Category: Networking

Microsoft AZ-700: Exercise – Deploy and Configure Azure Firewall Using the Azure Portal

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 7: Exercise – Deploy and Configure Azure Firewall Using the Azure Portal

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create a virtual network and subnets.
    • Search and Choose Virtual Networks in Azure Portal
    • Click Create
      • Choose a resource group from the dropdown or click create new (create new in this example)
      • Enter a unique name in the dialog box and click OK
      • Enter a unique name under Instance Details
      • Select a region from the dropdown
      • Click Next : IP Addresses >
      • Select (check box) and the link to the default subnet
        • In right panel enter a unique subnet name
        • Enter an appropriate Subnet address range
        • Click Save
      • Click Add subnet for later use
        • Repeat above settings as appropriate
        • Click Add
      • Click Review + create
      • Once Validation has passed click Create
  • Task 2: Create a virtual machine.
    • Open PowerShell in cloudshell (Shell button next to portal search bar)
    • Upload Template and Parameters files
    • View and specify subscription
      • “az account show –output table”
      • “az account set –subscription “NAME from output above””
  • Set resource group variable
    • “$RGName = Test-FW-RG”
  • Return to Azure Portal to verify VM created
  • Select new VM and note IP Address
  • Task 3: Deploy the firewall and firewall policy.
    • Deploy template
      • “New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile filename.json -TemplateParameterFile filename.parameters.json”
    • In Azure Portal Search and Click Firewalls
    • Select Create
      • Choose Resource group from dropdown
      • Enter Instance Name
      • Choose region from dropdown
      • Choose FW SKU (Standard in this example)
      • Choose Add New under Firewall Policy
        • Enter Unique Policy Name in dialog
        • Choose Region from dropdown
        • Select OK
      • Under Choose a virtual network toggle to Use existing
      • Choose VNet under dropdown
      • Choose Add new under Public IP address
        • Enter Unique Name in dialog
        • Click OK
      • Click Review + Create
      • Once validation passed click Create
      • When complete click Go to resource
      • On overview page copy Firewall private IP
      • In left panel click Public IP configuration under Settings
      • Note public IP address
  • Task 4: Create a default route.
    • Search and click Route Tables in Azure Portal
    • Click Create
      • Choose Resource group from dropdown
      • Choose Region from dropdown
      • Enter unique name
      • Click Review + create
      • Once validation complete click Create
      • Once complete click Go to resource
      • Under settings select Subnets
      • Click Associate
        • Verify Virtual network and Subnet are as expected
        • Select OK
      • Under settings choose Routes
      • Click Add
        • Enter a unique route name
        • In Address prefix destination dropdown choose IP Address
        • Enter Destination IP addresses/CIDR ranges
        • In Next hop type dropdown choose Virtual Appliance
        • Enter Next Hop address
        • Select Add
  • Task 5: Configure an application rule.
    • In Azure Portal navigate to FW policy created earlier
    • Click Application rules
    • Select Add a rule collection
      • Enter Unique name
      • Enter a priority (200 in this example)
      • Enter a name in the Name box
      • Enter Source IP (CIDR)
      • Enter Protocol (http,https)
      • Enter Destination (www.google.com)
      • Click Add
  • Task 6: Configure a network rule.
    • Choose Network Rules under settings
    • Choose Add a rule collection
      • Enter a unique name for collection
      • Enter priority value (200)
      • Choose Rule Collection Group from dropdown
      • Enter unique name for rule under Name box
      • Enter Source (CIDR)
      • Choose Protocol from dropdown
      • Enter Destination Port(s)
      • Enter Destination
      • Click Add
  • Task 7: Configure a Destination NAT (DNAT) rule.
    • Choose DNAT rules under settings
    • Select Add a rule collection
      • Enter unique name for rule collection
      • Enter priority value (200)
      • Choose Rule collection group from dropdown
      • Enter unique name for rule
      • Enter Source IP as wildcare (*)
      • Choose protocol from dropdown
      • Enter Destination Port
      • Enter Destination IP
      • Enter IP addr in Translated address or FQDN box
      • Enter Translated Port
      • Click Add
  • Task 8: Change the primary and secondary DNS address for the server’s network interface.
    • Navigate to created VM earlier in Azure Portal
    • Click Networking under settings
    • Click the Network Interface for the VM
    • Click DNS servers under settings
      • Toggle to Custom
      • Add Primary and Secondary DNS Server
      • Click Save
    • Restart VM
      • Overview
      • Restart
      • Yes
  • Task 9: Test the firewall.
    • Launch Remote Desktop Connection
    • Enter FW Public IP:3389
    • Connect
    • Connect
    • Enter Credentials for VM and click OK
    • Open Internet Explorer and Browse to Google
    • In dialog select OK
    • Browse to microsoft.com – blocked due to FW
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-deploy-and-configure-azure-firewall-using-the-azure-portal/

Microsoft AZ-700: Design and Implement Azure Firewall

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 6: Design and Implement Azure Firewall

Azure. FW is managed, cloud based security service protecting VNet resources. Fully stateful FWaaS with build-in HA and unrestricted cloud scalability.

