on support upcoming
Supports URI-path based, host based, SSL termination, SSL re-encryption, redirection, custom health probes, draining, cookie affinity.
Support for Let’s Encrypt provided TLS certs
WAF fully supported with custom listener policies
Support for multiple AKS as backend
Support for mixed mode- both AKS and other backend types on the same application gateway.

http://aka.ms/appgawks

Application Gateway Wildcard Listener

Managed preview
Support for wildcard characters in listener host name
Supports * and ? characters in host name
Associate wildcard or SAN certs to serve HTTPS

Telemetry Enhancements

GA
Diagnostics Log Enhancements
- TLS protocol version, cipher spec selected.
- Backend target server, response code, latency.
Metrics Enahncements
- Backend response status code
- RPS/healthy node
- End-to-end latency
- Backend latency
- Backend connect, first byte, and last byte latency.

Azure Monitor Insights for Application Gateway

Public Preview
Sign health and metric console for your entire cloud network#
No agent/configuration required
Visualize the structure and functional dependencies
More

AKS Demo

He loads a Helm YAML config to the AKS cluster. Now the AKS cluster can configure listers, backend pools, rules, etc for the containers/services running on the cluster. Pretty cool.

Azure WAF

Cloud native WAF

Unified WAF offering
- Protect your apps at network edge or in region uniformly
Public preview:
- Microsoft threat intelligence
  - Protect apps against automated attacks
  - Manage good/bad bots with Azure BotManager RuleSet
- Site and URI pathc specific WAF policies
  - Customise WAF policies at regional WAF for finer grained protection at each host/listener or URI path level
- Geo-filtering on regional WAF

WAF

HA, scalable fully platform managed
Auto-scaling support
New RuleSet CRS 3.1 added, will soon be the default
Integration with Azure Sentinel SIEM
Performance and concurrency enhancements
More

WAF Policy Enhancements

Assign different policies to different sites behind the same WAF
Increased configurability
Per-URI policy

Geo Filtering Public Preview

Block, allow, log countries.
Easily configurable in WAF policy
Geo data refreshed weekly

Only in special Portal URI at the moment – normal Azure Portal soon.

Bot Protection (Public Preview)

Stuff

Microsoft Ignite 2019 – Building and Managing Distributed Micro-Perimeters With Azure Firewall

Speaker: Yair Tor, Principal Program Manager

Azure Firewall

Cloud native stateful firewall as a service. A first among public cloud providers.

Central governance of all traffic flows
- Built in high availability and auto scale
- Network and application traffic filtering
- Centralized policy across VNets and subscriptions
Complete VNet protection
- Filter outbound, inbound, spoke-spoke
Centralized logging
Best for Azure

Key Features

Application Rules
Fully stateful network rules
NAT support
Threat Intelligence (GA this week)
Monitoring
Support for inbound and hybrid connections
Network Watcher integration

Azure Firewall Updates

Recently released
- Multiple public IPs GA – up ot 100
- Availability zones now GA (99.99% SLA)
- Threat Intelligence based filtering now GA
- Azure HDInsight (HDI) FQDN tag GA
- TDS (SQL) FQDN filtering in Preview
Sovereign Clouds
- US Gov
- China
Coming soon: tentative ETA H2 CY 2019
- FQDN filtering for all ports and protocols
- Native forced tunnelling support
- IP groups in Azure Firewall rules – coming to NSG and UDR too.

Azure Firewall Manager – See Previous Post

Preview

Central deployment and configuration
Automated routing
Advanced security with 3^rd party SECaaS

Roadmap:

Virtual network support – this is the legacy form of Azure Firewall that is not the new Azure vWAN Hub Azure Firewall.
Split routing

Public Preview

Extend your security edge to Azure with Secured Virtual Hubs.
A secured virtual hub is an azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.
Easily create hub-and-spoke architectures with cloud native security services for traffic governance and protection.
Azure Firewall now integrated with Virtual WAN Hubs.
Secured virtual hub can be used as a managed central network with no on-prem connectivity.
There is no resource called Security Virtual Hub – it’s more of a deployment/concept. If you did a JSON deployment, it would use legacy resources.

Getting Started with Secured Virtual Hubs

One method:

Create your hub and spoke architecture
Select security providers: Done by secured virtual hub creation or by converting a Virtual WaN hub to secure virtual hub.
Create a firewall policy and associate it with your hub: applicable only if using Azure Firewall
Configure route settings on your secured hub to attract traffic: Easily attract traffic to the firewall from the spoke VNets – BGP!

