All disks are encrypted using SSE by default.

With SSE, Azure manages the keys and

automatically decrypts data for any read operations without impact on performance.

Overview of Azure certificates

Transport Layer Security (TLS) is the basis for encryption of website data in transit.

Types of certificates
1. Service certificates are used for cloud services
2. Management certificates are used for authenticating with the management
API

Protect your network

A firewall is a service that grants server access based on the originating IP address of each
request.

To provide inbound protection at the perimeter, you have several choices.

Azure Firewall
Azure Firewall provides inbound protection for non-HTTP/S protocols. Examples of
non-HTTP/S protocols include: Remote Desktop Protocol (RDP) - 3389, Secure
Shell (SSH) -22, and File Transfer Protocol (FTP) - 21. It also provides outbound,
network-level protection for all ports and protocols, and application-level protection
for outbound HTTP/S.
Azure Application Gateway
Network virtual appliances (NVAs)

DDoS standard protection can mitigate the following types of attacks:

 Volumetric attacks. The attackers’ goal is to flood the network layer with a
substantial amount of seemingly legitimate traffic.
 Protocol attacks. These attacks render a target inaccessible, by exploiting a
weakness in the layer 3 and layer 4 protocol stack.
 Resource (application) layer attacks. These attacks target web application
packets to disrupt the transmission of data between hosts.

For communication between virtual machines, Network Security Groups (NSGs) are a critical
piece to restrict unnecessary communication.

You can completely remove public internet access to your services by restricting
access to service endpoints.

24 | P a g e