Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 7: Exercise – Deploy and Configure Azure Firewall Using the Azure Portal
Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)
Task 1: Create a virtual network and subnets.
Search and Choose Virtual Networks in Azure Portal
Click Create
Choose a resource group from the dropdown or click create new (create new in this example)
Enter a unique name in the dialog box and click OK
Enter a unique name under Instance Details
Select a region from the dropdown
Click Next : IP Addresses >
Select (check box) and the link to the default subnet
In right panel enter a unique subnet name
Enter an appropriate Subnet address range
Click Save
Click Add subnet for later use
Repeat above settings as appropriate
Click Add
Click Review + create
Once Validation has passed click Create
Task 2: Create a virtual machine.
Open PowerShell in cloudshell (Shell button next to portal search bar)
Upload Template and Parameters files
View and specify subscription
“az account show –output table”
“az account set –subscription “NAME from output above””
Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 6: Design and Implement Azure Firewall
Azure. FW is managed, cloud based security service protecting VNet resources. Fully stateful FWaaS with build-in HA and unrestricted cloud scalability.
Azure Firewall Features
Built-in HA
HA so no extra load balancers required or configuration needed
Unrestricted cloud scalability
Azure FW can scale out as much as needed. No need to budget for peak traffic
App FQDN filtering rules
Limit outbound HTTP/S or Azure SQL traffic to specific list of FQDNs including wildcard
Doesn’t require TLS term
Net traffic filtering rules
Centrally create allow/deny rules by
Source/Dest IP
Port
Protocol
Azure FW is fully stateful
Rules enforced and logged across multiple subscriptions and VNets
FQDN tags
Make it easy to allow well-known Azure service traffic through FW
Create an app rule and include Windows Update tag for example
Service tags
Represents group of IP address prefixes minimizing complexity for rule creation
Cannot create personal service tag or specify which IP addrs included in tag
MS manages prefixes by tag and auto updates as addrs change
Threat intelligence
Threat intelligence-based filtering (IDPS) possible to alert and deny traffic from/to known malicious IP/Domains
IP addrs/domains sources from MS Threat Intelligence feed
TLS inspection
FW can decrypt outbound traffic, process, reqncrypt and send to DST
Outbound SNAT support
All outbound VNet traffic Ips translate to Azure FW public IP (Source Network Address Translatioin (SNAT))
Identify and allow traffic originating from VNet to remote Inet DSTs
Inbound DNAT support
Inbound Inet traffic to FW public IP translated (Destination Network Addr Translation) filtered to. Private IP on VNet
Multiple public IP addrs
Associate multiple (up to 250) with FW for specific DNAT/SNAT scenarios
Azure Monitor Logging
All events integrated to Azure Monitor
Allows archival of logs to storage account
Stream events to Event Hubs
Send to Azure Monitor Logs
Forced tunneling
Configure Azure FW to route all Inet bound traffic to a next hop instead of direct to Inet
Example to send to on-prem FW or NVA to process
Web categories
Allow or deny user access to web site categories
Categories included in Azure FW Standard
Categories more fine-tuned in Premium Preview
Standard matches FQDN, in Prekmium match on entire URL for HTTP or HTTP/S
Certs
Azure FW is PCI, SOC, ISO, and ICSA Labs compliant
Rule processing in Azure Firewall
In Azure FW, Possible to configure NAT rules, network rules, app rules. FW denies all traffic by default until manual rules configured to allow
Rule processing with classic rules
Rule collections are processed according to type in priority order
Lower numbers to higher from 100 – 65000
A rule collection name is only letters, numbers, underscores, period and hyphens
Must being with a letter or number
Must end with letter,number,underscore
Max name – 80 chars
Increments of 100 for priority allowing additional rules in between later
Rule processing with Firewall Policy
FW Policy, rules organized inside Rule Collections contained in Rule Collectioin Groups
Rule Collection types
DNAT
Network
Application
Define multiple types in single group
Can define zero+ rules in a collection
Rules in collection MUST be SAME type
FW Policy – rules processed on Rule Collection Group Priority
Number between 100 (highest) and 65000 (lowest)
Highest rule in group processed first
Application rules always processed after network rules which are always processed after DNAT rules
Deploying and configuring Azure FW
Consideration Factors
FW centrally create,enforce,log app/network connectivity policies across subscriptions and VNets
FW uses static, public IP for VNet resources
FW fully integrated with. Azure Monitor for log/analytics
Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 5: Deploy Network Security Groups by Using the Azure Portal
NSG in Azure allows filtering network traffic to/from Azure resources in a VNet. NSG contains security rules to allow/deny inbound traffic to, or outbound from several types of resources. Each rule specifies source/destination, port, protocol.
