Share via


Overview – Apply Zero Trust principles to Azure networking

This series of articles help you apply the principles of Zero Trust to your networking infrastructure in Microsoft Azure based on a multi-disciplinary approach. Zero Trust is a security strategy. It isn't a product or a service, but an approach in designing and implementing the following set of security principles:

  • Verify explicitly
  • Use least privileged access
  • Assume breach

Implementing the Zero Trust mindset to "assume breach, never trust, always verify" requires changes to cloud networking infrastructure, deployment strategy, and implementation.

The following articles show you how to apply Zero Trust approach to networking for commonly deployed Azure infrastructure services:

Important

This Zero Trust guidance describes how to use and configure several security solutions and features available on Azure for a reference architecture. Several other resources also provide security guidance for these solutions and features, including:

To describe how to apply a Zero Trust approach, this guidance targets a common pattern used in production by many organizations: a virtual-machine-based application hosted in a VNet (and IaaS application). This is a common pattern for organizations migrating on-premises applications to Azure, which is sometimes referred to as "lift-and-shift."

Threat Protection with Microsoft Defender for Cloud

For the Assume breach Zero Trust principle for Azure networking, Microsoft Defender for Cloud is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your environment. Defender for Cloud is intended to be used together with Microsoft Defender XDR to provide a greater breadth of correlated protection of your environment, as shown in the following diagram.

Diagram of the logical architecture of Microsoft Defender for Cloud and Microsoft Defender XDR that provides threat protection for Azure networking.

In the diagram:

  • Defender for Cloud is enabled for a management group that includes multiple Azure subscriptions.
  • Microsoft Defender XDR is enabled for Microsoft 365 apps and data, SaaS apps that are integrated with Microsoft Entra ID, and on-premises Active Directory Domain Services (AD DS) servers.

For more information about configuring management groups and enabling Defender for Cloud, see:

Additional resources

See these additional articles for applying Zero Trust principles to Azure IaaS: