Blog Post

Azure Network Security Blog
17 MIN READ

Azure Network Security Ninja Training

camilamartins's avatar
camilamartins
Icon for Microsoft rankMicrosoft
May 14, 2021

Last updated - August 06, 2025

 

In this blog post, we will walk you through basic to advanced scenarios for Azure network security. Ready to become an Azure NetSec ninja? Dive right in!

 

Check back here routinely, as we will keep updating this blog post with new content as it becomes available.

 

Anything in here that could be improved or may be missing? Let us know in the comments below, we’re looking forward to hearing from you.

 

Latest Highlight: Public Preview: Azure Web Application Firewall on Application Gateway for Containers

Application Gateway for Containers, Azure’s application (layer 7) load balancing and dynamic traffic management solution for workloads running in a Kubernetes cluster, now supports Web Application Firewall (WAF) in public preview. With the addition of Azure WAF support, Application Gateway for Containers workloads can now protect workloads from web-based attacks like SQL injections, cross-site scripting, protocol anomalies, and more. 

 

Azure Network Security Ninja Training Sections

Knowledge Check

 

Take the Azure Network Security Ninja Knowledge Test to confirm your Azure Network Security Ninja Skills.

  1. Once you have completed the training, take the knowledge check here.
  2. If you score more than 80% in the knowledge check, request your certificate here. If you achieved less than 80%, please review the training material again and re-take the assessment.

 

1 The Basics

1.1 Introduction to network security concepts

This module introduces general concepts of network and web application security.

1.1.1 Network security in Azure

Be familiar with network security concepts and ways you can achieve a secure network deployment in the Azure cloud.

1.1.2 Web application protection in Azure

Be familiar with web application protection concepts and ways you can achieve a secure web application deployment in the Azure cloud.

 

1.2 Introduction to Azure network security products

1.2.1 Azure DDoS Protection

1.2.1.1 Azure DDoS Protection - Network Protection

 

Azure DDoS Network Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.

 

       Azure DDoS Network Protection

For more information, check the Azure DDoS Protection documentation.

MS Learn Training Material: Azure DDoS Protection (34 minutes)

This MS Learn module will show you how to guard your Azure services from a denial-of-service attack using Azure DDoS Protection.

 

1.2.1.2 Azure DDoS Protection - IP Protection 

IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade, and cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensure your application is always protected. With IP Protection, you now have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates seamlessly with other Azure services for real-time alerts, metrics, and insights to strengthen your security posture.

 

 

1.2.2 Azure Firewall and Azure Firewall Manager

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

 

For more information, check the Azure Firewall documentation.

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

 

For more information, check the Azure Firewall Manager documentation.

MS Learn Training Material: Azure Firewall and Azure Firewall Manager (48 minutes)

This MS Learn module will describe how Azure Firewall protects Azure Virtual Network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager.

 

1.2.3 Azure Web Application Firewall (WAF)

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. You can deploy WAF on Azure Application Gateway, Azure Front Door and Application Gateway for Containers.

 

For more information, check the Azure Web Application Firewall (WAF) documentation.

MS Learn Training Material: Azure Web Application Firewall (WAF) (40 minutes)

This MS Learn module will show how Azure Web Application Firewall protects Azure web applications from common attacks, including its features, how it’s deployed, and its common use cases.

 

2 Architecture and Deployments

2.1 Standalone Deployments

 

2.1.1 Azure DDoS Protection

When deploying Azure DDoS Protection, keep in mind that public IPs in ARM-based VNETs are currently the only type of protected resource. Public IPs that are part of PaaS services (multitenant) are not supported for Azure DDoS Network Protection SKU at this time.

 

The main steps to deploy Azure DDoS Network Protection are:

Do you prefer videos? Check out the Getting started with Azure Distributed Denial of Service (DDoS) Protection (60 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

2.1.2 Azure Firewall

You can choose to deploy Azure Firewall Basic SKU, Azure Firewall Standard SKU or Azure Firewall Premium SKU. Check the documentation below to get an understanding of their feature differences:

 

 

It is also possible to upgrade or downgrade between the Azure Firewall Standard and Azure Firewall Premium SKUs. This upgrade/downgrade feature allows you to easily and efficiently move between these two SKUs without service downtime, with a single click of a button.