NSG Security Rules
NSG contains zero, or as many rules as you want, within subscription Limits
Each rule has a series of properties
Name
Must be unique within NSG
Priority
Number between 100-4096
Processed in order with lower number handled first
Once traffic matches rule processing stops
SRC or DST
Can be set to
Any
Individual IP
CIDR block
Service tag
App security group
Protocol
TCP
UDP
ICMP
ESP
AH
Any
Direction
Rx
Tx
Port Range
Individual Port
Range of Ports
Action
Allow
Deny
FW evaluates rules using source, source port, dest, dest port, protocol
Default security rules
(Table below from MS Learn)
Deployment scenario examples based on diagram below (Diagram from MS Learn)
For inbound traffic Azure processes rules in NSG associated to subnet first (if exists), and then rules in NSG associated to interface (if exists)
VM1
Subnet1 associated with NSG1
Security rules are processed
VM1 is in Subnet1
Unless rule created that allows port 80 in, the DenyAllInbound default rule denies the traffic
In this case never evaluated by NSG2 as it’s associated to network interface
If NSG1 has rule allowing port 80, NSG2 then processes traffic
To allow port 80 to VM both NSG1 and NSG2 must have rule that llows port 80 from inet
VM2
NSG1 rule processed because VM2 in Subnet 1
Since VM2 has no NSG associated with interface all traffic received through NSG1 or denied all traffic by NSG1
Traffic either allowed or denied to all resources in same subnet when NSG is associated with subnet
VM3
No NSG associated with Subnet2 – traffic allowed into subnet and processed by NSG2 as it’s associated to interface attached to VM3
VM4
Traffic allowed to VM4 since NSG isn’t associated to Subnet3 or interface of virtual machine
All traffic allowed through a subnet & interface if they doesn’t have NSG associated
For outbound traffic Azure processes rules in NSG associated with interface first then subnet (if there is one in both cases)
VM1
Security rules in NSG2 processed Unless security rule denying port 80 out to internet, then the AllowInternetOutbound default rule allows traffic in both NSG1 and 2
If NSG2 has rule denying port 80 traffic is denied and NSG1 never evaluates
To deny port 80 from VM either/or both of NSGs must have rule denying 80 or internet
VM2
All traffic sent through interface to subnet since interface is attached to VM2 doesn’t have NSG associated
NSG1 rules are processed
VM3
If NSG2 has rule denying 80 traffic denied
If NSG2 has rule allowing port 80 allowed out to internet since NSG isn’t associated to Subnet2
VM4
All traffic allowed from because NSG isn’t associated to network interface on VM or Subnet3
Application Security Groups
ASG enables configuration of network security as natural extension to apps structure
Allows grouping VMs and defining network security policy on these groups
Can reuse security policy at scale without manual maintenance of IP addresses
Platform handles complexity of IP addresses and multi rule sets
Create rules using service tags/ASG’s and avoid rules with individual Ips or ranges to minimize security rules needed
Filter network traffic with an NSG using Azure Portal
Use NSG to filter Rx/Tx from VNet
NSG contain security rules filtering traffic by IP, port, protocol and are applied to resources in a subnet
Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 4: Exercise – Configure DDoS Protection on a Virtual Network Using the Azure Portal
Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)
Task 1: Create a DDoS Protection plan.
