So we are starting to move to the cloud and our biggest concern is security, as it should be. The thing that I am not sure about is how to secure the endpoints from public (internet) access? Is this even possible, or is there something else we can do to keep the environments in Azure out of the public eye?
This question is likely better suited to server fault. But until then...
In Azure IaaS V1, you can specify IP-based ACLs (access control lists) to restrict inbound traffic.
In IaaS v2, you can leverage NSGs (network security groups) to help restrict traffic into and out of specific VMs or virtual network subnets.
If you are using Azure ExpressRoute (a leased line into an Azure facility), the VMs can be addressed directly from within the virtual network connection and don't need to have a publicly exposed endpoint.
Then there's also all the usual options such as securing the connections on the VMs themselves. :)
If you are using Azure Resource Groups along with your VMs (which is available on the new portal), you cannot use endpoints because they are not available there, so you should do the following to open up the HTTP port or ANY other port:
(Sign in to your account on the new portal)
1- Select the VM that you want to manage ports on.
2- In settings, click on Network Interfaces and select your network.
3- Go to Network Security Group and select your group.
4- Add Inbound or Outbound security rules depending on what you need.
Right now we have multiple resources like storage accounts and key vaults where the team is using the firewall setting within the networking tab on the individual services. This means when their IP changes after a disconnect/connect to the company VPN they have to go into each service and add their new IP address.
Not being well versed in Azure networking possibilities, what are some of the options we have to allow a group of incoming IP addresses to be able to access all these services without having to individually touch each service to add their new IP address?
All services are also on the same virtual network.
Thank You
I used to work on Azure Cloud services as a DevOps in the past.
There should be multiple ways to control incoming network traffic to your landing zone or Azure resources. But you should make sure the solution meets your requirements.
Here are a few you could take a look at, which I used:
Virtual network service endpoints
Azure Firewall
Network Security Groups
ExpressRoute
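The first option in that list, virtual network service endpoints, is the one that directly answers the question: the service firewall then matches on the subnet a request comes from instead of on the caller's changing public IP. The Python below is an added example (not code from the posts above or from Microsoft) that contrasts the two firewall models. It builds the `networkAcls` block as it appears on a storage account resource (Key Vault uses the same four keys), with a constructed placeholder subnet resource ID and constructed IP addresses, and it assumes the team's clients reach the services from a subnet of the same VNet (a jump host or a gateway whose traffic enters the VNet), which is the condition under which a `virtualNetworkRules` entry matches. The `is_allowed` function is a simplified model of the service's decision, not the real implementation.

```python
import ipaddress

# Constructed subnet resource ID (placeholder subscription, resource group and names).
SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
    "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-workloads"
)

# ipRules only accept public IPv4 addresses/CIDRs; private ranges are rejected by
# the service, which is why a VPN user's *private* address can never be whitelisted.
_PRIVATE = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_valid_ip_rule(ip):
    net = ipaddress.ip_network(ip, strict=False)
    return net.version == 4 and not any(net.overlaps(p) for p in _PRIVATE)


def ip_rule_acls(public_ips):
    """Today's model: one ipRules entry per user, edited on every VPN reconnect."""
    bad = [ip for ip in public_ips if not is_valid_ip_rule(ip)]
    if bad:
        raise ValueError(f"not allowed in ipRules (must be public IPv4): {bad}")
    return {
        "defaultAction": "Deny",
        "bypass": "AzureServices",
        "ipRules": [{"value": ip, "action": "Allow"} for ip in public_ips],
        "virtualNetworkRules": [],
    }


def vnet_rule_acls(subnet_ids):
    """Service-endpoint model: trust the subnet (by resource ID), not the caller's IP."""
    return {
        "defaultAction": "Deny",
        "bypass": "AzureServices",
        "ipRules": [],
        "virtualNetworkRules": [{"id": s, "action": "Allow"} for s in subnet_ids],
    }


def is_allowed(acls, src_ip, src_subnet_id=None):
    """Simplified firewall decision. A request arriving through a service endpoint
    carries its subnet identity and is matched on virtualNetworkRules; anything
    else is matched on ipRules and then falls through to defaultAction."""
    if src_subnet_id is not None:
        if any(r["id"] == src_subnet_id for r in acls["virtualNetworkRules"]):
            return True
    ip = ipaddress.ip_address(src_ip)
    for r in acls["ipRules"]:
        if ip in ipaddress.ip_network(r["value"], strict=False):
            return True
    return acls["defaultAction"] == "Allow"


if __name__ == "__main__":
    # Constructed addresses: the user's public IP before and after a VPN reconnect.
    today = ip_rule_acls(["203.0.113.10"])
    print("per-IP rules, after reconnect as 203.0.113.11:",
          is_allowed(today, "203.0.113.11"))
    proposed = vnet_rule_acls([SUBNET_ID])
    print("subnet rule, request from the workload subnet:",
          is_allowed(proposed, "10.0.1.4", SUBNET_ID))
```

Because the same `networkAcls` block is valid for every storage account and key vault on the VNet, one subnet rule replaces the per-user, per-service IP edits; the only thing left to maintain is the list of trusted subnets.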
Can anyone explain the difference between Azure Application Gateway, Virtual Network Gateway, Virtual WAN, ExpressRoute, Arc and Private Link, please?
It seems to me all services are pretty similar helping with connecting either on-prem to Azure, in-Azure to in-Azure or public to Azure.
They're similar in that they all involve network traffic, but that's pretty much where the similarities end.
Application Gateway is a Layer 7 load balancing service with advanced features like SSL termination. It's used to route client requests to your applications.
Virtual Network Gateway is a VPN gateway for point-to-site (user) and site-to-site (office/datacenter) VPN connections to your own Azure VNETs. This would, for example, allow you to RDP into Azure VMs from your on-prem office using their private IPs.
ExpressRoute is similar to site-to-site; however, it doesn't use IPsec tunnels. It's a dedicated, unencrypted connection from your location directly into Microsoft's backbone (i.e. you don't traverse the public internet). There's no encryption and the connection is faster. This is a service you need to work with a third-party internet provider to implement.
Virtual WAN is more like a networking hub where there would be many site-to-site, point-to-site, ExpressRoute, etc. connections spanning a wide area (as the name implies). This would be for large enterprise organizations with many on-prem locations.
Arc is a means of adding your on-prem resources into Azure for management, e.g. you have a physical server somewhere and you want to manage it through ARM/portal.
Azure Private Link is a feature of many Azure services (storage, SQL PaaS, etc..) which allows you to create a private DNS record and assign a private IP address on your internal VNETs. This is used when you want to disable all public network access to a resource and only allow access from within your own VNET.
I have barely scratched the surface of the differences here, but suffice it to say, there are many differences. From this page, you can type the service name into the search and get more specific details on the offering. Hope this helps.
https://learn.microsoft.com/en-us/search/?terms=networking%20in%20azure
I've been searching for this for days and finally found most of the answer in this document https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-control-inbound-traffic
It says that you can block ports to your web application service in Azure using a network security group. However, it says I have to keep some ports open.
e.g. "454: Required port used by Azure infrastructure for managing and maintaining App Service Environments via SSL. Do not block traffic to this port. This port is always bound to the public VIP of an ASE."
The question is does this port need to be open to the entire world? One of the options is open to virtual network (what virtual network is this?) I only want it open to the Azure infrastructure. How can I do this? What does VIP of an ASE mean?
Thanks,
Bestist :)
The question is does this port need to be open to the entire world?
It depends on your demand. If you want the entire world (Internet) to access your app, you need to open it.
What virtual network is this?
An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. For more information, please refer to this link.
I only want it open to the Azure infrastructure. How can I do this?
Yes, you could do it. You should add Azure data center IP ranges to NSGs.
If you only want your virtual network devices to access your app services, you could configure NSG such as below:
What does VIP of an ASE mean?
VIP: A VIP is the public IP address associated with a VM. For more information, please refer to this link.
ASE: App Service Environments. For more information, please refer to this link.
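The answer above says to add the Azure data center IP ranges to the NSG so that port 454 is reachable only by Azure's infrastructure, and ends with a VNet-only NSG whose screenshot has not survived; the step list in the earlier Resource Groups answer ("Add Inbound or Outbound security rules") is the same mechanism. The Python below is an added example, not code from any post or from Microsoft, that serves both passages: it models how an NSG decides (rules walked in ascending priority, first match wins, with Azure's real default inbound rules `AllowVnetInBound` 65000, `AllowAzureLoadBalancerInBound` 65001 and `DenyAllInBound` 65500 appended), builds the ASE rule set the answer describes, and evaluates sample packets against it. The VNet address space, the management prefix (`198.51.100.0/24`) and the client addresses are constructed placeholders; the real management ranges come from Microsoft's published Azure IP ranges download. Destination matching and the exact `Internet` tag semantics are simplified.

```python
import ipaddress
from dataclasses import dataclass

# Constructed VNet address space for this example. 168.63.129.16 is Azure's fixed
# load-balancer / platform health-probe address.
VNET_PREFIXES = ("10.0.0.0/16",)
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # user rules 100-4096; the lowest number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    sources: tuple     # CIDRs/IPs, "*", or the tags VirtualNetwork/AzureLoadBalancer/Internet
    dest_ports: tuple  # e.g. "454", "80-443", "*"


# Azure attaches these inbound defaults to every NSG (real names and priorities).
# Destination matching is omitted, so AllowVnetInBound is keyed on source only.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", ("VirtualNetwork",), ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", ("AzureLoadBalancer",), ("*",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", ("*",), ("*",)),
)


def _in_vnet(ip):
    return any(ip in ipaddress.ip_network(p) for p in VNET_PREFIXES)


def _source_matches(spec, ip):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return _in_vnet(ip)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if spec == "Internet":
        # Modelled as "not the VNet"; the probe address is kept out of this tag
        # so the default probe rule stays reachable (a modelling choice).
        return not _in_vnet(ip) and ip != AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(rules, direction, src_ip, protocol, port):
    """First matching rule in ascending priority decides; returns (access, rule name)."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not any(_source_matches(s, ip) for s in r.sources):
            continue
        if not any(_port_matches(p, port) for p in r.dest_ports):
            continue
        return r.access, r.name
    return "Deny", "no-match"  # unreachable while DenyAllInBound is attached


def ase_inbound_rules(mgmt_prefixes, app_from_internet=True):
    """Rule set for an ASE subnet: 454 only from the management prefixes, the rest
    of the Internet denied, 443 public only if app_from_internet is True (False
    gives the VNet-only variant: the app is reachable via AllowVnetInBound)."""
    user = [
        Rule("AllowAseMgmt454", 100, "Inbound", "Allow", "Tcp", tuple(mgmt_prefixes), ("454",)),
        Rule("DenyInternetInBound", 4096, "Inbound", "Deny", "*", ("Internet",), ("*",)),
    ]
    if app_from_internet:
        user.append(Rule("AllowHttpsInBound", 200, "Inbound", "Allow", "Tcp", ("*",), ("443",)))
    return tuple(user) + DEFAULT_INBOUND


if __name__ == "__main__":
    rules = ase_inbound_rules(["198.51.100.0/24"])  # constructed placeholder prefix
    for src, port in (("198.51.100.7", 454), ("203.0.113.5", 454),
                      ("203.0.113.5", 443), ("10.0.1.4", 3389)):
        print(src, port, evaluate(rules, "Inbound", src, "Tcp", port))
```

The explicit `DenyInternetInBound` at 4096 is what makes the intent robust: without it, only the default `DenyAllInBound` at 65500 protects port 454, and any later "allow all" rule added between the two would silently expose it. The management rule is also pinned to TCP and to the single port, so a prefix on that list gets nothing else.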
Current guidelines to add an Endpoint mapping are way too complicated compared to the classic VMs model.
Is this the only way now to simply map a public port to an internal port?
https://azure.microsoft.com/pt-pt/documentation/articles/load-balancer-arm-powershell/
It's not the ultimate way to configure endpoints on IaaS VMs that use the ARM model. Actually (please note that it may change at the discretion of MS), each VM you create using the new portal will come by default with a network security group (NSG) with the same name as the VM, which you'll be able to search for later in the portal.
Then, you'll be able to edit those NSG to make them compliant with your requirements.
What is the AWS security groups equivalent in Azure?
If there is one in Azure, is it only for the PaaS services or also for IaaS?
According to the Amazon EC2 documentation, a security group is just a single point for firewall settings applied to a given instance:
"A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an instance, you assign it one or more security groups. You add rules to each security group that control traffic for the instance."
In Windows Azure you have to set these rules on a per-instance or per-service basis; there is no way to define some rules and apply them automatically to all instances.
But you can use PowerShell cmdlets for automating this task for your services.
Firewall rules apply mostly for PaaS: for your web/worker role services and for SQL Azure. In case of IaaS there are two sides: your VM with custom software firewall (depending upon your OS etc.) and the endpoints you create and manage in Azure Portal that relay in- and outbound traffic to your VM.
Azure Network security groups and other related improvements were announced today:
http://weblogs.asp.net/scottgu/azure-new-marketplace-network-improvements-new-batch-service-automation-service-more
A Network Security Group in Azure is the option you are looking for. There is no option to create it directly, but it can be created while creating Virtual Machines and can be associated with multiple Virtual Machines. For more detail,
http://tehcbase.com/aws-security-group-equivalent-in-microsoft-azure/