Azure Network Security Ninja Training
Published May 14 2021 02:17 PM 86.8K Views
Microsoft

Last updated - November 30, 2022

In this blog post, we will walk you through basic to advanced scenarios for Azure network security. Ready to become an Azure NetSec ninja? Dive right in!

Check back here routinely, as we will keep updating this blog post with new content as it becomes available.

Anything in here that could be improved or may be missing? Let us know in the comments below, we’re looking forward to hearing from you.

Latest Highlight: Protect Against Text4Shell Vulnerability with Azure Firewall Premium and Azure Web Application Firew...

Text4Shell is a vulnerability in the Java library Apache Commons Text. This vulnerability, in specific conditions, allows an attacker to execute arbitrary code on the victim's machine (Remote Code Execution or "RCE"). Customers can detect and protect their resources against Text4Shell vulnerability using Azure native network security services, Azure Firewall Premium and Azure Web Application Firewall (WAF). You can utilize one of these services or both for multi-layered defense.

Azure Network Security Ninja Training SectionsAzure Network Security Ninja Training Sections

Knowledge Check

Take the Azure Network Security Ninja Knowledge Test to confirm your Azure Network Security Ninja Skills.

  1. Once you have completed the training, take the knowledge check here.
  2. If you score more than 80% in the knowledge check, request your certificate here. If you achieved less than 80%, please review the training material again and re-take the assessment.

1 The Basics

1.1 Introduction to network security concepts

This module introduces general concepts of network and web application security.

1.1.1 Network security in Azure

Be familiar with network security concepts and ways you can achieve a secure network deployment in the Azure cloud.

1.1.2 Web application protection in Azure

Be familiar with web application protection concepts and ways you can achieve a secure web application deployment in the Azure cloud.

1.2 Introduction to Azure network security products

Do you prefer videos? Check out the Introduction to Azure Network Security (50 minutes) webinar, which covers all products listed individually below. You can also quickly browse through the contents of the presentation deck.

1.2.1 Azure DDoS Protection Network Protection

Azure DDoS Network Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.

For more information, check the Azure DDoS Protection documentation.

MS Learn Training Material: Azure DDoS Protection (35 minutes)

This MS Learn module will show you how to guard your Azure services from a denial-of-service attack using Azure DDoS Protection.

1.2.2 Azure Firewall and Azure Firewall Manager

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

For more information, check the Azure Firewall documentation.

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

For more information, check the Azure Firewall Manager documentation.

MS Learn Training Material: Azure Firewall and Azure Firewall Manager (40 minutes)

This MS Learn module will describe how Azure Firewall protects Azure Virtual Network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager.

1.2.3 Azure Web Application Firewall (WAF)

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. You can deploy WAF on Azure Application Gateway or WAF on Azure Front Door.

For more information, check the Azure Web Application Firewall (WAF) documentation.

MS Learn Training Material: Azure Web Application Firewall (WAF) (40 minutes)

This MS Learn module will show how Azure Web Application Firewall protects Azure web applications from common attacks, including its features, how it’s deployed, and its common use cases.

2 Architecture and Deployments

2.1 Standalone Deployments

2.1.1 Azure DDoS Protection

When deploying Azure DDoS Protection, keep in mind that public IPs in ARM-based VNETs are currently the only type of protected resource. Public IPs that are part of PaaS services (multitenant) are not supported for Azure DDoS Network Protection SKU at this time.

The main steps to deploy Azure DDoS Network Protection are:

Do you prefer videos? Check out the Getting started with Azure Distributed Denial of Service (DDoS) Protection (60 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

2.1.2 Azure Firewall

You can choose to deploy Azure Firewall Standard SKU or Azure Firewall Premium SKU (currently in Public Preview). Check the documentation below to get an understanding of their feature differences:

During your planning stages, it’s also a good idea to refer to the known issues for these products. Being aware of these known issues will save you time and stress when deploying your Azure Firewall.

Deploy and configure Azure Firewall using the Azure portal

Azure Firewall logs and metrics

Integrate Azure Firewall with Azure Standard Load Balancer

Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments

Azure Firewall DNS settings

Azure Firewall in forced tunneling mode

Do you prefer videos? Check out the Manage application and network connectivity with Azure Firewall (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

You can also check out this Azure Firewall Deep Dive on YouTube (82 minutes). It covers almost everything you need to know!

