Friday, 25 March 2022

Azure DDoS Protection


  • Allows you to protect your Azure resources from denial of service (DoS) attacks.
  • DDoS protection (layers 3 and 4) offers two service tiers: Basic and Standard.


Features

  • Basic
    • Enabled by default (free).
    • It mitigates common network attacks.
    • Both Basic and Standard protect IPv4 and IPv6 public IP addresses.

  • Standard
    • Adds advanced capabilities on top of Basic for protecting against network attacks, such as logging, alerting, and telemetry.
    • Mitigates the following attacks:
      • Volumetric attacks – flood the network layer with traffic.
      • Protocol attacks – exploit a weakness in layers 3 and 4.
      • Resource layer attacks – layer 7 attacks that disrupt the transmission of data between hosts.
    • Enables you to configure alerts at the start and stop of an attack.
    • The metric data is retained for 30 days.
    • Provides autotuned mitigation policies (TCP/TCP SYN/UDP) for each public IP.

Feature                                         | Basic                                 | Standard
------------------------------------------------|---------------------------------------|-------------------------------------------------------------
Active traffic monitoring & always-on detection | Yes                                   | Yes
Automatic attack mitigations                    | Yes                                   | Yes
Availability guarantee                          | Azure Region                          | Application
Mitigation policies                             | Tuned for Azure traffic region volume | Tuned for application traffic volume
Metrics & alerts                                | No                                    | Real-time attack metrics and resource logs via Azure Monitor
Mitigation reports                              | No                                    | Post attack mitigation reports
Mitigation flow logs                            | No                                    | NRT log stream for SIEM integration
Mitigation policy customization                 | No                                    | Engage DDoS Experts

Azure Firewall


  • A service that uses a static public IP address to protect your VNet resources.
  • Azure Firewall is PCI, SOC, ISO, ICSA Labs, and HITRUST compliant.


Features

  • A stateful firewall service.
  • You can enable forced tunneling to route Internet-bound traffic to an additional firewall or virtual network appliance.
  • Limit outbound traffic to a given FQDN list, including wildcards.
    • Filter any TCP/UDP protocol outbound traffic.
    • To use FQDNs in your rules, you must enable DNS proxy.
  • Deny the traffic of a malicious IP address with threat intelligence-based filtering.
    • Threat intelligence rules have the highest priority and are always processed first.
    • Threat intelligence modes: Off, Alert only, Alert and deny.
  • With DNS proxy enabled, the firewall listens on port 53 and forwards DNS requests to a DNS server.
  • You can minimize the complexity of creating a security rule using a service tag.
  • Associate up to 250 public IP addresses in your firewall.
  • It supports SNAT and DNAT translation.
    • SNAT – Source NAT for outbound VNet traffic.
    • DNAT – Destination NAT for inbound network traffic.
  • Azure Firewall diagnostic logs (JSON format):
    • Application rule log
    • Network rule log
  • You can store all your logs in a storage account, event hubs, and Azure Monitor logs.
  • Azure Firewall metrics:
    • Application/Network rules hit count
    • Data processed
    • Throughput
    • Firewall health state
    • SNAT port utilization
  • To manage multiple firewalls, you can use Azure Firewall Manager.
  • Protect your VDI deployments using Azure Firewall DNAT rules and threat intelligence filtering.
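A small Python model of the outbound filtering order described in the notes above, added here as an illustration (it is not Azure Firewall's own code): threat intelligence is consulted before any customer rule and honours the three modes, then application rules match FQDN patterns with wildcards. The rule shapes, sample flows and the tiny "threat feed" are constructed for the example.

```python
"""Simplified model of Azure Firewall outbound filtering (illustration, not Azure's code).
Models: threat intelligence is processed before any customer rule, in one of three modes
(Off, Alert only, Alert and deny); application rules allow outbound TCP/UDP traffic to an
FQDN list that may contain wildcards. The rules, flows and "feed" below are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional
import ipaddress

# Constructed threat-intelligence feed (documentation/reserved names, not a real feed).
MALICIOUS_IPS = {"203.0.113.10"}
MALICIOUS_FQDNS = {"bad.example.invalid"}


@dataclass
class Flow:
    src: str              # source IP inside the VNet
    dst_ip: str           # resolved destination IP
    fqdn: Optional[str]   # destination FQDN, None for plain IP traffic
    protocol: str         # "TCP" or "UDP"
    port: int


@dataclass
class AppRule:
    name: str
    sources: List[str]        # CIDR ranges allowed to use this rule
    protocol: str
    port: int
    target_fqdns: List[str]   # may contain wildcards such as *.microsoft.com

    def matches(self, f: Flow) -> bool:
        src = ipaddress.ip_address(f.src)
        return (f.protocol == self.protocol and f.port == self.port
                and any(src in ipaddress.ip_network(c) for c in self.sources)
                and f.fqdn is not None
                and any(fnmatch(f.fqdn, pattern) for pattern in self.target_fqdns))


@dataclass
class Firewall:
    threat_intel_mode: str = "Alert and deny"   # or "Off", "Alert only"
    app_rules: List[AppRule] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)   # stands in for the firewall log

    def evaluate(self, f: Flow) -> str:
        """Return "allow" or "deny" for one outbound flow."""
        # 1. Threat intelligence has the highest priority and runs before any rule.
        hit = f.dst_ip in MALICIOUS_IPS or f.fqdn in MALICIOUS_FQDNS
        if hit and self.threat_intel_mode != "Off":
            self.alerts.append(f"threat-intel: {f.src} -> {f.fqdn or f.dst_ip}")
            if self.threat_intel_mode == "Alert and deny":
                return "deny"
        # 2. Application rules: the first matching FQDN rule allows the flow.
        if any(rule.matches(f) for rule in self.app_rules):
            return "allow"
        return "deny"  # 3. nothing matched: traffic is denied by default
```

In "Alert only" mode a flagged flow is logged but still passes through to the rules, which is why that mode alone does not block anything.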

Pricing

  • You are charged for each firewall deployment.
  • You are charged for any data processed by your firewall.

Azure Active Directory (Azure AD)


  • An identity and access management service that helps you access internal and external resources.
  • Azure AD licenses: Free, Premium P1, Premium P2, and Pay as you go.
    • Free – user and group management in your on-premises directory.
    • Premium P1 – allows access to both on-premises and cloud resources.
    • Premium P2 – provides an additional feature called Azure AD Identity Protection.
    • Pay as you go – offers a feature called Azure AD B2C.

Features

  • You can use Azure AD Authentication for a self-service password reset, MFA, custom banned password list, and smart lockout.
  • Allows you to manage external identities using Azure AD B2B.
  • Azure AD B2C is a business-to-customer identity as a service that gives you control over how your users sign up, sign in, and manage their profiles when using your applications.
  • You can manage the access in your cloud apps with conditional access.
  • Azure AD Device Management allows you to manage and configure device identities.
  • If you need to manage domain services such as domain join, group policy, and authentication, you can use Azure AD Domain Services.
  • Identity Governance ensures that only the authorized people have the right access to specific resources.
  • Supports hybrid identity to access resources in the cloud or on-premises.
  • Use Azure AD Connect to accomplish your hybrid identity goals:
    • Password hash synchronization – a sign-in method.
    • Pass-through authentication – allows users to use the same password on-premises and in the cloud.
    • Federation integration – lets users sign in to Azure AD-based services without having to enter their passwords again.
    • Synchronization between your on-premises environment and Azure AD.
    • Health Monitoring with Azure AD Connect Health.

Concepts

  • Users
    • You can create a new user in your organization or a guest user.
    • By enabling Multi-Factor Authentication, you provide additional security by requiring a second form of authentication from the user. The additional forms that can be used with Azure AD MFA are:
      • Microsoft Authenticator app
      • OATH hardware token
      • SMS
      • Voice call
    • You can also perform the following bulk operations:
      • Bulk create
      • Bulk invite
      • Bulk delete
      • Bulk restore
      • Download users
    • Self-service password reset enables users to manage their passwords from any device, at any time, and from any location.
    • In the device settings, you can change the maximum number of devices per user.
    • You can assign licenses to multiple users or groups to allow them to use the licensed Azure AD services. Licenses are applied per tenant, and you can’t transfer them to other tenants.
  • Groups
    • A collection of users, devices, groups, and service principals.
    • You can easily manage access to your resources by creating an Azure AD group.
    • A user can belong to multiple groups.
    • Groups do not have security credentials.
    • Group Types:
      • Security – it contains users, devices, groups, and service principals as its members. Users and service principals can be owners of this group.
      • Microsoft 365 – it contains users as its members. Both the users and service principals can be owners of this group.
    • Membership type:
      • Assigned – manually add users to be members of the group.
      • Dynamic user – automatically add and remove members using the dynamic membership rules.
      • Dynamic device – automatically add and remove members using the dynamic group rules.
  • With external identities, you can allow users outside your organization to sign in using an external identity provider like Facebook and Google.
  • Administrative roles can be used to grant access to Azure AD and other Microsoft services. There are two types of role definitions:
    • Built-in roles – it has a fixed set of permissions.
    • Custom roles – you can select permissions from a preset list. To create a custom role, you need an Azure AD Premium P1 or P2 plan.
  • An Azure AD resource that can be a container for other Azure AD resources is called an administrative unit. It can only contain users and groups.
  • Devices
    • Azure AD registered
      • The devices registered are personally owned devices (bring your own device or mobile device). These devices are signed in with a personal Microsoft account.
      • The supported operating systems are Windows 10, macOS, iOS, and Android.
      • Mobile Device Management (MDM) helps you enforce configurations such as mandatory storage encryption, password complexity, and up-to-date security software.
      • Key capabilities:
        • Single sign-on (SSO) to cloud resources.
        • Conditional access when enrolled in Microsoft Intune or via App protection policy.
        • Enables phone sign in with Microsoft Authenticator app.
    • Azure AD joined
      • The devices and accounts are owned by an organization. It only exists in the cloud.
      • The supported operating systems are Windows 10 devices (except Windows 10 Home) and Windows Server 2019 Virtual Machines running in Azure.
      • Azure AD join is primarily used for organizations that do not have an on-premises Windows Server AD infrastructure.
      • Key capabilities:
        • SSO to both cloud and on-premises resources.
        • Conditional access through MDM enrollment and MDM compliance evaluation.
        • Self-service password reset and Windows Hello PIN reset on the lock screen.
        • Enterprise State Roaming across devices.
    • Hybrid Azure AD joined
      • The devices and Active Directory Domain Services accounts are owned by an organization. They exist both in the cloud and on-premises.
      • The supported operating systems are Windows 7, 8.1, 10, Windows Server 2008/R2, 2012/R2, 2016, and 2019.
      • You can implement hybrid joined devices if you have an existing on-premises AD footprint and you want to benefit from the capabilities provided by Azure AD.
      • Key capabilities:
        • SSO to both cloud and on-premises resources.
        • Conditional access through Domain join or through Microsoft Intune if co-managed.
        • Self-service password reset and Windows Hello PIN reset on the lock screen.
        • Enterprise State Roaming across devices.
  • If you register your application to use Azure AD, the users in your organization can do the following:
    • Get an identity for their application that is recognized by Azure AD.
    • Get secrets/keys that the application will use for authentication.
    • Create a custom name and logo for your application.
    • Apply Azure AD authorization (RBAC and OAuth).
    • Declare the necessary permissions for the application.
  • With application proxy, you can provide SSO and remote access for web apps hosted on-premises.

Monitoring

  • Monitor the security and usage patterns of your environment with Azure AD reports and monitoring.
  • With Azure AD Connect Health, you can view alerts, monitor performance and check usage analytics of your on-premises Active Directory and Azure AD.

Security

  • Detect potential vulnerabilities and resolve suspicious actions with identity protection.
  • Azure AD PIM helps you control the access within your organization.
  • You can use security defaults to enable MFA in your organization.
  • Enabling security defaults protects you from common identity-related attacks.
  • Block legacy authentication to prevent sign-ins from legacy applications.
  • Identity secure score helps you verify whether your configuration is aligned with Microsoft's security best practices.
  • You can lock out intruders that try to guess your users' passwords or use brute-force methods in Azure AD using smart lockout.
  • Manage, control, and monitor access to significant resources in your organization with Privileged Identity Management (PIM).

Thursday, 24 March 2022

Azure ExpressRoute


  • Enables you to establish a private connection between your on-premises data center or corporate network to your Azure cloud infrastructure.
  • More secure, reliable, and faster than conventional VPN connections.
  • Supports dynamic routing between your network and Microsoft via Border Gateway Protocol (BGP). The connection is redundant in every peering location for higher reliability.


Features

  • ExpressRoute connections enable access to Microsoft Azure services and Microsoft Office 365 services from your on-premises network.
  • Provides connectivity to all regions within a geopolitical region.
  • To extend connectivity across geopolitical boundaries, you can enable ExpressRoute Premium.
  • ExpressRoute Global Reach allows you to exchange data across your on-premises environments by connecting them through your ExpressRoute circuits.
  • ExpressRoute Direct provides dual 100 Gbps connectivity that supports Active/Active connectivity at scale.
  • Bandwidth options are supported up to 10 Gbps.
  • ExpressRoute premium add-on (for ExpressRoute circuit) provides the following capabilities:
    • Increased route limits from 4,000 routes to 10,000 routes for Azure public and private peering.
    • Global access to services across any other region.
    • Increase the number of VNet links (from 10 to a larger limit) on every ExpressRoute circuit.

Use Cases

  • Transferring large data sets.
  • Developing and using applications that use real-time data feeds.
  • Building hybrid environments that satisfy regulatory requirements mandating the use of private connectivity.

Pricing

  • Billing Models:
    • Unlimited data – all inbound and outbound data transfer is free.
    • Metered data – all inbound data transfer is free but outbound data transfer is billed per GB. The rate of data transfer varies by region.
  • ExpressRoute billing begins when a service key is issued to the customer.
  • If the service is active for the entire month, you will be billed for the monthly fee regardless of your usage. However, if you cancelled the service during the month, then you are charged for the hours used.

Azure Front Door


  • A service that uses Microsoft’s global network to improve the availability and performance of your applications to your local and global users.
  • It works at the HTTP/HTTPS layer and uses a split TCP-based anycast protocol to ensure your users connect to the nearest Front Door point of presence.
  • Supports a range of traffic-routing methods and backend health monitoring options for various application needs and automatic failover models.
  • With URL-based routing, it routes the traffic to backend pools based on URL paths of the request.
  • You can configure more than one website on the same Front Door with multiple-site hosting.
  • Use cookie-based session affinity to redirect the user session to the same application backend.
  • Redirect traffic based on protocol, hostname, path, and query string with URL redirect.
  • URL rewrite allows you to configure a Custom Forwarding Path that will copy any part of the incoming path that matches a wildcard path to the forwarded path.
  • Front Door supports end-to-end IPv6 connectivity and HTTP/2 protocol.

Security

  • If you need your domain name to be visible in your Front Door URL, you must have a custom domain. Front Door also supports managed certificates or custom TLS/SSL certificates.
  • You can create custom rules to protect your HTTP/HTTPS workload from exploitation using Azure Web Application Firewall.

Pricing

  • You are charged based on the following:
    • Inbound and outbound data transfers
    • The number of routing rules
  • Front Door has a limit of 100 custom domains. You will be charged for additional domains.

Azure DNS


  • Enables you to host your DNS zone and manage your DNS records.
  • You can configure both public and private DNS zones.
  • Alias record sets:
    • A – maps a host to an IPv4 address.
    • AAAA – maps a host to an IPv6 address.
    • CNAME – points a name to another domain name.
  • A limit of 20 alias record sets per resource.
  • Uses Anycast networking to route users to the closest name servers.
  • You can monitor your DNS zone metrics using Azure Monitor.
    • QueryVolume – query traffic received.
    • RecordSetCount – the number of record sets in your DNS zone.
    • RecordSetCapacityUtilization – percentage of utilization of your recordset capacity.
  • Azure Private DNS allows you to use your custom domain name in your private VNet.
  • Alias record allows you to point your naked domain or apex to a traffic manager or CDN endpoint.

Private DNS

  • Allows you to manage and resolve domain names in a virtual network.
  • Configure a split-horizon DNS to create zones with the same name.
  • It supports the following DNS record types: A, AAAA, CNAME, MX, PTR, SOA, SRV, and TXT.
  • A virtual network can be linked to only one private zone, but you can link multiple virtual networks to a single DNS zone.
  • Reverse DNS lookups are supported for the private IP space in the linked virtual network.

Security

  • To prevent accidental zone deletion, you can apply a 'CanNotDelete' lock.
  • Create a custom role that does not include the zone delete permission.
  • You can deploy a DNS firewall to mitigate DNS-related security issues.

Pricing

  • Billed on the number of hosted DNS zones.
  • You are charged based on the number of DNS queries received.

Azure Traffic Manager


  • A DNS-based traffic load balancer.
  • Improves the responsiveness of your applications by sending the request to the closest endpoint.
  • It offers a range of traffic-routing methods and endpoint monitoring options.

Features

  • It is resilient to failure.
  • You can obtain actionable insights about your users using Traffic View.
  • Improve the availability of your applications by using traffic manager health checks.
  • Offers automatic failover when an endpoint goes down.
  • Traffic Manager endpoints: Azure, External, and Nested.
  • Combine multiple traffic-routing methods using nested traffic manager profiles.

Routing Methods

  • Priority – allows you to set a primary endpoint for all traffic.
  • Weighted – distribute traffic according to weights.
  • Performance – routes users to the closest endpoint.
  • Geographic – direct users to a specific endpoint based on their geographic location.
  • Multivalue – returns multiple endpoints with IPv4/IPv6 addresses.
  • Subnet – map end-user IP address ranges to a specific endpoint.

Pricing

  • You are charged based on the number of DNS queries received.
  • You are also charged for each monitored endpoint.
  • You can reduce your DNS query charges by configuring a larger TTL.
  • You are charged for the number of data points used in the traffic view.