  • Azure Firewall Features
    • Built-in HA
      • HA so no extra load balancers required or configuration needed
    • Unrestricted cloud scalability
      • Azure FW can scale out as much as needed. No need to budget for peak traffic
    • App FQDN filtering rules
      • Limit outbound HTTP/S or Azure SQL traffic to specific list of FQDNs including wildcard
      • Doesn’t require TLS term
    • Net traffic filtering rules
      • Centrally create allow/deny rules by
        • Source/Dest IP
        • Port
        • Protocol
      • Azure FW is fully stateful
      • Rules enforced and logged across multiple subscriptions and VNets
    • FQDN tags
      • Make it easy to allow well-known Azure service traffic through FW
      • Create an app rule and include Windows Update tag for example
    • Service tags
      • Represents group of IP address prefixes minimizing complexity for rule creation
      • Cannot create personal service tag or specify which IP addrs included in tag
      • MS manages prefixes by tag and auto updates as addrs change
    • Threat intelligence
      • Threat intelligence-based filtering (IDPS) possible to alert and deny traffic from/to known malicious IP/Domains
      • IP addrs/domains sources from MS Threat Intelligence feed
    • TLS inspection
      • FW can decrypt outbound traffic, process, reqncrypt and send to DST
    • Outbound SNAT support
      • All outbound VNet traffic Ips translate to Azure FW public IP (Source Network Address Translatioin (SNAT))
      • Identify and allow traffic originating from VNet to remote Inet DSTs
    • Inbound DNAT support
      • Inbound Inet traffic to FW public IP translated (Destination Network Addr Translation) filtered to. Private IP on VNet
    • Multiple public IP addrs
      • Associate multiple (up to 250) with FW for specific DNAT/SNAT scenarios
    • Azure Monitor Logging
      • All events integrated to Azure Monitor
      • Allows archival of logs to storage account
      • Stream events to Event Hubs
      • Send to Azure Monitor Logs
    • Forced tunneling
      • Configure Azure FW to route all Inet bound traffic to a next hop instead of direct to Inet
      • Example to send to on-prem FW or NVA to process
    • Web categories
      • Allow or deny user access to web site categories
      • Categories included in Azure FW Standard
      • Categories more fine-tuned in Premium Preview
      • Standard matches FQDN, in Prekmium match on entire URL for HTTP or HTTP/S
    • Certs
      • Azure FW is PCI, SOC, ISO, and ICSA Labs compliant
  • Rule processing in Azure Firewall
    • In Azure FW, Possible to configure NAT rules, network rules, app rules. FW denies all traffic by default until manual rules configured to allow
  • Rule processing with classic rules
    • Rule collections are processed according to type in priority order
      • Lower numbers to higher from 100 – 65000
    • A rule collection name is only letters, numbers, underscores, period and hyphens
    • Must being with a letter or number
    • Must end with letter,number,underscore
    • Max name – 80 chars
    • Increments of 100 for priority allowing additional rules in between later
  • Rule processing with Firewall Policy
    • FW Policy, rules organized inside Rule Collections contained in Rule Collectioin Groups
    • Rule Collection types
      • DNAT
      • Network
      • Application
    • Define multiple types in single group
    • Can define zero+ rules in a collection
    • Rules in collection MUST be SAME type
    • FW Policy – rules processed on Rule Collection Group Priority
      • Number between 100 (highest) and 65000 (lowest)
      • Highest rule in group processed first
    • Application rules always processed after network rules which are always processed after DNAT rules
  • Deploying and configuring Azure FW
    • Consideration Factors
      • FW centrally create,enforce,log app/network connectivity policies across subscriptions and VNets
      • FW uses static, public IP for VNet resources
      • FW fully integrated with. Azure Monitor for log/analytics
    • Steps for deployment
      • Create resource group
      • Create VNet and subnets
      • Create workload VM in subnet
      • Deploy FW and Policy to VNet
      • Create default outbound route
      • Configure app rule
      • Configure network rule
      • Configure DNAT rule
      • Test
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-design-and-implement-azure-firewall/

Microsoft AZ-700: Deploy Network Security Groups by Using the Azure Portal

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 5: Deploy Network Security Groups by Using the Azure Portal

NSG in Azure allows filtering network traffic to/from Azure resources in a VNet. NSG contains security rules to allow/deny inbound traffic to, or outbound from several types of resources. Each rule specifies source/destination, port, protocol.

