Securing your cloud perimeter with Azure Network Security (BRK3185)

Zero Trust Architecture
Pillars: Identities, Devices, Apps, Infrastructure, Network, Data
Cross-cutting controls: Security Policy Enforcement, Visibility and Analytics, Automation
https://www.Microsoft.com/en-us/security/
Zero Trust Networking Maturity Model
The same model applied to the Network pillar: Security Policy Enforcement, Visibility and Analytics and Automation across Data, Apps, Infrastructure and Network.
Azure Network Security
Segment: prevent lateral movement and data exfiltration
Protect: secure the network with threat intelligence
Connect: embrace distributed connectivity
Deploy securely across the DevOps process
Achieving Zero Trust with Azure Networking
Defense-in-Depth: Cloud-Native Network Security Services + Networking Partner Solutions
Software Defined Network (SDN): Virtual Networks, Network Security Groups, User Defined Routes, Load Balancer, Azure Firewall, Azure DDoS Protection, Azure Web Application Firewall, Azure Private Link
Network Segmentation
Layers: Subscription, Virtual Network, Network Security Group, Azure Firewall, Web Application Firewall

Multi-level Segmentation
Subscriptions
Virtual Network: VNet Peering, Private Link, Virtual WAN, VPN Gateway
Network Security Group and Azure Firewall: rules scoped by Application Security Group, FQDN or Service Tag
Kubernetes Services: Container Networking Interface
Web Application Firewall
Azure Firewall Manager (PREVIEW)
Central network security policy and route management for globally distributed, software-defined perimeters
• Central deployment and configuration
• Automated routing
• Advanced security with 3rd party SECaaS
• [Roadmap] Split routing
Diagram: Azure Firewall Manager alongside 3rd party Sec SaaS providers
Microsoft Core Services Engineering: Labs @ Microsoft
Goals:
• Migrate 100's of labs to the cloud
• Network segmentation (from Corpnet and from each other)
• Enable engineering agility and time to market
Solution:
• Leverage cloud native
• Scalable infrastructure
• Central edge controls
Learnings:
• Scalability improved
• Performance improved (lack of Force Tunnel)

Diagram: a Central VNet hosting the cloud native firewall (CSEO infra, L3 - L7 connectivity policies) is peered to a Gateway VNet towards Corpnet, to Spoke 1 (subnet 10.1.0.0/27), Spoke 2 (subnet 10.2.0.0/27) and a Customer VNet (subnet 10.3.0.0/25); lab traffic to the Internet and to Public Azure leaves through the firewall.

Lab connectivity policy (ports/protocols allowed between zones):

Source         Destination    Ports/Protocols
LAB            Internet       HTTP - 80, HTTPS - 443, KMS - 1688
Internet       LAB            Not available

Source         Destination    Ports/Protocols
LAB            Azure Public   HTTP - 80, HTTPS - 443, KMS - 1688
Azure Public   LAB            Not available

Source         Destination    Ports/Protocols
LAB            "CorpNet"      HTTPS - 443, HTTP - 80, RDP, SSH, WinRM, 445, ICMP
"CorpNet"      LAB            HTTPS - 443, HTTP - 80, RDP, SSH, WinRM, 445, ICMP
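The tables above are exactly the kind of policy that Azure Firewall network rules express. The following Bicep template is an added example, not code from the deck or from Microsoft: it encodes the three tables as a firewall policy and adds an explicit deny between the lab spokes to match the stated segmentation goal. The spoke subnets are the ones on the slide; the CorpNet prefix, the resource names and the WinRM ports 5985/5986 (the table names the protocols only, so standard port numbers are assumed) are assumptions:

```bicep
// Added example, not part of the deck or Microsoft's own code: an Azure Firewall policy
// encoding the three lab connectivity tables. Spoke subnets are from the slide; the
// CorpNet prefix and all resource names are assumed placeholders.
param location string = resourceGroup().location
param labSubnets array = [ '10.1.0.0/27', '10.2.0.0/27' ]   // Spoke 1 and Spoke 2 (slide)
param corpNetPrefixes array = [ '10.200.0.0/16' ]            // ASSUMED stand-in for "CorpNet"

// Ports from the tables; RDP, SSH and WinRM are named there and mapped to their standard ports.
var labEgressPorts = [ '80', '443', '1688' ]                            // HTTP, HTTPS, KMS
var corpNetPorts = [ '443', '80', '3389', '22', '5985', '5986', '445' ] // HTTPS, HTTP, RDP, SSH, WinRM, SMB

// One rule per direction: a symmetric source/destination list would silently
// allow LAB<->LAB and CorpNet<->CorpNet as well.
var corpNetDirections = [
  { name: 'lab-to-corpnet', src: labSubnets, dst: corpNetPrefixes }
  { name: 'corpnet-to-lab', src: corpNetPrefixes, dst: labSubnets }
]
var corpNetTcpRules = [for d in corpNetDirections: {
  ruleType: 'NetworkRule'
  name: '${d.name}-tcp'
  ipProtocols: [ 'TCP' ]
  sourceAddresses: d.src
  destinationAddresses: d.dst
  destinationPorts: corpNetPorts
}]
var corpNetIcmpRules = [for d in corpNetDirections: {
  ruleType: 'NetworkRule'
  name: '${d.name}-icmp'
  ipProtocols: [ 'ICMP' ]
  sourceAddresses: d.src
  destinationAddresses: d.dst
  destinationPorts: [ '*' ]   // ICMP has no ports; the rule still requires '*'
}]

resource policy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: 'lab-edge-policy'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'   // drop flows to/from Microsoft threat intelligence IPs and domains
  }
}

resource labRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: policy
  name: 'lab-connectivity'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // Not in the tables but it is the stated goal: labs stay segmented from each other.
        // Lower priority number = evaluated first, so this beats the '*' allow below.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'lab-isolation'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'deny-lab-to-lab'
            ipProtocols: [ 'Any' ]
            sourceAddresses: labSubnets
            destinationAddresses: labSubnets
            destinationPorts: [ '*' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'lab-egress'   // tables 1 and 2: LAB -> Internet and LAB -> Azure Public share the same ports
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'lab-to-internet-and-azure-public'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: labSubnets
            destinationAddresses: [ '*' ]   // '*' stands in for "anywhere"; lab-to-lab was denied above
            destinationPorts: labEgressPorts
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'lab-corpnet'   // table 3, both rows
        priority: 120
        action: { type: 'Allow' }
        rules: concat(corpNetTcpRules, corpNetIcmpRules)
      }
    ]
  }
}
// Rows marked "Not available" (Internet -> LAB, Azure Public -> LAB) get no rule at all:
// Azure Firewall drops whatever matches no allow rule, so absence is the deny.
```

Attach the policy to the hub firewall through its firewallPolicy property and point each spoke's default route (0.0.0.0/0) at the firewall's private IP with a user defined route; without that route the policy is never consulted. The Azure Public row is covered by the '*' rule here; splitting it out with the AzureCloud service tag is the move when Internet egress is later narrowed to an FQDN allow list in application rules.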
Azure Web Application Firewall
See also BRK3171 | 11/08 (9:15 - 10 AM) | Using Azure Web Application Firewall to protect your web applications and web APIs
Azure Global WAF (Front Door) and Azure Regional WAF (Application Gateway) apply a uniform WAF policy to PaaS, IaaS, AKS, serverless and on-premises backends.
WAF policy: OWASP rules, bot management, custom rules, Microsoft threat intelligence
• Protect apps against automated attacks
• Manage good/bad bots with Azure BotManager RuleSet
Site and URI path specific WAF policies
• Customize WAF policies at regional WAF for finer grained protection at each host/listener or URI path level
Geo filtering on regional WAF
• Enhanced custom rule matching criterion
PREVIEW
Unified WAF policy: protect your apps at the network edge or in Azure regions
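As an added example (not from the deck or from Microsoft), here is the regional WAF policy described above written as Bicep: OWASP managed rules, the Bot Manager rule set, a geo-filtering custom rule and one tuning exclusion. The resource name, the header name and the country list are assumed placeholders:

```bicep
// Added example, not from the deck or Microsoft: a regional (Application Gateway) WAF
// policy with OWASP managed rules, the Bot Manager rule set, geo filtering and one
// exclusion. Names, the country list and the header name are assumed placeholders.
param location string = resourceGroup().location
param allowedCountries array = [ 'US', 'CA' ]   // ASSUMED: where the app's users are

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-04-01' = {
  name: 'waf-regional-policy'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'        // run in 'Detection' first and review WAF logs for false positives
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'OWASP', ruleSetVersion: '3.2' }                        // "OWASP rules"
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }  // "Bot management"
      ]
      exclusions: [
        {
          // ASSUMED tuning example: a header carrying opaque tokens that trip injection rules.
          // Without exclusionManagedRuleSets this exclusion applies to every managed rule.
          matchVariable: 'RequestHeaderNames'
          selectorMatchOperator: 'Equals'
          selector: 'x-session-token'
        }
      ]
    }
    customRules: [
      {
        // "Geo filtering": block any client whose IP geolocates outside the allowed list
        name: 'BlockOutsideAllowedCountries'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RemoteAddr' } ]
            operator: 'GeoMatch'
            negationConditon: true   // the resource schema spells this property without the second 'i'
            matchValues: allowedCountries
          }
        ]
      }
    ]
  }
}
```

The per-site and per-path policies from the slide are done by referencing a policy's id in the firewallPolicy property of an individual httpListener or pathRule on the Application Gateway, while the gateway-level policy stays the default. Narrow the exclusion with exclusionManagedRuleSets to the rule ids that actually fire rather than leaving it global.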
Cloud scale DDoS protection for Azure: Azure DDoS Protection Standard
Diagram: traffic from the public Internet to Public IP 1 and Public IP 2 (Web Application 1 and 2) crosses the Azure global network, where the DDoS Protection Standard adaptive tuning engine sits, before reaching Azure WAF and Azure Firewall in the Central VNET and the Spoke VNETs (inbound, and inbound/outbound through the firewall).
1. Azure global network
2. Adaptive tuning
3. Attack analytics and metrics
4. DDoS Rapid Response (DRR)
5. SLA guarantee and cost protection
New Partner WAF-as-a-Service Offerings in Azure
• Advanced Security Stack with Bot Manager, Analytics & Threat Detection
• Application Specific Rule Sets with positive / negative rules and auto policy generation
• Leverages the scale & reach of Azure
• Defended against DDoS attacks by Azure DDoS Protection Standard
• Consumption based pricing model & available on Azure Marketplace
• Web application security, simplified
• All the advanced WAF functionality with the ease of SaaS – deployed in minutes
Azure Networking Connectivity: Transforming your network approach
Diagram: Azure alongside other Clouds, Business SaaS and Consumer SaaS
Azure Virtual WAN
Provides optimized and automated branch connectivity to, and through, Azure
Diagram: Virtual WAN hubs in Region 1, Region 2 and Region 3 connect VNets, a Datacenter over ExpressRoute, Corp HQ and Branches over Point-to-site VPN
• ExpressRoute Integration
• Point to site VPN Integration
• Path selection from branch
GA
PREVIEW
• Hub/Any-to-any connectivity
• Azure Firewall integration
Azure Firewall Manager: Extend your Security Edge to Azure (PREVIEW)
Diagram: on-premises HQ/Branch sites and the Datacenter connect through Virtual WAN to a Secured vHub running Azure Firewall, which fronts the VNets and PaaS; Azure Firewall Manager manages multiple secured virtual hubs centrally.
• Direct Internet Breakout for O365
• Secure Internet access via Azure, based on IPs/FQDNs/Tags
• User-aware Internet access via 3rd party (to Business SaaS, Consumer SaaS and other PaaS)
Microsoft Azure Firewall Manager and Zscaler Internet Access
(Zscaler slide "Securing your cloud transformation", ©2019 Zscaler, Inc. All rights reserved.)
Diagram: Azure Region 1 through Azure Region n
"The Zscaler and Microsoft joint solution ensures best-in-class internet/web security and low-latency performance to empower enterprise users and applications to securely access any internet destination."
Dhawal Sharma, Sr. Director Product Management, Zscaler
Checkpoint CloudGuard Connect
Microsoft Core Service Engineering: Quantum Computing Private Network
Need: quickly create an isolated network for collaboration between Microsoft employees embedded at universities around the world.
Solution: Azure Virtual WAN, Azure Firewall and Azure VPN; full deployment in less than a day.
Diagram: an Azure Virtual WAN hub with Azure Firewall connects the VNETs, University sites S1, S2 and S3 and a 3rd party site (Site1), each joining through a VPN appliance, plus remote users over VPN.
Azure Private Link
Highly secure and private connectivity solution for the Azure platform
Diagram: a Virtual Network (10.0.0.0/16) holds private endpoints (for example Storage at 10.0.0.5, SQL and SQL DW) and a Private Link Service; Internet access is denied; on-premises clients reach the endpoints over ExpressRoute private peering through the ER Gateway. Private Link fronts Azure PaaS services, customer owned services and Marketplace services.
• Private access from Virtual Network resources, peered networks and on-premises networks
• In-built data exfiltration protection
• Predictable private IP addresses for PaaS resources
• Unified experience across PaaS, customer owned and Marketplace services
See also BRK3168 | 11/07 (9:15 - 10 AM) | Delivering services privately in your VNet with Azure Private Link
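The storage endpoint from the diagram (10.0.0.5 inside 10.0.0.0/16, Internet denied) in Bicep, as an added example that is not the deck's or Microsoft's code; the storage account name, subnet and other resource names are assumed placeholders:

```bicep
// Added example, not from the deck or Microsoft: a storage account reachable only through
// a private endpoint with a predictable private IP, plus the private DNS zone that makes
// clients resolve to it. VNet range and 10.0.0.5 are from the slide; names are assumed.
param location string = resourceGroup().location
param storageName string = 'stlabprivate001'   // ASSUMED; must be globally unique

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'private-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'pe-subnet'
        properties: {
          addressPrefix: '10.0.0.0/24'
          privateEndpointNetworkPolicies: 'Enabled'   // let NSG rules apply to the endpoint NIC
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    publicNetworkAccess: 'Disabled'   // "Deny Internet": the public endpoint answers no one
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[0].id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id   // bound to this one account, no other
          groupIds: [ 'blob' ]               // one endpoint per sub-resource (blob, file, table, ...)
        }
      }
    ]
    ipConfigurations: [
      {
        // "Predictable private IP addresses": pin the NIC to the address on the slide
        name: 'blob'
        properties: { groupId: 'blob', memberName: 'blob', privateIPAddress: '10.0.0.5' }
      }
    ]
  }
}

// DNS: clients must resolve <account>.blob.core.windows.net to 10.0.0.5, not the public IP
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-private-vnet'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'blob', properties: { privateDnsZoneId: zone.id } }
    ]
  }
}
```

The endpoint is bound to one specific account (privateLinkServiceId), which is the exfiltration protection the slide refers to: a process in the VNet can reach this account over 10.0.0.5 but has no private path to any other account, and with publicNetworkAccess disabled the account itself accepts nothing from public IPs. Name resolution only works for clients using the linked zone; on-premises resolvers need to forward the privatelink zone to a resolver inside the VNet.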
Azure Bastion (GA)
Secure and seamless RDP and SSH access to your virtual machines using zero trust
• RDP/SSH to your workload using an HTML5 standards-based web browser, directly in the Azure Portal
• Resources can be accessed without public IP addresses
• Supported Azure resources include VMs, VM Scale Sets, Dev-Test Labs
• No agent required
Diagram: the user's browser reaches Azure Bastion through the Azure Portal over SSL (443) from the Internet; Bastion, deployed in the "AzureBastionSubnet" of the customer's virtual network, opens the remote protocol session (RDP 3389, SSH 22, et al) to the target VM subnet(s) over private IPs.
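The Bastion diagram above in Bicep, as an added example (not the deck's or Microsoft's code): Bastion lands in the mandatory AzureBastionSubnet with an NSG limited to the flows the service needs, and the workload subnet accepts 3389/22 only from that subnet. Address prefixes and names are assumptions; the GatewayManager, AzureLoadBalancer and AzureCloud service tags and ports 8080/5701 are the platform requirements for a Bastion subnet NSG, and 443, 3389 and 22 are the ports on the slide:

```bicep
// Added example, not from the deck or Microsoft: Azure Bastion in the mandatory
// AzureBastionSubnet, an NSG limited to the flows Bastion needs, and a workload NSG
// that accepts RDP/SSH only from the Bastion subnet. Names and prefixes are assumed.
param location string = resourceGroup().location
var bastionSubnetPrefix = '10.0.255.0/26'   // ASSUMED; the service requires /26 or larger
var workloadSubnetPrefix = '10.0.1.0/24'    // ASSUMED target VM subnet

// Inbound: users over 443, control plane (GatewayManager), LB probes, Bastion data plane.
// Outbound: RDP/SSH to VMs, platform over 443, Bastion data plane, HTTP 80 for session/cert checks.
var bastionRules = [
  { name: 'AllowHttpsInbound',          dir: 'Inbound',  pri: 120, access: 'Allow', src: 'Internet',          dst: '*',              ports: [ '443' ] }
  { name: 'AllowGatewayManagerInbound', dir: 'Inbound',  pri: 130, access: 'Allow', src: 'GatewayManager',    dst: '*',              ports: [ '443' ] }
  { name: 'AllowLoadBalancerInbound',   dir: 'Inbound',  pri: 140, access: 'Allow', src: 'AzureLoadBalancer', dst: '*',              ports: [ '443' ] }
  { name: 'AllowBastionHostComm',       dir: 'Inbound',  pri: 150, access: 'Allow', src: 'VirtualNetwork',    dst: 'VirtualNetwork', ports: [ '8080', '5701' ] }
  { name: 'AllowSshRdpOutbound',        dir: 'Outbound', pri: 100, access: 'Allow', src: '*',                 dst: 'VirtualNetwork', ports: [ '22', '3389' ] }
  { name: 'AllowAzureCloudOutbound',    dir: 'Outbound', pri: 110, access: 'Allow', src: '*',                 dst: 'AzureCloud',     ports: [ '443' ] }
  { name: 'AllowBastionCommOutbound',   dir: 'Outbound', pri: 120, access: 'Allow', src: 'VirtualNetwork',    dst: 'VirtualNetwork', ports: [ '8080', '5701' ] }
  { name: 'AllowHttpOutbound',          dir: 'Outbound', pri: 130, access: 'Allow', src: '*',                 dst: 'Internet',       ports: [ '80' ] }
]
// Workload side: the explicit deny closes the VNet-wide path that the default
// AllowVnetInBound rule would otherwise leave open to any peer in the network.
var workloadRules = [
  { name: 'AllowRdpSshFromBastionOnly', dir: 'Inbound', pri: 100, access: 'Allow', src: bastionSubnetPrefix, dst: '*', ports: [ '22', '3389' ] }
  { name: 'DenyRdpSshFromAnywhereElse', dir: 'Inbound', pri: 110, access: 'Deny',  src: '*',                 dst: '*', ports: [ '22', '3389' ] }
]
var nsgDefs = [
  { name: 'nsg-AzureBastionSubnet', rules: bastionRules }
  { name: 'nsg-workload', rules: workloadRules }
]

resource nsgs 'Microsoft.Network/networkSecurityGroups@2023-04-01' = [for n in nsgDefs: {
  name: n.name
  location: location
  properties: {
    securityRules: [for r in n.rules: {
      name: r.name
      properties: {
        direction: r.dir
        priority: r.pri
        access: r.access
        protocol: 'Tcp'
        sourceAddressPrefix: r.src
        sourcePortRange: '*'
        destinationAddressPrefix: r.dst
        destinationPortRanges: r.ports
      }
    }]
  }
}]

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'AzureBastionSubnet'   // fixed name required by the service
        properties: {
          addressPrefix: bastionSubnetPrefix
          networkSecurityGroup: { id: nsgs[0].id }
        }
      }
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: workloadSubnetPrefix
          networkSecurityGroup: { id: nsgs[1].id }
        }
      }
    ]
  }
}

resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }   // Bastion requires a Standard, static public IP
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-04-01' = {
  name: 'bas-hub'
  location: location
  sku: { name: 'Basic' }
  properties: {
    ipConfigurations: [
      {
        name: 'ipconf'
        properties: {
          subnet: { id: vnet.properties.subnets[0].id }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}
```

The workload deny rule is the part that makes "no public IP" into real isolation: Bastion removes the Internet-facing RDP/SSH port, and the NSG removes the lateral path from other subnets, leaving the Bastion subnet as the only way in. Enable the BastionAuditLogs diagnostic category on the host to record who connected to which VM and when.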
Azure Bastion Demo
How it all works together
Diagram: the on-premises data center, branch offices and mobile workers reach the Azure Hub VNET over ExpressRoute, VPN Gateway and Virtual WAN; traffic from the public Internet passes Azure DDoS, the Azure Global WAF and the Azure Regional WAF (inbound) and Azure Firewall (inbound/outbound) in the hub before reaching the spoke VNETs.
PRIVATE PaaS: IaaS/PaaS Spoke VNET (App on IaaS, App on PaaS) = Network Security Group + Private Link to private PaaS services
PUBLIC PaaS: IaaS/PaaS Spoke VNET (App on IaaS, App on PaaS) = Network Security Group + Service Endpoints to public PaaS services
Key takeaways
Please evaluate this session. Your feedback is important to us!
https://aka.ms/ignite.mobileapp
https://myignite.techcommunity.microsoft.com/evaluations
Find this session in Microsoft Tech Community