A whole set of features has been released in Azure, such as NSGs, Forced Tunnelling, Load Balancers, multiple VIPs, and reserved and static IPs. In addition, features like User Defined Routes, IP Forwarding and multi-NIC VMs have enabled many Network Virtual Appliance providers, such as CheckPoint, Barracuda and F5, to release their products in the Marketplace.
At the same time, not many people are aware of these features or how to use them to build a secure network topology in Azure. Many times, I’ve heard people say that building a secure network topology or DMZ in Azure is not as easy as it is on-prem. This is not true. With all the above features, you can build a topology the way you want, with the security controls that you want. You can learn about all these new features, and how to use them to build a DMZ-like environment in Azure, in the above session.
Also, if you are planning to secure your network topology, you must go through this white paper: Microsoft Cloud Services and Network Security. The white paper provides an overview of the security and architectural issues that customers should consider when using Microsoft Cloud services accessed via ExpressRoute, as well as when creating secure services in Microsoft Azure’s Virtual Network. It also provides example topologies and detailed step-by-step guidance (and scripts to build these topologies):
- Example 1 – Build a DMZ to protect applications with NSGs
- Example 2 – Build a DMZ to protect applications with a Firewall and NSGs
- Example 3 – Build a DMZ to protect networks with a Firewall, UDR, and NSG
- Example 4 – Adding a hybrid connection with a Site-to-Site, Virtual Appliance VPN
- Example 5 – Adding a hybrid connection with a Site-to-Site, Azure Gateway VPN
- Example 6 – Adding a hybrid connection with ExpressRoute