  • NSG Security Rules
    • NSG contains zero, or as many rules as you want, within subscription Limits
    • Each rule has a series of properties
      • Name
        • Must be unique within NSG
      • Priority
        • Number between 100-4096
        • Processed in order with lower number handled first
        • Once traffic matches rule processing stops
      • SRC or DST
        • Can be set to
          • Any
          • Individual IP
          • CIDR block
          • Service tag
          • App security group
      • Protocol
        • TCP
        • UDP
        • ICMP
        • ESP
        • AH
        • Any
      • Direction
        • Rx
        • Tx
      • Port Range
        • Individual Port
        • Range of Ports
      • Action
        • Allow
        • Deny
    • FW evaluates rules using source, source port, dest, dest port, protocol
  • Default security rules
    • (Table below from MS Learn)
    • Deployment scenario examples based on diagram below (Diagram from MS Learn)
      •  
      • For inbound traffic Azure processes rules in NSG associated to subnet first (if exists), and then rules in NSG associated to interface (if exists)
        • VM1
          • Subnet1 associated with NSG1
          • Security rules are processed
          • VM1 is in Subnet1
          • Unless rule created that allows port 80 in, the DenyAllInbound default rule denies the traffic
            • In this case never evaluated by NSG2 as it’s associated to network interface
          • If NSG1 has rule allowing port 80, NSG2 then processes traffic
          • To allow port 80 to VM both NSG1 and NSG2 must have rule that llows port 80 from inet
        • VM2
          • NSG1 rule processed because VM2 in Subnet 1
          • Since VM2 has no NSG associated with interface all traffic received through NSG1 or denied all traffic by NSG1
          • Traffic either allowed or denied to all resources in same subnet when NSG is associated with subnet
        • VM3
          • No NSG associated with Subnet2 – traffic allowed into subnet and processed by NSG2 as it’s associated to interface attached to VM3
        • VM4
          • Traffic allowed to VM4 since NSG isn’t associated to Subnet3 or interface of virtual machine
          • All traffic allowed through a subnet & interface if they doesn’t have NSG associated
      • For outbound traffic Azure processes rules in NSG associated with interface first then subnet (if there is one in both cases)
        • VM1
          • Security rules in NSG2 processed Unless security rule denying port 80 out to internet, then the AllowInternetOutbound default rule allows traffic in both NSG1 and 2
          • If NSG2 has rule denying port 80 traffic is denied and NSG1 never evaluates
          • To deny port 80 from VM either/or both of NSGs must have rule denying 80 or internet
        • VM2
          • All traffic sent through interface to subnet since interface is attached to VM2 doesn’t have NSG associated
          • NSG1 rules are processed
        • VM3
          • If NSG2 has rule denying 80 traffic denied
          • If NSG2 has rule allowing port 80 allowed out to internet since NSG isn’t associated to Subnet2
        • VM4
          • All traffic allowed from because NSG isn’t associated to network interface on VM or Subnet3
  • Application Security Groups
    • ASG enables configuration of network security as natural extension to apps structure
    • Allows grouping VMs and defining network security policy on these groups
    • Can reuse security policy at scale without manual maintenance of IP addresses
    • Platform handles complexity of IP addresses and multi rule sets
    • Create rules using service tags/ASG’s and avoid rules with individual Ips or ranges to minimize security rules needed
  • Filter network traffic with an NSG using Azure Portal
    • Use NSG to filter Rx/Tx from VNet
    • NSG contain security rules filtering traffic by IP, port, protocol and are applied to resources in a subnet
    • Key stages to filter traffic with NSG
      • Create Resource Group
      • Create VNet
      • Create App Security Groups
      • Create Network Security Groups
      • Associate NSG with subnet
      • Create security rules
      • Associate NICs to an ASG
      • Test filters
    • More detailed steps see MS Learn site: Tutorial: Filter network traffic with a network security group using the Azure portal
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-deploy-network-security-groups-by-using-the-azure-portal/

Microsoft AZ-700: Exercise – Configure DDoS Protection on a Virtual Network Using the Azure Portal

Reading Time: 2 minutes

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 4: Exercise – Configure DDoS Protection on a Virtual Network Using the Azure Portal

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create a DDoS Protection plan.
    • Search and click DDoS Protection Plans in Azure Portal
    • Click Create
      • Select or Create New Resource Group (create new in this example)
      • Enter unique name and click OK
      • Enter unique name under Instance Details
      • Choose Region from dropdown
      • Click Review + Create
      • Once Validated click Create
  • Task 2: Enable DDoS Protection on a new virtual network.
    • Search and click Virtual Networks in Azure Portal
    • Click Create
      • Choose Resource Group from dropdown
      • Enter unique Name under Instance details
      • Choose Next : IP Addresses >
      • Choose Next : Security >
      • Toggle DDoS Network Protection to Enable
      • Choose DDoS Protection Plan created earlier from dropdown
      • Select Review + Create
      • Once validated select Create
  • Task 3: Configure DDoS telemetry.
    • Search and click Public IP Addresses in Azure Portal
    • Click Create
      • Enter unique name
      • Enter DNS Name Label
      • Choose Resource Group from dropdown
      • Click Create
    • Search for DDoS protection plan created earlier
    • Choose Metrics under Monitoring
      • Set Scope to MyPublicIPAddress
      • Click Apply
      • Set Metrick from dropdown
        • Inbound packets dropped
  • Task 4: Configure DDoS diagnostic logs.
    • Search and select my public IP address
    • Choose Diagnostic settings under Monitoring
      • Select Add diagnostic setting
        • Check all 3 boxes under Categories
        • Check AllMetrics box under metrics
        • Check send to Log Analytics workspace box
  • Task 5: Configure DDoS alerts.
    • Search and navigate to Virtual Machines in Portal
    • Click Create > Azure Virtual Machine
      • Choose Resource Group from dropdown
      • Provide Virtual Machine Name
      • Choose Review + Create
      • Once Validated click Create
      • Click Download private key and create resource in Generate new key pair dialog
      • Click Go to resource
        • Click Networking under settings
        • Click link next to Network Interface
        • Select IP configurations under settings
        • Chose ipconfig1
          • Under Public IP address choose MyPublicIPAddress
          • Click Save
    • Navigate to DDoS protection plans in Azure Portal
      • Choose MyDDoSProtectionPlan as created earlier
        • Click Alerts under monitoring
          • Click Create > Alert Rule
          • Delete existing resource
          • Click Select Scope
          • Under Filter by resource choose search for and choose Public IP Addresses from the dropdown
          • Choose MyPublicIPAddress as created earlier
          • Click Done
        • Choose Next : Condition >
          • Choose Under DDoS attack or not
            • Select Maximum under Aggregation type dropdown
            • Select Greater than or equal too under Operator dropdown
            • Enter Threshold value (1 in this example)
            • Select Next: Actions >
            • Select Next : Details >
              • Enter Alert rule name
              • Choose Review + create
              • Click Create
  • Task 6: Monitor a DDoS test attack.
    • Search Public IP Addresses in Azure Portal and on page click MyPublicIPAddress as created above
    • Copy the IP Address
    • Click Metrics under Monitoring section in left panel
      • In the Metric dropdown choose Under DDoS attack or not
      • Value changes from 0 to 1 if under attack
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-configure-ddos-protection-on-a-virtual-network-using-the-azure-portal/

