Microsoft Azure as CSP

Nesrine Riahi
Network and Security Consultant

I- Microsoft Azure

1- Cloud computing :

Cloud computing is a platform that provides access to computing resources over the
internet.
As a user, all you need to do is connect to a cloud service provider (CSP) from your laptop or
computer over the internet, and you then have access to computing resources (virtual
machines, storage, and so on).
So, what is Microsoft Azure?

2- Azure as CSP :

Azure is a comprehensive cloud computing platform and set of services provided by
Microsoft. It enables organizations to build, deploy, and manage applications and services
through Microsoft's global network of data centers.
Azure offers a wide range of services that cater to various computing needs, including
computing power, storage, databases, networking, artificial intelligence, Internet of Things
(IoT), and more.
It is one of the leading cloud platforms in the world, competing with other major cloud
providers like Amazon Web Services (AWS) and Google Cloud Platform (GCP).

• It's free to start and has a pay-per-use model, which means you pay only for the
services you use through Azure. Azure provides various tools to monitor and manage
costs, allowing users to optimize their cloud spending.

• 80 percent of Fortune 500 companies use Azure services, which means that most of
the biggest companies in the world recommend using Azure.
• Azure supports a wide variety of programming languages, including C#, Node.js, Java, and
many more.
• Azure has 42 data centers, more than any other cloud service provider has now, and it
expects to add 12 more in the coming period, which brings the total number of regions it
covers to 54.
• Scalability: Azure allows users to scale their resources up or down based on demand,
ensuring cost-effectiveness and optimal performance.
• Security and Compliance: Microsoft invests heavily in security measures and
compliance certifications, making Azure a trusted and secure cloud platform.

II- AD vs Azure AD

Azure Active Directory (Azure AD) and Active Directory (AD) are both identity and access
management solutions provided by Microsoft, but they serve different purposes and are used in
different environments.

1- Active directory:

Active Directory is a traditional on-premises directory service developed by Microsoft in
2000. It is primarily used in Windows Server environments to manage and organize resources such as
computers, users, groups, and devices within a network. AD is commonly employed in organizations
to provide centralized authentication, authorization, and accounting (AAA) services for users and
computers in a Windows domain. Key features of Active Directory include:

• User and computer account management: AD allows administrators to create and manage
user accounts and computer accounts, controlling access to network resources.
• Group policy management: Administrators can define policies to configure and control the
behavior of computers and users within the domain.
• Domain services: Active Directory enables the creation of a domain hierarchy to manage
resources efficiently.

2- Azure Active Directory:

Azure Active Directory is a cloud-based identity and access management service provided by
Microsoft as part of the Azure cloud platform. It is not a direct replacement for Active Directory but
rather complements it by extending identity and access management capabilities to cloud-based
applications and services.
Key features of Azure Active Directory include:

• Cloud identity management: Azure AD enables organizations to manage and secure user
identities and access to cloud-based applications, such as Microsoft 365, Azure services, and
thousands of other SaaS applications.
• Single Sign-On (SSO): Users can access multiple cloud applications with a single set of
credentials, improving user experience and security.
• Application management: Azure AD allows administrators to control access to applications,
set up conditional access policies, and view application usage reports.
• Business-to-Business (B2B) collaboration: Organizations can securely collaborate with
external partners and grant them controlled access to resources.

III- IaaS, PaaS and SaaS services of Microsoft Azure

These models define the different levels of shared responsibility between the cloud provider and
the cloud tenant.

The following illustration demonstrates the services that might run in each of the cloud service
models:

1- IaaS:
IaaS is the most flexible category of cloud services. It aims to give you complete control over
the hardware that runs your application. Instead of buying hardware, with IaaS, you rent it.

Advantages:
• No CapEx. Users have no up-front costs.

• Agility. Applications can be made accessible quickly and deprovisioned whenever
needed.

• Management. The shared responsibility model applies; the user manages and
maintains the services they have provisioned, and the cloud provider manages and
maintains the cloud infrastructure.

• Consumption-based model. Organizations pay only for what they use and operate
under an Operational Expenditure (OpEx) model.

• Skills. No deep technical skills are required to deploy, use, and gain the benefits of a
public cloud. Organizations can use the skills and expertise of the cloud provider to
ensure workloads are secure, safe, and highly available.

• Cloud benefits. Organizations can use the skills and expertise of the cloud provider to
ensure workloads are made secure and highly available.

• Flexibility. IaaS is the most flexible cloud service because you have control to
configure and manage the hardware running your application.

2- PaaS:

The PaaS model allows developers to focus solely on building applications without
the need to manage underlying infrastructure. Azure handles the management of servers,
storage, and networking, enabling developers to deploy applications quickly and efficiently.

Advantages:
• No CapEx. Users have no up-front costs.

• Agility. PaaS is more agile than IaaS, and users don't need to configure servers for running
applications.

• Consumption-based model. Users pay only for what they use, and operate under an OpEx
model.

• Skills. No deep technical skills are required to deploy, use, and gain the benefits of PaaS.

• Cloud benefits. Users can take advantage of the skills and expertise of the cloud provider to
ensure that their workloads are made secure and highly available. In addition, users can gain
access to more cutting-edge development tools. They can then apply these tools across an
application's lifecycle.

• Productivity. Users can focus on application development only, because the cloud provider
handles all platform management. Working with distributed teams as services is easier
because the platform is accessed over the internet. You can make the platform available
globally more easily.

Disadvantage:

• Platform limitations. There can be some limitations to a cloud platform that might affect how
an application runs. When you're evaluating which PaaS platform is best suited for a
workload, be sure to consider any limitations in this area.

3- SaaS:
In the SaaS model, users access software applications over the internet, and the underlying
infrastructure and software management are entirely handled by the service provider (Microsoft, in
this case). Users typically pay a subscription fee to use the software on a per-user or per-usage basis.

Advantages:
• No CapEx. Users have no up-front costs.

• Agility. Users can provide staff with access to the latest software quickly and easily.

• Pay-as-you-go pricing model. Users pay for the software they use on a subscription model,
typically monthly or yearly, regardless of how much they use the software.

• Skills. No deep technical skills are required to deploy, use, and gain the benefits of SaaS.

• Flexibility. Users can access the same application data from anywhere.

Disadvantage:

• Software limitations. There can be some limitations to a software application that might
affect how users work. Because you're using as-is software, you don't have direct control of
features. When you're evaluating which SaaS platform is best suited for a workload, be sure
to consider any business needs and software limitations.

IV- Security services of Azure

Microsoft Azure provides a comprehensive set of security services to help organizations
safeguard their data, applications, and infrastructure in the cloud. These security services are
designed to address various aspects of security, including identity and access management, threat
protection, data protection, compliance, and more.
Some of the key security services of Microsoft Azure include:

1- Azure Active Directory (Azure AD):

Azure AD is Microsoft's cloud-based identity and access management service. It provides features
such as single sign-on (SSO), multi-factor authentication (MFA), role-based access control (RBAC), and
identity protection to secure user identities and access to resources.

2- Azure Security Center:

Azure Security Center is a unified security management and threat protection service. It offers
threat detection, security recommendations, and security policy management for Azure resources. It
helps identify and remediate security vulnerabilities and threats across cloud workloads.

3- Azure Firewall:

Azure Firewall is a managed, cloud-based network security service that provides stateful firewall
capabilities. It protects Azure Virtual Networks (VNet) and allows administrators to create, enforce,
and log application and network connectivity policies.

4- Azure DDoS Protection:

Azure DDoS Protection provides Distributed Denial of Service (DDoS) protection for Azure
resources. It automatically mitigates DDoS attacks, ensuring high availability and performance of
applications and services.

5- Azure Key Vault:

Azure Key Vault is a secure key management service that allows users to safeguard keys, secrets,
and certificates used by cloud applications and services. It centralizes and manages cryptographic
keys and secrets to protect sensitive information.

6- Azure Information Protection:

Azure Information Protection helps classify, label, and protect data based on its sensitivity. It
ensures that data is encrypted and controlled even when it is shared with others within or outside
the organization.

7- Azure Advanced Threat Protection (ATP):

Azure ATP is a cloud-based security solution that helps detect and investigate advanced threats,
insider risks, and security breaches in real-time. It monitors user behavior and provides insights to
help administrators take proactive security measures.

8- Azure Sentinel:

Azure Sentinel is a cloud-native security information and event management (SIEM) service that
provides intelligent security analytics and threat hunting. It collects and analyzes security data from
various sources to detect and respond to security threats.

9- Azure Backup and Azure Site Recovery:

These services offer data backup and disaster recovery capabilities, respectively. They ensure
business continuity and data protection in the event of data loss or system failures.

10- Azure Security and Compliance Blueprint:

These blueprints provide pre-defined security settings and compliance controls aligned with
industry standards and best practices. They help organizations quickly deploy secure and compliant
environments.

V- Azure simple architecture

The relationship between an Azure Virtual Machine (VM), an Azure Virtual Network, and a Network
Security Group (NSG) is closely intertwined, and connection methods such as RDP, SSH, and Azure
Bastion are used to access and manage the VM within this secure network environment.
Here is how these elements are connected:

1. Azure Virtual Network (VNet):


- The Azure Virtual Network is the foundation of the network infrastructure in Azure. It provides the
isolated and secure environment where your resources, including virtual machines, can be deployed.

- When you create an Azure Virtual Machine, you deploy it in a specific Virtual Network. This means
that the VM will be integrated into this virtual network and will have access to subnets, security rules,
Azure services connected to this VNet, etc.

2. Azure Virtual Machine (VM):
- A Virtual Machine is an instance of an operating system (Windows or Linux) that runs on Azure's
physical servers. It is deployed in a specific Virtual Network and benefits from a private IP address
from the address range of the subnet where it is placed.

- You can access and manage the VM by logging into it using various login methods.

3. Network Security Group (NSG):


- An NSG is a network-level firewall that filters incoming and outgoing network traffic for resources
located in a Virtual Network. You can define rules to allow or deny traffic based on IP addresses,
ports, and protocols.

- For Virtual Machine security, you can create and associate an NSG to the subnet where the VM is
deployed. This allows you to control network traffic to the VM.

4. Connection methods:

• RDP (Remote Desktop Protocol): To access a Windows Virtual Machine, you can use the RDP
protocol from a remote computer. You need to make sure your VM has an NSG rule allowing
inbound traffic on TCP port 3389 (default port for RDP).

• SSH (Secure Shell): To access a Linux Virtual Machine, you can use the SSH protocol from a
remote terminal. Make sure your VM has an NSG rule allowing inbound traffic on TCP port 22
(default port for SSH).

• Azure Bastion: Azure Bastion is a secure access gateway service that allows RDP and SSH
access to your virtual machines from the Azure portal, without the need for a public IP
address directly on the VM. This enhances security by reducing potential attacks related to
exposing public ports on the VM.

In summary, an Azure Virtual Machine is deployed in an Azure Virtual Network and can be secured
using a Network Security Group. You can connect to the VM via RDP, SSH, or Azure Bastion,
depending on the VM's operating system and your security preferences. Virtual Network, NSG, and
connection methods work together to provide a secure and well-managed network infrastructure for
your virtual machines in Azure.

VI- About Azure Bastion

Azure Bastion is a fully managed platform-as-a-service (PaaS) that provides secure and seamless
RDP/SSH access to Azure virtual machines directly through the Azure portal. It eliminates the need to
expose public IP addresses and manage network security groups to enable remote access to VMs.
With Azure Bastion, you can access your VMs securely from virtually anywhere using just a web
browser.

Key features and benefits of Azure Bastion:

1. Secure Remote Access: Azure Bastion provides a secure way to access your virtual machines in
Azure without exposing RDP/SSH ports to the internet. It uses SSL encryption for all data
transmissions, ensuring that your connections remain secure.

2. Fully Managed Service: Azure Bastion is a fully managed service by Microsoft, which means you
don't have to worry about patching, updates, or managing the underlying infrastructure.

3. Web-Based Access: You can access your VMs through a web-based interface directly from the
Azure portal. No additional client software or VPN is required, making it easier for users to connect
from various devices.

4. No Public IP Required: You don't need to assign a public IP address to your virtual machines when
using Azure Bastion, which reduces the attack surface and enhances security.

5. Network Integration: Azure Bastion is tightly integrated with Azure Virtual Networks. When you
enable Bastion for a Virtual Network, it is available to all the virtual machines within that network,
without any additional configuration.

6. Multi-Factor Authentication (MFA): Azure Bastion supports Azure Active Directory authentication
with MFA, adding an extra layer of security to the remote access process.

7. Session Recording: Azure Bastion offers session recording, allowing you to review and audit remote
access sessions for security and compliance purposes.
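The NSG rules described in section V (inbound TCP 3389 for RDP and TCP 22 for SSH) and the "No Public IP Required" point above can be compared with a small rule evaluator. This is an added illustration, not code from the original document or from Microsoft; it models Azure's priority-ordered, first-match evaluation and the default AllowVnetInBound/DenyAllInBound rules, with the VirtualNetwork service tag approximated by a constructed 10.0.0.0/16 address space and a constructed AzureBastionSubnet of 10.0.1.0/26.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; the lowest number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # source CIDR, or "*" for any source (including the Internet)
    dest_port: str  # single destination port, or "*"

VNET_RANGE = "10.0.0.0/16"      # constructed VNet address space (stands in for the VirtualNetwork tag)
BASTION_SUBNET = "10.0.1.0/26"  # constructed AzureBastionSubnet range
# Simplified Azure default inbound rules (AllowAzureLoadBalancerInBound omitted).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", VNET_RANGE, "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def matches(rule: Rule, src_ip: str, proto: str, port: int) -> bool:
    """True when the packet's protocol, destination port and source all fit the rule."""
    if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
        return False
    if rule.dest_port != "*" and int(rule.dest_port) != port:
        return False
    return rule.source == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)

def evaluate(rules: list, src_ip: str, proto: str, port: int) -> tuple:
    """Return (access, rule_name) of the first matching rule in priority order (first match wins)."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if matches(rule, src_ip, proto, port):
            return rule.access, rule.name

# Rule set 1: management ports opened to any source, as in the RDP/SSH steps above.
OPEN_RULES = [
    Rule("AllowRDP", 300, "Allow", "Tcp", "*", "3389"),
    Rule("AllowSSH", 310, "Allow", "Tcp", "*", "22"),
]

# Rule set 2: management ports reachable only from the Bastion subnet; Internet sources fall through to DenyAllInBound.
BASTION_RULES = [
    Rule("AllowRDPFromBastion", 300, "Allow", "Tcp", BASTION_SUBNET, "3389"),
    Rule("AllowSSHFromBastion", 310, "Allow", "Tcp", BASTION_SUBNET, "22"),
]

if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("bastion-only", BASTION_RULES)):
        for src in ("203.0.113.7", "10.0.1.5"):  # constructed: an Internet host and a Bastion host
            print(label, src, "tcp/3389 ->", evaluate(rules, src, "Tcp", 3389))
```

Note that with the Bastion-only rule set, other hosts inside the VNet can still reach the management ports through the default AllowVnetInBound rule, so a subnet-level NSG does not by itself isolate the VM from its neighbours.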
