Recent Discussions
SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.
Please join us in this Ask Me Anything session with the Azure Network Security CxE PM team. During this session, the Azure Network Security SMEs (Subject Matter Experts) will answer your questions on Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall and Azure DDoS. This will be a great forum for our Public Community members to learn, interact and have their feedback listened to by the Azure Network Security team. Feel free to post your questions about Azure Network Security solution areas anytime in the comments before the event starts. The team will be answering questions during the live session, with priority given to the pre-submitted questions from the comments below. If you are new to Microsoft Tech-Community, please follow the sign-in instructions. To register for the upcoming live AMA Sep 26, 2023, visit aka.ms/SecurityCommunity.
Mohit_Kumar andrewmathu SaleemBseeu davidfrazee ShabazShaik tobiotolorin gusmodena

Logic app search replace function usage example?
Can someone please give me an example function for search and replace? I'm using HTML in the Sentinel 'add comments' operator and I'm seeing lots of \n characters. I want to remove them all so they don't write line feeds to the output and mess up my HTML markup. Thank you.
Solved | 15K Views | 0 likes | 7 Comments

Suggestions for Network Security Blog Content
Please use this thread as a place to suggest topics we can write about on our blog. These could be deep dives on particular features, how-to guides for implementing certain architectures, or any other network security concept. Thanks in advance!
2.1K Views | 4 likes | 5 Comments

How does Microsoft Azure ensure Secured Data Migration to the Cloud?
Many organizations, especially those dealing with sprawls of unstructured personal and sensitive data, have preconceived notions and fears about moving their data to the Cloud, in general. But, once they are a part of the Microsoft Trusted Cloud, organizations can rely on Azure for best-in-class security, reliability, compliance, privacy, and a vast ecosystem of trusted people, partners, and processes to support their customers moving to the Cloud. Microsoft Azure is the only cloud provider that offers a secure and consistent platform for companies to work with the Cloud without requiring high-level skill sets to handle the cloud complexities. Microsoft Azure provides various integrated data services and analytics tools to unlock the intelligence hidden in the data. They provide open frameworks and tools with a choice for integrating Azure cloud services with any infrastructure, cloud, or on-premises.
678 Views | 0 likes | 2 Comments

WAF v2 and use of Lets Encrypt wildcard
Hello All, I'm using WAF v2 and one of my listeners uses port 443 and a multi-site domain. I've generated an SSL wildcard certificate for this domain using Let's Encrypt. When I put WAF in front of this specific site/domain, I receive the following error:
The connection for this site is not secure
homolog-icg.icgti.com.br uses an unsupported protocol
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
My SSL Policy is as follows:
Min protocol version: TLSv1_2
Cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
I have other websites with another SSL wildcard certificate (paid, not free) in the same backend pool but a different listener, and the error doesn't happen with them. I would suspect that it could be the SSL configuration on the server machine, but if other websites are working fine, my guess is that the certificate does not allow the type of ciphers I have in my SSL Policy. Does this make any sense? Has anyone tried a similar scenario? Thanks, Mirella
Solved | 2.7K Views | 1 like | 2 Comments

Azure Firewall Public IP and DDoS protection
Hi, We have a zero trust network setup where we use Azure Firewall Standard Edition with a hub/spoke model. There is a mandatory requirement to assign a few Public IP addresses to the firewall, and we have included these assigned public IP addresses in a DDoS plan as well. There is no ingress in this environment (it is a backend message processing system which does not need any internet / frontend web APIs). As we are running this in production, we see many DDoS mitigation alerts on the firewall Public IPs. We are thinking of reducing cost and removing the DDoS protection plan, because the only resources that are in the plan are the firewall's public IP addresses. Hence the questions are:
1. How will the Azure Firewall behave if the assigned public IPs are not included in a DDoS protection plan?
2. Does Azure Firewall internally have a built-in mechanism to defend against DDoS attacks on its public IPs?
3. Is there a standard recommendation that when Azure Firewall is deployed, customers must also use a DDoS plan?
4.3K Views | 0 likes | 2 Comments

not able to see Diagnostic Setting option under monitoring for Load balancer to collect log data
Hi all, I am not seeing the option to collect and ingest data into a Log Analytics workspace. Please help. The Diagnostic settings option is not there; how do I ingest data in that case? I was able to see that option in Application Gateway, but not in Load Balancer.
Solved | 1.2K Views | 0 likes | 2 Comments