Microsoft AZ-700: Deploy Azure DDoS Protection by Using the Azure Portal

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 3: Deploy Azure DDoS Protection by Using the Azure Portal

  • Distributed Denial of Service (DDoS)
    • DoS attack that has goal of preventing access to services/systems
    • Originates from one location
    • DDoS attack originates from multiple networks and systems
    • DDoS are largely available and security concern facing customers moving apps to the cloud
    • DDoS tries to drain API’s or app resources making it unavailable
    • DDoS can be targeted at endpoints that are publicly reachable via internet
  • DDoS Implementation
    • Azure DDoS Protection, combining with app design best practices aids in defense again DDoS attacks.
    • Multiple service tiers available
      • Network Protection
        • Provides mitigation capabilities over DDoS infra Protection
        • Tuned specifically to AZ VNet resources
        • Simple to enable and requires no app modification
        • Policies applied to public IP associated with resources in VNet
        • Real-time telemetry through Azure Monitor views during attach, and historically
        • Rich mitigation analytics via diagnostic settings
        • App layer protection available via Azure App Gateway WAF
        • Protection for IPv4 and IPv6 public addrs
      • IP Protection
        • DDoS IP Protection is pay-per protected IP
        • Contains same core features as DDoS Network Protection
        • Value-added services such as
          • DDoS rapid response support
          • Cost Protection
          • Discounts on WAF
    • Protects resources in VNets
    • Protection includes:
      • VM Public IP Addresses
      • Load Balancers
      • App Gateways
    • When coupled with App. Gateway WAF can provide full L3-7 mitigation capabilities
  • Types of DDoS Attacks
    • Can mitigate the following types of attacks
      • Volumetric attacks
        • Flood network layer with large amounts of what looks like legit traffic
        • Include UDP floods, amplification flood, and other spoofed-packet floods
      • Protocol Attacks
        • Attack renders target inaccessible exploiting L3 and L4 weaknesses
        • Includes SYN flood, reflection, and other protocol attacks
      • Resource (App) layer attacks
        • Target web application packets to disrupt transmission between hosts
        • Includes HTTP protocol violations, SQL injection, cross-site scripting, and other L7 attacks
  • Azure DDoS protection features
    • Examples include
      • Native platform integration
        • Native integration into Azure and configured via portal
      • Turnkey protection
        • Simplified config protecting all resource right away
      • Always-on traffic monitoring
        • App traffic patterns monitored 24/7
      • Adaptive tuning
        • Profiling and adjusting to service traffic
      • Attack analytics
        • Detailed reports every 5 mins during attack
        • Complete summary after attack ends
      • Attack Metricks and alerts
        • Summary metrics from each attack through. Azure Monitor
        • Alerts configured at start/stop of attack, and duration of attack
        • Uses built-in attack metrics
      • Multi-layered protection
        • When deployed with WAF, DDoS Protection protected network and app layer
  • More details about some of the above DDoS Protection Features
  • Always-on traffic monitoring
    • Monitors actual traffic utilization
    • Constantly compares against defined thresholds
    • When threshold exceeded, mitigation initiated automatically
    • When back below threshold, mitigation stopped
    • During mitigation, traffic towards protected resource redirected and checks performed
      • Ensure packets conform to inet specs and aren’t malformed
      • Interact with client to determine if traffic potentially spoofed (e.g. SYN Auth or SYN Cookie or dropping packet to force re-transmit)
      • Rate-limit packets if no other enforcement can be performed
    • DDoS protection drops attack traffic and forwards remaining traffic
    • Within a few minutes – notified using Azure Monitor metrics
    • Configuring logging on DDOS Protection telemetry logs for future analysis
    • Metric data is retained for 30 days.
  • Adaptive real-time tuning
    • DDoS Protection service aids to protect customers and prevent impacts to others
  • Attack metrics, alerts, logs
    • DDoS Protection exposes rich telemetry using Azure Monitor
    • Configure alerts for any metric DDoS Protection uses
    • Integrate logging with Splunk (Azure Event Hubs, Azure Monitor Logs, and Azure Storage for advanced analysis using Azure Monitor Diagnostics
    • Steps
      • In Portal
        • Monitor > Metrics
          • Select Resource group
          • Select resource type of Public IP Address
          • Select the Azure Public IP Address
        • DDoS metrics visible in the Available metrics pane
    • DDoS Protection applies 3 autotuned mitigation policies for each public IP of protected resource in VNet DDoS is enabled
      • SYN
      • TCP
      • UDP
    • View policy thresholds
      • Inbound [SYN/TCP/UDP] packets to trigger mitigation metrics
    • Policy thresholds autoconf via machine learning-based network traffic profiling
    • DDoS mitigation occurs for IP under attack only when threshold exceeded
    • If pub IP under attack, value for Under DDoS attack or not metric changes to 1 while mitigation being performed
  • Multi-layered Protection
    • Specific resource attacks at app layer – recommended a WAF be configured
    • WAF inspected inbound web traffic to block SQL Injection, Cross Site Scripting, DDoS, and other L3 attacks
    • Azure provides WAF as feature of App Gateway for centralized protection of web apps
    • Other WAF offerings from partners in Azure Marketplace
    • Even web app FW are susceptible to volumetric and state exhaustion
      • Enable DDoS protection on WAF VNet to aid in protection of these
  • Deploying DDoS Protection Plan
    • Key stages of deploying DDoS Protection:
      • Create Resource Group
      • Create DDoS Protection Plan
      • Enable DDoS Protection on new/existing VNet or IP addr
      • Configure DDoS telemetry
      • Configure DDoS diagnostic logs
      • Configure DDoS alerts
      • Run a test DDoS attack to verify results
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-deploy-azure-ddos-protection-by-using-the-azure-portal/

