Let's look at the Azure tools that can help you with your network protection.
We discussed the layered approach to security at the beginning of the module.
Protecting the perimeter of your network is an essential part of this approach. You can use Azure Security Center to identify the resources that are publicly exposed but are not protected by a firewall.
A firewall is a device or service that inspects the network traffic and grants access based on the originating IP address, network protocol and port. You can create firewall rules that specify the IP address or IP ranges, protocols and ports, and the firewall will ensure that only allowed requests are forwarded to their target resources.
Azure provides several firewall options for you to protect your network from external attacks.
Azure Firewall is a fully managed service that protects resources in your virtual network. It has built-in high availability and can scale on demand. Azure Firewall is a layer 3 firewall and can protect you not only from HTTP/HTTPS attacks, but also from other protocol attacks such as SSH, Remote Desktop Protocol, File Transfer Protocol and so on.
We've discussed Application Gateway in the past; it has a built-in Web Application Firewall that can protect your web workloads from common attacks like cross-site scripting and SQL injection.
The Azure Marketplace has offers for third-party network virtual appliances that are similar to hardware appliances and offer advanced configurations for applications and solutions that require granular configuration.
Any resource exposed to the Internet is prone to distributed denial of service (DDoS) attacks. The attacker's goal is to overwhelm the endpoints by sending so many requests that the resource becomes unresponsive.
The Azure DDoS Protection service can be used to provide defense against DDoS attacks. Azure DDoS Protection monitors the traffic at the network perimeter. If an attack is detected, you'll be notified using Azure Monitor metrics.
The service comes with two tiers. Basic is automatically enabled as part of the Azure platform. It uses the same algorithms that provide protection for all the other Microsoft services. Standard provides additional capabilities that are based on the traffic and resources in your Azure virtual network.
Azure DDoS Protection uses machine learning to learn the communication patterns between the resources deployed in the VNet and can mitigate various types of attack: volumetric attacks, where the attacker tries to simulate legitimate traffic; protocol attacks, where protocol weaknesses are exploited; or resource-layer attacks, where the application traffic is disrupted.
Protection of the perimeter is just one of the layers of security that you can implement.
You also need to think of protection inside your network and prevent the lateral movement of an attacker if one of your existing defenses fails.
As we discussed previously, network security groups are critical to restricting the communication between your internal resources. Network security groups are resource-based firewalls that allow you to create inbound and outbound rules based on IP addresses, protocols and ports. It's recommended to deny all communication between systems that is not essential for the work of your application.
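The firewall rules described earlier and the network security group rules just mentioned share the same shape: a priority-ordered list of allow/deny rules matched on source address, protocol and port, with a deny-all rule at the end. The following added example (not code from the module or from Azure) is a small Python model of that evaluation; the rule names, subnet 10.0.1.0/24 and the sample flows are constructed for illustration, and only the final DenyAll default rules are modelled.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not the module's own code): simplified model of NSG rule evaluation,
# lowest priority number first, first match wins. Only the DenyAll defaults are modelled.
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules use 100-4096; lower is evaluated first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*" (any)
    source: str         # CIDR prefix or "*" (any address)
    dest_port: str      # "443", "1000-2000" or "*"

def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")        # "22" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)

DEFAULT_RULES = [
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]

def evaluate(rules, direction: str, protocol: str, src_ip: str, dest_port: int):
    """Return (access, rule name) for the first rule that matches the flow."""
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if _addr_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reached while the DenyAll defaults are present

# Constructed sample NSG for a web tier: HTTPS reachable from anywhere, SSH only
# from an admin subnet, everything else (RDP, SSH from the Internet, ...) falls
# through to DenyAllInBound, which is the deny-by-default posture recommended above.
WEB_NSG = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromAdmin", 110, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
]

for flow in [("Tcp", "203.0.113.7", 443), ("Tcp", "203.0.113.7", 22), ("Tcp", "10.0.1.25", 22)]:
    print(flow, "->", evaluate(WEB_NSG, "Inbound", *flow))
```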
You can remove the public access to your Azure services by restricting access to the service endpoint, practically limiting the traffic to the VNet only. Communication with your on-premises workloads can be configured via a virtual private network that communicates with the VPN device on premises, or via a dedicated private connection using ExpressRoute, which also allows you to have private connections to other Microsoft services like Office 365 and Dynamics 365. This limits the exposure to those services as well.
In the next video, we'll see how you can use Azure Advanced Threat Protection to detect threats on your cloud infrastructure.