Network security plays a vital role in public cloud infrastructure design. Azure provides multiple network security options for cloud infrastructure and application services.
A few of Azure's network and application security offerings are listed below:
- Network Security Group
- Application Security Group
- Isolated Virtual Network
- Access Control List
- Azure DDoS protection
- Azure Front Door
- App Service Environment
- Azure Firewall (firewall-as-a-service)
- Third party Network Virtual Appliances (Cisco, F5, Barracuda, Palo Alto etc.)
In this article we focus on the high-level functionality, design decisions and best practices for Azure Firewall and third-party Network Virtual Appliances (NVAs).
Azure Firewall:
Azure Firewall is a cloud-native, stateful firewall as a service. It offers built-in high availability and scalability from the Azure side, and you consume it on a pay-as-you-go model. It has a published, committed SLA, fits into a DevOps deployment model and uses cloud-native monitoring tools.
The following rule types and features are supported by Azure Firewall:
- Application FQDN filtering rules
- Network traffic filtering rules
- FQDN tags
- Service tags
- Threat intelligence
- Outbound SNAT support
- Inbound DNAT support
- Multiple public IP addresses
- Azure Monitor logging
- Forced tunneling
- Certifications
See more here.
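To make the rule types above concrete, here is an added example (not from the article or from Microsoft) that models how Azure Firewall classic rules are processed: network rule collections are evaluated before application rule collections, collections in ascending priority order (100 is highest), the first matching rule terminates, and unmatched traffic is denied. DNAT and threat intelligence are left out, the wildcard semantics follow the public documentation as I understand it (`*.contoso.com` matches subdomains but not the apex), and the policy, addresses and hostnames are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Flow as the firewall sees it; fqdn is the HTTP Host header or TLS SNI (empty otherwise).
Flow = namedtuple("Flow", "src dst proto port fqdn", defaults=("",))
# Rule collection: kind "network"/"application", priority 100 (highest)..65000, action Allow/Deny.
Collection = namedtuple("Collection", "kind priority action rules")

def in_cidrs(addr, cidrs):
    return any(ip_address(addr) in ip_network(c) for c in cidrs)

def fqdn_matches(pattern, fqdn):
    """'*.contoso.com' matches subdomains (cdn.contoso.com) but not the apex; '*' matches all."""
    fqdn, pattern = fqdn.lower(), pattern.lower()
    if pattern.startswith("*"):             # "*" or "*.contoso.com"
        return fqdn.endswith(pattern[1:])   # ".contoso.com" never matches "contoso.com"
    return fqdn == pattern

def rule_matches(kind, r, f):
    if not in_cidrs(f.src, r["sources"]):
        return False
    if kind == "network":
        return (("Any" in r["protocols"] or f.proto in r["protocols"])
                and f.port in r["ports"] and in_cidrs(f.dst, r["destinations"]))
    # Application rule: TCP to the rule's Http/Https port, matched on the FQDN only.
    return (f.proto == "TCP" and f.fqdn and f.port in r["protocols"].values()
            and any(fqdn_matches(p, f.fqdn) for p in r["target_fqdns"]))

def evaluate(collections, flow):
    """Network collections first, then application; ascending priority; first match wins."""
    for kind in ("network", "application"):
        for col in sorted((c for c in collections if c.kind == kind),
                          key=lambda c: c.priority):
            if any(rule_matches(kind, r, flow) for r in col.rules):
                return col.action, f"{kind} collection p{col.priority}"
    return "Deny", "implicit deny"

# Constructed sample policy: DNS to Azure's resolver allowed by a network rule;
# *.contoso.com allowed by an application rule, with one host denied at a higher priority.
POLICY = [
    Collection("network", 100, "Allow", [{"protocols": {"UDP"}, "ports": {53},
        "sources": ["10.0.0.0/16"], "destinations": ["168.63.129.16/32"]}]),
    Collection("application", 100, "Deny", [{"protocols": {"Https": 443},
        "sources": ["10.0.0.0/16"], "target_fqdns": ["blocked.contoso.com"]}]),
    Collection("application", 200, "Allow", [{"protocols": {"Http": 80, "Https": 443},
        "sources": ["10.0.0.0/16"], "target_fqdns": ["*.contoso.com"]}]),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Flow("10.0.1.4", "203.0.113.10", "TCP", 443, "cdn.contoso.com")))
```

Because network rules are evaluated first, adding a broad network rule that allows TCP 443 to any destination would make the FQDN-based deny above unreachable; evaluate that case against the model before relying on application rules for egress control.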
Third party Network Virtual Appliances:
A large number of vendors offer their network appliances in the Azure ecosystem. You can easily get your favorite network solution provider's NVA from the Azure Marketplace, which gives you the same experience you already have with your on-premises network devices. Technically, NVAs are virtual machine instances, so you are fully responsible for the high availability and scalability of your firewall services.
NVAs today provide a diverse set of capabilities such as:
- Firewalls
- WAN optimizers
- Application delivery controllers
- Routers
- Load balancers
- Proxies and more
Facts to consider before designing network security for the organization:

| Consideration | Azure Firewall | Third Party NVA |
| --- | --- | --- |
| Cost | Azure Firewall costs about 30-50% less than an NVA | VM + software |
| Business Need | Customer's call | Customer's call |
| Existing Skills and Trust | Must learn a few new concepts to configure Azure Firewall | If you trust the brand and have a large skill base |
| Licensing | Consumption: instance + per GB | VM + software |
| Maintenance | Azure takes care of it | Customer responsibility |
| Ownership | Set up and monitor | Manage VM / OS / software |
| Support | Included in your Azure support plan | Per NVA vendor billing model |
| Complexity | Simple | Difficult |
Best Practices for implementing Network Security:
- Use strong network controls
- Logically segment subnets
- Adopt a Zero Trust approach
- Control routing behavior
- Deploy perimeter networks for security zones
- Avoid exposure to the internet with dedicated WAN links
- Optimize uptime and performance
- Disable RDP/SSH Access to virtual machines
- Secure your critical Azure service resources to only your virtual networks
For a more in-depth understanding of Azure network security and design, see Azure security best practices and patterns.