05 - Secure Multi-Cloud Environments Workshop - General Overview
Secure Multi-Cloud Environments Workshop
Microsoft Defender for Cloud: Protect your multi-cloud and hybrid environments
Workshop Agenda
• Using Microsoft Defender for Cloud to identify active threats on targeted hybrid workloads.
• Demonstrating investigation and response to threats using Defender for Cloud.
• Discovering vulnerabilities on existing Azure, hybrid and multi-cloud workloads and explaining how to reduce attack surface area.
• Providing guidance for production implementation of Microsoft Defender for Cloud and hands-on experience of Azure Network Security product features.
Cloud security challenges
• View and manage your cloud resource inventory
• Understand the bottom line of your security posture, implement recommendations, and monitor over time
• Ensure your configurations align with key compliance standards and enforce organizational policies
• Identify sensitive data and prioritize critical resources
The security dashboard
• Focused views: easily access deep dive views for security posture, resource inventory, workload protection, and more
• 450+ out-of-the-box recommendations; create custom recommendations to meet organizational requirements
• Evaluated categories
• Support for: CIS, PCI, NIST, SOC, ISO, HIPAA, local/national compliance standards, Azure Security Benchmark, AWS Foundational Security best practices
• Identify sensitive data in cloud resources: integrated with Microsoft Purview
Azure: any server, Azure VMSS, Key Vault, DNS, App Services, Azure K8s, Network Layer V1, Resource Manager, Blob storage, File storage, Maria DB, Azure Cosmos DB
AWS: Amazon EKS, Amazon EC2
GCP: GKE clusters, Google Compute
Use API connectors to onboard AWS and GCP accounts to posture management capabilities.
Use the Azure Arc agent to onboard workloads outside of Azure and protect them against threats.
Microsoft Sentinel
Secure Multi-Cloud Environments Workshop
Azure Network Security Overview
Contents
DDoS Protection
Virtual Network
Azure WAF
Virtual WAN
Azure Firewall
ExpressRoute
Azure Firewall Manager
VPN
Network Security Groups
DNS
Service Endpoints/Private Link
CDN
Network Watcher
Front Door
ExpressRoute Monitor
Traffic Manager
Azure Monitor
Application Gateway
Virtual Network TAP
Load Balancer
Azure DDoS Protection: Standard
What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by exhausting its resources (bandwidth, compute etc.). It can break online commerce, be used as a form of extortion or as a form of hacktivism.
$5,600/minute: estimated cost of downtime for SMEs impacted by DDoS attacks (Gartner)
Record attack sizes over time: 2014, 400Gbps (NTP Amplification); 2016, 650Gbps (Protocol Flood); 2018, 1.7Tbps (Memcached); 2020, 2.3Tbps (CLDAP Reflection); 3.4Tbps (UDP Reflection)
DDoS Attack Types
[Diagram: Azure DDoS Protection Standard in front of a central VNET and spoke VNETs, showing inbound and outbound traffic, (2) adaptive tuning and (3) attack analytics & metrics, alongside Azure CDN, Azure Traffic Manager and API Manager]
Web application attack landscape
Increase in scale, sophistication, and new threats
Global
• Global footprint with Azure Network Edges; non-HTTP/S traffic filtering
• Protects against common L7 web attacks: Azure WAF on Front Door
• Azure Web Application Firewall combined with the global scale of Azure Network Edges provides protection from multiple attack types
Regional
• L3/L4 DDoS mitigation tuned to app traffic patterns: Azure DDoS Standard
• Protects against common L7 web attacks: Azure WAF on Application Gateway
• Azure DDoS Protection Standard combined with Azure Web Application Firewall provides adaptive protection from multiple attack types
Azure WAF Key Features
• Powerful custom rules engine
• Custom rules: Geo-match Filtering, IP Restriction, HTTP Request Parameter Filtering, Size Restriction
• Conditional rate limiting at Azure network edge (Front Door)
• Preconfigured OWASP top 10
• Bot protection integration with Microsoft Threat Intelligence
[Diagram: a WAF Policy (custom rules, OWASP rules, bot management) is applied to incoming requests at the Azure Global WAF (Front Door) or the Azure Regional WAF (Application Gateway); logs and metrics flow to Azure Monitor and on to Microsoft Sentinel]
https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview
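The custom-rule types and managed rule sets listed above (geo-match filtering, IP restriction, size restriction, conditional rate limiting, the OWASP-based managed rules and bot protection) all live in one WAF policy resource. The Bicep below is an added example written for this page, not a policy from the workshop deck or from Microsoft; the policy name, the allowed-country list, the 203.0.113.0/24 range, the `/login` path and the thresholds are assumptions, and it assumes an Azure Front Door Premium profile exists to attach the policy to.

```bicep
// Added example (not from the workshop deck): an Azure Front Door WAF policy
// exercising the custom-rule types and managed rule sets the slide lists.
// All names, address ranges, paths and thresholds below are assumptions.

@description('Countries allowed to reach the application (ISO 3166-1 alpha-2). Assumed value.')
param allowedCountries array = [ 'US', 'CA' ]

resource fdWafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'fdwafpolicyexample' // Front Door WAF policy names are letters and digits only
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor' // required for Microsoft_DefaultRuleSet 2.1 and bot protection
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention' // 'Detection' only logs; start there when tuning a new policy
      requestBodyCheck: 'Enabled'
    }
    customRules: {
      rules: [
        // Geo-match filtering: block any client whose source country is not on the allow list
        {
          name: 'GeoAllowListOnly'
          priority: 10
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            { matchVariable: 'RemoteAddr', operator: 'GeoMatch', negateCondition: true, matchValue: allowedCountries }
          ]
        }
        // IP restriction: deny an assumed bad range (documentation prefix used as a stand-in)
        {
          name: 'DenyListedRange'
          priority: 20
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            { matchVariable: 'RemoteAddr', operator: 'IPMatch', matchValue: [ '203.0.113.0/24' ] }
          ]
        }
        // Size restriction: reject request bodies larger than 64 KiB (value is in bytes)
        {
          name: 'LimitBodySize'
          priority: 30
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            { matchVariable: 'RequestBody', operator: 'GreaterThan', matchValue: [ '65536' ] }
          ]
        }
        // Conditional rate limiting: at most 100 requests per client per minute to the login path
        {
          name: 'RateLimitLogin'
          priority: 40
          enabledState: 'Enabled'
          ruleType: 'RateLimitRule'
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 100
          action: 'Block'
          matchConditions: [
            { matchVariable: 'RequestUri', operator: 'Contains', matchValue: [ '/login' ], transforms: [ 'Lowercase' ] }
          ]
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        // Preconfigured OWASP-based rule set (Microsoft Default Rule Set)
        { ruleSetType: 'Microsoft_DefaultRuleSet', ruleSetVersion: '2.1', ruleSetAction: 'Block' }
        // Bot protection fed by Microsoft Threat Intelligence
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
    }
  }
}

output policyId string = fdWafPolicy.id
```

Custom rules are evaluated in priority order before the managed rule sets, so the cheap geo and IP checks run first. Deploy the policy into the Front Door profile's resource group, associate it with the profile's domains through a security policy, and send the `FrontDoorWebApplicationFirewallLog` category to a Log Analytics workspace so the blocked and rate-limited requests reach Azure Monitor and Microsoft Sentinel as the diagram above shows.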
Azure Firewall
Cloud native stateful Firewall as a service; a first among public cloud providers
User configuration: L3-L7 connectivity policies
Microsoft Threat Intelligence: known malicious IPs and FQDNs
Feature comparison
• Application level FQDN filtering (SNI based) for HTTPS/SQL | HTTP/s only
• Central management
• Inbound TLS termination (TLS reverse proxy) | Using App GW | Using ALB
• IPSEC and SSL VPN gateway | VPN Gateway | VPN Gateway | Transit Gateway
• Advanced Next Generation Firewall features (e.g. DLP) | Roadmap | Vendor Dependent
• Growing Azure Firewall ecosystem | GA | GA | GA
• Support for partner security policy management tools | Easy integration for partners using standard Azure REST APIs
Azure Firewall Manager
Enterprise challenges: complex network architecture and constantly changing threat environment
Global policy; Local admin
Hub Virtual Networks | Secured Virtual Hub
• Hub & Spoke: using Virtual network peering | automated using hub virtual network connection
• On-prem connectivity: VPN Gateway up to 10 Gbps and 30 S2S connections; ExpressRoute | more scalable VPN Gateway up to 20 Gbps and 1000 S2S connections; ExpressRoute
• Advanced internet security with 3rd party Security as a Service partners: customer established and managed VPN connectivity to partner service of choice | automated via Security Partner Provider flow and partner management experience
• Web Application Firewall on Application Gateway: supported in Virtual Network | roadmap; can be used in spoke
• Network Virtual Appliance: supported in Virtual Network | roadmap; can be used in spoke
Central security and policy management
• Deploy and configure multiple Azure Firewall instances
• Span different Azure regions and subscriptions from a single pane of glass
• Enforce consistent configuration across Azure Firewall
• Manage Network address translation (NAT), network, and application rule collections, as well as threat intelligence and DNS settings
[Diagram: Azure Firewall Manager with a Global Admin and a Local Admin managing firewalls across several VNets]
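The settings Firewall Manager centralises (NAT, network and application rule collections, threat intelligence mode and DNS) are the properties of a Firewall Policy, and the global admin / local admin split above is modelled as a parent policy with child policies that inherit from it. The Bicep below is an added example written for this page, not from the workshop deck or from Microsoft; the policy names, address ranges, FQDNs and the `firewallPublicIp` parameter are assumptions.

```bicep
// Added example (not from the workshop deck): a parent Azure Firewall Policy owned by a
// global admin, plus a child policy a local admin can extend. Names, address ranges,
// FQDNs and the public IP parameter are assumptions.

@description('Public IP of the firewall that receives the DNAT rule (assumed; supply at deployment).')
param firewallPublicIp string

param location string = resourceGroup().location

// Parent policy: threat intelligence in Deny mode and DNS proxy, shared by every child.
resource parentPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-global-example'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny' // block, not just alert, on Microsoft Threat Intelligence hits
    dnsSettings: {
      enableProxy: true // lets network rules use FQDNs and keeps resolution consistent
      servers: [] // empty list keeps Azure-provided DNS
    }
  }
}

// Rule collection group on the parent: one NAT, one network and one application collection.
resource parentRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: parentPolicy
  name: 'GlobalRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'InboundDnat'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'RdpToJumpHost'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '198.51.100.10' ] // assumed admin source address
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '3389' ]
            translatedAddress: '10.1.1.4' // assumed jump host in a spoke
            translatedPort: '3389'
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'SpokeToSpoke'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'AppSpokeToSqlSpoke'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.1.0.0/16' ]
            destinationAddresses: [ '10.2.0.0/16' ]
            destinationPorts: [ '1433' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'OutboundWeb'
        priority: 300
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'WindowsUpdate'
            sourceAddresses: [ '10.0.0.0/8' ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            fqdnTags: [ 'WindowsUpdate' ]
          }
          {
            ruleType: 'ApplicationRule'
            name: 'ApprovedSaaS'
            sourceAddresses: [ '10.0.0.0/8' ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ '*.saas.example' ] // assumed; matched on the TLS SNI
          }
        ]
      }
    ]
  }
}

// Child policy for one region or team: inherits the parent's rules and threat-intel mode.
// The local admin adds rule collection groups here; they are evaluated after the parent's.
resource childPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-local-example'
  location: location
  properties: {
    sku: { tier: 'Standard' } // must match the parent's tier
    basePolicy: { id: parentPolicy.id }
  }
}
```

Associate `childPolicy` with the Azure Firewall instances in the spokes or regional hubs; because every child references the parent, a change to the global threat-intelligence mode or a new collection in `GlobalRuleCollectionGroup` reaches all of them at once, which is the single-pane-of-glass enforcement the slide describes.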
Partners
• Zscaler (currently runs on ZIA cloud, roadmap to run on Azure)
• Check Point (runs on Azure)
• iboss (runs on Azure)
[Diagram: ExpressRoute and Virtual WAN/VPN connectivity; private traffic B2V + V2V via Azure Firewall]
Use best-in-breed third-party Security-as-a-Service (SECaaS) partners
Combine with Azure Firewall for layered security
Breakout Office 365 traffic directly at branch; filter rest of Internet traffic using SECaaS on Azure
Protect VNet-to-Internet or Branch-to-Internet user traffic
Azure Firewall Manager Supported Partners
Demo
Summary
Microsoft Defender for Cloud
• Enable Defender for Cloud to assess your security posture today
• Fix your top 5 Secure Score recommendations
• Start a free trial to protect your workloads
• Onboard AWS, GCP and on-prem workloads with Azure Arc