Search and click DDoS Protection Plans in Azure Portal
Click Create
Select or Create New Resource Group (create new in this example)
Enter unique name and click OK
Enter unique name under Instance Details
Choose Region from dropdown
Click Review + Create
Once Validated click Create
Task 2: Enable DDoS Protection on a new virtual network.
Search and click Virtual Networks in Azure Portal
Click Create
Choose Resource Group from dropdown
Enter unique Name under Instance details
Choose Next : IP Addresses >
Choose Next : Security >
Toggle DDoS Network Protection to Enable
Choose DDoS Protection Plan created earlier from dropdown
Select Review + Create
Once validated select Create
Task 3: Configure DDoS telemetry.
Search and click Public IP Addresses in Azure Portal
Click Create
Enter unique name
Enter DNS Name Label
Choose Resource Group from dropdown
Click Create
Search for DDoS protection plan created earlier
Choose Metrics under Monitoring
Set Scope to MyPublicIPAddress
Click Apply
Set Metrick from dropdown
Inbound packets dropped
Task 4: Configure DDoS diagnostic logs.
Search and select my public IP address
Choose Diagnostic settings under Monitoring
Select Add diagnostic setting
Check all 3 boxes under Categories
Check AllMetrics box under metrics
Check send to Log Analytics workspace box
Task 5: Configure DDoS alerts.
Search and navigate to Virtual Machines in Portal
Click Create > Azure Virtual Machine
Choose Resource Group from dropdown
Provide Virtual Machine Name
Choose Review + Create
Once Validated click Create
Click Download private key and create resource in Generate new key pair dialog
Click Go to resource
Click Networking under settings
Click link next to Network Interface
Select IP configurations under settings
Chose ipconfig1
Under Public IP address choose MyPublicIPAddress
Click Save
Navigate to DDoS protection plans in Azure Portal
Choose MyDDoSProtectionPlan as created earlier
Click Alerts under monitoring
Click Create > Alert Rule
Delete existing resource
Click Select Scope
Under Filter by resource choose search for and choose Public IP Addresses from the dropdown
Choose MyPublicIPAddress as created earlier
Click Done
Choose Next : Condition >
Choose Under DDoS attack or not
Select Maximum under Aggregation type dropdown
Select Greater than or equal too under Operator dropdown
Enter Threshold value (1 in this example)
Select Next: Actions >
Select Next : Details >
Enter Alert rule name
Choose Review + create
Click Create
Task 6: Monitor a DDoS test attack.
Search Public IP Addresses in Azure Portal and on page click MyPublicIPAddress as created above
Copy the IP Address
Click Metrics under Monitoring section in left panel
In the Metric dropdown choose Under DDoS attack or not
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-configure-ddos-protection-on-a-virtual-network-using-the-azure-portal/
Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 2: Get Network Security Recommendations with Microsoft Defender for Cloud
Network security is various tech, devices, processes and provides rules and configs to protect the CIA of networks/data. Every org though have some sort of network security
Notes from MS Learn AZ-700 Module 4: Load balance non-HTTP(S) traffic in Azure – Unit 6: Exercise – Create a Front Door for a Highly Available Web Application
Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)
Task 1: Create two instances of a web app
Search and select App Services in Azure Portal
Click Create
Choose or Create new under Resource Group
Enter Unique name under Instance Details
Choose a Runtime stack from dropdown
Choose a region from dropdown
Choose or create new under Windows Plan (Create new in this example)
Enter Unique Name
Click OK
Click Review + Create
Once validated click Create
Repeat for second App Service
Task 2: Create a Front Door for your application
Search and click Front Door and CDN profiles in Azure Portal
Click Create
Leave Quick Create selected
Click Continue to create a Front Door
Select (or create new) a Resource group from the dropdown (choose from dropdown in this example)
Enter unique name under Profile details
Enter unique name under Endpoint settings
Select “App services” from Origin type dropdown
Select Origin host name from dropdown
Click Review + Create
Once Validated click Create
Click Go to resource once deployment complete
Click Origin groups
Click created origin group (default-origin-group in this example)
Click Add an origin
Enter Unique name
Select Origin type from dropdown
Select Host name from dropdown
Click Add
Click Update
Task 3: View Azure Front Door in action
Click Overview under the Frontdoor page
Copy Endpoint hostname and navigate to address
Search and click App Services in Azure Portal
Check box next to first App Service (WebAppContoso-2001)
Select Stop in menu bar
Select Yes to verify
Click refresh in menu bar
App should show status stopped
Go back to App browser tab and refresh
Should appear the same
Go back to Azure and stop second webapp
Return to App browser tab – refresh – should show Error code as unavailable now that both are stopped
Notes from MS Learn AZ-700 Module 4: Load balance non-HTTP(S) traffic in Azure – Unit 5: Design and Configure Azure Front Door
Front Door is MS modern cloud Content Delivery Network (CDN) providing fast, reliable, secure access between users and apps. Delivered using MS global edge network with hundreds of global/local POPs close to both enterprise network and consumer end users.