 

 

During your planning stages, it’s also a good idea to refer to the known issues for these products. Being aware of these known issues will save you time and stress when deploying your Azure Firewall.

 

Deploy and configure Azure Firewall using the Azure portal.

 

Azure Firewall logs and metrics

 

Azure Firewall Customer Controlled Updates

 

       Azure Firewall Draft and Deployment (Preview)

 

Integrate Azure Firewall with Azure Standard Load Balancer

 

Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments

 

Azure Firewall DNS settings

 

Azure Firewall in forced tunneling mode

 

Azure Firewall Explicit Proxy (Preview)

Azure Firewall can be configured in proxy mode to enable the sending application direct traffic to the firewall's private IP address without the use of a User Defined Route (UDR).

 

Azure Firewall Protection for O365

Azure Firewall integration with O365 enables the ability to secure and manage traffic destined to O365 endpoints in an efficient and simplified manner. This is achieved through the use of Azure Firewall built-in service tags and FQDN tags which group the required IPv4 addresses by Office365 service and category. The service tags and FQDN tags can be used in the Firewall Network rules or Application rules to secure traffic destined to the O365 endpoint or IP address.

 

Do you prefer videos? Check out the Manage application and network connectivity with Azure Firewall (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

 

You can also check out this Azure Firewall Deep Dive on YouTube (82 minutes). It covers almost everything you need to know!

 

Azure Firewall NAT

Network Address Translation (NAT) is a method used to map one IP address to another, helping with scenarios such as IP address translation between private and public networks. Azure Firewall supports two types of NAT: Source Network Address Translation (SNAT), which changes the source IP address of outbound traffic, and Destination Network Address Translation (DNAT), which maps inbound traffic to a specific destination IP address.

 

Private IP DNAT support was recently introduced, allowing Azure Firewall to map inbound traffic to private IP addresses in your network. This feature enables secure and scalable connectivity to internal resources, even when those resources are hosted on private IPs within a virtual network, broadening Azure Firewall’s capability for handling traffic across both public and private endpoints.

 

2.1.3 Azure Web Application Firewall (WAF)

 

Azure Web Application Firewall DRS and CRS Rules and Rule Groups

The Azure Web Application Firewall consists of the Core Rule Sets (CRS) or Default Rules Sets (DRS) which are rules that protect web applications from common vulnerabilities and exploits. These rulesets are managed by Azure making them easy to deploy to protect against a common set of security threats.

 

The Application Gateway WAF consists of rules based on the OWASP CRS 3.2, 3.1 or 3.0. Additionally, the Application Gateway WAF now supports the Default Ruleset (DRS) 2.1. The Default Ruleset (DRS) is an Azure managed ruleset that is baselined from the OWASP CRS rules and includes the Microsoft Threat Intelligence (MSTIC) rules that are written in partnership with the Microsoft Intelligence team.

 

For more information, check out: Web Application Firewall DRS and CRS rule groups and rules.

 

Azure Web Application Firewall Sensitive Data Protection 

The sensitive data protection for WAF is a feature that masks sensitive data (such as passwords, IP addresses) that can be read within the WAF logs. Normally, when a WAF rule is triggered, the WAF logs the details of the request in clear text. To protect against the exposure of sensitive data, the Web Application Firewall's (WAF's) Log Scrubbing tool (preview) assists to remove sensitive data from the WAF logs by using a rules engine that allows one to build custom rules to identify specific portions of a request that contain sensitive information. Once identified, the tool scrubs that information from your logs and replaces it with *******.

