Azure Network Security on Microsoft Azure
Azure Network Security is a collection of security services for protecting network resources in Azure. The solution includes Azure Firewall, DDoS Protection, Web Application Firewall (WAF), Network Security Groups (NSGs), and other services that together enable a defense-in-depth strategy.
The services provide protection at various levels: from protection against volumetric DDoS attacks to stateful firewall functions to application-layer protection for web applications. Through central management via Azure Firewall Manager and integration with Azure Security Center, enterprises gain complete transparency of their network security.
For companies with GDPR requirements, all Azure Network Security services are available in European Azure regions and meet relevant compliance standards.
Typical Use Cases
Perimeter protection for cloud workloads: Azure Firewall as central firewall for outbound and inbound traffic with threat intelligence and IDPS functions.
DDoS defense: Azure DDoS Protection protects public IP addresses from volumetric, protocol-based, and resource-layer attacks with automatic mitigation.
Web Application Protection: Azure Web Application Firewall protects web applications from OWASP Top 10 threats, bot attacks, and zero-day exploits.
Zero Trust Architecture: Implementation of micro-segmentation with Network Security Groups and Application Security Groups for granular access control.
Frequently Asked Questions about Azure Network Security
What is the difference between NSG and Azure Firewall?
Network Security Groups (NSGs) are stateless Layer 4 firewalls for subnet and VM-level filtering based on 5-tuples. Azure Firewall is a stateful, fully managed firewall with Layer 7 functions, threat intelligence, FQDN filtering, and central management across multiple VNets.
Is Azure DDoS Protection Standard required?
Azure DDoS Protection Basic is automatically activated and free, but offers only basic protection. DDoS Protection Standard provides advanced mitigation, DDoS Rapid Response Support, cost guarantee during DDoS attacks, and detailed telemetry. Standard is recommended for production public endpoints.
How does Azure WAF work?
Azure Web Application Firewall can be deployed in front of Application Gateway, Front Door, or CDN. It uses OWASP ModSecurity Core Rule Sets (CRS) to detect SQL injection, cross-site scripting, and other web attacks. Custom rules enable specific protection measures.
Can I manage firewall rules centrally?
Yes, Azure Firewall Manager enables central management of firewall policies across multiple Azure Firewalls. Policies can be organized hierarchically and applied to different Virtual Hubs or VNets.
How does Network Security integrate with SIEM?
All Azure Network Security services can send logs to Azure Monitor, Log Analytics, and Azure Sentinel. Additionally, logs can be forwarded to third-party systems like Splunk or QRadar via Event Hub.
What does Azure Network Security cost?
Costs vary by services used: Azure Firewall approximately €1.00/hour plus data processing, DDoS Protection Standard approximately €2,500/month, WAF from approximately €0.02/policy-hour. NSGs are free.
Does Azure Firewall support TLS inspection?
Yes, Azure Firewall Premium offers TLS inspection (SSL Inspection) for outbound HTTPS traffic. Additionally, Premium includes IDPS, URL filtering, and web categories filtering.
Alternatives
alternatives:
- provider: “aws” product: “network-firewall”
- provider: “gcp” product: “cloud-armor”
Integration with innFactory
As a Microsoft Solutions Partner, innFactory supports you in implementing a comprehensive network security strategy in Azure. We help with architecture design, security assessments, migration, and ongoing security operations.
Contact us for a non-binding consultation on Azure Network Security.