Orgs have apps to make available to customers, suppliers, users, etc. They must be highly available. Additionally they nee quick response and security. Front Door has many SKUs to achieve this.
Secure/Modern cloud CDN offers distributed platforms of servers. This minimizes latency. IT may desire to use CDN and web app FW to control HTTP/HTTPS traffic tx/rx target apps
Products available (Table below from MS Learn)
Azure Front Door comparison
Offered in 2 tiers
Standard
Premium
Combine capability of Front Door (classic), CDN Standard from MS (classic) and Azure WAF into single secure cloud CDN with intelligent threat protection
Notes from MS Learn AZ-700 Module 4: Load balance non-HTTP(S) traffic in Azure – Unit 4: Configure Azure Application Gateway
App Gateway has components combining to route requests to pool and verify server health. (Image taken from MS Learn
Frontend configuration
App Gateway can have
Public IP
Private IP
Both
Backend configuration
Backend pool used to route requests to backend servers
Create empty backend pool and then add backend targets later is possible
Targets include
NICs
Public IP’s
Private IP’s
VM Scale Sets
Configure Health Probes
Azure App Gateway by default monitors back-end pool resources
Automatically removes unhealthy resources from pool
Continuous monitoring of unhealthy and adds them back when return to healthy
By default, probes same port defined in back-end HTTP settings
Custom probe can be configured with custom port
Source IP addr depends on backend pool
If server addr is public, source is app gateways frontend public IP
If server addr is private, source is app gateway subnet private IP address space
Default health probe
App gateway has default health probe if custom probes no configured
Monitoring via HTTP GET to IP or FQDN configured in back-end pool
Default is configured for HTTPS
Example
App gateway set to use backend receiving HTTP on port 80
Default is every 30 seconds with a 30 second timeout
HTTP looking for response code 200-399
If fails for a server in pool forwarding stopped to server
Requests restart when successful response
Default health probe settings (Table below from MS Learn)
Probe propertyValueDescription Probe URL <protocol>://127.0.0.1:<port>/ The protocol and port are inherited from the backend HTTP settings to which the probe is associated Interval 30 The amount of time in seconds to wait before the next health probe is sent. Time-out 30 The amount of time in seconds the application gateway waits for a probe response before marking the probe as unhealthy. If a probe returns as healthy, the corresponding backend is immediately marked as healthy. Unhealthy threshold 3 Governs how many probes to send in case there’s a failure of the regular health probe. In the v2 SKU, the health probes wait the probe interval before checking again. The back-end server is marked unreachable after the consecutive probe failure count reaches the unhealthy threshold.
