Hello @EnterpriseArchitect ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
I understand that you would like to know about the options and the best practice to secure inbound access to your Azure environment containing Azure Web Apps, Azure VMs, and Azure Storage accounts.
Apart from what @AirGordon has suggested above, I would like to add some more points below.
For an overall list of considerations and recommendations for inbound and outbound connectivity between Azure and the public internet, you can refer to the doc below:
For a detailed security overview of Azure App Service, you can refer to the docs below:
https://learn.microsoft.com/en-us/azure/app-service/overview-security
https://azure.github.io/AppService/2020/08/14/zero_to_hero_pt6.html
Security recommendations for virtual machines in Azure:
https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations
Azure security baseline & recommendations for Storage:
https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/storage-security-baseline
https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations
https://learn.microsoft.com/en-us/azure/well-architected/services/storage/storage-accounts/security
For web workloads, we highly recommend utilizing Azure DDoS Protection and a web application firewall to safeguard against emerging DDoS attacks. Another option is to deploy Azure Front Door along with a web application firewall. Azure Front Door offers platform-level protection against network-level DDoS attacks.
Refer: https://learn.microsoft.com/en-us/azure/app-service/overview-security#ddos-protection
So, you have two options:
- Either go with Azure DDoS Protection and an Application Gateway web application firewall (WAF).
  Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/apps/fully-managed-secure-apps
- Or go with Azure Front Door WAF.
  Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-waf
Azure Front Door has several features and characteristics that can help to prevent distributed denial of service (DDoS) attacks. Front Door is protected by the default Azure infrastructure DDoS protection. Apart from the default protection, we also recommend that customers enable Azure DDoS Protection on the origin VNet to protect their public IPs against DDoS attacks.
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-ddos
Difference between Application Gateway and Azure Front Door:
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
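As an added example that is not part of the answer above: a Bicep template I wrote to illustrate the second option (Azure Front Door Premium with a WAF policy in front of an App Service) together with the check a practitioner needs alongside it, namely locking the App Service so that only this Front Door profile can reach it, and a DDoS Protection plan for the VNet holding the VMs' public IPs. The resource names (`afd-inbound`, `wafInbound`, `ddos-inbound`) and the two parameters are placeholders I assumed; the App Service is assumed to already exist in the same resource group.

```bicep
// Added example, not from the original answer. Assumed placeholders: resource names
// and both parameters; the App Service is assumed to exist in this resource group.
param appServiceName string        // existing App Service (assumed)
param appServiceHostName string    // e.g. 'contoso.azurewebsites.net' (assumed)
param location string = resourceGroup().location

// WAF policy in Prevention mode: Microsoft managed rule set plus bot protection, enforced at the edge.
resource waf 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'wafInbound'          // Front Door WAF policy names must be alphanumeric
  location: 'Global'
  sku: { name: 'Premium_AzureFrontDoor' }
  properties: {
    policySettings: { enabledState: 'Enabled', mode: 'Prevention', requestBodyCheck: 'Enabled' }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'Microsoft_DefaultRuleSet', ruleSetVersion: '2.1', ruleSetAction: 'Block' }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
    }
  }
}

resource afd 'Microsoft.Cdn/profiles@2023-05-01' = {
  name: 'afd-inbound'
  location: 'Global'
  sku: { name: 'Premium_AzureFrontDoor' }
}

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = {
  parent: afd
  name: 'web'
  location: 'Global'
  properties: { enabledState: 'Enabled' }
}

resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: afd
  name: 'app-origins'
  properties: {
    loadBalancingSettings: { sampleSize: 4, successfulSamplesRequired: 3, additionalLatencyInMilliseconds: 50 }
    healthProbeSettings: { probePath: '/', probeRequestType: 'HEAD', probeProtocol: 'Https', probeIntervalInSeconds: 100 }
  }
}

// enforceCertificateNameCheck makes Front Door verify the origin's TLS certificate against its host name.
resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: originGroup
  name: 'app'
  properties: {
    hostName: appServiceHostName, originHostHeader: appServiceHostName
    priority: 1, weight: 1000, enabledState: 'Enabled', enforceCertificateNameCheck: true
  }
}

// Clients on HTTP are redirected to HTTPS; Front Door talks HTTPS only to the origin.
resource route 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = {
  parent: endpoint
  name: 'default'
  dependsOn: [ origin ]
  properties: {
    originGroup: { id: originGroup.id }
    supportedProtocols: [ 'Http', 'Https' ], patternsToMatch: [ '/*' ]
    forwardingProtocol: 'HttpsOnly', httpsRedirect: 'Enabled', linkToDefaultDomain: 'Enabled'
  }
}

// Bind the WAF policy to the endpoint so every request is inspected before it is routed.
resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2023-05-01' = {
  parent: afd
  name: 'waf-binding'
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: { id: waf.id }
      associations: [ { domains: [ { id: endpoint.id } ], patternsToMatch: [ '/*' ] } ]
    }
  }
}

// Origin lockdown: the WAF is bypassed if clients can hit <app>.azurewebsites.net directly.
// Allow the AzureFrontDoor.Backend service tag AND require this profile's Front Door ID in the
// X-Azure-FDID header; the service tag alone would admit traffic from any tenant's Front Door.
resource app 'Microsoft.Web/sites@2023-01-01' existing = { name: appServiceName }

resource appLock 'Microsoft.Web/sites/config@2023-01-01' = {
  parent: app
  name: 'web'
  properties: {
    ipSecurityRestrictionsDefaultAction: 'Deny'
    ipSecurityRestrictions: [
      {
        name: 'AllowOnlyThisFrontDoor', action: 'Allow', priority: 100
        tag: 'ServiceTag', ipAddress: 'AzureFrontDoor.Backend'
        headers: { 'x-azure-fdid': [ afd.properties.frontDoorId ] }
      }
    ]
  }
}

// Azure DDoS Protection plan for the VNet that holds the VM public IPs (attached separately, see note).
resource ddos 'Microsoft.Network/ddosProtectionPlans@2023-05-01' = {
  name: 'ddos-inbound'
  location: location
}

output ddosPlanId string = ddos.id
output frontDoorHost string = endpoint.properties.hostName
```

Deploy with `az deployment group create --resource-group <rg> --template-file inbound.bicep --parameters appServiceName=<app> appServiceHostName=<app>.azurewebsites.net`, then attach the plan to the VNet with `az network vnet update --name <vnet> --resource-group <rg> --ddos-protection true --ddos-protection-plan <ddosPlanId>` (the VNet is not redeployed here on purpose: a VNet PUT that omits `subnets` removes them). Two caveats: a `Microsoft.Web/sites/config` resource named `web` replaces the whole site configuration, so in a real deployment fold `ipSecurityRestrictionsDefaultAction` and `ipSecurityRestrictions` into the existing `siteConfig` of the site resource instead; and verify the lockdown after deployment by requesting `https://<app>.azurewebsites.net/` directly, which should now return 403, while the `frontDoorHost` output serves the application.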