Microsoft AZ-700: Get Network Security Recommendations with Microsoft Defender for Cloud

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 2: Get Network Security Recommendations with Microsoft Defender for Cloud

Network security is various tech, devices, processes and provides rules and configs to protect the CIA of networks/data. Every org though have some sort of network security

  • NS-1: Establish network segmentation boundaries
    • Security Principle to ensure that VNet deployment aligns with segmentation strategy
    • Any workload that incurs high risk should be isolated in VNets
  • NS-2: Secure cloud services with network controls
    • Security Principle to secure cloud services establishing private access point to resource(s)
    • Should also disable/restrict public access if you can
  • NS-3: Deploy firewall at edge of enterprise network
    • Security Principle to perform advanced filtering on net traffic to/from external networks
    • Can also use firewalls between internal segments
    • If needed, custom routes for subnet used to override system route
    • This forces net traffic to go through network appliance for security
  • NS-4: Deploy IDS/IPS
    • Security Principle to inspect network and payload to/from workloads
    • Ensure IDS/IPS always tuned for high-quality alerts
  • NS-5: Deploy DDOS Protection
    • Security Principle to protect network/apps from attacks
  • NS-6: Deploy web app firewall
    • Security Principle to deploy WAF and configure rules to protect web apps/API’s from app specific attacks
  • NS-7: Simplify net security config
    • Security Principle to use tools to simplify, centralize, enhance network security management
  • NS-8: Detect & Disable insecure services/protocols
    • Security Principle to protect from insecure services/protocols at OS/App/Software package
    • Deploy controls if disabling isn’t possible
  • NS-9: Connect on-prem or cloud privately
    • Security Principle to use private connection between networks
  • NS-10: Ensure DNS security
    • Security Principle to ensure DNS security config against known risks
  • Using Microsoft Defender for Cloud for Regulatory Compliance
    • Defender for Cloud aids in streamlining meeting regulatory compliance requirements using the “Regulatory Compliance Dashboard”
    • This shows status of all assessments within environment you have chosen standards and regulations for
    • As you act and reduce risk posture improves
  • Regulatory Compliance Dashboard
    • Shows overview of status with set of supported compliance regulations
    • View overall score, number of pass/fail assessments within each standard
  • Compliance Controls
    • Contains
      • Subscriptions the standard is applied on
      • List of all controls for said standard
      • View details of passing/failing assessment associated with control
      • Number of affected resources
      • Severity of the alert
    • Some are grayed out as they don’t have Any MS Defender for Cloud assessments associated
    • Check their requirement and assess them
    • Some controls may be process-related not technical
  • Exploring details of compliance with a specific standard
    • To generate PDF report with a summary of status choose Download Report
    • Provides high-level summary of compliance status for standard based on MS Defender for Cloud assessment data
    • Organized according to controls of said standard
    • Can be share with stakeholders and aid in providing evidence to internal/external auditors
  • Alerts in MS Defender for Cloud
    • Automatically collects/analyzes/integrates log data from Azure resources
    • List of prioritized security alerts shown along with. Info needed to investigate and remediation steps
  • Manage security alerts
    • Defender for Cloud overview page shows Security Alerts tile at top and a link in the left panel
    • Security alerts page shows active alerts
    • Sort by Severity, Title, Affected Resource, Activity Start Time
    • MITRE. ATTACK tactics and status
    • To filter select any of the relevant filters
  • Respond to security alerts
    • From Security alerts list click an alert
    • Another panel opens with description of alert and affected resources
    • View full details to display more info
    • Left pane shows high-level info regarding alert
      • Title
      • Severity
      • Status
      • Activity time
      • Description
      • Affected Resource
    • Right Pane includes
      • Alert details tab with more details
        • IP address
        • Files
        • Processes
        • Etc
      • Take Action Tab with Actions like
        • Mitigate the threat
          • Provides manual remediation steps
        • Prevent Future Attacks
          • Provides sec recommendations to aid in reducing attack server, increase security posture
        • Trigger Automated Response
          • Provides option to trigger logic app as response
        • Suppress similar alerts
          • Provides option to suppress further alerts with similar characteristics
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-get-network-security-recommendations-with-microsoft-defender-for-cloud/

Microsoft AZ-700: Exercise – Create a Front Door for a Highly Available Web Application

Reading Time: 2 minutes

Notes from MS Learn AZ-700 Module 4: Load balance non-HTTP(S) traffic in Azure – Unit 6: Exercise – Create a Front Door for a Highly Available Web Application

