Last updated on February 2, 2022
In this blog post, we will walk you through basic to advanced scenarios for Azure network security. Ready to become an Azure NetSec ninja? Dive right in!
Check back here routinely, as we will keep updating this blog post with new content as it becomes available.
Anything in here that could be improved or may be missing? Let us know in the comments below, we’re looking forward to hearing from you.
Latest Highlight: Log4J Protection with Azure Firewall Premium and Log4J Protection with Azure WAF |
The remote code execution (RCE) vulnerabilities in Apache Log4j 2 referred to as “Log4Shell” (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) has presented a new attack vector and gained broad attention due to its severity and potential for widespread exploitation. Check out how our cloud-native network security tools can help you detect and prevent this type of attack. |
Azure Network Security Ninja Training Sections
Take the Azure Network Security Ninja Knowledge Test to confirm your Azure Network Security Ninja Skills.
This module introduces general concepts of network and web application security.
Be familiar with network security concepts and ways you can achieve a secure network deployment in the Azure cloud.
Be familiar with web application protection concepts and ways you can achieve a secure web application deployment in the Azure cloud.
Do you prefer videos? Check out the Introduction to Azure Network Security (50 minutes) webinar, which covers all products listed individually below. You can also quickly browse through the contents of the presentation deck.
Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.
For more information, check the Azure DDoS Protection Standard documentation.
MS Learn Training Material: Azure DDoS Protection Standard (35 minutes)
This MS Learn module will show you how to guard your Azure services from a denial-of-service attack using Azure DDoS Protection Standard.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
For more information, check the Azure Firewall documentation.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
For more information, check the Azure Firewall Manager documentation.
MS Learn Training Material: Azure Firewall and Azure Firewall Manager (40 minutes)
This MS Learn module will describe how Azure Firewall protects Azure Virtual Network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager.
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. You can deploy WAF on Azure Application Gateway or WAF on Azure Front Door.
For more information, check the Azure Web Application Firewall (WAF) documentation.
MS Learn Training Material: Azure Web Application Firewall (WAF) (40 minutes)
This MS Learn module will show how Azure Web Application Firewall protects Azure web applications from common attacks, including its features, how it’s deployed, and its common use cases.
When deploying Azure DDoS Protection Standard, keep in mind that public IPs in ARM-based VNETs are currently the only type of protected resource. Public IPs that are part of PaaS services (multitenant) are not supported for Azure DDoS Protection Standard SKU at this time.
The main steps to deploy Azure DDoS Protection Standard are:
Do you prefer videos? Check out the Getting started with Azure Distributed Denial of Service (DDoS) Protection (60 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
You can choose to deploy Azure Firewall Standard SKU or Azure Firewall Premium SKU (currently in Public Preview). Check the documentation below to get an understanding of their feature differences:
During your planning stages, it’s also a good idea to refer to the known issues for these products. Being aware of these known issues will save you time and stress when deploying your Azure Firewall.
Deploy and configure Azure Firewall using the Azure portal
Azure Firewall logs and metrics
Integrate Azure Firewall with Azure Standard Load Balancer
Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments
Azure Firewall DNS settings
Azure Firewall in forced tunneling mode
Do you prefer videos? Check out the Manage application and network connectivity with Azure Firewall (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
You can also check out this Azure Firewall Deep Dive on YouTube (82 minutes). It covers almost everything you need to know!
Do you prefer videos? Check out the Content Inspection Using TLS Termination with Azure Firewall Premium (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
Do you prefer videos? Check out the Using Azure WAF Policies to Protect Your Web Application at Different Association Levels (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
Do you prefer videos? Check out the Getting started with Azure Firewall Manager (35 minutes) webinar. You can also quickly browse through the contents of the Azure Firewall Manager presentation deck.
Do you prefer videos? Check out the Boosting your Azure Web Application (WAF) deployment (45 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
If you are looking to prevent unplanned or unapproved costs associated with the creation of multiple DDoS plans within the same tenant, check out this Azure Policy template. This policy denies the creation of Azure DDoS Protection Standard plans on any subscriptions, except for the ones defined as allowed.
This Logic App Playbook for Sentinel will add the source IP address passed from the Sentinel Incident to a custom WAF rule blocking the IP. For a more comprehensive description of this use case, check our blog post Integrating Azure Web Application Firewall with Azure Sentinel.
During an active access, Azure DDoS Protection Standard customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack and post-attack analysis.
This DDoS Mitigation Alert Enrichment template will alert administrators of a DDoS event, while adding essential information in the body of the email for a more detailed notification.
Using Azure Sentinel with Azure Web Application Firewall
You can integrate Azure WAF with Azure Sentinel for security information event management (SIEM). By doing this, you can use Azure Sentinel’s security analytics, playbooks and workbooks with your WAF’s log data.
In this blog post, we cover in further detail how to configure the log connector, query logs, generate incidents, and automate responses to incidents.
Using Azure Sentinel Solutions for Azure Firewall
The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content. This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.
In this blog post, we cover in further detail how automate detections and response for Azure Firewall events using Azure Sentinel.
Network Security Demo lab: Azure pre-configured test deployment kit for POC is available in this repository. You can use this lab to validate Proof of Concepts for the different Network security products. You can find more information on set up and demo in the NetSec POC blogpost
WAF Attack test lab: Set up a Web Application Firewall lab environment to verify how you can identify, detect and protect against suspicious activities in your environment. This blogpost provides steps to protect against potential attacks and you can deploy the template from GitHub.
Interactive Guide: If you cannot set up a lab environment, you can still get a hands-on experience with our Azure network security interactive guide. In this guide, we will show you how you can protect your cloud infrastructure with Azure network security tools.
Register for upcoming webinars or watch recordings of past webinars in our Microsoft Security Community!
Check out and be sure to contribute with our Azure Network Security samples in GitHub!
Check out our Azure Network Security blog posts in our Tech Community!
Provide feedback and ideas about Azure products and features in our Azure Feedback portal!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.