
Navigating Azure Network Security


In the fast-paced digital era, securing your digital assets is more critical than ever. Azure, Microsoft’s cloud computing platform, offers a robust suite of network security services designed to protect your valuable data from various online threats.

In this article, we will explore the crucial role of Azure Network Security, which includes Azure Firewall, Azure WAF, Azure DDoS Protection, and Network Security Group (NSG). We will compare their top features, protocols, and SKUs to safeguard your digital assets.

Introduction to Azure Network Security

Ensuring the security of your digital infrastructure is a top priority. Azure’s network security services provide a comprehensive solution to safeguard your assets from cyber threats, unauthorized access, and other potential risks.

The Azure landscape presents a complex network security maze, wherein the Azure Firewall stands as a critical beacon of defense, offering a myriad of features tailored to safeguard digital assets. In the following sections, we will embark on a journey through the heart of Azure’s network security solutions, delving into the nuanced capabilities of Azure Firewall, exploring the robust shields provided by the Azure Web Application Firewall (WAF), dissecting defenses against DDoS attacks, and scrutinizing the precision control facilitated by Network Security Groups.


By traversing these key network security components, network engineers and security professionals will unravel the strategies and tools essential for securing Azure cloud environments, reinforcing the architecture that underpins our increasingly digital world.

Related: Check out designing and implementing Microsoft Azure Networking solutions.

Azure Firewall

Azure Firewall acts as a barrier between your internal network and the internet, monitoring and controlling incoming and outgoing traffic. With features like application and network-level filtering, it provides a robust defense mechanism against a wide range of cyber threats.

At its core, Azure Firewall is a stateful service, which means it’s smart enough to remember the context of the packets of data it handles. Think of it like a savvy gatekeeper who not only recognizes who came in and out but also what they brought with them. This memory allows Azure Firewall to make informed decisions on whether to allow or deny traffic, stopping malicious access attempts in their tracks.

But what really anchors network protection with Azure Firewall? Let’s dive in:

Azure Firewall simplifies life by providing a single point from which to govern all your network traffic rules. This means that instead of juggling multiple control lists across various locations, there’s one place to manage it all using Azure Firewall Manager. It’s like having a command center that gives clear directions to every guard and gate across your network city.

Azure Firewall comes with built-in high availability (HA) and the ability to handle traffic loads of any size. No matter how bustling your network becomes, this firewall is like a river that widens to accommodate increasing flow, ensuring that your network’s defenses are always up and never overwhelmed.

Empowered by Microsoft’s global threat intelligence, Azure Firewall is equipped with up-to-the-minute insight on the latest cyber threats. It utilizes this intelligence to identify and block malicious traffic, keeping your network free of unwanted guests.

Azure Firewall is also designed to operate hand-in-hand with other Azure services, such as Azure Monitor, Application Gateway, and Microsoft Defender for Cloud. This means deeper insights and analytics, as well as a unified approach to security across your Azure footprint.

Related: Deploy Application Gateway in Front of Azure Firewall.

What are the top features, protocols, available SKUs, and use cases for Azure Firewall?

Azure Firewall Top Features

  • Application Rules
  • Network Rules
  • NAT Rules
  • Threat Intelligence
  • High Availability
  • FQDN Tags
  • Forced Tunneling
  • DNS Proxy
  • TLS Inspection
  • URL Filtering
  • Intrusion Detection and Prevention System (IDPS)
  • Web Categories

Azure Firewall Protocols


Azure Firewall Available SKUs

  • Basic
  • Standard
  • Premium

Azure Firewall Use Cases

The main use case of Azure Firewall is when you need a centralized perimeter or DC network firewall for protection and traffic control, outbound and inbound filtering, and region-based traffic control.


In conclusion, Azure Firewall is a fully managed Next Generation Firewall-as-a-service (NGFW) that protects Azure Virtual Network resources. With centralized management, the adaptability to handle any amount of traffic, advanced threat intelligence, and seamless integration with other Azure services, it does more than just anchor network protection; it elevates it.

Azure Firewall is a security service designed specifically for cloud workloads running in Azure. It is a cloud-native and intelligent network firewall that provides the best-in-class threat protection for digital assets. By utilizing cloud-native firewall capabilities, Azure Firewall ensures the highest possible level of security while also offering built-in high availability, auto-scalability, and zero maintenance.

Azure WAF

Web applications are frequent targets for cyber attacks. Azure WAF provides an additional layer of protection by monitoring and filtering HTTP traffic between a web application and the internet, safeguarding against web-based threats.

By detecting and blocking malicious HTTP traffic, Azure WAF helps prevent common web application vulnerabilities, such as SQL injection and cross-site scripting. It adds an extra shield to your web applications, ensuring their resilience against evolving threats.

So, how does Azure WAF gird up the ramparts? Let’s dive deep into its defensive playbook and reveal the strategies that help keep the hordes at bay.

Every web app has specific security needs. Azure WAF offers customizable rule sets, letting you set up the defenses that make sense for your situation. You can pinpoint exactly what traffic to allow, what to block, and when to raise the alarm, ensuring your moat is neither too wide nor too narrow.

As the gatekeeper, Azure WAF employs bot protection to differentiate friend from foe. It scrutinizes incoming requests, distinguishing legitimate users from malicious bots that are cloned armadas with a mission to breach your defenses. This feature is like having a squadron of sentries, expertly trained to spot the wolves in sheep’s clothing before they can infiltrate your ramparts.

Going past the tangible walls, Azure WAF operates at Layer 7 of the Open Systems Interconnection (OSI) model, the application layer. This is where it gets smart, really smart. It inspects HTTP traffic in detail, putting each request under the microscope to detect and deflect even the most cunning of threats. Whether it’s a rogue script or a disguised agent of chaos, this level of scrutiny is akin to a royal taste tester for your data, ensuring nothing harmful makes it to the king’s table. Azure WAF also provides a centralized dashboard that tracks threats across multiple sites.

What are the top features, protocols, available SKUs, and use cases for Azure WAF?

Azure WAF Top Features

  • OWASP Top 10 protection
  • SQL Injection protection
  • Cross-site scripting protection
  • Protection against common web attacks (Command Injection/ HTTP Smuggling)
  • Protection against HTTP protocol anomalies
  • TLS Offloading
  • Bot Protection

Azure WAF Protocols

  • HTTP and HTTPS

Azure WAF Available SKUs

  • WAF
  • WAF v2

Azure WAF Use Cases

The main use case of Azure WAF is when you need to protect your web applications against web-based attacks. These web apps can be published on Azure VMs or Azure Web Apps. You can also protect a web app by publishing it behind the WAF instead of exposing the web app’s public IP.


In conclusion, Azure WAF protects web applications from web-based attacks at the application layer (Layer 7), and it can be used with Azure Application Gateway or Azure Front Door.

Azure DDoS Protection

Distributed Denial-of-Service (DDoS) attacks can cripple online services by overwhelming them with traffic. Azure’s DDoS Protection employs advanced mitigation techniques to identify and neutralize these attacks, ensuring the availability and performance of your services.

Azure’s proactive DDoS mitigation involves continuous monitoring and automatic detection of potential threats. By dynamically adjusting mitigation strategies, it keeps your services running smoothly even in the face of DDoS attacks.

So, why is Azure DDoS Protection so critical for your service availability?

Let’s start with the basics: DDoS attacks flood your network with superfluous requests. This tactic aims to exhaust your system’s resources – think of these as unwanted floods of water trying to break through a dam. Azure DDoS Protection helps safeguard your applications and services by absorbing the flood of internet traffic caused by such attacks.

Azure’s DDoS service isn’t a one-size-fits-all shield; it’s tailored. You can customize it to understand your traffic’s unique pattern, so it can spot when something’s off. Plus, Azure’s big, really big – its massive-scale infrastructure can handle a tsunami of data without breaking a sweat. Your services stay afloat even when there’s a storm on the cyber seas.

Another thing is that these attacks don’t stick to a script; they evolve. Hackers are always cooking up new strategies. But guess what? Azure DDoS protection is steps ahead, constantly updating itself. It’s like having a super smart guard who knows every trick in the book and a few that haven’t been written yet.

And then there’s the cost aspect. Without protection, a DDoS attack can rack up a huge bill, like a long and unwanted phone call at international rates. With Azure DDoS Protection, you get a predictable and affordable insurance policy. This means you avoid unexpected costs associated with DDoS attacks, keeping your budget in check.

What are the top features, protocols, available SKUs, and use cases for Azure DDoS Protection?

Azure DDoS Top Features

  • Volumetric attacks
  • Layer 3 and Layer 4 attacks
  • Application layer by integration with Azure WAF

Azure DDoS Protocols

  • Layer 3 and Layer 4 protocols

Azure DDoS Available SKUs

  • DDoS IP Protection is a pay-per-protected IP model
  • DDoS Network Protection is automatically tuned to help protect specific Azure resources in a virtual network

For more information about the available SKUs, check the Azure DDoS Protection tier comparison page.

Azure DDoS Use Cases

The main use case of Azure DDoS is preventing a large-scale DDoS attack that aims to overwhelm an Azure-hosted service.


In conclusion, service outages are a nightmare: every minute your service is down, you lose faith, customers, and dollars. In today’s always-on world, you can’t afford to be offline. Azure DDoS Protection is essential, acting as your digital knight in shining armor, keeping the bad guys at bay and your digital doors always open.

Network Security Group (NSG)

Network Security Groups (NSGs) offer granular control over network traffic within your Azure environment. By defining security rules, you can restrict or allow communication between resources, ensuring that only authorized connections are established.

NSG is like a basic Firewall that filters network traffic to and from Azure resources in an Azure Virtual Network. Here’s how NSGs keep our cloud networks in tip-top shape.

NSGs are all about controlling access to network resources. They work by applying rules that allow or deny traffic to flow to different parts of a network. These rules, also known as five-tuple rules, are based on factors such as source and destination IP addresses, source and destination ports, and protocols.

One cool thing about NSGs? They help create a boundary around your resources. Imagine living in a gated community; NSGs are the gates, keeping unwanted guests out. This makes sure only approved traffic gets to talk to your cloud services, which keeps the bad guys at bay.

NSGs are super detailed, too. You can set them up to handle specific traffic types, like separating the traffic for a public-facing web server from the internal traffic that runs your applications.

Monitoring is another area where NSGs shine. With NSG flow logs, part of Azure Network Watcher, we can log network traffic info, which tells you who’s coming to your party, how long they’re staying, and what they’re doing. This helps in understanding any unusual activity and taking steps to tighten security if needed.

The NSG diagnostics is another feature of the Azure Network Watcher tool that helps you understand which network traffic is allowed or denied in your Azure virtual network along with detailed information for debugging. NSG diagnostics can help you verify that your network security group rules are set up properly.

The VNet flow logs (Preview) is a new feature of the Azure Network Watcher tool. Flow logs are the source of truth for all network activity in your Azure cloud environment. It’s important to keep track of the status of your network, including who is currently connected and from where. You should also be aware of which ports are accessible from the internet, expected network behavior, any unusual network activity, and sudden traffic increases.
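
The checks listed above (which ports are reachable from the internet, which sources are being denied) can be run directly over NSG flow log records. The following is an added example, not code from the original article: it assumes the NSG flow log version 2 tuple layout, uses a constructed sample record, and the `min_ports` threshold is a hypothetical value.

```python
import ipaddress
import json
from collections import defaultdict

# RFC 1918 ranges count as internal; every other source is treated as internet.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction",
          "decision", "state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")


def _group(rule, *tuples):
    return {"rule": rule, "flows": [{"mac": "000D3A000001", "flowTuples": list(tuples)}]}


# Constructed sample (documentation-range source addresses), not real telemetry.
SAMPLE = json.dumps({"records": [{"properties": {"Version": 2, "flows": [
    _group("UserRule_Allow-HTTPS",
           "1704067200,203.0.113.10,10.0.1.4,50123,443,T,I,A,B,,,,",
           "1704067260,203.0.113.10,10.0.1.4,50123,443,T,I,A,E,12,3400,10,9100"),
    _group("UserRule_Allow-RDP-Any",
           "1704067205,198.51.100.7,10.0.1.5,41000,3389,T,I,A,B,,,,"),
    _group("DefaultRule_AllowVnetInBound",
           "1704067210,10.0.2.9,10.0.1.4,51000,1433,T,I,A,B,,,,"),
    _group("DefaultRule_DenyAllInBound",
           "1704067215,198.51.100.7,10.0.1.5,41001,22,T,I,D,B,,,,",
           "1704067216,198.51.100.7,10.0.1.5,41002,23,T,I,D,B,,,,",
           "1704067217,198.51.100.7,10.0.1.5,41003,445,T,I,D,B,,,,"),
]}}]})


def is_external(addr):
    return not any(ipaddress.ip_address(addr) in net for net in INTERNAL)


def parse_flows(raw):
    """Yield one dict per version 2 flow tuple, tagged with the matching rule."""
    for record in json.loads(raw)["records"]:
        for rule_group in record["properties"]["flows"]:
            for flow in rule_group["flows"]:
                for line in flow["flowTuples"]:
                    parts = line.split(",")
                    if len(parts) != len(FIELDS):
                        continue  # malformed or version 1 (8-field) tuple
                    yield dict(zip(FIELDS, parts), rule=rule_group["rule"])


def internet_exposed(flows):
    """Map (dst, port) -> rules that allowed new inbound flows from the internet."""
    exposed = defaultdict(set)
    for f in flows:
        new_inbound_allow = (f["direction"], f["decision"], f["state"]) == ("I", "A", "B")
        if new_inbound_allow and is_external(f["src"]):
            exposed[(f["dst"], int(f["dport"]))].add(f["rule"])
    return dict(exposed)


def denied_probes(flows, min_ports=3):
    """Return external sources denied inbound on at least min_ports distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        if f["direction"] == "I" and f["decision"] == "D" and is_external(f["src"]):
            ports[f["src"]].add(int(f["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

On the sample, the exposure report names the rule that lets RDP in from the internet, which is the finding to follow up by tightening that rule's source prefix.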

Lastly, NSGs’ compatibility with other Azure products is like having a squad of friends who are great at different things. They make sure that the overall security strategy is coordinated and strong because they speak the same language as the rest of your security tools in the cloud.

Related: Audit all VMs that don’t have Network Security Group associated.

What are the top features, protocols, available SKUs, and use cases for Network Security Groups?

NSG Top Features

  • Created by default with VMs
  • Layer 3 and Layer 4 only
  • Applied only on Subnet and/or at the NIC level
  • Cannot be applied on Virtual Network
  • 5-Tuple-based rules (Source IP, Source Port, Destination IP, Destination Port, and Protocol)

NSG Protocols


NSG Available SKUs

  • Free

NSG Use Cases

The main use case of Network Security Groups is microsegmentation: they control access to VMs and subnets by defining granular network traffic rules at the subnet level or at the virtual NIC level.


In conclusion, micro-segmentation with NSGs involves dividing your network into smaller, isolated segments. This strategy adds an extra layer of protection, limiting the impact of security breaches and unauthorized access.

Frequently Asked Questions (FAQs)

Is the pricing of the firewall policy different from the Azure Firewall?

Yes, Azure Firewall policies are charged separately but they are billed based on firewall associations. So, policies with zero or one firewall association are free, while policies with multiple firewall associations are billed at a fixed rate. Azure Firewall Manager Policies are charged $100 per policy, per region. For more information, check the Azure Firewall Manager Pricing page.

Does creating a firewall policy also create an Azure Firewall Manager?

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters. It is already available in the Azure Portal and is not created separately. When you create a Firewall policy, it becomes available in the Azure Firewall Manager service under Azure Firewall policies for better management.

There is no charge for Azure Firewall Manager service itself, but there are charges for the Firewall policies and Firewall Manager secured virtual hubs with 3rd party integrations.

What sets Azure Web Application Firewall (WAF) apart?

Azure WAF is tailored for web applications, offering protection against common online attacks, such as SQL injection and cross-site scripting, ensuring a secure online presence.

Can Azure DDoS Protection handle large-scale attacks?

Yes, Azure DDoS Protection is designed to handle large-scale distributed denial-of-service attacks, safeguarding your digital assets from disruptions and ensuring uninterrupted services.

How is traffic evaluated when NSG is associated with a subnet or a NIC?

For inbound traffic: Azure processes the rules in a network security group associated with a subnet first, if there is one, and then the rules in a network security group associated with the network interface if there is one.

For outbound traffic: Azure processes the rules in a network security group associated with a network interface first, if there is one, and then the rules in a network security group associated with the subnet if there is one.
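
The processing order above, combined with the five-tuple rules described earlier, can be modelled in a few lines. This is an added example, not code from the original article or from Azure: it is a simplified model in which rules within one NSG are matched in ascending priority order with the first match winning, service tags are not modelled, and all rule sets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int       # lower number is evaluated first
    action: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    src: str            # CIDR prefix or "*"
    dst: str            # CIDR prefix or "*"
    dport: str          # "443", "8000-8080" or "*"
    sport: str = "*"    # source port, almost always "*"


def ip_match(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_nsg(rules, proto, src, sport, dst, dport):
    """Return (action, priority) of the first matching rule in one NSG."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", proto) and ip_match(r.src, src)
                and port_match(r.sport, sport) and ip_match(r.dst, dst)
                and port_match(r.dport, dport)):
            return r.action, r.priority
    return "Deny", None  # only reached if a rule set lacks a catch-all rule


def evaluate_path(direction, subnet_nsg, nic_nsg, flow):
    """Apply both NSGs in Azure's order; traffic must pass each one present."""
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "outbound":
        order.reverse()
    trace = []
    for level, rules in order:
        if rules is None:        # no NSG associated at this level
            continue
        action, priority = evaluate_nsg(rules, *flow)
        trace.append((level, action, priority))
        if action == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed rule sets; most default rules are left out of this model.
DENY_ALL = Rule(65500, "Deny", "*", "*", "*", "*")
SUBNET_IN = [Rule(100, "Allow", "Tcp", "*", "10.0.1.0/24", "443"), DENY_ALL]
NIC_IN = [Rule(200, "Allow", "Tcp", "10.0.0.0/8", "10.0.1.4/32", "443"), DENY_ALL]
NIC_OUT = [Rule(100, "Deny", "Tcp", "*", "*", "25"),
           Rule(65001, "Allow", "*", "*", "*", "*")]
SUBNET_OUT = [Rule(65001, "Allow", "*", "*", "*", "*")]
```

The `flow` argument is a `(protocol, source IP, source port, destination IP, destination port)` tuple. The returned trace shows which level made the decision, which is the question to answer when an allow rule on the subnet appears to have no effect because the NIC-level NSG denies the same traffic.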

How often should Azure network security be updated?

Ensuring the security of your Azure environment requires regular updates. Continuous monitoring and updating of security configurations is recommended to adapt to emerging threats.

Can Azure’s network security protect against zero-day vulnerabilities?

Azure employs advanced threat intelligence and proactive measures to mitigate the risk of zero-day vulnerabilities. However, you should stay vigilant and implement best practices for a robust security posture.

How can Azure’s network security adapt to the unique needs of different businesses?

Azure’s network security services, such as Firewall, WAF, DDoS Protection, and NSG, are designed to be customizable. Users can configure these services to meet the specific security needs and regulatory requirements of their respective industries.

Are there any specific industries where Azure’s network security is particularly beneficial?

Azure’s network security is versatile and beneficial across various industries, including finance, healthcare, and e-commerce. The customizable nature of Azure’s security services caters to the unique needs of different sectors.

In Conclusion

In this article, we discussed the crucial role of Azure Network Security, which includes Azure Firewall, Azure WAF, Azure DDoS Protection, and Network Security Group (NSG). All of these network services should be used together to have a robust design that follows Azure Security Framework and best practices. The design will always be different based on the budget, applications, and type of workload.

Please note that other Azure network and security services can be used such as Azure Network Watcher, Microsoft Defender for Cloud, and Microsoft Sentinel.

The secure fortification of digital resources in the cloud is not a task to be undertaken lightly, and through the exploration of Azure’s comprehensive array of network security services, network and security professionals are equipped with the knowledge to create a bulwark against an ever-evolving threat landscape.

Azure’s network security tools, from Firewall to WAF, DDoS protection, and NSGs, provide a holistic approach to securing applications and infrastructure. With the integration and automation capabilities within Azure, security transforms into a seamless and dynamic component of the cloud environment, offering a resilient and responsive defense system that stands the test of time and cyber adversity.


Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