Limit of WAF Exclusion
Hi, @camilamartins @tobiotolorin, All, Based on the link https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#application-gateway-limits there is a limit of 40 exclusions per Application Gateway. But does it apply to the URI-based WAF policy as well? To explain more, we have 10+ applications passing via Application Gateway. The idea is to have a separate WAF policy for each application with fine-tuning. We expect at least 10+ in each WAF policy (applied at URI). Does it add up to the application gateway, or does the limit apply to the policy set at the application gateway level? Appreciate your inputs!
3.3K Views | 0 likes | 2 Comments

Priority of WAF rule
Hi camilamartins tobiotolorin, Thank you for your excellent work in the WAF blog and sessions. I have questions regarding custom rules. In Prevention mode, I know if a request matches the custom rules, then it does not check for Managed rules. Is it the same behaviour for the Detection mode as well? Or does it match the custom rule, but still check for other rules? Appreciate your inputs!
1.5K Views | 0 likes | 2 Comments

Azure Firewall Manager
I'm looking for confirmation as to whether my suspicions are correct or I'm a complete idiot. If I'm using AFM and it is deployed in West US, for example, am I able to modify policies in the event there is some kind of Azure outage in the West US region (let's just pretend complete outage for the sake of the conversation)? I'm assuming a managed service like AFM is set up with native HA/failover and would not be impacted by something like this...is that wrong of me?
Solved | 2.4K Views | 0 likes | 2 Comments

Azure WAF - Resources for understanding policies
I am looking for some guidance around setting up the WAF including suitable exclusions. The issue I am running into is the documentation does not identify why something was triggered. For example, I know the http header Referrer contains something that is triggering XSS. I believe it is because in the url there are the two characters "on" in the endpoint "https://mysite.com/onecode?para1=test&para2=fred", but I am just making an educated guess. I would then think I would create an exclusion to say do not trigger if the url contains "onecode". That is not really good enough though as what if the url contains onecode and another occurrence of "on" that should trigger XSS (for example in one of the parameters). I would think everyone would have this issue so I am surprised I did not find anything in docs or Architecture Centre.
2.2K Views | 0 likes | 2 Comments

Multi site/domain Certificate for Azure Firewall
We are having a situation where we need to configure a certificate on Azure Firewall (Premium) for sites from multiple subscriptions. That is 15 different sites. Unable to find a solution or steps on how to configure it. Can anyone help with it?
1.3K Views | 0 likes | 2 Comments

global secure access and azure VPN
Hi all, I have enabled Global Secure Access in our environment to assess how it might benefit us. We also use Azure Point to Site VPN, and I am running into problems where the two clash. Is there a solution to allow the two to coexist? Do we somehow whitelist traffic to Azure to allow them to coexist, or is this still in the pipeline?
1.4K Views | 0 likes | 1 Comment

New Blog | Enhancing Cybersecurity: Geomatch Custom Rules in Azure WAF
This blog post will introduce you to the geomatch custom rules feature of Azure Web Application Firewall and show you how to create and manage them using the Azure portal, Bicep and PowerShell.
Read the full blog post here: Enhancing Cybersecurity: Geomatch Custom Rules in Azure WAF - Microsoft Community Hub

