Utilizing Azure’s network security features to achieve Zero Trust

Since the COVID-19 pandemic breakthrough, the speed of digital transformation has accelerated, and enterprises are always looking to move their workloads to the cloud and make sure those workloads are secure. Organizations also require a new security architecture that can more readily adapt to the complexity of the contemporary workplace, embrace the hybrid workplace, and safeguard applications and data wherever they may be.

Microsoft’s Zero Trust Framework upholds three principles to safeguard assets everywhere:

Clearly establish: Always verify user identity and authorization using all relevant data, such as location, device health, service or workload, data classification, and anomalies.

Implement least privileged access: To safeguard both data and productivity, restrict user access via just-in-time and just-enough-access (JIT and JEA), risk-based adaptive policies, and data protection.

Suppose a breach reduce the blast radius and divide access. Use analytics to get visibility, drive threat detection, and strengthen defences while also verifying end-to-end encryption.

The third principle—assume breach—will be the main emphasis of this blog as we discuss several Azure network security capabilities that assist enterprises in addressing Zero Trust.

Network firewalling

Typically installed at the edge networks, network firewalls filter traffic between trusted and untrusted zones. This paradigm is expanded upon by the zero trust strategy, which suggests traffic filtering between internal networks, hosts, and applications.

The Zero Trust strategy implies breach and acknowledges the reality that malicious individuals exist everywhere. It suggests that instead of erecting a barrier separating trusted and untrusted zones, we should validate each attempt at access, restrict user access to JIT and JEA, and harden the resources themselves. This does not, however, prevent us from maintaining security zones. Network firewalling, which divides the network into smaller zones and regulates what data is permitted to travel between them, really offers a sort of checks and balances for network communications. We are forced to think about whether a specific link should cross a critical border as a result of this security-in-depth strategy.

In Zero Trust networks, where should firewalling be implemented? In order to protect your network, you need put firewalling in place both inside and outside of your network. Filtering and firewalling services are offered by Azure and are set up at the host as well as between virtual networks or subnets. Let’s talk about how Zero Trust is supported by Azure’s firewalling services.

Azure network security group (NSG)

In an Azure virtual network, you can use the Azure network security group to filter network traffic going to and coming from Azure services. Outside of the virtual machines, NSG is implemented at the host level (VMs). A subnet or VM NIC can be connected to NSG in terms of user setup. A type of perimeter filtering that we’ll talk about later is connecting an NSG to a subnet. The more appropriate use of NSG in the context of Zero Trust networks is connected to a particular VM (such as by means of assigning an NSG to a VM NIC). It allows filtering policies for each virtual machine, enabling the VM to take part in its own security. Instead of leaving all firewalling to a single, centralised firewall, it helps to ensure that each virtual machine (VM) filters its own network traffic.
Even though host firewalling can be set up at the guest OS level, Azure NSG provides security for a VM that is hacked. The on-host firewall could be disabled by an attacker who gains access to the VM and elevates its privileges. By implementing NSG outside of the VM and isolating host-level filtering, the firewalling system is protected from assaults with high confidence.

Filtering for both inbound and outbound traffic

NSG offers both inbound (to control traffic entering a VM) and outbound (to control traffic leaving a VM) filtering (regulate traffic leaving a VM). In Zero Trust networks, outbound filtering, particularly across resources in the vnet, is crucial to further hardening the workloads. This crucial inbound filtering layer of defence, for instance, can be lost as a result of a configuration error in incoming NSG rules, which is very difficult to spot. Subnets are still protected even in the event of such a crucial misconfiguration because to pervasive NSG outbound filtering.

Azure application security groups can help you simplify NSG configuration

By establishing network security as an extension of an application’s structure, Azure application security groups (ASGs) make the configuration and maintenance of NSGs simpler. You can organise VMs into groups using ASGs, and you can base network security policies on these groups. Network security can be reused at scale using ASGs without the need for manual upkeep of explicit IP addresses. In the condensed example that follows, we apply an NSG1 at the subnet level and assign two virtual machines to a WebASG (web application tier ASG), and another VM to a LogicASG (business logic application tier ASG).

Instead of handling each VM separately, we can apply security rules to ASGs. Instead of establishing a separate rule for each VM, the rule below permits HTTP traffic from the Internet (TCP port 80) to VM1 and VM2 in the web application tier by designating WebASG as the destination.

Priority Source Source ports Destination Destination ports Protocol Access
100 Internet * WebASG 80 TCP Allow


Azure Firewall

While host-level filtering is useful for establishing micro perimeters, virtual network or subnet level firewalling offers an additional crucial degree of security. It shields as much infrastructure as it can from unauthorised internet traffic and potential threats. In order to reduce the blast radius in case of attacks, it also protects east-west traffic.

A firewalling native network security service is called Azure Firewall. When combined with NSG, these two services offer crucial checks and balances for Zero Trust networks. While NSG establishes fine-grained host policy, Azure Firewall applies global rules. The administration of the firewalling policy may be made simpler by this distinction between host filtering and perimeter filtering.

The best practise for the zero-trust approach is to always encrypt data in transit to achieve end-to-end encryption. Customers frequently want access to their data, though, as well as the ability to use additional security measures on the unencrypted data from an operational standpoint.

With its transport layer security (TLS) inspection capabilities, Azure Firewall Premium can fully decrypt and encrypt traffic, enabling the use of intrusion detection and prevention systems (IDPS) and giving users access to the data itself.

DDoS Protection

Zero Trust aims to authenticate and authorise nearly everything on the network, but it does not offer effective DDoS attack mitigation, especially against volumetric attacks. DDoS assaults can affect any system that can accept packets, including those that have a Zero Trust design. Therefore, any Zero Trust solution must be completely secured against DDoS attacks.

DDoS mitigation features are offered by Azure DDoS Protection Standard to give defence against DDoS attacks. Any virtual network resource that is accessible via the internet has it automatically configured to assist safeguard it. No application or resource changes are necessary to enable protection on any virtual network, new or old.

Utilize Azure Firewall Manager to enhance SecOps

Providing centralised security policy and route management for cloud-based security perimeters, Azure Firewall Manager is a security management service.

In addition to managing Azure Firewall policies, Azure Firewall Manager now enables you to link your virtual networks to a DDoS defence strategy. Plans for DDoS prevention can be implemented to virtual networks across many subscriptions under a single-tenant. The Virtual Networks dashboard allows you to create a list of all virtual networks without DDoS protection plans and apply new or available protection plans to those networks.

Additionally, Azure Firewall Manager enables you to safeguard your users’ Internet access using your trusted, top-tier, third-party SECaaS products.

You can further optimise your SecOps with a one-stop-shop that offers you best-in-class networking security services, posture management, and workload protection—as well as SIEM and data analytics—by seamlessly integrating with Azure core security services, such as Microsoft Defender for Cloud, Microsoft Sentinel, and Azure Log Analytics.

Next steps

Organizations working to safeguard the current state of things must practise zero trust. For security professionals, it is a continual journey, but beginning with a few initial actions and continuing to iterate on them is the first step. We discussed a number of Azure security services in this blog post, along with how they help all organisations move toward zero trust.