Section 5 – Implement platform protection – Implement advanced network security – Implement Azure DDoS and Private Links

This is the final section of segment 5, and it ends with:

  • Implement Azure Private Links
  • Implement Azure DDoS Protection

Azure Private Link enables you to access Azure PaaS Services and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.

Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary.

Private Link service workflow

How to set it up?

Open Private Link Center.

From there you can see all the Private Endpoints that you have.

And create a new Private link.

Outbound settings

When you create a Private Link service, you need a Standard load balancer in front of it: yes, the service uses the load balancer to provide the access.

The TCP proxy v2 property lets the service provider use TCP proxy protocol v2 to retrieve connection information about the service consumer. The service provider is responsible for configuring the receiver so that it can parse the proxy protocol v2 header.

Access security

You can use RBAC or subscription-based restrictions, but you can also allow anyone with your alias to use the Private Link service.

Alias is a globally unique name for your service. It helps you mask the customer data for your service and at the same time creates an easy-to-share name for your service. When you create a Private Link service, Azure generates an alias for your service that you can share with your customers. Your customers can use this alias to request a connection to your service.

The alias is composed of three parts: Prefix.GUID.Suffix

  • Prefix is the service name. You can pick your own prefix. After “Alias” is created, you can’t change it, so select your prefix appropriately.
  • GUID will be provided by platform. This helps make the name globally unique.
  • Suffix is appended by Azure: region.azure.privatelinkservice

Complete alias: Prefix.{GUID}.region.azure.privatelinkservice

If you choose "Anyone with your alias", auto-approval controls the automated access to the Private Link service. The subscriptions specified in the auto-approval list are approved automatically when a connection is requested from private endpoints in those subscriptions.

Main page view

When you have created the Private Link service, you will see the alias on the main page.

Once you disable public access to the resources, you can use Private Link to connect through the Private Endpoint exposed by the Link service.

ARM-templates

Here are examples of how to create a Private Endpoint for SQL

And here for Private Link
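To tie the alias, visibility and auto-approval settings above to the ARM section, here is an added example template (not the author's linked template) that deploys a Private Link service behind a Standard load balancer and a Private Endpoint to an Azure SQL server. The resource names and all parameter values are assumptions; the Standard load balancer, the two subnets and the SQL server are assumed to already exist.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "lbFrontendIpConfigId": { "type": "string" },  // Standard LB frontend IP config on the provider side
    "natSubnetId": { "type": "string" },           // provider NAT subnet; privateLinkServiceNetworkPolicies must be Disabled
    "consumerSubnetId": { "type": "string" },      // consumer subnet; privateEndpointNetworkPolicies must be Disabled
    "sqlServerId": { "type": "string" },           // resource ID of the Azure SQL logical server
    // [] = RBAC only, ["*"] = "Anyone with your alias", or a list of subscription IDs
    "visibilitySubscriptions": { "type": "array", "defaultValue": [] },
    // subset of visibilitySubscriptions; requests from other subscriptions stay Pending until the provider approves them
    "autoApprovalSubscriptions": { "type": "array", "defaultValue": [] }
  },
  "resources": [
    {
      "type": "Microsoft.Network/privateLinkServices",
      "apiVersion": "2020-11-01",
      "name": "pls-example",
      "location": "[resourceGroup().location]",
      "properties": {
        "enableProxyProtocol": true,  // TCP proxy v2: the backend must parse the proxy protocol v2 header
        "loadBalancerFrontendIpConfigurations": [ { "id": "[parameters('lbFrontendIpConfigId')]" } ],
        "ipConfigurations": [ {
          "name": "nat-ipconfig",
          "properties": { "subnet": { "id": "[parameters('natSubnetId')]" }, "privateIPAllocationMethod": "Dynamic", "primary": true }
        } ],
        "visibility": { "subscriptions": "[parameters('visibilitySubscriptions')]" },
        "autoApproval": { "subscriptions": "[parameters('autoApprovalSubscriptions')]" }
      }
    },
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2020-11-01",
      "name": "pe-sql-example",
      "location": "[resourceGroup().location]",
      "properties": {
        "subnet": { "id": "[parameters('consumerSubnetId')]" },
        "privateLinkServiceConnections": [ {
          "name": "sql-connection",
          "properties": { "privateLinkServiceId": "[parameters('sqlServerId')]", "groupIds": [ "sqlServer" ] }
        } ]
      }
    }
  ],
  "outputs": {
    // the platform-generated Prefix.{GUID}.region.azure.privatelinkservice alias to share with consumers
    "alias": { "type": "string", "value": "[reference('pls-example').alias]" }
  }
}
```

Azure Resource Manager accepts the `//` comments, but strict JSON tooling does not, so strip them if the file is linted elsewhere. The defaults keep the service RBAC-only; widening visibility to `["*"]` is the "Anyone with your alias" option and should be paired with a deliberate auto-approval list.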

What is Azure DDoS Protection?

DDoS Protection leverages the scale and elasticity of Microsoft’s global network to bring massive DDoS mitigation capacity in every Azure region. Microsoft’s DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability.


Azure DDoS protection does not store customer data.

Features

  • Native platform integration: Natively integrated into Azure. Includes configuration through the Azure portal. DDoS Protection Standard understands your resources and resource configuration.
  • Turnkey protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required.
  • Always-on traffic monitoring: Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.
  • Adaptive tuning: Intelligent traffic profiling learns your application’s traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.
  • Multi-Layered protection: When deployed with a web application firewall (WAF), DDoS Protection Standard protects both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF). WAF offerings include Azure Application Gateway WAF SKU as well as third-party web application firewall offerings available in the Azure Marketplace.
  • Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
  • Attack analytics: Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. Stream mitigation flow logs to Microsoft Sentinel or an offline security information and event management (SIEM) system for near real-time monitoring during an attack.
  • Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
  • Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack’s duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Azure Monitor logs, Splunk, Azure Storage, Email, and the Azure portal.
  • DDoS Rapid Response: Engage the DDoS Protection Rapid Response (DRR) team for help with attack investigation and analysis. To learn more, see DDoS Rapid Response.
  • Cost guarantee: Receive data-transfer and application scale-out service credit for resource costs incurred as a result of documented DDoS attacks.

A single Azure DDoS Protection Plan in a tenant can be used across multiple subscriptions. The DDoS Protection service will have a fixed monthly charge. The fixed monthly charge includes protection for 100 resources. Protection for additional resources will be charged on a monthly per-resource basis.

How to?

Microsoft released an Azure security baseline for Azure DDoS Protection Standard that complies with the Azure Security Benchmark.

Architecture

DDoS Protection Standard is designed for services that are deployed in a virtual network. For other services, the default DDoS Protection Basic service applies. The following reference architectures are arranged by scenarios, with architecture patterns grouped together.

Application running on load-balanced VMs

Diagram of the reference architecture for an application running on load-balanced VMs

Application running on Windows N-tier

Diagram of the reference architecture for an application running on Windows N-tier

PaaS web application

Diagram of the reference architecture for a PaaS web application

Protecting on-premises resources

Protecting on-prem resources

How to enforce with Azure Policy

Azure Policy is the way to enforce it, and here is the policy.

And the policy definition itself, if you want to put it into your Azure pipeline.
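As an added example (not the author's policy), here is a custom Azure Policy definition that audits, or with the Deny effect blocks, any virtual network that does not have DDoS Protection Standard enabled and linked to the approved plan. The display name, description and parameter names are assumptions; the two `Microsoft.Network/virtualNetworks/...` field aliases are the ones Azure Policy exposes for these VNet properties.

```json
{
  "properties": {
    "displayName": "Virtual networks must be protected by the approved DDoS Protection Standard plan",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Audits or denies virtual networks that do not have DDoS Protection Standard enabled and linked to the approved plan.",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Audit"
      },
      "ddosPlanId": {
        "type": "String",
        "metadata": { "description": "Resource ID of the tenant-wide DDoS Protection plan" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/virtualNetworks" },
          {
            "anyOf": [
              { "field": "Microsoft.Network/virtualNetworks/enableDdosProtection", "notEquals": "true" },
              { "field": "Microsoft.Network/virtualNetworks/ddosProtectionPlan.id", "notEquals": "[parameters('ddosPlanId')]" }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assign it with `Audit` first to find existing non-compliant VNets, then switch to `Deny` once they are remediated; the second `anyOf` condition also catches VNets that are protected by a plan other than the one the tenant pays for.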

Creating with ARM-templates

Here is an example of how to create a DDoS Protection plan with templates.
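An added example template (not the author's linked one) that creates a DDoS Protection plan and a virtual network attached to it; the resource names and address prefix are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "ddosPlanName": { "type": "string", "defaultValue": "ddos-plan-example" },
    "vnetName": { "type": "string", "defaultValue": "vnet-protected-example" },
    "vnetAddressPrefix": { "type": "string", "defaultValue": "10.10.0.0/16" }
  },
  "resources": [
    {
      // one plan per tenant is enough; VNets in other subscriptions link to it by resource ID
      "type": "Microsoft.Network/ddosProtectionPlans",
      "apiVersion": "2020-11-01",
      "name": "[parameters('ddosPlanName')]",
      "location": "[resourceGroup().location]",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-11-01",
      "name": "[parameters('vnetName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('ddosPlanName'))]" ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "[parameters('vnetAddressPrefix')]" ] },
        // both settings are needed: the flag alone does not attach the VNet to a plan
        "enableDdosProtection": true,
        "ddosProtectionPlan": { "id": "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('ddosPlanName'))]" }
      }
    }
  ]
}
```

Azure Resource Manager accepts the `//` comments, but strict JSON tooling does not.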

Things to remember

Azure Private Link enables you to access Azure PaaS Services and Azure hosted customer-owned/partner services over a private endpoint in your virtual network. Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary.

You need a Standard load balancer to deploy Private Links.

Complete alias: Prefix.{GUID}.region.azure.privatelinkservice

DDoS Protection leverages the scale and elasticity of Microsoft’s global network to bring massive DDoS mitigation capacity in every Azure region. Microsoft’s DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability.

Attack analytics are possible with Azure Sentinel.

A single Azure DDoS Protection Plan in a tenant can be used across multiple subscriptions.


Author: Harri Jaakkonen