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create two instances of a web app
    • Search and select App Services in Azure Portal
    • Click Create
      • Choose or Create new under Resource Group
      • Enter Unique name under Instance Details
      • Choose a Runtime stack from dropdown
      • Choose a region from dropdown
      • Choose or create new under Windows Plan (Create new in this example)
        • Enter Unique Name
        • Click OK
    • Click Review + Create
    • Once validated click Create
    • Repeat for second App Service
  • Task 2: Create a Front Door for your application
    • Search and click Front Door and CDN profiles in Azure Portal
    • Click Create
    • Leave Quick Create selected
    • Click Continue to create a Front Door
      • Select (or create new) a Resource group from the dropdown (choose from dropdown in this example)
      • Enter unique name under Profile details
      • Enter unique name under Endpoint settings
      • Select “App services” from Origin type dropdown
      • Select Origin host name from dropdown
      • Click Review + Create
      • Once Validated click Create
      • Click Go to resource once deployment complete
      • Click Origin groups
        • Click created origin group (default-origin-group in this example)
        • Click Add an origin
          • Enter Unique name
          • Select Origin type from dropdown
          • Select Host name from dropdown
          • Click Add
          • Click Update
  • Task 3: View Azure Front Door in action
    • Click Overview under the Frontdoor page
    • Copy Endpoint hostname and navigate to address
    • Search and click App Services in Azure Portal
    • Check box next to first App Service (WebAppContoso-2001)
    • Select Stop in menu bar
    • Select Yes to verify
    • Click refresh in menu bar
    • App should show status stopped
    • Go back to App browser tab and refresh
    • Should appear the same
    • Go back to Azure and stop second webapp
    • Return to App browser tab – refresh – should show Error code as unavailable now that both are stopped
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-create-a-front-door-for-a-highly-available-web-application/

Microsoft AZ-700: Design and Configure Azure Front Door

Reading Time: 4 minutes

Notes from MS Learn AZ-700 Module 4: Load balance non-HTTP(S) traffic in Azure – Unit 5: Design and Configure Azure Front Door

Front Door is MS modern cloud Content Delivery Network (CDN) providing fast, reliable, secure access between users and apps. Delivered using MS global edge network with hundreds of global/local POPs close to both enterprise network and consumer end users.

Orgs have apps to make available to customers, suppliers, users, etc. They must be highly available. Additionally they nee quick response and security. Front Door has many SKUs to achieve this.

Secure/Modern cloud CDN offers distributed platforms of servers. This minimizes latency. IT may desire to use CDN and web app FW to control HTTP/HTTPS traffic tx/rx target apps

  • Products available  (Table below from MS Learn)
  • Azure Front Door comparison
    • Offered in 2 tiers
      • Standard
      • Premium
    • Combine capability of Front Door (classic), CDN Standard from MS (classic) and Azure WAF into single secure cloud CDN with intelligent threat protection
    • Front Door exists in edge locations
    • Manages user requests for hosted apps
    • Users connect to app via MS Global Network
    • Routes requests to fastest/available app backend
    • MS Review the feature comparison table
  • Create a front door in Azure Portal
    • QuickStart
    • Can create through Quick Create via Custom Create allowing a more advanced config
  • Routing architecture
    • Front Door traffic routing has many stages
      • Routed from client to Front Door
      • Front Door uses config to determine origin to send traffic to
      • Front Door web app FW, routing rules, rules engine, caching config affect process
      • Diagram below from MS Learn outlines architecture
  • Front Door route rules config structure
    • Major parts
      • Incoming Match
        • HTTP Protocols (HTTP/HTTPS)
        • Hosts (ex www.something.com, *.something.com)
        • Paths (ex /, /users, /file.ext)
      • Route Data
        • Front Door speeds up processing using caching
        • If enabled for route – uses cached response
        • If no cached response – forwards to appropriate backend in configed pool
      • Route Matching
        • Front door attempts to match most-specific match first. Alg matches first on HTTP then Frontend host, then Path
          • Frontend host
            • Look for any routing with exact match on host
            • If none, reject and send 400 Bad Request error
          • Path Match
            • Look for routing rule with exact match to path
            • If none, look for routing rule with wildcard path matching
            • If none of above reject with 400 Bad Request error
    • If no routing rules for exact-match frontend with catch-all route Path (/*) then no match
    • Front Door redirects traffic at
      • Protocol
      • Hostname
      • Path
      • Query String
    • Above can be configured for individual microservice
  • Redirection types
    • Sets response status code for clients
    • Types supported (Table below from MS Learn)
  • Redirection protocol
    • Set protocol used for redirection – most common is set HTTP to HTTPS
    • HTTPS Only
      • Set protocol to HTTPS only – if looking to redirect HTTP to HTTPS.
      • Azure Front Door recommends always set redirect to HTTPS only
    • HTTP Only
      • Incoming request redirect to HTTP.
      • Use only when desired to keep traffic HTTP that is not encrypted
    • Match request
      • Option keeps proto used
  • Destination Host
    • Configured redirect routing, one can also change hostname or domain.
    • Set field to change hostname in URL or preserve hostname.
  • Destination Path
    • When replacing path segment of URL is desired
    • Or preservce path value
  • Destination fragment
    • Dest Frag is portion of URL after #
    • Can set field to add fragment to redirect URL
  • Query string parameters
    • Replace query string parameter in redirect URL
    • Replace any existing query string from inbound request set to ‘Replace’ and then appropriate value
    • Or keep original set of strings by setting to Preserver
  • Configure rewrite policy
    • Frond Door supports URL rewrite using optional Custom Forwarding Path
    • Host header used in fowarded request as configured for selected backend
    • Read backend host header to learn what it does and how to configure
    • Powerful part of URL rewrite is custom forwarding path copies any part of inbound path matching wildcard path to forward
  • Configure health probes including custom HTTP response code
    • Frond Door sends synthetic HTTP/HTTPS requests to each backend
    • Uses responses to determine “best” backend to route to
    • Front door has many edges globally, probe volume may be high (25 reqs/min to 1200 reqs/min
    • Default is probe every 30 seconds backend probe should be ~ 200 req/min
  • Supported HTTP methods for health probes
    • HTTP or HTTPS
    • Same TCP port configured for routing client reqs, can’t be overridden
    • Front Door supports HTTP methods
      • GET
        • Retrieves entity info in request URI
      • HEAD
        • Identical to GET except server MUST NOT return message-body in response
        • For lower load is default
  • Health probe responses
    • (Table below from MS Learn)
    • Front Door uses three step process for health determination
      • Exclude disabled backends
      • Exclude backends with health probe errors
        • Look at last n health probe. If x are healthy, backend is healthy
        • N configured by changing SampleSize preopery in lb settings
        • X configure by changing SuccessfulSamplesRequired property in lb settings
      • Health backends, Front Door additionally measure/maintains RTT for each backend
    • If single backend, choose disable health probes to reduce load.
  • Secure Front Door with TLS/SSL
    • Use HTTPS protocol to ensure sensitive data secure. When browser connects to website with HTTPS it validates website certificate and authority
    • Key attributes
      • No extra cost
      • Simple enablement
        • Provisioning via Azure Portal or REST API
      • Complete cert management
        • All cert procurement/management handled for you. Certs automatically provision/renew before expiry
    • Check Tutorial – Configure HTTPS on a custom domain for Azure Front Door | Microsoft Learn
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-design-and-configure-azure-front-door/

