FY23 March Rockstar Network Security March 2023 Binal Print

The document outlines Azure Network Security services, emphasizing zero trust protection through various tools such as DDoS protection, Web Application Firewall, and Azure Firewall. It details the architecture for secure deployments, including Network Security Groups and Private Link services, while highlighting the importance of centralized management and threat intelligence. Additionally, it discusses the evolution of Azure Firewall capabilities and its integration with Azure Sentinel for enhanced security monitoring and response automation.

Uploaded by

Nhật Quang

Azure Network Security

Protection services enabling zero trust: DDoS protection, Web Application Firewall, Azure Firewall, Network Security Groups, VNET Integration.

Advanced network and application threat protection for Azure cloud infrastructure: application protection and segmentation.


Azure network security (diagram): Front Door with WAF and DDoS Protection at the edge, Application Gateway with WAF, Azure Firewall, and NSG/ASG and UDR inside the Virtual Network; deployments with WAF, and isolation.

Network Security Group (diagram): region us-west, Virtual Network vnet1 10.1.0.0/16 with a web subnet 10.1.1.0/24 and an app subnet 10.1.2.0/24, each with its own NSG. The Internet is allowed HTTPS to the web subnet, and the web subnet is allowed HTTP to the app subnet.

Action   Name       Source     Destination   Port
Allow    Webrule    Internet   10.1.1.0/24   443
Allow    Webtoapp   web        app           80
Deny     DenyAll    Any        Any           Any
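The table above only makes sense together with the way an NSG evaluates it: rules are checked in ascending priority order, the first match decides, and anything left over is denied. The following Python model, added here as an illustration and not Microsoft code, replays the slide's three rules against a few flows. The priorities, the mapping of the labels Internet/web/app to address ranges, and the sample flows are assumptions; the platform's own default rules (AllowVnetInBound and friends at priority 65000+) are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    priority: int      # lower number = evaluated first
    name: str
    action: str        # "Allow" or "Deny"
    source: str        # CIDR, or one of the slide's labels: Internet, web, app, Any
    destination: str
    port: str          # destination port, or "Any"


# What the slide's labels stand for (assumed from the diagram; vnet1 is 10.1.0.0/16).
VNET = ipaddress.ip_network("10.1.0.0/16")
LABELS = {
    "web": ipaddress.ip_network("10.1.1.0/24"),
    "app": ipaddress.ip_network("10.1.2.0/24"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}


def address_matches(spec: str, address: str) -> bool:
    """'Internet' is modelled here as any address outside the VNet; other specs are labels or CIDRs."""
    ip = ipaddress.ip_address(address)
    if spec == "Internet":
        return ip not in VNET
    network = LABELS.get(spec) or ipaddress.ip_network(spec)
    return ip in network


def port_matches(spec: str, port: int) -> bool:
    return spec == "Any" or int(spec) == port


# The slide's table. Priorities are an assumption (the slide shows none); they follow the listed order.
SLIDE_RULES = [
    NsgRule(100, "Webrule", "Allow", "Internet", "web", "443"),
    NsgRule(110, "Webtoapp", "Allow", "web", "app", "80"),
    NsgRule(4096, "DenyAll", "Deny", "Any", "Any", "Any"),
]


def evaluate(rules, src: str, dst: str, port: int):
    """First matching rule in priority order decides; no match at all means the flow is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (address_matches(rule.source, src)
                and address_matches(rule.destination, dst)
                and port_matches(rule.port, port)):
            return rule.action, rule.name
    return "Deny", "<no matching rule>"


if __name__ == "__main__":
    # Constructed flows: Internet->web on 443, web->app on 80, Internet straight to app, web->app on SSH.
    for flow in [("203.0.113.10", "10.1.1.5", 443), ("10.1.1.5", "10.1.2.7", 80),
                 ("203.0.113.10", "10.1.2.7", 80), ("10.1.1.5", "10.1.2.7", 22)]:
        print(flow, "->", evaluate(SLIDE_RULES, *flow))
```

The third and fourth flows show why the explicit DenyAll row matters for readability even though an NSG denies unmatched inbound traffic anyway: a reviewer can see which rule produced the verdict rather than relying on the implicit default.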
Azure Private Link
Access to Azure PaaS services (diagram): without Private Link, a Virtual Network (10.0.0.0/16) communicates with the PaaS service over its public IP address; with Private Link, the service is reached over a private IP address (10.0.0.4) in the Hub VNet, and that path is also usable from a Spoke VNet over VNet Peering and from on-premises over ExpressRoute (ER).
Private Endpoint: DNS Integration

Using Custom DNS on Azure / Using Private Zone DNS
✓ Resolving on Custom DNS on Azure with conditional forwarding for Azure DNS
✓ Same connection URL, no change required on Applications
✓ Easy to configure DNS server to resolve from VNet
✓ Integrate Private Zone DNS with private record for VNet
✓ Internet remains resolving to Public IP address
✓ Resolve from on premises using same Custom DNS

Diagram: Private Zone DNS, domain privatelink.service.windows.net, A record myresource -> 10.1.1.20 (the private endpoint). DNS Conditional Forwarders on the Custom DNS: service.windows.net -> Azure DNS name servers.
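The split-horizon behaviour on this slide (VNet and on-premises clients get the private endpoint address, Internet clients keep getting the public address) is easiest to see as a small resolver model. The Python below is an added illustration, not Microsoft code. Only the private zone entry myresource -> 10.1.1.20 comes from the slide; the public CNAME chain, the public address 20.0.0.10 and the www.example.com record are constructed, and the on-premises forwarder is modelled as reaching Azure DNS directly (in practice it goes through a DNS forwarder inside the VNet).

```python
# Private DNS zone linked to the VNet (record from the slide).
PRIVATE_ZONES = {
    "privatelink.service.windows.net": {"myresource": "10.1.1.20"},
}

# Public DNS as the Internet sees it (constructed): the service name is a CNAME to its
# privatelink name, and that name resolves to the service's public IP.
PUBLIC_DNS = {
    "myresource.service.windows.net": ("CNAME", "myresource.privatelink.service.windows.net"),
    "myresource.privatelink.service.windows.net": ("A", "20.0.0.10"),
    "www.example.com": ("A", "198.51.100.7"),
}


def resolve(name: str, private_zones_visible: bool) -> str:
    """Resolve a name, following CNAMEs.

    Inside the VNet, Azure DNS answers from a linked private zone before falling back
    to public DNS; from the Internet only public DNS exists, so the privatelink name
    keeps resolving to the public address there."""
    label, _, zone = name.partition(".")
    if private_zones_visible and label in PRIVATE_ZONES.get(zone, {}):
        return PRIVATE_ZONES[zone][label]
    rtype, value = PUBLIC_DNS[name]
    if rtype == "CNAME":
        return resolve(value, private_zones_visible)  # the target is resolved in the same horizon
    return value


def vnet_client_lookup(name: str) -> str:
    """A VM in the VNet using Azure-provided DNS with the private zone linked."""
    return resolve(name, private_zones_visible=True)


def internet_client_lookup(name: str) -> str:
    """A client on the Internet: no private zone is visible."""
    return resolve(name, private_zones_visible=False)


# On-premises custom DNS with the slide's conditional forwarder: service.windows.net -> Azure DNS.
# Everything else is resolved on the Internet as usual.
CONDITIONAL_FORWARDERS = {"service.windows.net": vnet_client_lookup}


def onprem_client_lookup(name: str) -> str:
    for suffix, forwarder in CONDITIONAL_FORWARDERS.items():
        if name == suffix or name.endswith("." + suffix):
            return forwarder(name)
    return internet_client_lookup(name)


if __name__ == "__main__":
    host = "myresource.service.windows.net"
    print("VNet client    :", vnet_client_lookup(host))      # private endpoint address
    print("On-prem client :", onprem_client_lookup(host))    # same, via the conditional forwarder
    print("Internet client:", internet_client_lookup(host))  # still the public address
```

The point the model makes explicit is that the application keeps using the same connection URL in all three places; only the answer differs, and a private endpoint whose DNS is not integrated this way will silently keep sending traffic over the public path.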
Private Link Service
▪ Application running behind Standard Load Balancer
▪ Private Link Service tied to Frontend IP configuration of Standard Load Balancer
▪ Frontend IP Configuration can be either Public or Private

Diagram: on the Service Provider side, Application VMs sit behind a Standard Load Balancer (subnet 10.0.1.0/24, Virtual Network 10.0.0.0/16) with a Private Link Service attached. On the Service Consumer side, VMs reach a Private Endpoint (10.0.1.5, subnet 10.0.1.0/24, Virtual Network 10.0.0.0/16). The two sides are connected by Private Link across the Microsoft Network; both sides deny Internet, and both virtual networks use the same address space.
Approval Workflow

Service Provider
1. Create your application behind a standard Load Balancer (Standard ILB, Application VMs, Subnet).
2. Create a Private Link Service attached to the SLB FE IP.
3. Share the private link service ID (Alias/ARM URI) with consumers. You can either do it offline or advertise publicly. The alias has the form <ServiceName>.<GUID>.<region>.azure.privatelinkservice.
4. Act on the request – Accept/Reject it.

Service Consumer
1. Create a Private endpoint in any subnet by specifying a private Link service URI/Alias.
2. Configure your DNS record for easy access using the private IP address (CA).
3. Connection Succeeded/Rejected.
Azure Firewall
Secures digital assets using cloud-native firewall capabilities with built-in high availability, auto-scalability, and zero maintenance.

Diagram: Azure Firewall in the VNET/VWAN hub combines user configuration (L3-L7 connectivity policies) with Microsoft Threat Intelligence (known malicious IPs and FQDNs), fronting Spoke 1, Spoke 2, other Spoke VNets and On-premises.

Key Benefits
▪ Network and Application traffic filtering
▪ Built-in Threat intelligence
▪ Deploys and scales in minutes
▪ Supports E-W and N-S traffic filtering

Supported SKUs
▪ Basic SKU for SMB segment (Public Preview)
▪ Standard SKU for enterprise & government organizations
▪ Premium SKU for high-security environments

Our History (timeline 2018 Q3 – 2022 Q4)
▪ Sept 2018: Firewall Standard GA
▪ May 2019: Threat Intelligence preview
▪ July 2019: AZ support/Multiple PIP GA
▪ Feb 2020: Firewall Manager preview
▪ July 2020: Firewall Manager GA
▪ Feb 2021: Firewall Premium preview
▪ Aug 2021: Firewall Premium GA
▪ Jan 2022: Perf boost/Network name preview
▪ Sep 2022: Policy Analytics preview
▪ Oct 2022: Basic SKU preview
©Microsoft Corporation
Azure
Azure Firewall Use Cases

VNET deployment
▪ Firewall is in a Hub VNET.
▪ Secure traffic between spoke VNETs, subnets within VNETs and traffic to the internet.
▪ Optionally secure traffic to Branch offices via ER/VPN Gateway.

Virtual WAN (aka Secure Hub)
▪ Firewall is inside a Virtual WAN hub.
▪ Secure traffic between VNETs, Branch offices and cross hub.
▪ Automate route configuration to easily attract traffic to the firewall.

Forced Tunnel mode
▪ Internet breakout is via a 3rd party firewall deployed on-premise or elsewhere.
▪ Forced tunnel to on-premise firewalls is supported in VNET environments. Virtual WAN environments support 3P security partner providers for breakout to the internet via CheckPoint & ZScaler.

Diagram: Hub VNET and Secure Hub variants with spoke VNETs, On-premises and Branch office connectivity.
Azure Firewall Basic
Enterprise-grade security for small and medium businesses

Diagram: Azure Firewall Basic in a Central VNet combines user configuration (L3-L7 connectivity policies) with Microsoft Threat Intelligence (known malicious IPs and FQDNs), fronting Spoke 1, Spoke 2, other Spoke VNets and On-premises.

Comprehensive, cloud-native network firewall security
▪ Network and application traffic filtering
▪ Threat intelligence to alert on malicious traffic
▪ Built-in high availability
▪ Seamless integration with other Azure security services

Simple setup and easy-to-use
▪ Setup in just a few minutes
▪ Automate deployment (deploy as code)
▪ Zero maintenance with automatic updates
▪ Central management via Azure Firewall Manager

Cost-effective
Designed to deliver essential protection at a price point that meets your needs
Azure Firewall Standard
Cloud native stateful Firewall as a service

A first among public cloud providers: DNS Proxy + Custom DNS; Web content filtering (web categories)

Central governance of all traffic flows
▪ Built-in high availability and auto scale
▪ Network and application traffic filtering
▪ Centralized policy across VNets and subscriptions

Complete VNET protection
Filter Outbound, Inbound, Spoke-Spoke and Hybrid Connections traffic (VPN and ExpressRoute)

Centralized logging
Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or the Security Information and Event Management (SIEM) system of your choice.

Best for Azure
DevOps integration, integration with Sentinel and ASC, FQDN Tags, Service Tags, integration with ASE, Backup and other Azure services.

Diagram: Azure Firewall Standard in a Central VNet fronting Spoke 1, Spoke 2, other Spoke VNets and On-premises.
Azure Firewall Premium
Cloud native Next-Gen Firewall as a service: TLS Inspection, IDPS, URL Filtering, Web Categories; includes Standard firewall capabilities.

TLS Inspection
▪ Built-in TLS Inspection for Outbound and East-West traffic
▪ Inbound TLS termination is supported with Azure Application Gateway
▪ Customer provided key pair via Azure Key Vault integration

Intrusion Detection Prevention System (IDPS)
▪ Detect, alert and block inbound/outbound malicious traffic
▪ Supported for both encrypted and plain text protocols
▪ Signature-based detection that is continuously updated

URL Filtering
▪ Restrict user access to HTTP/HTTPS Web content
▪ Support for URL wildcards

Web Categories
▪ Allow or deny user access to website categories such as gambling, social media and others
▪ Web categories maintained and continuously updated
▪ URL based category matching

Azure Firewall Standard
▪ Including all standard firewall capabilities

Diagram: Azure Firewall Premium in the VNET/VWAN hub between the Internet, Spoke 1, Spoke 2, other Spoke VNets and On-premises.
Azure Firewall feature comparison: Firewall Basic (Public Preview), Firewall Standard, Firewall Premium

L3-L7 Filtering
▪ Application level FQDN filtering (SNI based) for HTTPS/SQL
▪ Network level FQDN filtering – all ports and protocols
▪ Stateful firewall (5 tuple rules)
▪ Network Address Translation (SNAT+DNAT)

Reliability & Performance
▪ Availability zones
▪ Built-in HA
▪ Cloud scalability (auto-scale as traffic grows): Basic up to 250 Mbps, Standard up to 30 Gbps, Premium up to 100 Gbps
▪ Fat Flow support: Basic N/A, Standard 1 Gbps, Premium 10 Gbps

Ease of Management
▪ Central management via Firewall Manager
▪ Policy Analytics (Rule Management over time)
▪ Full logging including SIEM integration

Enterprise Integration
▪ Service Tags and FQDN Tags for easy policy management
▪ Easy DevOps integration using REST/PS/CLI/Templates/Terraform
▪ Web content filtering (web categories)
▪ DNS Proxy + Custom DNS

Advanced Threat Protection
▪ Threat intelligence-based filtering (known malicious IP address/domains): alert only on Basic
▪ Inbound TLS termination (TLS reverse proxy): using App GW
▪ Outbound TLS termination (TLS forward proxy)
▪ Fully managed IDPS
▪ URL filtering (full path - incl. SSL termination)

Azure Firewall
Rules Processing Logic (evaluated in this order)
1. Threat Intelligence
2. NAT Rules
3. Network Rules
4. Application Rules
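The order above decides which rule wins when more than one could apply, so it is worth seeing it run. The Python model below is an added illustration, not Microsoft code: it walks the four phases in the slide's order and stops at the first decision. The threat-intelligence entry, the rules, the addresses and the flows are all constructed; the model also assumes that a matching DNAT rule allows the translated flow and that application rules are consulted only for TCP flows that carry an FQDN (from TLS SNI or the HTTP Host header) and that no network rule already matched.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    protocol: str       # transport protocol: "TCP" or "UDP"
    fqdn: str = ""      # from the TLS SNI or HTTP Host header, when present


# All data below is constructed for the illustration.
THREAT_INTEL_IPS = {"198.51.100.66"}
THREAT_INTEL_MODE = "Deny"   # "Alert" or "Deny" (the deck notes that Basic only alerts)

NAT_RULES = [  # DNAT: inbound to the firewall's public IP is translated to a private target
    {"name": "web-dnat", "protocol": "TCP", "dst": "203.0.113.5", "port": 443,
     "translate_to": ("10.1.1.10", 443)},
]
NETWORK_RULES = [  # L3/L4 (5-tuple) rules
    {"name": "allow-dns", "action": "Allow", "protocol": "UDP",
     "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "port": 53},
    {"name": "deny-smb", "action": "Deny", "protocol": "TCP",
     "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "port": 445},
]
APPLICATION_RULES = [  # L7 FQDN rules; the wildcard covers subdomains
    {"name": "allow-updates", "action": "Allow", "protocols": {"Https": 443, "Http": 80},
     "src": "10.0.0.0/8", "fqdns": ["*.windowsupdate.com"]},
]


def _in(cidr: str, address: str) -> bool:
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr)


def process(flow: Flow):
    """Walk the slide's phases in order and return (phase, verdict, rule name)."""
    # 1. Threat intelligence: a known-malicious source or destination is handled before any rule.
    if flow.src in THREAT_INTEL_IPS or flow.dst in THREAT_INTEL_IPS:
        if THREAT_INTEL_MODE == "Deny":
            return "ThreatIntel", "Deny", "threat-intel-feed"
        # Alert mode: the hit is logged and evaluation continues with the rules.
    # 2. NAT rules: a DNAT match translates the destination; this model treats that as an allow.
    for r in NAT_RULES:
        if r["protocol"] == flow.protocol and flow.dst == r["dst"] and flow.port == r["port"]:
            ip, port = r["translate_to"]
            return "NAT", f"Allow (DNAT to {ip}:{port})", r["name"]
    # 3. Network rules: first 5-tuple match decides; application rules are not consulted afterwards.
    for r in NETWORK_RULES:
        if (r["protocol"] == flow.protocol and flow.port == r["port"]
                and _in(r["src"], flow.src) and _in(r["dst"], flow.dst)):
            return "Network", r["action"], r["name"]
    # 4. Application rules: only TCP flows with an FQDN on a listed HTTP/HTTPS port get here.
    if flow.protocol == "TCP" and flow.fqdn:
        for r in APPLICATION_RULES:
            if (flow.port in r["protocols"].values() and _in(r["src"], flow.src)
                    and any(fnmatch(flow.fqdn, pattern) for pattern in r["fqdns"])):
                return "Application", r["action"], r["name"]
    # Nothing matched: Azure Firewall denies by default.
    return "Default", "Deny", "<implicit deny>"


if __name__ == "__main__":
    for f in [Flow("10.1.1.5", "198.51.100.66", 443, "TCP", "evil.example"),
              Flow("192.0.2.9", "203.0.113.5", 443, "TCP"),
              Flow("10.1.1.5", "203.0.113.53", 53, "UDP"),
              Flow("10.1.1.5", "10.2.0.4", 445, "TCP"),
              Flow("10.1.1.5", "20.0.0.1", 443, "TCP", "download.windowsupdate.com"),
              Flow("10.1.1.5", "20.0.0.2", 443, "TCP", "evil.example")]:
        print(f, "->", process(f))
```

The fourth flow is the practical lesson: a deny in the network-rule phase wins even if an application rule further down would have allowed the FQDN, so an unexpected block is usually found by checking the earlier phases first.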
Policy Analytics (preview)
Manage Azure Firewall rules over time

Policy Insights
▪ Highlights key information of the Firewall policy such as policy limits, duplicate rules, wildcards in rules and more.

Policy Recommendations
▪ Recommendations to improve the rules in the policy, including rules with low/no hits, overly permissive rules, and potentially malicious sources.

Rule Analytics
▪ Visibility into the traffic flows of the rules over time
▪ Rule hit count for Application, Network and DNAT rules

Single Rule Analysis
▪ Refine the rule's permissions
▪ Inspect the flows hit for a specific rule
Azure Firewall Workbook and Sentinel Integration

The Azure Firewall Data Connector for Azure Sentinel can be used to ingest logs to visualize data in the Firewall Workbook available in Sentinel.

https://aka.ms/AzNetSec

Optimize security with Azure Firewall solution for Microsoft Sentinel (public preview)

Built-in Threat Detection
▪ Port scan
▪ Port sweep
▪ Abnormal deny rate for source IP
▪ Abnormal port to protocol
▪ Multiple sources affected by the same TI destination

Hunting queries
▪ First time a source IP connects to a destination port
▪ First time a source IP connects to a destination
▪ Source IP abnormally connects to multiple destinations
▪ Uncommon port for the organization
▪ Uncommon port connection to destination IP
Automating response and correlation

Response Automation
Azure Firewall Custom Connector: take different actions against Azure Firewall, Firewall Policy, and IP Groups using Playbooks.

Playbooks
▪ Add IP to IP Group
▪ Add IP to Threat Intel Allow List
▪ Add new rule to block IP

Playbook support for the Classic rules, Standard and Premium policy:

Playbook Name                        Classic Rules   Premium Policy   Standard Policy
AzureFirewall-BlockIP-addToIPGroup   Yes             Yes              Yes
AzureFirewall-AddIPtoTIAllowList     No              Yes              No
AzureFirewall-BlockIP-addNewRule     No              No               Yes
Azure Firewall Manager

Enterprise challenges
Complex network architecture and constantly changing threat environment
▪ Need complete visibility into the network
▪ Enforcing consistent security policies across multiple firewalls
▪ Compliance using a zero-trust security model
▪ Rapidly push firewall protection policy to respond to new threats

Addressed by
▪ Centralized management and administration
▪ Simplify rule management across multiple firewalls
▪ Networks are automatically secured and protected
▪ Respond to internet attacks

Azure Firewall Manager
Single pane of glass to manage Azure Firewall, DDoS & WAF across an Azure Tenant

Azure Firewall Management
▪ Deploy Azure Firewall across both VNET and VWAN deployments
▪ Associate Azure Firewall Policy to one or more Firewalls
▪ View and modify Azure Firewall Policy
▪ Gain insights into Firewall Traffic with Policy Insights *Preview*

DDOS management
▪ View and create DDoS Protection Plans
▪ Associate DDoS plans to VNETs

WAF management
▪ Deploy and configure WAF policies
▪ Upgrade from legacy WAF configuration to WAF policies on Azure Application Gateway
Central security and policy management
Deploy and configure Azure Firewall policies, Azure WAF policies, and Azure DDoS Protection plans. Span different Azure regions and subscriptions from a single pane of glass.

Enforce consistent configuration across Azure Firewall
Manage Network address translation (NAT), network, and application rule collections, as well as threat intelligence and DNS settings.

DevOps optimized hierarchical Azure Firewall policies
Global firewall policies authored by Central IT with local derived firewall policies for DevOps self-service for better agility.

Manage Azure Firewall Policy independent of Azure Firewall
Azure Firewall Policy is a top-level resource with independent access control and activity tracking.

Diagram: a Global Admin and a Local Admin work through Azure Firewall Manager; the Prod Hub and Staging hub (each a Secured vHub plus VNet) receive the Global Policy, while the Dev Hub receives the Global Policy + Local Policy.
Multi security provider support (secure hub only)

Combine best of breed security
Azure Firewall for east-west (virtual network to virtual network/branch to virtual network) traffic filtering.
Security partner of your choice for north-south (virtual network to Internet/branch to Internet) traffic filtering.

Use Azure for Edge security
Avoids routing internet traffic to on-premise. Route internet traffic directly from Azure.

Partners
• Zscaler (currently runs on ZIA cloud, roadmap to run on Azure)
• Check Point (runs on Azure)
• iboss (runs on Azure)

Simplifies connectivity and security
Easily attract traffic to your secured virtual hub for filtering and logging without manipulating User Defined Routes.

Diagram: VNet 1, VNet 2, VNet 3 and Branch 1/Branch 2 (over ExpressRoute/VPN) connect to a Secured vHub in Virtual WAN. Private traffic (B2V + V2V) goes via Azure Firewall; Internet traffic goes via a 3rd Party Sec-aaS over an IPSec tunnel from the Azure VPN Gateway.
Azure Firewall pricing page

Firewall Pricing

Fixed Cost
▪ $0.395/Basic firewall/hour
▪ $1.25/Standard firewall/hour
▪ $1.75/Premium firewall/hour

Variable Cost
▪ $0.065/GB processed by the firewall (Basic)
▪ $0.016/GB processed by the firewall (Standard & Premium)

Most customers save 30%–50% in comparison to NVAs. When comparing with NVAs, consider the full TCO including licensing, multiple VMs and 2 standard load balancers (traffic + rules charge).

Throughput limit 30 Gbps. Assume at least one firewall per region.
Azure Firewall Manager pricing page

Firewall Manager GA Pricing

Azure Firewall in Secured Virtual Hubs
▪ Fixed fee: $1.25/firewall/hour
▪ Variable fee: $0.016/GB processed by the firewall

Azure Firewall Manager policies
▪ Fixed fee: $100/Policy/Region
▪ Policies that are associated with a single hub are free of charge
▪ Policy Analytics

Azure Firewall Manager 3rd party integration
▪ Fixed fee: $0.4/Secured hub/hour
▪ Virtual WAN VPN GA charges apply
Azure Firewall Premium
Cloud native next-gen Firewall as a service: TLS Inspection, IDPS, URL Filtering, Web Categories

TLS Inspection
▪ Built-in TLS Inspection for Outbound and East-West traffic
▪ Inbound TLS termination is supported with Azure Application Gateway
▪ Customer provided key pair via Azure Key Vault integration

Intrusion Detection Prevention System (IDPS)
▪ Detect, alert and block inbound/outbound malicious traffic
▪ Supported for both encrypted and plain text protocols
▪ Signature-based detection that is continuously updated
▪ Over 58,000 rules in over 50 categories
▪ Detection and Prevention mode
▪ IDPS Bypass List
▪ IDPS Private IP ranges (preview)

URL Filtering
▪ Restrict user access to HTTP/HTTPS Web content
▪ Support for URL wildcards

Web Categories
▪ Allow or deny user access to website categories such as gambling, social media and others
▪ Web categories maintained and continuously updated
▪ URL based category matching

Diagram: Azure Firewall Premium in a Central VNet between the Internet, Spoke 1, Spoke 2, other Spoke VNets and On-premises.

Azure Firewall Premium – without TLS Inspection (diagram)

Azure Firewall Premium – TLS Inspection (diagram)
• Azure Firewall intercepts outbound traffic for inspection
• Intermediary certificate should be uploaded to the Firewall to verify server certificate.

Azure Firewall with web applications (diagram)

Azure Firewall Premium – TLS Inspection (screenshots): Enable TLS Inspection in Firewall Policy; Key Vault Integration
Azure Firewall Premium Configuration (screenshots): Azure Firewall Policy; Azure Firewall Rules Processing Logic; Policy Analytics Preview – Manage Azure Firewall rules over time (Policy Insights, Policy Recommendations, Rule Analytics, Single Rule Analysis)
Azure Firewall Demo
Azure Web Application Firewall
Digital transformation brings about new challenges

▪ Data exfiltration: 96% of applications have at least one vulnerability
▪ Poor app performance: 40% abandon a website if it takes longer than 3 sec to load
▪ Web and DDoS attacks grew 50% during COVID
▪ Slow page loads for global users: a 1 sec delay in page load can result in 7% loss of revenue

Stakeholders: Developer / Security Architect / Web Manager

Enterprises need a modern cloud CDN to protect, optimize and scale their applications
Azure web application protection
Against DDoS attacks, Web Application attacks and Malicious Bots

Global
▪ Global footprint with L3/L4 DDoS mitigation: Azure Network Edges filter non-HTTP/S traffic
▪ Azure WAF on Front Door protects against common L7 web attacks
▪ Legitimate traffic is allowed through
Azure Web Application Firewall combined with the global scale of Azure Network Edges provides protection from multiple attack types.

Regional
▪ Azure DDoS Standard, tuned to app traffic patterns
▪ Azure WAF on Application Gateway protects against common L7 web attacks
▪ Legitimate traffic is allowed through
Azure DDoS Protection Standard combined with Azure Web Application Firewall provides adaptive protection from multiple attack types.
WAF policy (diagram): a WAF policy made of Custom rules, OWASP rules and Bot management is applied to incoming requests by the Azure Global WAF (Front Door) and by the Azure Regional WAF (Application Gateway, deployed in Azure regions); logs and metrics feed monitoring.
Azure Front Door
Modern cloud CDN that delivers optimized experiences to users anywhere

Modern Architecture
• Fully REST API driven to automate and streamline deployment
• Tight integration with Azure services including App Service, Storage, API Manager, App Gateway and Azure Sentinel
• Customizable rules for advanced routing (diagram: /*, /search/* and /statics/* routed to different backends)
• Advanced analytics to monitor traffic and security in real time

Fast Global Delivery
• Low latency, high throughput content delivery from cloud or on-prem to global users
• Built on Microsoft massively-scaled private global network
• Supports static/dynamic content caching, file, OTT and video on-demand
• SSL offload and dynamic app acceleration at the edge close to user
• Simplified cost model with fewer meters to plan for

Intelligent Security
• WAF, DDoS and Bot Manager protection
• Azure Private Link support to access resources securely
• Powered by Microsoft Threat Intelligence

Azure Front Door WAF (diagram)
Azure WAF with Application Gateway
Protect from common application vulnerabilities

Diagram: requests from the Internet (a SQLi/XSS attack, a valid request, a crawler/scraper) reach the Application Gateway, an L7 load balancer with WAF; only the valid request is passed on to the backends (VM/VMSS, Azure App Service, Azure Kubernetes Service, On-Premises).

Application Gateway & WAF
WAF policy (diagram): Custom rules, OWASP rules and Bot management applied to incoming requests by the Azure Global WAF (Front Door) and the Azure Regional WAF (Application Gateway); logs and metrics are monitored. Turn on Diagnostics and WAF logs.

Detection mode
▪ Monitors and logs all threat alerts
▪ Does not block incoming requests

Prevention mode
▪ Blocks attacks identified by the rules
▪ “403 Unauthorized access” error
WAF Policies Demo: Regional WAF + App Gateway, Listener1 routing /path1 and /path2

Azure WAF Pricing with Application Gateway v2
Azure DDoS Protection

What are DDoS attacks?
Bad actors generate malicious traffic to take down the (public) network or application by impacting either the availability or the performance of the network or application.

Why should I care?
Any public IP receiving traffic from the internet is susceptible to DDoS attacks. DDoS is the top cause of availability issues for large enterprises.
How real are they?
01 DDoS attacks increased by 43% in H2 of 2021
02 Attack bandwidth
03 73% of DDoS attacks are under an hour
04 Attack vectors
Source: Azure DDoS Protection—2021 Q3 and Q4 DDoS attack trends
CY2021 Holiday Season
On November 11, 2021, we mitigated a 3.47 Tbps (340M pps) DDoS UDP attack in Azure, the largest attack ever reported in history! In December, we mitigated two more attacks that surpassed 2.5 Tbps – one was a 3.25 Tbps UDP attack, and the other attack was a 2.55 Tbps UDP attack.

Charts: Inbound UDP attack bandwidth mitigated (Tbps), one per attack.
Azure DDoS Network Protection
Cloud scale DDoS protection for Virtual Networks in Azure
01 Azure global network
02 Adaptive tuning
03 Attack analytics & metrics
04 Integration with Microsoft Defender for Cloud & Sentinel
05 DDoS Rapid Response (DRR)
06 SLA guarantee and cost protection

Diagram: traffic from the Public Internet passes Azure DDoS at the edge of the Azure network before reaching a Central VNET (Azure Firewall, Azure WAF) connected to Spoke VNETs; inbound and inbound/outbound flows are shown.
Azure DDoS IP Protection (Preview)
DDoS protection designed for small & medium businesses
01 Cost-effective, enterprise-grade DDoS protection
02 Flexibility to enable protection on an individual public IP resource
03 Easy to configure and monitor
04 Integration with Microsoft Defender for Cloud & Sentinel
SKU comparison: DDoS Network Protection vs DDoS IP Protection (Preview)
Features compared:
▪ Active traffic monitoring & always on detection
▪ L3/L4 Automatic attack mitigation
▪ Application based mitigation policies
▪ Metrics & alerts
▪ Mitigation reports
▪ Mitigation flow logs
▪ Mitigation policies tuned to customer's application
▪ Integration with Firewall Manager
▪ Azure Sentinel data connector and workbook
▪ DDoS rapid response support
▪ Cost protection
▪ WAF discount
Microsoft’s DDoS Protection Scale
▪ 62 regions
▪ 80+ Tbps mitigation capacity
▪ 2,000 attack mitigations daily
▪ Inbound & Outbound mitigations
DDoS integration with Azure Firewall Manager
Take actions to protect unprotected virtual networks within Firewall Manager to improve network security posture.
Inline DDoS protection with Gateway LB and Partner NVAs (Public preview)
Inline L7 DDoS Protection

Gaming provider scenario
▪ DDoS attacks on game servers cause outages ranging from 2-10 seconds, resulting in game disruption.
▪ Existing solutions are focused on protecting a load balanced, stateless, TCP service against attacks that last for minutes/hours. These are ill-suited to protect against DDoS attacks on game servers.
▪ Gateway LB enables protection of game servers by enabling gaming partners to create an inline DDoS solution.

Diagram: unfiltered game traffic enters through Azure DDoS Network Protection (L3/4 DDoS Protection) into the Consumer Virtual Network, is chained through the gateway LB to the partner NVAs in the Provider Virtual Network, and returns as filtered game traffic to the Game Servers.
Adaptive tuning
▪ Protection policies tuned to your application’s traffic profile.
▪ DDoS Network Protection continuously profiles normal Public IP traffic.
▪ Utilizes machine learning algorithms for adaptive tuning and setting mitigation threshold.
▪ Easy to set up, with no user configuration required.

Diagram: Internet traffic to Public IP 1 (Web Application 1) and Public IP 2 (Web Application 2) is profiled by the Adaptive Tuning Engine.
Attack analytics and metrics
▪ Telemetry through Azure Monitor
▪ Provides near real-time network attack mitigation flow logs
▪ Attack data snapshots every 5 mins and full post attack summary
▪ Logging can be integrated with Azure Sentinel, Splunk, OMS, and Azure Storage
Microsoft Defender for Cloud Integration
▪ Recommendations for unprotected public IPs
▪ Alerts integration into a single dashboard
▪ Regulatory Compliance recommendations based on standards
Azure DDoS Protection
Attack analytics and Microsoft Sentinel integration

DDoS Rapid Response (DRR)
▪ Specialized DDoS Rapid Response support during active attacks
▪ Custom mitigation policy configuration
DDoS SLA Guarantee and Cost Protection
▪ 99.99% SLA guarantee for the Azure DDoS Protection service
▪ 99.99% SLA guarantee that during an attack the target resource will not be impacted
▪ Receive 100% service credits for resource costs incurred as a result of a documented DDoS attack
Azure DDoS Network Protection - Pricing

Fixed Cost
▪ $3K/month for the entire tenant (multiple subscriptions and VNETs)
▪ $30/month for each IP above 100

Pricing includes
▪ Cost protection against unforeseen scale out of resources
▪ Access to rapid response support for DDoS cases without paying $75K/annum of ARR premium

Examples of resources protected under DDoS cost protection:
• Data processed (ingress/egress) by Azure Firewall, AppGW/WAF
• WAF is 100% discounted when DDoS Network Protection is enabled on the VNET; AppGW charges will apply
• Scale out of VMs, AKS
• Data egress for network bandwidth; this happens during an amplification attack when the DDoS-impacted app makes outbound connections
• Scale out of backend PaaS resources like SQL, CosmosDB, Storage, App Services etc.

Reference: Azure DDoS Protection Pricing | Microsoft Azure
Azure DDoS IP Protection (Preview) - Pricing

Fixed Cost
▪ $199/month per public IP resource protected

Reference: Azure DDoS Protection Pricing | Microsoft Azure
Azure Secure Hybrid Architecture (diagram)
Internet traffic enters through Azure Front Door with Global WAF and Azure DDoS protection. A hub VNet (Vnet-hub, 10.0.0.0/16) hosts Azure Firewall, an Application Gateway with WAF, private endpoints to PaaS Services, and the Vnet gateway / ExpressRoute gateway towards on-premises. Workload VNets vnet1 (10.1.0.0/16) and vnet2 (10.2.0.0/16) connect to the hub over Vnet peering.
Key takeaways

Resources
▪ Network security strategies on Azure
▪ Best practices for network security
▪ Azure Private Link
▪ Azure Private Link service
▪ Azure Firewall Standard features
▪ Azure Firewall Premium features
▪ Azure Firewall preview features
▪ Azure Firewall Architecture with Application Gateways
▪ Azure Firewall to inspect traffic to Private Endpoints
▪ Integrate NAT gateway with Azure Firewall
▪ Azure Secured Virtual Hub (Azure Virtual WAN)
▪ Azure Web Application Firewall (WAF) policy
▪ Azure DDoS Protection
▪ Azure DDoS Protection SKU Comparison

Questions
Thank You