What are the options for limiting inbound access from public IP to my Azure environment (External attacks), and what is the best practice?

EnterpriseArchitect 5,036 Reputation points
2023-08-13T12:47:21.5133333+00:00

My current project involves researching and exploring Azure Network security features I can leverage to make my existing environment more secure from external Public IP attacks. This is for the following items:

  • Azure Web App
  • Azure Virtual Machine - Remote Desktop Connection (RDP)
  • Azure Storage Account

What are the options and the best practice to secure inbound access to my Azure environment?

Thank you in advance.
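As an added example that is not part of the question or the answers, the following Bicep fragment shows what "limiting inbound access from public IPs" looks like as configuration for two of the three items listed above: the VM's RDP port and the storage account. The resource names, the address prefix of the Azure Bastion subnet and the office range 203.0.113.0/24 are constructed assumptions, not values from this thread.

```bicep
// Added example (not from the question or answers). Names and address ranges are assumptions.
param location string = resourceGroup().location
param officeCidr string = '203.0.113.0/24'          // constructed sample range, not a real network
param bastionSubnetCidr string = '10.0.255.0/26'    // assumed AzureBastionSubnet prefix

// 1) VM: an NSG that never exposes RDP (3389) to the Internet service tag.
//    RDP is allowed only from the Bastion subnet; the explicit Deny rule sits
//    below it and overrides the platform's default AllowInternetInBound rule
//    (priority 65001), which would otherwise let public IPs through.
resource vmNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'vm-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowRdpFromBastion'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetCidr
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '3389'
        }
      }
      {
        name: 'DenyRdpFromInternet'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '3389'
        }
      }
    ]
  }
}

// 2) Storage account: the network firewall defaults to Deny, so only the listed
//    public range and trusted Azure services reach the endpoint. Anonymous blob
//    access and plain HTTP are switched off as well.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'examplestor01'    // assumed; storage account names must be globally unique
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      ipRules: [
        {
          value: officeCidr
          action: 'Allow'
        }
      ]
      virtualNetworkRules: []
    }
  }
}
```

After deployment, a quick check is `az network nsg rule list -g <rg> --nsg-name vm-nsg -o table` to confirm the Deny rule has a lower priority number than anything that allows 3389, and `az storage account show -n examplestor01 --query networkRuleSet.defaultAction` to confirm the storage firewall reads `Deny`. If no public range needs to reach the storage account at all, a private endpoint plus `publicNetworkAccess: 'Disabled'` removes the public listener entirely.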

Tags: Azure Front Door, Azure Firewall, Azure Virtual Network, Azure Application Gateway, Azure Network Watcher

Accepted answer

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee
2023-08-14T13:20:49.3366667+00:00

    Hello @EnterpriseArchitect ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know about the options and the best practice to secure inbound access to your Azure environment containing Azure web apps, Azure VMs and Azure Storage accounts.

    Apart from what @AirGordon has suggested above, I would like to add some more points below.

    For an overall list of considerations and recommendations for inbound and outbound connectivity between Azure and the public internet, you can refer to the doc below:

    https://video2.skills-academy.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity

    For a detailed security overview of Azure App Service, you can refer to the docs below:

    https://video2.skills-academy.com/en-us/azure/app-service/overview-security

    https://azure.github.io/AppService/2020/08/14/zero_to_hero_pt6.html

    Security recommendations for virtual machines in Azure:

    https://video2.skills-academy.com/en-us/azure/virtual-machines/security-recommendations

    Azure security baseline & recommendations for Storage:

    https://video2.skills-academy.com/en-us/security/benchmark/azure/baselines/storage-security-baseline

    https://video2.skills-academy.com/en-us/azure/storage/blobs/security-recommendations

    https://video2.skills-academy.com/en-us/azure/well-architected/services/storage/storage-accounts/security

    For web workloads, we highly recommend utilizing Azure DDoS protection and a web application firewall to safeguard against emerging DDoS attacks. Another option is to deploy Azure Front Door along with a web application firewall. Azure Front Door offers platform-level protection against network-level DDoS attacks.

    Refer: https://video2.skills-academy.com/en-us/azure/app-service/overview-security#ddos-protection

    So, you have 2 options:

    • Either go with Azure DDoS protection and an Application gateway web application firewall (WAF).

    Refer: https://video2.skills-academy.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures#paas-web-application

    https://video2.skills-academy.com/en-us/azure/architecture/example-scenario/apps/fully-managed-secure-apps

    • Or go with Azure Front Door WAF.

    Refer: https://video2.skills-academy.com/en-us/azure/frontdoor/front-door-waf

    Azure Front Door has several features and characteristics that can help to prevent distributed denial of service (DDoS) attacks. Front Door is protected by the default Azure infrastructure DDoS protection. Apart from the default protection, we also recommend that customers enable Azure DDoS Protection on the origin VNet to protect their public IPs against DDoS attacks.

    Refer: https://video2.skills-academy.com/en-us/azure/frontdoor/front-door-ddos

    Difference between Application gateway and Azure Front Door:

    https://video2.skills-academy.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#azure-front-door

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
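The second option in the accepted answer, Front Door with a WAF policy and Azure DDoS Protection on the origin VNet, as an added Bicep example that is not part of the answer or of any Microsoft sample. The Front Door ID is passed in as a parameter (it is the GUID shown on the Front Door profile), and the VNet address space, resource names and the App Service plan ID are assumptions.

```bicep
// Added example, not code from the answer. Names, address space and IDs are assumptions.
param location string = resourceGroup().location
param frontDoorId string        // "Front Door ID" GUID of the existing profile; supplied by the deployer
param appServicePlanId string   // resource ID of an existing App Service plan (assumed)

// WAF policy for Front Door: managed rules in Prevention mode, bot protection,
// and a custom rate limit on the login path so a single client cannot hammer it.
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'fdwafpolicy'          // Front Door WAF policy names must be alphanumeric
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'       // 'Detection' only logs; 'Prevention' blocks
      requestBodyCheck: 'Enabled'
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
    customRules: {
      rules: [
        {
          name: 'RateLimitLogin'
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'RateLimitRule'
          rateLimitThreshold: 300       // requests per client per window; tune to the app
          rateLimitDurationInMinutes: 1
          matchConditions: [
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              matchValue: [ '/login' ]
            }
          ]
          action: 'Block'
        }
      ]
    }
  }
}

// DDoS Protection plan attached to the origin VNet, as the answer recommends,
// so public IPs behind Front Door are covered as well as the edge.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-04-01' = {
  name: 'origin-ddos-plan'
  location: location
}

resource originVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'origin-vnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.0.0.0/16' ]   // assumed address space
    }
    enableDdosProtection: true
    ddosProtectionPlan: {
      id: ddosPlan.id
    }
  }
}

// Origin Web App: deny everything except traffic from the Front Door backend
// service tag, and require the X-Azure-FDID header to match this profile so
// other tenants' Front Door instances cannot reach the origin directly.
resource originApp 'Microsoft.Web/sites@2022-09-01' = {
  name: 'example-origin-webapp'   // assumed name
  location: location
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    siteConfig: {
      minTlsVersion: '1.2'
      ipSecurityRestrictionsDefaultAction: 'Deny'
      ipSecurityRestrictions: [
        {
          name: 'AllowOnlyThisFrontDoor'
          ipAddress: 'AzureFrontDoor.Backend'
          tag: 'ServiceTag'
          action: 'Allow'
          priority: 100
          headers: {
            'x-azure-fdid': [ frontDoorId ]
          }
        }
      ]
    }
  }
}
```

The policy still has to be bound to the Front Door endpoint through a security policy on the profile (a `Microsoft.Cdn/profiles/securityPolicies` resource), which is omitted here because it depends on the existing profile and route. The header check on the origin is the part that is easy to forget: without it, the service tag admits traffic from every Azure Front Door deployment, not just yours.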

1 additional answer

AirGordon 7,030 Reputation points
2023-08-13T13:21:22.38+00:00

    I'd suggest reading this doc; it details the common protections for environments:

    1. Web Application Firewall (AppGw)
    2. IDPS (Azure Firewall)
    3. DDOS protection

    The other part of the doc that I like is the decision trees. You can focus on what your requirements are, e.g. do you require IDPS (Intrusion Detection and Protection System)? There will be little point in implementing expensive security controls that aren't a requirement for your environment.