 

 

Azure Web Application Firewall Sensitive JavaScript Challenge (Preview)

The Azure WAF JavaScript Challenge is a powerful security feature designed to help protect web applications from automated bot attacks. When a client attempts to access a protected web application, the WAF injects a lightweight JavaScript challenge that must be executed by the client’s browser. Legitimate browsers can handle this challenge seamlessly, while malicious bots typically fail to execute the JavaScript, thus blocking their access. This proactive approach significantly reduces the risk of automated attacks such as scraping, credential stuffing, and other malicious activities, enhancing the overall security posture of web applications without disrupting the user experience.

 

 

       Azure Web Application Firewall CAPTCHA (Preview)

Azure Web Application Firewall (WAF) offers a CAPTCHA feature designed to differentiate human users from automated bots. This interactive challenge requires suspected traffic to complete a CAPTCHA test, blocking malicious automated requests while allowing legitimate users to proceed seamlessly. As a result, WAF helps protect applications from bot-driven attacks, including brute-force attempts and account takeover risks.

 

Azure Web Application Firewall Inspection Limits and Size Limits

Azure WAF has introduced the capability to independently configure inspection limits and size limits, giving users more flexibility in managing traffic. Previously, the inspection limit and size limit were tied together, meaning that requests exceeding the defined size limit were not only rejected but also excluded from inspection. Now, with this separation, users can configure different thresholds: the size limit controls whether a request is allowed based on its size, while the inspection limit governs the maximum request size that will be inspected for threats. This separation allows large requests to pass without triggering rejections, while still inspecting smaller requests for security risks, providing a more balanced and customizable security posture.

 

 

Check out the below resources on how to create and use a WAF policy:

 

 

2.2 Advanced Deployments

2.2.1 On-Prem Hybrid

2.2.2 vWAN (Secured Virtual Hub)

2.2.3 vWAN (Secured Virtual Hub) with 3rd party SECCaaS

2.2.4 Hub and Spoke

2.2.5 Forced Tunneling with 3rd party NVAs

2.2.6 Multi-product combination in Azure

2.2.7 TLS Inspection on Azure Firewall

Do you prefer videos? Check out the Content Inspection Using TLS Termination with Azure Firewall Premium (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

2.2.8 Per-Site or Per-URI WAF policies on Azure Application Gateway

Do you prefer videos? Check out the Using Azure WAF Policies to Protect Your Web Application at Different Association Levels (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

 

3 Operations

3.1 Centralized Management

3.1.1 Azure Firewall Manager and Firewall Policy

Do you prefer videos? Check out the Getting started with Azure Firewall Manager (35 minutes) webinar. You can also quickly browse through the contents of the Azure Firewall Manager presentation deck.

  • Azure Firewall Manager now also manages WAF Policy and DDoS Protection plans. This will assist organizations to easily manage and control their network security policy deployments. Check out What is Azure Firewall Manager? | Microsoft Learn for more information on this.

3.1.2 Web Application Firewall (WAF) Policy

 

 

3.2 Optimizing

3.2.1 Azure Firewall Policy Analytics

 

Azure Firewall Policy Analytics provides deeper insights, centralized visibility and greater granular control to Azure Firewall rules and policies. Policy Analytics enables one to easily and efficiently fine-tune Azure Firewall rules and policies ensuring enhanced security and compliance.

 

3.2.2 Web Application Firewall (WAF) tuning

 

Do you prefer videos? Check out the Boosting your Azure Web Application (WAF) deployment (45 minutes) webinar and Azure WAF Tuning for Web Applications (webinar). You can also quickly browse through the contents of the presentation deck.

3.3 Governance

3.3.1 Built-in Azure Policies for Azure DDoS Network Protection

3.3.2 Built-in Azure Policies for Azure Web Application Firewall (WAF)

3.3.3 Built-in Azure Policies for Azure Firewall

3.3.4 Restrict creation of Azure DDoS Network Protection plans with Azure Policy

If you are looking to prevent unplanned or unapproved costs associated with the creation of multiple DDoS plans within the same tenant, check out this Azure Policy template. This policy denies the creation of Azure DDoS Network Protection plans on any subscriptions, except for the ones defined as allowed.