Microsoft AZ-700: Exercise – Deploy Azure. Application Gateway

Reading Time: 2 minutes

Notes from MS Learn AZ-700 Module 4: Load balance non-HTTP(S) traffic in Azure – Unit 4: Exercise – Deploy Azure. Application Gateway

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create an application gateway
    • Search and Click Application Gateways in Azure Portal
    • Click Create
      • Select or Create New for Resource Group (Create new in this example)
        • Enter unique name
        • Click OK
      • Enter Application gateway name
      • Chose Region from dropdown
      • Select or Create New Virtual Network (create new in this example)
        • Enter unique name
        • Delete default subnet (trashcan icon next to “default” under subnets
        • Enter new subnet name
        • Enter address range
        • Repeat for backend subnet
        • Click OK
      • Click Next : Frontends >
      • Verify type is toggled to Public
      • Click Add New
        • Enter unique name
        • Click OK
      • Click Next : Backends >
      • Click Add a backend pool
        • Enter unique name
        • Toggle Add backend pool without targets to YES
        • Click Add
      • Click Next : Configuration >
      • Click Add a routing rule
        • Enter unique name
        • Set priority to 100
        • Enter unique listener name
        • Select Frontend IP from dropdown
        • Click Backend Targets tab on add rule screen
        • Choose Target type from dropdown
        • Choose or add new backend target (add new in this example)
          • Enter unique name
          • Select Add
        • Click add to save rule
      • Click Next: Tags >
      • Click Next : Review + create >
      • Once validated click Create
  • Task 2: Add backend targets
    • Open cloud shell (icon next to search bar in Azure Portal
    • Upload ARM template and parameters file in cloud shell (upload/download button in menu)
    • Verify Azure account (az account show –output table)
    • Set subscription in cloud shell (az account set –subscription “Name from output above”)
    • Set ResourceGroup variable ($RGName = “NAME”)
    • Deploy template (New-AzResourceGroupDeployment – ResourceGroupName $RGName -TemplateFile name.json -TemplateParameterFile name.parameters.json)
    • Verify creation (search Virtual Machines in Azure Portal)
  • Task 3: Add backend servers to backend pool
    • In Azure Portal search and select Application Gateways
    • Choose newly created Applicatioin Gateway
    • Under settings choose Backend pools
    • Choose “BackendPool” created previously
    • In Target type dropdown choose Virtual Machine
    • In Target dropdown choose the first BackendVM1-nic
    • Repeat for BackendVM2-nic
    • Click Save
  • Task 4: Test the application gateway
    • Under the Application Gateway click Overview
    • Copy and browse to the Frontend Public IP Address
      • Verify BackendVM1
    • Refresh browser
      • Verify BackendVM2
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-deploy-azure-application-gateway/

Microsoft AZ-700: Configure Azure Application Gateway

Reading Time: 5 minutes

Notes from MS Learn AZ-700 Module 4: Load balance non-HTTP(S) traffic in Azure – Unit 4: Configure Azure Application Gateway

App Gateway has components combining to route requests to pool and verify server health. (Image taken from MS Learn

