The Zero Trust model assumes breach and verifies each request as though it originates from an uncontrolled network. Azure network security services play a critical role in enforcing Zero Trust principles by inspecting, filtering, and logging traffic across your cloud environment.
The following recommendations help you assess and harden your Azure network security posture. Each recommendation links to a detailed guide describing the security check, its risk level, and remediation steps.
Tip
Some organizations might take these recommendations exactly as written, while others might choose to make modifications based on their own business needs. We recommend that all of the following controls be implemented where applicable. These patterns and practices help to provide a foundation for a secure Azure network environment. More controls will be added to this document over time.
Automated assessment
Manually checking this guidance against your environment's configuration can be time-consuming and error-prone. The Zero Trust Assessment transforms this process with automation to test for these security configuration items and more. Learn more in What is the Zero Trust Assessment?
Azure DDoS Protection
Azure DDoS Protection safeguards your public-facing resources from distributed denial-of-service (DDoS) attacks. The following recommendations verify that DDoS protection is enabled and properly monitored.
For more information, see Zero Trust recommendations for Azure DDoS Protection.
| Recommendation | Risk level | User impact | Implementation cost |
|---|---|---|---|
| DDoS Protection is enabled for all public IP addresses in VNets | High | Low | Low |
| Metrics are enabled for DDoS-protected public IPs | Medium | Low | Low |
| Diagnostic logging is enabled for DDoS-protected public IPs | Medium | Low | Low |
Azure Firewall
Azure Firewall provides centralized network security policy enforcement and logging across your virtual networks. The following recommendations verify that key protection features are active.
For more information, see Zero Trust recommendations for Azure Firewall.
| Recommendation | Risk level | User impact | Implementation cost |
|---|---|---|---|
| Outbound traffic from VNet-integrated workloads is routed through Azure Firewall | High | Low | Medium |
| Threat intelligence is enabled in deny mode on Azure Firewall | High | Low | Low |
| IDPS inspection is enabled in deny mode on Azure Firewall | High | Low | Low |
| Inspection of outbound TLS traffic is enabled on Azure Firewall | High | Low | Low |
| Diagnostic logging is enabled in Azure Firewall | High | Low | Low |
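As an added example that is not part of this page or of the Zero Trust Assessment, the following Python check evaluates an Azure Firewall policy and its diagnostic settings against the last four rows of the table above; the sample documents are constructed here, and the field names are assumed to follow the Microsoft.Network/firewallPolicies and Microsoft.Insights/diagnosticSettings resource schemas. The first row (forcing outbound traffic through the firewall) depends on route-table data and is not covered.

```python
from typing import Dict, List

def assess_firewall_policy(policy: dict, diag_settings: List[dict]) -> Dict[str, bool]:
    """Map one firewall policy (plus its diagnostic settings) to the table's
    checks. True means the recommendation is satisfied."""
    props = policy.get("properties", {})
    tier = props.get("sku", {}).get("tier", "Standard")
    ca = props.get("transportSecurity", {}).get("certificateAuthority", {})
    return {
        # Threat intelligence must block, not merely alert
        "threat_intel_deny": props.get("threatIntelMode") == "Deny",
        # IDPS is a Premium-tier feature and must also run in Deny mode
        "idps_deny": tier == "Premium"
        and props.get("intrusionDetection", {}).get("mode") == "Deny",
        # TLS inspection needs Premium plus an intermediate CA held in Key Vault
        "tls_inspection": tier == "Premium" and bool(ca.get("keyVaultSecretId")),
        # At least one diagnostic setting must have a log category enabled
        "diagnostic_logging": any(
            log.get("enabled", False)
            for ds in diag_settings
            for log in ds.get("properties", {}).get("logs", [])
        ),
    }

# Constructed sample: a Premium policy hardened per the table above
HARDENED_POLICY = {
    "name": "fwpol-prod",
    "properties": {
        "sku": {"tier": "Premium"},
        "threatIntelMode": "Deny",
        "intrusionDetection": {"mode": "Deny"},
        "transportSecurity": {"certificateAuthority": {
            "name": "fw-intermediate-ca",
            "keyVaultSecretId": "https://kv-example.vault.azure.net/secrets/fw-ca/PLACEHOLDER"}},
    },
}
HARDENED_DIAG = [{"properties": {"logs": [{"categoryGroup": "allLogs", "enabled": True}]}}]

# Constructed sample: a Standard policy left at alert-only defaults, no diagnostics
DEFAULT_POLICY = {
    "name": "fwpol-default",
    "properties": {"sku": {"tier": "Standard"}, "threatIntelMode": "Alert"},
}

def failing_checks(policy: dict, diag_settings: List[dict]) -> List[str]:
    """Names of the recommendations the policy does not meet."""
    return [k for k, ok in assess_firewall_policy(policy, diag_settings).items() if not ok]

if __name__ == "__main__":
    print(failing_checks(HARDENED_POLICY, HARDENED_DIAG))  # []
    print(failing_checks(DEFAULT_POLICY, []))
```

In a real run, feed in the JSON returned by `az network firewall policy show` and `az monitor diagnostic-settings list` for each policy instead of the constructed samples.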
Application Gateway WAF
Azure Web Application Firewall on Application Gateway protects web applications from common exploits and vulnerabilities. The following recommendations verify that WAF is properly configured and monitored.
For more information, see Zero Trust recommendations for Application Gateway WAF.
| Recommendation | Risk level | User impact | Implementation cost |
|---|---|---|---|
| Application Gateway WAF is enabled in prevention mode | High | Low | Low |
| Request body inspection is enabled in Application Gateway WAF | High | Low | Low |
| Default rule set is enabled in Application Gateway WAF | High | Low | Low |
| Bot protection rule set is enabled and assigned in Application Gateway WAF | High | Low | Low |
| HTTP DDoS protection rule set is enabled in Application Gateway WAF | High | Low | Low |
| Rate limiting is enabled in Application Gateway WAF | High | Low | Medium |
| JavaScript challenge is enabled in Application Gateway WAF | Medium | Low | Low |
| Diagnostic logging is enabled in Application Gateway WAF | High | Low | Low |
Azure Front Door WAF
Azure Web Application Firewall on Front Door protects web applications at the network edge. The following recommendations verify that WAF is properly configured and monitored.
For more information, see Zero Trust recommendations for Azure Front Door WAF.
| Recommendation | Risk level | User impact | Implementation cost |
|---|---|---|---|
| Azure Front Door WAF is enabled in prevention mode | High | Low | Low |
| Request body inspection is enabled in Azure Front Door WAF | High | Low | Low |
| Default rule set is assigned in Azure Front Door WAF | High | Low | Low |
| Bot protection rule set is enabled and assigned in Azure Front Door WAF | High | Low | Low |
| Rate limiting is enabled in Azure Front Door WAF | High | Low | Medium |
| JavaScript challenge is enabled in Azure Front Door WAF | Medium | Low | Low |
| CAPTCHA challenge is enabled in Azure Front Door WAF | Medium | Low | Low |
| Diagnostic logging is enabled in Azure Front Door WAF | High | Low | Low |