Probe intervals
All App Gateway probes to backend independent of each other
Same probe config applies to each App Gateway instance
If multiple. Listeners, each probes backend independently
Custom health probe
Custom probes provide more granular health monitoring
Custom Probes
Custom hostname
URL path
Probe interval
Number of failed responses before unhealthy
Settings (Table below from MS Learn)
Probe propertyDescription Name Name of the probe. This name is used to identify and refer to the probe in back-end HTTP settings. Protocol Protocol used to send the probe. This property must match with the protocol defined in the back-end HTTP settings. Host Host name to send the probe. Path Relative path of the probe. A valid path starts with ‘/.’ Port If defined, this property is used as the destination port. Otherwise, it uses the same port as the HTTP settings that it’s associated to. This property is only available in the v2 SKU. Interval Probe interval in seconds. This value is the time interval between two consecutive probes Time-out Probe time-out in seconds. If a valid response isn’t received within this time-out period, the probe is marked as failed. Unhealthy threshold Probe retry count. The back-end server is marked down after the consecutive probe failure count reaches the unhealthy threshold.
Probe matching
Default: an HTTP(S) response code between 200-399 is healthy
Custom probes support two matching criteria to optionally modify default sense of “healthy”
HTTP response status code
Probe matching for user specified http code or range.
Comma-separated status codes or ranges supported
HTTP body match
Probe matching looking at HTTP body response matching user specified string
Looks only for presence of user specified string in body, not a full regular expression match.
Match criteria can be specified using New-AzApplicationGatewayProbeHealthResponseMatch cmdlet
Configure listeners
Logical entity checking for incoming requests using port, protocol, host, IP Addr
When configured must enter values that match inbound request values on gateway
When creating App Gateway in portal you also create default listener by choosing the protocol and port
Choose whether or not HTTP2 is enabled
Can edit default listener (appGatewayHttpListener) or create new
Listener Types
Basic
All requests accepted and sent to back-end
Multi-site
Requests sent to different back-ends based on host header/host name
Must specify a host name that matches incoming request
Order of processing listenters
V1 SKU
Requests matched in order of rules and type of listener
V2 SKU
Multi-site processed before basic
Front-end IP address
Choose IP planned to associate with listener
Listener listens requests on this IP
Front-end port
Choose port (new or existing)
Any value from allowed range
Can be used for public or. Private facing listeners
Protocol
HTTP
Traffic between client/app gw unencrypted
HTTPS
TLS term or end-to-end TLS encryption
TLS terminates at app gw
Traffic between client and app gw encrypted
If end-to-end TLS desired – choose HTTPS and configure back-end HTTP setting
Configuring TLS term and end-to-end TLS encryption
Must add certificate to listener so gw can derive symmetric key
Symmetric key used to encrypt and decrypt gw traffic
GW certificate must be in Personal Information Exchange (PFX) format
Allows export of private key for gw to use for encrypt/decrypt
Redirection Overview
App Gateway can redirect traffic
GW has generic redirection allowing for received traffic on one listener to send to another or external site
Simplifies app config and optimize resource useage
Types
301 Perm redirect
302 Found
303 See Other
307 Temp redirect
Capabilities
Global Redirection
From one. Listener to another on GW.
Enables HTTP to HTTPS on a site
Path-based Redirection
Enables HTTP to HTTPS only on specific site area
Redirect to external site
Requires new redirect config object
This specifies the target listener or external site
Element also supports options for appending URI path and query to redirected URL
Attached to source listener via new rule
App Gateway request routing rules
Request Routing Rule is key component of App GW as it determines how traffic is routed on the listener
Rule binds listener, backend pool, and backend HTTP settings
Accepted request, routing rule forwards it to backend or redirects
If forwarded – routing rule defines which pool to send to
Also determines if headers need to be rewritten
One listener to one rule
Types
Basic
All request associated to listener forwarded to backend using associated HTTP setting
Path-based
Allows routing request on listener to specific backend based on URL
If path of URL matches pattern it is routed per rule
Applies to path pattern only for URL path not parameters
If URL path does not match route to default backend and HTTP settings
HTTP settings
App GW routes to backend using port number, protocol, and other detailed settings
Port and Proto used in HTTP settings determine whether traffic between app gw and backend encrypted or not
Additional Uses
Determine whether user session kept on same server using cookie-based session affinity
Gracefully remove backend members using connection draining
Associate custom probe for backend monitoring
Set request timeout interval
Override host name and path
Provide one-select ease to specify settings for backend