  • Frontend configuration
    • App Gateway can have
      • Public IP
      • Private IP
      • Both
  • Backend configuration
    • Backend pool used to route requests to backend servers
    • Create empty backend pool and then add backend targets later is possible
    • Targets include
      • NICs
      • Public IP’s
      • Private IP’s
      • VM Scale Sets
  • Configure Health Probes
    • Azure App Gateway by default monitors back-end pool resources
    • Automatically removes unhealthy resources from pool
    • Continuous monitoring of unhealthy and adds them back when return to healthy
    • By default, probes same port defined in back-end HTTP settings
    • Custom probe can be configured with custom port
    • Source IP addr depends on backend pool
      • If server addr is public, source is app gateways frontend public IP
      • If server addr is private, source is app gateway subnet private IP address space
  • Default health probe
    • App gateway has default health probe if custom probes no configured
    • Monitoring via HTTP GET to IP or FQDN configured in back-end pool
    • Default is configured for HTTPS
    • Example
      • App gateway set to use backend receiving HTTP on port 80
      • Default is every 30 seconds with a 30 second timeout
      • HTTP looking for response code 200-399
      • If fails for a server in pool forwarding stopped to server
      • Requests restart when successful response
    • Default health probe settings (Table below from MS Learn)
      • Probe property Value Description Probe URL <protocol>://127.0.0.1:<port>/ The protocol and port are inherited from the backend HTTP settings to which the probe is associated Interval 30 The amount of time in seconds to wait before the next health probe is sent. Time-out 30 The amount of time in seconds the application gateway waits for a probe response before marking the probe as unhealthy. If a probe returns as healthy, the corresponding backend is immediately marked as healthy. Unhealthy threshold 3 Governs how many probes to send in case there’s a failure of the regular health probe. In the v2 SKU, the health probes wait the probe interval before checking again. The back-end server is marked unreachable after the consecutive probe failure count reaches the unhealthy threshold.
    • Probe intervals
      • All App Gateway probes to backend independent of each other
      • Same probe config applies to each App Gateway instance
      • If multiple. Listeners, each probes backend independently
  • Custom health probe
    • Custom probes provide more granular health monitoring
    • Custom Probes
      • Custom hostname
      • URL path
      • Probe interval
      • Number of failed responses before unhealthy
    • Settings (Table below from MS Learn)
      • Probe property Description Name Name of the probe. This name is used to identify and refer to the probe in back-end HTTP settings. Protocol Protocol used to send the probe. This property must match with the protocol defined in the back-end HTTP settings. Host Host name to send the probe. Path Relative path of the probe. A valid path starts with ‘/.’ Port If defined, this property is used as the destination port. Otherwise, it uses the same port as the HTTP settings that it’s associated to. This property is only available in the v2 SKU. Interval Probe interval in seconds. This value is the time interval between two consecutive probes Time-out Probe time-out in seconds. If a valid response isn’t received within this time-out period, the probe is marked as failed. Unhealthy threshold Probe retry count. The back-end server is marked down after the consecutive probe failure count reaches the unhealthy threshold.
  • Probe matching
    • Default: an HTTP(S) response code between 200-399 is healthy
    • Custom probes support two matching criteria to optionally modify default sense of “healthy”
      • HTTP response status code
        • Probe matching for user specified http code or range.
        • Comma-separated status codes or ranges supported
      • HTTP body match
        • Probe matching looking at HTTP body response matching user specified string
        • Looks only for presence of user specified string in body, not a full regular expression match.
    • Match criteria can be specified using New-AzApplicationGatewayProbeHealthResponseMatch cmdlet
  • Configure listeners
    • Logical entity checking for incoming requests using port, protocol, host, IP Addr
    • When configured must enter values that match inbound request values on gateway
    • When creating App Gateway in portal you also create default listener by choosing the protocol and port
    • Choose whether or not HTTP2 is enabled
    • Can edit default listener (appGatewayHttpListener) or create new
  • Listener Types
    • Basic
      • All requests accepted and sent to back-end
    • Multi-site
      • Requests sent to different back-ends based on host header/host name
      • Must specify a host name that matches incoming request
  • Order of processing listenters
    • V1 SKU
      • Requests matched in order of rules and type of listener
    • V2 SKU
      • Multi-site processed before basic
  • Front-end IP address
    • Choose IP planned to associate with listener
    • Listener listens requests on this IP
  • Front-end port
    • Choose port (new or existing)
    • Any value from allowed range
    • Can be used for public or. Private facing listeners
  • Protocol
    • HTTP
      • Traffic between client/app gw unencrypted
    • HTTPS
      • TLS term or end-to-end TLS encryption
      • TLS terminates at app gw
      • Traffic between client and app gw encrypted
      • If end-to-end TLS desired – choose HTTPS and configure back-end HTTP setting
    • Configuring TLS term and end-to-end TLS encryption
      • Must add certificate to listener so gw can derive symmetric key
      • Symmetric key used to encrypt and decrypt gw traffic
      • GW certificate must be in Personal Information Exchange (PFX) format
        • Allows export of private key for gw to use for encrypt/decrypt
  • Redirection Overview
    • App Gateway can redirect traffic
    • GW has generic redirection allowing for received traffic on one listener to send to another or external site
    • Simplifies app config and optimize resource useage
    • Types
      • 301 Perm redirect
      • 302 Found
      • 303 See Other
      • 307 Temp redirect
    • Capabilities
      • Global Redirection
        • From one. Listener to another on GW.
        • Enables HTTP to HTTPS on a site
      • Path-based Redirection
        • Enables HTTP to HTTPS only on specific site area
      • Redirect to external site
        • Requires new redirect config object
        • This specifies the target listener or external site
        • Element also supports options for appending URI path and query to redirected URL
        • Attached to source listener via new rule
  • App Gateway request routing rules
    • Request Routing Rule is key component of App GW as it determines how traffic is routed on the listener
    • Rule binds listener, backend pool, and backend HTTP settings
    • Accepted request, routing rule forwards it to backend or redirects
    • If forwarded – routing rule defines which pool to send to
    • Also determines if headers need to be rewritten
    • One listener to one rule
    • Types
      • Basic
        • All request associated to listener forwarded to backend using associated HTTP setting
      • Path-based
        • Allows routing request on listener to specific backend based on URL
        • If path of URL matches pattern it is routed per rule
        • Applies to path pattern only for URL path not parameters
        • If URL path does not match route to default backend and HTTP settings
  • HTTP settings
    • App GW routes to backend using port number, protocol, and other detailed settings
    • Port and Proto used in HTTP settings determine whether traffic between app gw and backend encrypted or not
    • Additional Uses
      • Determine whether user session kept on same server using cookie-based session affinity
      • Gracefully remove backend members using connection draining
      • Associate custom probe for backend monitoring
      • Set request timeout interval
      • Override host name and path
      • Provide one-select ease to specify settings for backend
Share this article:

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-configure-azure-application-gateway/

Load more