 

3.4 Responding

3.4.1 Azure Web Application Firewall (WAF)

This Logic App Playbook for Sentinel will add the source IP address passed from the Sentinel Incident to a custom WAF rule blocking the IP. For a more comprehensive description of this use case, check our blog post Integrating Azure Web Application Firewall with Azure Sentinel.

3.4.2 Azure DDoS Network Protection

During an active access, Azure DDoS Network Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack and post-attack analysis.

 

This DDoS Mitigation Alert Enrichment template will alert administrators of a DDoS event, while adding essential information in the body of the email for a more detailed notification.

 

4 Integrations

 

Using Azure Sentinel with Azure Web Application Firewall

 

You can integrate Azure WAF with Azure Sentinel for security information event management (SIEM). By doing this, you can use Azure Sentinel’s security analytics, playbooks and workbooks with your WAF’s log data.

In this blog post, we cover in further detail how to configure the log connector, query logs, generate incidents, and automate responses to incidents.

 

Using Azure Sentinel Solutions for Azure Firewall

 

The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content. This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.

 

In this blog post, we cover in further detail how automate detections and response for Azure Firewall events using Azure Sentinel.

 

Azure Firewall and Azure WAF Integrations in Security Copilot

Security Copilot’s integration with Azure Firewall empowers analysts to thoroughly investigate malicious traffic detected by the Intrusion Detection and Prevention System (IDPS) across all firewalls in their network. Using natural language queries within the standalone Security Copilot experience, analysts can efficiently explore threats without needing to write complex KQL queries.

With Azure Web Application Firewall (WAF) integration, security and IT teams can streamline operations and concentrate on high-impact tasks. Copilot enhances this process by summarizing data and delivering rich, contextual insights into the WAF threat environment. Both integrations simplify threat analysis, making it easier for analysts to interact with data using everyday language.

Network Security Capabilities Available today in Copilot:

Azure Firewall:

  • Retrieve the top IDPS signature hits for an Azure Firewall
  • Get additional details to enrich the threat profile of an IDPS signature beyond log information
  • Look for a given IDPS signature across your tenant, subscription or resource group
  • Generate recommendations to secure your environment using Azure Firewall’s IDPS feature

Azure WAF:

  • Retrieve contextual details about WAF detections and the top rules triggered
  • Retrieve the top malicious IPs in the environment along with related WAF rules and patterns triggering the attack
  • Get information on SQL Injection attacks blocked by Azure WAF
  • Get information on XSS attacks blocked by Azure WAF

Check out these articles to learn more about the integrations:

5 Hands-on Labs

Azure Network Security - Workshop: These labs will help you get ramped up with Azure Network Security and provide hands-on practical experience for product features, capabilities, and scenarios. The labs are divided into 4 main tracks, being one track for each of the following products: Azure DDoS, Azure Firewall, Azure Application Gateway WAF and Azure Front Door WAF. The labs contain multiple scenarios covering features that will help you learn how to use and implement them in your own environment - Azure Network Security Workshop Labs

 

Network Security Demo lab: Azure pre-configured test deployment kit for POC is available in this repository. You can use this lab to validate Proof of Concepts for the different Network security products. You can find more information on set up and demo in the NetSec POC blogpost.

WAF Attack test lab: Set up a Web Application Firewall lab environment to verify how you can identify, detect and protect against suspicious activities in your environment. This blogpost provides steps to protect against potential attacks, and you can deploy the template from GitHub.

 

Interactive Guide: If you cannot set up a lab environment, you can still get a hands-on experience with our Azure network security interactive guide. In this guide, we will show you how you can protect your cloud infrastructure with Azure network security tools.

 

6 Resource References

 

Register for upcoming webinars or watch recordings of past webinars in our Microsoft Security Community!

Check out and be sure to contribute with our Azure Network Security samples in GitHub!

Check out our Azure Network Security blog posts in our Tech Community!

Provide feedback and ideas about Azure products and features in our Azure Feedback portal!

 

Updated Aug 06, 2025
Version 60.0
azure ddos protection
azure firewall
azure firewall manager
azure network security
azure waf

30 Comments

Sort By