This article is a solution idea. If you'd like us to expand the content with more information, such as potential use cases, alternative services, implementation considerations, or pricing guidance, let us know by providing GitHub feedback.
You can build an entire IT infrastructure to run your organization by using various Azure services. Azure also offers security services to protect your infrastructure. By using Azure security services, you can improve the security posture of your IT environment. You can mitigate vulnerabilities and avoid breaches by implementing a well-architected solution that follows recommendations from Microsoft.
Some security services incur fees while others have no additional charges. Free services include network security groups (NSGs), storage encryption, TLS/SSL, shared access signature tokens, and many others. This article covers such services.
This article is the third in a series of five. To review the previous two articles in this series, including the introduction and a review of how you can map threats against an IT environment, see the following articles:
Potential use cases
This article presents Azure security services according to each Azure service. In this way, you can think of a specific threat against resource—a virtual machine (VM), an operating system, an Azure network, an application—or an attack that might compromise users and passwords. Then use the diagram in this article to help you understand which Azure security services to use to protect resources and user identities from that type of threat.
Download a Visio file of this architecture.
©2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
The Azure security layer in this diagram is based on Azure Security Benchmark (ASB) v3, which is a set of security rules that are implemented through Azure policies. ASB is based on a combination of rules from CIS Center for Internet Security and National Institute of Standards and Technology. For more information about ASB, see Overview of the Azure Security Benchmark v3.
The diagram doesn't contain all the Azure security services that are available, but it shows the security services that are most commonly used by organizations. All the security services that are identified in the architectural diagram can work together in any combination according to your IT environment and your organization's security requirements.
This section describes the components and services that appear in the diagram. Many of those are labeled with their ASB control codes, in addition to their abbreviated labels. The control codes correspond to the control domains that are listed in Controls.
AZURE SECURITY BENCHMARK
Each security control refers to one or more specific Azure security services. The architecture reference in this article shows some of them and their control numbers according to the ASB documentation. The controls include:
- Network security
- Identity management
- Privileged access
- Data protection
- Asset management
- Logging and threat detection
- Incident response
- Posture and vulnerability management
- Endpoint security
- Backup and recovery
- DevOps security
- Governance and strategy
For more information about security controls, see Overview of the Azure Security Benchmark (v3).
The following table describes the network services in the diagram.
Label Description Documentation NSG A free service that you attach to a network interface or subnet. An NSG allows you to filter TCP or UDP protocol traffic by using IP address ranges and ports for inbound and outbound connections. Network security groups VPN A virtual private network (VPN) gateway that delivers a tunnel with IPSEC (IKE v1/v2) protection. VPN Gateway AZURE FIREWALL A platform as a service (PaaS) that delivers protection in layer 4 and is attached to an entire virtual network. What is Azure Firewall? APP GW + WAF Azure Application Gateway with Web Application Firewall (WAF). Application Gateway is a load balancer for web traffic that works in layer 7 and adds WAF to protect applications that use HTTP and HTTPS. What is Azure Application Gateway? NVA Network Virtual Appliance (NVA), a virtual security services from the marketplace that is provisioned on VMs on Azure. Network Virtual Appliances DDOS DDoS protection implemented on the virtual network to help you mitigate different types of DDoS attacks. Azure DDoS Network Protection overview TLS/SSL TLS/SSL deliver encryption in transit for most Azure services that exchange information, such as Azure Storage and Web Apps. Configure end-to-end TLS by using Application Gateway with PowerShell PRIVATE LINK Service that allows you to create a private network for an Azure service that initially is exposed to the internet. What is Azure Private Link? PRIVATE ENDPOINT Creates a network interface and attaches it to the Azure service. Private Endpoint is part of Private Link. This configuration lets the service, by using a private endpoint, be part of your virtual network. What is a private endpoint?
INFRASTRUCTURE AND ENDPOINTS
The following table describes infrastructure and endpoint services that are shown in the diagram.
Label Description Documentation BASTION Bastion provides jump server functionality. This service allows you to access your VMs through remote desktop protocol (RDP) or SSH without exposing your VMs to the internet. What is Azure Bastion? ANTIMALWARE Microsoft Defender provides anti-malware service and is part of Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. Microsoft Defender Antivirus in Windows DISK ENCRYPT Disk Encryption allows you to encrypt the disk of a VM. Azure Disk Encryption for Windows VMs KEYVAULT Key Vault, a service to store keys, secrets, and certificates with FIPS 140-2 Level 2 or 3. Azure Key Vault basic concepts RDP SHORT Azure Virtual Desktop RDP Shortpath. This feature allows remote users to connect to the Virtual Desktop service from a private network. Azure Virtual Desktop RDP Shortpath for managed networks REVERSE CONNECT A built-in security feature from Azure Virtual Desktop. Reverse connect guarantees that remote users receive only pixel streams and don't reach the host VMs. Understanding Azure Virtual Desktop network connectivity
APPLICATION AND DATA
The following table describes application and data services that are shown in the diagram.