Demo

Network rules are always processed before application rules in Azure Firewall. Inherited policy cannot allow stuff that parent policy denies.

Central Security and Route Policy Management

Deploy and configure multiple Azure Firewall instances
DevOps optimized hierarchical Azure Firewall Policies
Centralized routing configuration

GA Pricing

Preview has 50% discount
Azure Firewall in secure virtual hubs will be the same price as normal Azure Firewall
$100 per policy for policies that are associated with multiple hubs. No cost with policies associated with single hubs.
Fixed fee for outbound VPN to SECaaS partners in addition to a VPN scale unit charge.

Microsoft Ignite 2019 – Securing Your Cloud Perimeter With Azure Network Security

Speaker: Sinead O’Donvan (Irish, by the accent)

Zero Trust Architecture document

7 pillars:

Identity
Devices
Data
Apps
Infrastructure
Networking – the focus here

Verify explicitly every access control

Being on the network is not enough

Use least privilege access

IP address is not enough

Assume breach

No one is perfectly secure. Identify the breach. Contain the breach. Do your best to stop breaches in the first place.

You cannot claim success:

It requires constant improvement.

Network Maturity Model

Traditional (most customers)
- Few network security perimeters and flat open network
- Minimal threat protection and static filtering
- Internal traffic is not encrypted
Advanced
- Many ingress/egress cloud micro-perimeters with some micro-segmentation
- Cloud native filtering and protection for known threats
- User to app internal traffic is encrypted
Optimal
- Fully distributed ingress/egress cloud micro-perimeters and deeper micro-segmentation
- ML-based threat protection and filtering with context-based signals
- All traffic is encrypted

Three Cores of Azure Network Security

Segment – prevent lateral movement and data exfiltration
Protect – secure network with threat intelligence
Connect – embrace distributed connectivity … or face revolt from the users/devs

Deploy securely across DevOps process

Azure Features

Azure Firewall
Azure WAF
Azure Private Link
Azure DD0S Protection

Plus:

VNets
NSGs
UDRs
Load Balancer

Network Segmentation

3 approaches:

Host-based: an agent on the VM implements it
Hypervisor: Example, VMware SNX
Network controls

Azure Network Segmentation Controls

Subscription: RABC, logic isolation for all resources
Virtual network: An isolated and highly secure environment to run your VMs and apps. “This is the hero of segmentation”
NSG: Enforce and control network traffic security rules that allow or deny network traffic for a VNet or a VM.
WAF: Define application specific policies to protect web workloads.
Azure Firewall: Create and enforce connectivity policies using application, network and threat intelligence filtering across subscription(s) and VNet(s).

Multi-Level Segmentation

Connectivity:
- Use both public or private IP. Public app interface is public, backend is private.
- Choose cloud transit approach VNet peering or Virtual WAN.
- Carefully control routing
Infrastructure
- Segment across subscription, vnet, and subnet boundaries
- Managed at an org level
Application
- Enable application aware segmentation
- Easily create micro perimeters
- Managed at an application level

Azure Firewall Manager (Preview)

Central deployment and configuration
- Deploy and configure multiple Azure Firewall instances
- Optimized for DevOps with hierarchical policies
Automated Routing
- Easily direct traffic to your secured hub for filtering and logging without UDRs
And more

Azure Web Application Firewall

Preview:

Microsoft threat intelligence
- Protect apps against automated attacks
- Manage good/bad bots with Azure BotManager RuleSet
Site and URI patch specific WAF policies
- Customise WAF policies at regional WAF for finer grained protection at each host/listener or URI path level
Geo-filtering on regional WAF
- Enhanced custom rule matching criterion

MS sees 20/30 DDoS attacks per day.

WAF as a Service

Barracuda
Radware

Both run in Azure.

Connectivity

It’s time to transform your network.

User to app moves to Internet centric connectivity
Application to backend resources use private connectivity
Redesign your network and network security models to optimize user experience for cloud
Continue to extend app delivery models and network security to the edge

Azure Firewall Manager

Easily create multiple secured virtual hubs (DMZ Hubs) in Azure
Use Azure Firewall or 3^rd party security
Create global and local policies
Easy to set up connectivity
Roadmap:
- Split routing – optimized O365 and Azure public PaaS

CheckPoint CloudGuard Connect will debut soon as a partner extension.

Azure Private Link

Highly secure and private connectivity solution for Azure Platform.

Private access from VNet resources, peered networks and on-premises networks
In-built data exfiltration protection
Predictable private IP addresses for PaaS resources
Unified experience across PaaS customer owned and marketplace services

Microsoft taking this very seriously. All new PaaS services “from Spring onwards” must support Private Link.

Azure Bastion

See previous posts on this – it requires more work IMO because it lacks VNet peering support and requires login via the Azure Portal – doesn’t support MSTSC or SSH clients.

Key Takeaways

Embrace zero trust network model
Segment your network and create micro-perimters with Azure Firewall, NSG, etc
Use a defense in depth security strategy with cloud native services
Enable WAF and DDoS
Explore Azure as your secure Internet edge with Azure Firewall Manager

Private Connections to Azure PaaS Services

In this post, I’d like to explain a few options you have to get secure/private connections to Azure’s platform-as-a-service offerings.

Express Route – Microsoft Peering

ExpressRoute comes in a few forms, but at a basic level, it’s a “WAN” connection to Azure virtual networks via one or more virtual network gateways; Customers this private peering to connect on-premises networks to Azure virtual networks over an SLA-protected private circuit. However, there is another form of peering that you can do over an ExpressRoute circuit called Microsoft peering. This is where you can use your private circuit to connect to Microsoft cloud services that are normally connected to over the public Internet. What you get:

Private access to PaaS services from your on-premises networks.
Access to an entire service, such as Azure SQL.
A wide array of Azure and non-Azure Microsoft cloud services.

FYI, Office 365 is often mentioned here. In theory, you can access Office 365 over Microsoft peering/ExpressRoute. However, the Office 365 group must first grant you permission to do this – the last I checked, you had to have legal proof of a regulatory need for private access to Cloud services.

Service Endpoint

Imagine that you are running some resources in Azure, such as virtual machines or App Service Environment (ASE); these are virtual network integrated services. Now consider that these services might need to connect to other services such as storage accounts, Azure SQL, or others. Normally, when a VNet connected resource is communicating with, say, Azure SQL, the packets will be routed to “Internet” via the 0.0.0.0/0 default route for the subnet – “Internet” is everywhere outside the virtual network, not necessarily The Internet. The flow will hit the “public” Azure backbone and route to the Azure SQL compute cluster. There are two things about that flow:

It is indirect and introduces latency.
It traverses a shared network space.
A growing number of Azure-only services that support service endpoints.

A growing number of services, including storage accounts, Azure SQL, Cosmos DB, and Key Vault, all have services endpoints available to them. You can enable a service endpoint anywhere in the route from the VM (or whatever) to “Internet” and the packets will “drop” through the service endpoint to the required Azure service – make sure that any firewall in the service accepts packets from the private subnet IP address of the source (VM or whatever). Now you have a more direct and more private connection to the platform service in Azure from your VNet. What you get:

Private access to PaaS services from your Azure virtual networks.
Access to an entire service, such as Azure SQL, but you can limit this to a region.

Service Endpoint Trick #1

Did you notice in the previous section on service endpoints that I said:

You can enable a service endpoint anywhere in the route from the VM (or whatever) to “Internet”

Imagine you have a complex network and not everyone enables service endpoints the way that they should. But you manage the firewall, the public IPs, and the routing. Well, my friend, you can force traffic to support Azure platform services via service endpoints. If you have a firewall, then your routes to “Internet” should direct outbound traffic through the firewall. In the firewall (frontend) subnet, you can enable all the Azure service endpoints. Now when packets egress the firewall, they will “drop” through the service endpoints and to the desired Azure platform service, without ever reaching “Internet”.

Service Endpoint Trick #2

You might know that I like Azure Firewall. Here’s a trick that the Azure networking teams shared with me – it’s similar to the above one but is for on-premises clients trying to access Azure platform services.

You’ve got a VPN connection to a complex virtual network architecture in Azure. And at the frontend of this architecture is Azure Firewall, sitting in the AzureFirewallSubnet; in this subnet you enabled all the available service endpoints. Let’s say that someone wants to connect to Azure SQL using Power BI on their on-premises desktop. Normally that traffic will go over the Internet. What you can do is configure name resolution on your network (or PC) for the database to point at the private IP address of the Azure Firewall. Now Power BI will forward traffic to Azure Firewall, which will relay you to Azure SQL via the service endpoint. What you get:

Private access to PaaS services from your on-premises or Azure networks.
Access to individual instances of a service, such as an Azure SQL server
A growing number of Azure-only services that support service endpoints.