2.1.3 Azure Web Application Firewall (WAF)

2.2 Advanced Deployments

2.2.1 On-Prem Hybrid

2.2.2 vWAN (Secured Virtual Hub)

2.2.3 vWAN (Secured Virtual Hub) with 3rd party SECCaaS

2.2.4 Hub and Spoke

2.2.5 Forced Tunneling with 3rd party NVAs

2.2.6 Multi-product combination in Azure

2.2.7 TLS Inspection on Azure Firewall

Do you prefer videos? Check out the Content Inspection Using TLS Termination with Azure Firewall Premium (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

2.2.8 Per-Site or Per-URI WAF policies on Azure Application Gateway

Do you prefer videos? Check out the Using Azure WAF Policies to Protect Your Web Application at Different Association Levels (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

3 Operations

3.1 Centralized Management

3.1.1 Azure Firewall Manager and Firewall Policy

Do you prefer videos? Check out the Getting started with Azure Firewall Manager (35 minutes) webinar. You can also quickly browse through the contents of the Azure Firewall Manager presentation deck.

  • Azure Firewall Manager now also manages WAF Policy and DDoS Protection plans. This will assist organizations to easily manage and control their network security policy deployments. Check out What is Azure Firewall Manager? | Microsoft Learn for more information on this.

3.1.2 Web Application Firewall (WAF) Policy

3.2 Optimizing

3.2.1 Web Application Firewall (WAF) tuning

Do you prefer videos? Check out the Boosting your Azure Web Application (WAF) deployment (45 minutes) webinar. You can also quickly browse through the contents of the presentation deck.

3.3 Governance

3.3.1 Built-in Azure Policies for Azure DDoS Network Protection

3.3.2 Built-in Azure Policies for Azure Web Application Firewall (WAF)

3.3.3 Restrict creation of Azure DDoS Network Protection plans with Azure Policy

If you are looking to prevent unplanned or unapproved costs associated with the creation of multiple DDoS plans within the same tenant, check out this Azure Policy template. This policy denies the creation of Azure DDoS Network Protection plans on any subscriptions, except for the ones defined as allowed.

3.4 Responding

3.4.1 Azure Web Application Firewall (WAF)

This Logic App Playbook for Sentinel will add the source IP address passed from the Sentinel Incident to a custom WAF rule blocking the IP. For a more comprehensive description of this use case, check our blog post Integrating Azure Web Application Firewall with Azure Sentinel.

3.4.2 Azure DDoS Network Protection

During an active access, Azure DDoS Network Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack and post-attack analysis.

This DDoS Mitigation Alert Enrichment template will alert administrators of a DDoS event, while adding essential information in the body of the email for a more detailed notification.

4 Integrations

Using Azure Sentinel with Azure Web Application Firewall

You can integrate Azure WAF with Azure Sentinel for security information event management (SIEM). By doing this, you can use Azure Sentinel’s security analytics, playbooks and workbooks with your WAF’s log data.

In this blog post, we cover in further detail how to configure the log connector, query logs, generate incidents, and automate responses to incidents.

Using Azure Sentinel Solutions for Azure Firewall

The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content. This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.

In this blog post, we cover in further detail how automate detections and response for Azure Firewall events using Azure Sentinel.

5 Hands-on Labs

Network Security Demo lab: Azure pre-configured test deployment kit for POC is available in this repository. You can use this lab to validate Proof of Concepts for the different Network security products. You can find more information on set up and demo in the NetSec POC blogpost

WAF Attack test lab: Set up a Web Application Firewall lab environment to verify how you can identify, detect and protect against suspicious activities in your environment. This blogpost provides steps to protect against potential attacks and you can deploy the template from GitHub.

Interactive Guide: If you cannot set up a lab environment, you can still get a hands-on experience with our Azure network security interactive guide. In this guide, we will show you how you can protect your cloud infrastructure with Azure network security tools.

6 Resource References

Register for upcoming webinars or watch recordings of past webinars in our Microsoft Security Community!

Check out and be sure to contribute with our Azure Network Security samples in GitHub!

Check out our Azure Network Security blog posts in our Tech Community!

Provide feedback and ideas about Azure products and features in our Azure Feedback portal!

21 Comments
Version history
Last update:
‎Nov 30 2022 07:08 AM
Updated by: