Protect assets by placing controls on network traffic originating in Azure, between on-premises and Azure-hosted resources, and traffic to and from Azure. If security measures aren't in place, attackers can gain access, for instance by scanning across public IP ranges. Proper network security controls provide defense-in-depth elements that help detect, contain, and stop attackers who gain entry into your cloud deployments.
How have you secured the network of your workload?
- Segment your network footprint and create secure communication paths between segments. Align the network segmentation with overall enterprise segmentation strategy.
- Design security controls that identify and allow or deny traffic, access requests, and application communication between segments.
- Protect all public endpoints with Azure Front Door, Application Gateway, Azure Firewall, Azure DDoS Protection.
- Mitigate DDoS attacks with Azure DDoS Protection for critical workloads.
- Keep virtual machines private and secure when connecting to the internet with Azure Virtual Network NAT (NAT gateway).
- Control network traffic between subnets (east-west) and application tiers (north-south).
- Protect from data exfiltration attacks through a defense-in-depth approach with controls at each layer.
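The segmentation and east-west control items above hinge on one detail of Azure network security groups: every NSG carries a built-in AllowVnetInBound rule at priority 65000, so two subnets in the same virtual network can talk freely unless you add an explicit deny at a higher priority. The following added example (not code from the original page or from Microsoft) is a small simulator of NSG inbound evaluation that contrasts a weak app-tier NSG with a hardened one; the tier address ranges and rule names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnet plan for this example (not from the page).
VNET = ipaddress.ip_network("10.0.0.0/16")
TIERS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "data": "10.0.3.0/24"}

@dataclass
class Rule:
    name: str
    priority: int
    access: str      # "Allow" or "Deny"
    source: str      # CIDR, or the service tags "VirtualNetwork", "Internet", "*"
    dest_port: str   # a port number or "*"

def _src_matches(prefix, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":
        return ip not in VNET
    return ip in ipaddress.ip_network(prefix)

# Azure default inbound rules present in every NSG (AllowAzureLoadBalancerInBound
# at 65001 is omitted here because it only matches the platform probe address).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

def evaluate(rules, src_ip, port):
    """NSG semantics: lowest priority number wins; the first matching rule stops evaluation."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _src_matches(r.source, src_ip) and r.dest_port in ("*", str(port)):
            return f"{r.access}:{r.name}"
    return "Deny:DenyAllInBound"

# Weak app-tier NSG: only the intended allow, relying on defaults for everything else.
WEAK_APP_NSG = [Rule("AllowWebToApp", 100, "Allow", TIERS["web"], "8080")]

# Hardened app-tier NSG: an explicit intra-VNet deny placed above the default 65000 allow,
# so only the web tier on port 8080 reaches the app tier (east-west control).
HARDENED_APP_NSG = WEAK_APP_NSG + [
    Rule("DenyVnetInBound", 4000, "Deny", "VirtualNetwork", "*"),
]

def east_west_is_open(rules):
    """True if a data-tier host can reach the app tier on a port no rule meant to expose."""
    return evaluate(rules, "10.0.3.10", 22).startswith("Allow")
```

Run `east_west_is_open` against the two rule sets to see that the weak NSG leaves the app tier reachable from the data subnet through the default rule, while the hardened one denies it.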
Azure security benchmark
The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure. The questions in this section are aligned to the Network Security controls of the Azure Security Benchmark. Azure services that provide network security controls include:
- Azure Virtual Network
- Azure Firewall
- Azure Virtual Network NAT
- Azure ExpressRoute
- Azure Private Link
- Azure DDoS Protection
Here are some reference architectures related to network security:
- Hub-spoke network topology in Azure
- Deploy highly available NVAs
- Azure Kubernetes Service (AKS) production baseline
We recommend applying as many of the best practices as early as possible, and then working to retrofit any gaps over time as you mature your security program.
Combine network controls with application, identity, and other technical control types. This approach is effective in preventing, detecting, and responding to threats outside the networks you control. For more information, see these articles:
Ensure that resource grouping and administrative privileges align to the segmentation model. For more information, see Administrative account security.