Private Link

In this post, I’m focusing on only one of the 3 current scenarios for Private Link, which is currently in unsupported preview in limited US regions only, for limited platform services – in other words, it’s early days.

This approach aims to give a similar solution to the above “Service Endpoint Trick #2” without the use of trickery. You can connect an instance of an Azure platform service to a virtual network using Private Link. That instance will now have a private IP address on the VNet subnet, making it fully routable on your virtual network. The private link gets a globally unique record in the Microsoft-managed privatelink.database.windows.net DNS zone. For example, your Azure SQL Server would now be resolvable to the private IP address of the private link as yourazuresqlsvr.privatelink.database.windows.net. Now your clients, be the in Azure or on-premises, can connect to this DNS name/IP address to connect to this Azure SQL instance. What you get:

Private access to PaaS services from your on-premises or Azure networks.
Access to individual instances of a service, such as an Azure SQL server.
(PREVIEW LIMITATIONS) A limited number of platform services in limited US-only regions.

Migrating Azure Firewall To Availability Zones

Microsoft recently added support for availability zones to Azure firewall in regions that offer this higher level of SLA. In this post, I will explain how you can convert an existing Azure Firewall to availability zones.

Before We Proceed

There are two things you need to understand:

If you have already deployed and configured Azure Firewall then there is no easy switch to turn on availability zones. What I will be showing is actually a re-creation.
You should do a “dress rehearsal” – test this process and validate the results before you do the actual migration.

The Process

The process you will do will go as follows:

Plan a maintenance window when the Azure Firewall (and dependent communications) will be unavailable for 1 or 2 hours. Really, this should be very quick but, as Scotty told Geordi La Forge, a good engineer overestimates the effort, leaves room for the unexpected, and hopefully looks like a hero if all goes to the unspoken plan.
Freeze configuration changes to the Azure Firewall.
Perform a backup of the Azure Firewall.
Create a test environment in Azure – ideally a dedicated subscription/virtual network(s) minus the Azure Firewall (see the next step).
Modify the JSON file to include support for availability zones.
Restore the Azure Firewall backup as a new firewall in the test environment.
Validate that that new firewall has availability zones and that the rules configuration matches that of the original.
Confirm & wait for the maintenance window.
Delete the Azure Firewall – yes, delete it.
Restore the Azure Firewall from your modified JSON file.
Validate the restore
Celebrate – you have an Azure Firewall that supports multiple zones in the region.

Some of the Technical Bits

The processes of backing up and restoring the Azure Firewall are covered in my post here.

The backup is a JSON export of the original Azure Firewall, describing how to rebuild and re-configure it exactly as is – without support for availability zones. Open that JSON and make 2 changes.

The first change is to make sure that the API for deploying the Azure Firewall is up to date:

        {
            "apiVersion": "2019-04-01",
            "type": "Microsoft.Network/azureFirewalls",

The next change is to instruct Azure which availability zones (numbered 1, 2, and 3) that you want to use for availability zones in the region:

        {
            "apiVersion": "2019-04-01",
            "type": "Microsoft.Network/azureFirewalls",
            "name": "[variables('FirewallName')]",
            "location": "[variables('RegionName')]",
            "zones": [
                "1",
                "2",
                "3"
            ],
            "properties": {
                "ipConfigurations": [
                    {

And that’s that. When you deploy the modified JSON the new Azure Firewall will exist in all three zones.

Note that you can use this method to place an Azure Firewall into a single specific zone.

Costs Versus SLAs

A single zone Azure Firewall has a 99.95% SLA. Using 2 or 3 zones will increase the SLA to 99.99%. You might argue “what’s the point?”. I’ve witnessed a data center (actually, it was a single storage cluster) in an Azure region go down. That can have catastrophic results on a service. It’s rare but it’s bad. If you’re building a network where the Azure Firewall is the centre of secure, then it becomes mission critical and should, in my opinion, span availability zones, not for the contractual financial protections in an SLA but for protecting mission critical services. That protection comes at a cost – you’ll now incur the micro-costs of data flows between zones in a region. From what I’ve seen so far, that’s a tiny number and a company that can afford a firewall will easily absorb that extra relatively low cost.