Day: February 18, 2019

Posted on

Increase your IaaS Cloud Security in Azure

The security is the key pillar of designing the public cloud infrastructure. We must create the security principle to define the security design by bringing best practices.

There are different ways of securing your environment by implementing such as identity, automation in security, secured data at rest, transit etc. We would be looking at applying security layers in the Azure infrastructure. Microsoft is providing multiple options in Azure to secure your network like Network Security Groups (NSG), Application Security Grups (ASG), Azure Firewall, Web Application Firewall (WAF), Network Virtual Appliance (NVA), DDoS etc. too apply at different layer. Based on our requirements we can select each option available and or combinations of each those options.

 

It is important that we understand important of each of those to select right security options available. There is no doubt that security is important but at the

 same time we should not make things very complex by introducing everything in our Azure infrastructure. Let’s take some scenarios and discuss those each of my coming blog.

Let’s looks at the above scenario when we have Hub and Spoke model Azure vNET implement. Hub and Spoke vNET implementation are recommend by Microsoft.

Let’s identify our building block of our core design and will do one by one. Let’s create some assumptions for our design.

vNET – We will use 4x vNETs.

Express Route – Express route will connect to the Hub vNET

                1x Shared vNET called Hub vNET

                1 spoke vNET each for segregating each environment required.

Site to Site – this can be used alone of combinations of both ER and S2S.

1x NSG per vNET – 4 NSGs in total for 4 Spoke vNET. Or you may prefer to use per subnet.

ASG will be create for each tier for the specific security zones or specific applications.

2x node checkpoint NVAs in scale set mode. This includes 1x external and 1x internal load balancers.

No public IP on the NVA.

Public IP will be configured on External Load balancers only.

Application Gateway (WAF) with private IP in each vNETs.

We will talk about different benefits and use cases when you combine all of these in my coming blogs. Please join me interacting with my blog posts.