What is the Azure file storage and its function?
Azure file storage is mainly used if we want to have a shared drive between two servers or across the users. The first thing we need for Azure file storage is an Azure storage account. An unlimited number of file shares can be created within a storage account. We can then upload files into created folders. Once we create a file share, we can further arrange that on any virtual machine, whether it is in Azure or outside. Azure File Storage is tremendously useful for many organizations, especially in a “lift and shift” structure, where there is a need to shift on-premises applications to the cloud without any changes. At the same time, the Azure Files services help in sustaining large scale and enterprise requirements.
Azure File Storage Key Functions:
- Migrate existing applications to the cloud: Many existing applications access the data using file-based APIs and are designed to share the data using Server Message Block (SMB) file shares. Azure File Storage allows you to migrate on-premises file share-based applications to Azure without having to manage highly available file server VMs.
- Sharing server data across on-premises and cloud: Users can now store server data such as files, event data, and backups in the cloud to leverage the availability, scalability, and durability into the Azure storage platform. Data can be shared by applications running in the cloud with on-premises applications by using the same stability implemented by on-premises SMB servers.
- Simplifies hosting high availability workload data: Azure File Storage delivers continuous availability; hence it simplifies the effort to host HA workload data in the cloud. The persistence enabled in SMB increases the availability of the file share which makes it possible to manage applications such as SQL Server in Azure with the files and data stored in shared file storage.
869 Views | 0 likes | 1 Comment

Azure Key Vault, what is the best practice when accessing is from Power Platform?
Whenever we think about storing secrets and keys securely, we use Azure Key Vault, but by default the key vaults are accessible from the Internet, and when the client app is built in Power Platform there isn't a way to secure the Azure Key Vault with a private endpoint, virtual networking, or firewall. So apart from the usual access policies, monitoring, and alerts, what other defence mechanisms can we utilize to prevent snooping eyes? The https://learn.microsoft.com/en-au/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services list does not include Power Platform, as expected.
1.2K Views | 0 likes | 1 Comment

I don't understand the two WAF Mode
I have read the documentation on the two types of WAF mode (Detection and Prevention).
Detection mode: Monitor and log all threat alerts. Enable logging diagnostics for Application Gateway in the Diagnostics section. You must also ensure that WAF logging is selected and enabled. The Web Application Firewall does not block incoming requests when operating in Detect mode.
Prevention mode: Blocks intrusions and attacks that are detected by the rules. The attacker receives a "403 unauthorized access" exception and the connection is closed. Prevention mode logs these attacks in the WAF logs.
But then in OWASP rules we have the ability to assign WAF actions: Allow, Block, Log, Anomaly Score. I don't understand, because if I create a WAF policy in Prevention mode, I think it is not necessary to change the WAF actions, right? How do you see when an anomaly score is detected and where do you see this internal score? Is this seen in the logs? This for me is very confusing, and I need help. Thanks!
1.2K Views | 0 likes | 1 Comment

New Blog Post | Exclude Public IP addresses in Azure DDOS network protection
Full Article: Exclude Public IP addresses in Azure DDOS network protection - Microsoft Community Hub
Azure DDOS network protection provides security for services deployed in virtual networks against volumetric attacks by way of always-on traffic monitoring and adaptive real time tuning. This may be achieved by applying DDOS protection plans to the different virtual networks in the different architectural tiers such as the Hub and Spoke network, Windows N-tier and PaaS Web App architectures. Management of Azure services involves careful planning around available resources. One capability that is often requested by Azure DDoS protection customers is the ability to exclude certain public IP addresses from the protection plan to accommodate their prioritized workloads. For instance, public IPs attached to services in hybrid networking may be protected by DDoS plans in the hub or in the spoke virtual network depending on the type of architecture in use and the Public IP tier. A security administrator might also opt to use a DDoS IP protection SKU for certain workloads over DDoS Network protection.
Original Post: New Blog Post | Exclude Public IP addresses in Azure DDOS network protection - Microsoft Community Hub
1.2K Views | 2 likes | 1 Comment
Events
Recent Blogs
- With the adoption of the NIS2 Directive EU 2022 2555, cybersecurity obligations for both public and private sector organizations have become more strict and far reaching. NIS2 aims to establish a hig...
  Sep 26, 2025 | 163 Views | 0 likes | 0 Comments
- The internet’s transport layer is undergoing one of its most significant evolutions in decades. QUIC (Quick UDP Internet Connections) — the protocol underpinning HTTP/3 — is rapidly becoming the defa...
  Sep 24, 2025 | 258 Views | 1 like | 1 Comment