Azure Virtual Network and Azure Active Directory better together? But, how?

Raphael Pothin 21 Reputation points MVP
2020-11-02T14:35:42.007+00:00

Hello everyone,

I am wondering what the best practices are concerning the security of Azure resources using Azure Virtual Network and Azure Active Directory.

Is it possible to secure Azure resources using only one of them?
Or do we absolutely need both if we want to properly secure our resources?

If I consider the (a bit extreme) scenarios below, how bad are they?

  • Secure a resource with only RBAC access authorizations (not using virtual network)
  • Secure a resource using a virtual network (and endpoints) but let multiple users in the team access it (without PIM for example)

Do you have some resources (blog articles, videos, podcasts...) that could help me better understand this requirement please?

Thank you in advance for your help.
Raphael


Accepted answer
  1. Mike Urnun 9,811 Reputation points Microsoft Employee
    2020-11-04T00:16:17.157+00:00

    Hi Raphael,

    I work on Integration-related questions here and support the PaaS-tier services that you have listed out above, and Travis pinged me about this post, so I'm making my response as an answer, as we currently have a 1000-character limit on comments on this channel. In short, your understanding is correct and that is a valid point of view. Upon reading your post, the following statement stands out to me with the two key phrases:

    In our case, we will manipulate sensitive data in an integration scenario between 2 Microsoft cloud solutions for internal use only...

    For securing sensitive data, you'll want network security and true isolation from the rest of the tenants on public Azure. Most enterprise/government-level compliance controls will require such isolation, and VNET integration is the feature that is offered from (mostly) the Premium SKUs of the PaaS-tier offerings above. Note that because of the PaaS nature of these services, you'll find some of them needing to use certain network ports and/or establish connectivity to other PaaS services (i.e., Storage, for telemetry-gathering, pushing updates, etc.) outside of your VNET (configured by you during VNET integration) under the covers for utility purposes. For example, Azure Functions requires connectivity to a Storage Account in order for it to run properly and offer its features (although the ability to isolate the storage solution in a VNET is coming very soon too). If you run into this type of issue and find your security requirements in conflict, feel free to open a new post here with the specific details, and rest assured, as we have documentation and teams of engineers available to help and provide the necessary assistance. Alternatively, you may also choose to self-host these PaaS runtimes and run them in your own microservice architecture of your choice for greater control, if need be.

    As for the internal-only use, I would probably throw in Azure Policy to be used in conjunction with RBAC for more automatic prevention. And of course, you can always look to use OAuth/OpenID Connect flows for any AuthN/Z scenarios between user-to-service and service-to-service communications. There are also Managed Identity and Key Vault integration, which are all supported with the services listed above, depending on your budget and requirements. Hope this is helpful; let me know if you have any questions.


1 additional answer

  1. TravisCragg-MSFT 5,681 Reputation points Microsoft Employee
    2020-11-03T03:30:01.657+00:00

    The level of security needed for a resource is usually dependent upon how the resource is used / its requirements.

    Obviously, the more security you can have on a service the better, but there are services that you need exposed to the internet (cannot be secured via network), or that do not need to be secured via AAD.

    Having only RBAC (AAD) security will allow anyone in your AAD directory to access the resource, and is fantastic for internal sites for employees working remotely.

    Having only Network security (for example, Azure SQL) will only allow requests from your VNET. If your VNET is secure and you have additional security on the database, you might not need any additional AAD level security.

    What Azure Services are you looking to secure? I can find service specific best practices to provide additional guidance.
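The accepted answer suggests pairing RBAC with Azure Policy for "automatic prevention", and the answer above describes the network-only posture for a service such as Azure SQL. The following Azure Policy definition is an added example, not code from either answer or from Microsoft: it denies (or, with the `effect` parameter set to `Audit`, only reports) Azure SQL servers that still allow public network access and Storage accounts whose firewall default action is not `Deny`, so that a resource cannot be created or updated in a way that bypasses the VNET boundary. The policy aliases used (`Microsoft.Sql/servers/publicNetworkAccess`, `Microsoft.Storage/storageAccounts/networkAcls.defaultAction`) are real aliases from the respective resource providers; the display name and the choice of `Deny` as the default effect are this example's own.

```json
{
  "properties": {
    "displayName": "Example (not built-in): SQL servers and Storage accounts must not accept public network traffic",
    "description": "Added example policy. Denies SQL servers with public network access enabled and Storage accounts whose network ACL default action is not Deny, so data-plane access stays limited to the VNET (service endpoints / private endpoints) while RBAC and AAD authentication control who can act on the resource.",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit only reports non-compliant resources; Deny blocks the create/update request."
        },
        "allowedValues": [
          "Audit",
          "Deny"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Sql/servers"
              },
              {
                "field": "Microsoft.Sql/servers/publicNetworkAccess",
                "notEquals": "Disabled"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                "notEquals": "Deny"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning this definition at subscription or management-group scope with `effect` = `Audit` first shows which existing resources would be blocked, which matters for the Azure Functions case the accepted answer mentions (a Function App's backing Storage account would be flagged until it is also placed behind the VNET); switching the assignment to `Deny` afterwards turns the check into the preventive control the answer describes, while role assignments and AAD authentication remain the separate identity layer.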