Label Description Documentation FRONTDOOR + WAF A content delivery network (CDN). Front Door combines multiple points of presence to deliver a better connection for users who access the service and adds WAF. What is Azure Front Door? API MANAGEMENT A service that delivers security for API calls and manages APIs across environments. About API Management PENTEST A set of best practices to execute a penetration test in your environment, including Azure resources. Penetration testing STORAGE SAS TOKEN A shared access token to allow others to access your Azure storage account. Grant limited access to Azure Storage resources using shared access signatures (SAS) PRIVATE ENDPOINT Create a network interface and attach it to your storage account to configure it inside a private network on Azure. Use private endpoints for Azure Storage STORAGE FIREWALL Firewall that allows you to set a range of IP addresses that can access your storage account. Configure Azure Storage firewalls and virtual networks ENCRYPTION
Protects your storage account with encryption at rest. Azure Storage encryption for data at rest SQL AUDIT Tracks database events and writes them to an audit log in your Azure storage account. Auditing for Azure SQL Database and Azure Synapse Analytics VULNERABILITY ASSESSMENT Service that helps you discover, track, and remediate potential database vulnerabilities. SQL vulnerability assessment helps you identify database vulnerabilities ENCRYPTION
Transparent data encryption (TDE) helps protect Azure SQL database services by encrypting data at rest. Transparent data encryption for SQL Database, SQL Managed Instance, and Azure Synapse Analytics
The following table describes identity services that are shown in the diagram.
Label Description Documentation RBAC Azure role-based access control (Azure RBAC) helps you manage access to Azure services by using granular permissions that are based on users' Microsoft Entra credentials. What is Azure role-based access control (Azure RBAC)? MFA Multifactor authentication offers additional types of authentication beyond user names and passwords. How it works: Microsoft Entra multifactor authentication ID PROTECTION Identity Protection, a security service from Microsoft Entra ID, analyzes trillions of signals per day to identify and protect users from threats. What is Identity Protection? PIM Privileged Identity Management (PIM), a security service from Microsoft Entra ID. It helps you to provide superuser privileges temporarily for Microsoft Entra ID (for example, Global Admin) and Azure subscriptions (for example, owner or contributor). What is Microsoft Entra Privileged Identity Management? COND ACC Conditional Access is an intelligent security service that uses policies that you define for various conditions to block or grant access to users. What is Conditional Access?
The example architecture in this article uses the following Azure components:
Microsoft Entra ID is a cloud-based identity and access management service. Microsoft Entra ID helps your users to access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. It also helps them access internal resources, like apps on your corporate intranet network.
Azure Virtual Network is the fundamental building block for your private network in Azure. Virtual Network enables many types of Azure resources to securely communicate with each other, the internet, and on-premises networks. Virtual Network provides a virtual network that benefits from Azure's infrastructure, such as scale, availability, and isolation.
Azure Load Balancer is a high-performance, low-latency Layer 4 load-balancing service (inbound and outbound) for all UDP and TCP protocols. It's built to handle millions of requests per second while ensuring that your solution is highly available. Azure Load Balancer is zone-redundant, ensuring high availability across Availability Zones.
Virtual machines is one of several types of on-demand, scalable computing resources that Azure offers. An Azure virtual machine (VM) gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it.
Azure Kubernetes service (AKS) is a fully managed Kubernetes service for deploying and managing containerized applications. AKS provides serverless Kubernetes, continuous integration/continuous delivery (CI/CD), and enterprise-grade security and governance.
Azure Virtual Desktop is a desktop and app virtualization service that runs on the cloud to provide desktops for remote users.
Web Apps is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, and applications run and scale with ease on both Windows and Linux-based environments.
Azure Storage is highly available, massively scalable, durable, and secure storage for various data objects in the cloud, including object, blob, file, disk, queue, and table storage. All data written to an Azure storage account is encrypted by the service. Azure Storage provides you with fine-grained control over who has access to your data.
Azure SQL database is a fully managed PaaS database engine that handles most of the database management functions such as upgrading, patching, backups, and monitoring. It provides these functions without user involvement. SQL Database provides a range of built-in security and compliance features to help your application meet security and compliance requirements.
This article is maintained by Microsoft. It was originally written by the following contributors.
- Rudnei Oliveira | Senior Customer Engineer
Microsoft has more documentation that can help you secure your IT environment, and the following articles can be particularly helpful:
- Security in the Microsoft Cloud Adoption Framework for Azure. The Cloud Adoption Framework provides security guidance for your cloud journey by clarifying the processes, best practices, models, and experience.
- Microsoft Azure Well-Architected Framework. The Azure Well-Architected Framework is a set of guiding tenets that you can use to improve the quality of a workload. The framework is based on five pillars: reliability, security, cost optimization, operational excellence, and performance efficiency.
- Microsoft Security Best Practices. Microsoft Security Best Practices (formerly known as the Azure Security Compass or Microsoft Security Compass) is a collection of best practices that provide clear, actionable guidance for security-related decisions.
- Microsoft Cybersecurity Reference Architectures (MCRA). MCRA is a compilation of various Microsoft security reference architectures.
In the following resources, you can find more information about the services, technologies, and terminologies that are mentioned in this article:
- What are public, private, and hybrid clouds?
- Overview of the Azure Security Benchmark (v3)
- Embrace proactive security with Zero Trust
- Microsoft 365 subscription information
- Microsoft Defender XDR
For more details about this reference architecture, see the other articles in this series: