ISO 9001:2015, ISO 20000-1:2018 and ISO 27001:2015 Certified

Azure Networking and Security Services

info@bitscape.com | www.bitscape.com
Canada | USA | India

Agenda
• Azure Firewall
• Azure Application Gateway
• Azure Front Door
• Azure Sentinel
• Azure Defender

Azure Firewall & Azure Firewall Manager

Azure networking services

DDoS Protection
Virtual Network 
Azure WAF
Virtual WAN
Azure Firewall
ExpressRoute
Azure Firewall Manager
VPN
Network Security Groups
DNS
Service Endpoints/Private Link

CDN
Network Watcher
Front Door
ExpressRoute Monitor
Traffic Manager
Azure Monitor
Application Gateway
Virtual Network TAP
Load Balancer

©Microsoft Corporation Azure


Protection services enabling zero trust

• DDoS protection: DDOS protection tuned to your application traffic patterns
• Web Application Firewall: Centralized inbound web application protection from common exploits and vulnerabilities
• Azure Firewall: Advanced Network and Application threat protection for Azure cloud Infrastructure.
• Network Security Groups: Distributed inbound & outbound network (L3-L4) traffic filtering on VM, Container or subnet
• VNET Integration: Restrict access to Azure service resources (PaaS) to only your Virtual Network using VNET Injection, Private Link and Service Endpoints

Application protection Segmentation


Azure Firewall
Cloud native stateful Firewall as a service
• A first among public cloud providers
• Central governance of all traffic flows
• Built-in high availability and auto scale
• Network and application traffic filtering
• Centralized policy across VNets and subscriptions
• Complete VNET protection
• Filter Outbound, Inbound, Spoke-Spoke and Hybrid Connections traffic (VPN and ExpressRoute)
• Centralized logging
• Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or Security Information and Event Management (SIEM) system of choice
• Best for Azure
• DevOps integration, integration with Sentinel and ASC, FQDN Tags, Service Tags, Integration with ASE, Backup and other Azure services

Diagram labels: User configuration (L3-L7 connectivity policies); Microsoft Threat Intelligence (Known malicious IPs and FQDNs); Spoke 1; Spoke 2; Spoke VNets; Central VNet; Azure Firewall (Threat intel, NAT, network and application traffic filtering rules allows inbound/outbound access; Traffic is denied by default); Azure to on-prem traffic filtering; On-premises

Azure Firewall
Key features

Application rules
• FQDN Filtering (HTTP/S, MSSQL)
• FQDN Tags (e.g., Windows Update, Azure Backup, ASE, HDI)
• Default infrastructure rule collection

Fully stateful network rules
• Service Tags

NAT support
• Default Source Network Address Translation (SNAT)
• Destination Network Address Translation (DNAT)

Threat Intel
• Deny and Alert on known malicious IPs and domains

Monitoring
• Azure monitor logging
• Azure monitor metrics
• Network watcher

Scale and availability
• Built-in auto scale (30 Gbps) and HA
• Multiple public IPs – up to 250
• Availability Zones (99.99% SLA)

Recently released
• GA: FQDN filtering in network rules (all ports and protocols)
• GA: Custom DNS and DNS Proxy
• GA: Web Categories (based on FQDN)
• GA: Premium SKU

Azure Firewall Premium
Cloud native Next-Gen Firewall as a service
• TLS Inspection
  • Built-in TLS Inspection for Outbound and East-West traffic
  • Inbound TLS termination is supported with Azure Application Gateway
  • Customer provided key pair via Azure Key Vault integration
• Intrusion Detection Prevention System (IDPS)
  • Detect alert and block inbound/outbound malicious traffic
  • Supported for both encrypted and plain text protocols
  • Signature-based detection that is continuously updated
• URL Filtering
  • Restrict user access to HTTP/HTTPS Web content
  • Support for URL wildcards
• Web Categories
  • Allow or deny user access to website categories such as gambling, social media and others
  • Web categories maintained and continuously updated
  • URL based category matching
• Azure Firewall Standard
  • Including all standard firewall capabilities

Diagram labels: TLS Inspection; IDPS; URL Filtering; Web Categories; Spoke 1; Spoke 2; Spoke VNets; Central VNet; Azure Firewall (Traffic is denied by default); Internet; Azure to on-prem traffic filtering; On-premises

Azure Firewall versus Network Virtual Appliances – Cost comparison

Compute and Licensing
• Azure Firewall: $1.25/standard firewall/hour; $1.75/premium firewall/hour
• NVAs: Compute: Two plus VMs to meet peak requirements. Licensing: Per NVA vendor billing model

Standard Public Load Balancer
• Azure Firewall: $0.016/GB processed (30%-50% cost saving)
• NVAs: First five rules: $0.025/hour; Additional rules: $0.01/rule/hour; $0.005 per GB processed

Standard Internal Load Balancer
• NVAs: First five rules: $0.025/hour; Additional rules: $0.01/rule/hour; $0.005 per GB processed

Ongoing/Maintenance
• Azure Firewall: Included
• NVAs: Customer responsibility

Support
• Azure Firewall: Included in your Azure Support plan
• NVAs: Per NVA vendor billing model


Azure Firewall Manager
Key features

Hub Virtual Networks
• Brings centralized firewall management goodness to VNETs
• Secure existing hub-and-spoke VNET deployments seamlessly
• Update configuration across multiple firewall instances

Secure Virtual Hub
• Centralized security for virtual WAN hubs
• Automated routing - secures V2I, B2I, V2V, B2V with just a few clicks
• Advanced security with 3rd party SECSaaS partners

Diagram labels: Azure Firewall Manager; Global admin; Local admin; Global policy; Azure region 1; Azure region N; Secured vHub; Hub VNET; VNet; Azure Firewall; Virtual WAN; VPN; ER/VPN; HQ/branch; End-user devices; Datacenter

Central security and policy management
• Deploy and configure multiple Azure Firewall instances
• Span different Azure regions and subscriptions from a single pane of glass
• Enforce consistent configuration across Azure Firewall
• Manage Network address translation (NAT), network, and application rule collections, as well as threat intelligence and DNS settings.
• DevOps optimized hierarchical Azure Firewall policies
• Global firewall policies authored by Central IT with local derived firewall policies for DevOps self-service for better agility
• Manage Azure Firewall Policy independent of Azure Firewall
• Azure Firewall Policy is a top-level resource with independent access control and activity tracking.

Diagram labels: Azure Firewall Manager; Global Admin; Local Admin; Secured vHub; VNet; Prod Hub: Global Policy; Staging hub: Global Policy; Dev Hub: Global Policy + Local Policy


Multi security provider support (secure hub only)

Combine best of breed security
• Azure Firewall for east-west (virtual network to virtual network/branch to virtual network) traffic filtering
• Security partner of your choice for north-south (virtual network to Internet/branch to Internet) traffic filtering

Use Azure for Edge security
• Avoids routing internet traffic to on-premise
• Route internet traffic directly from Azure

Partners
• Zscaler (currently runs on ZIA cloud, roadmap to run on Azure)
• Check Point (runs on Azure)
• iboss (runs on Azure)

Simplifies connectivity and security
• Easily attract traffic to your secured virtual hub for filtering and logging without manipulating User Defined Routes

Diagram labels: VNet 1; VNet 2; VNet 3; Secured vHub; 3rd Party Sec-aaS; IPSec Tunnel; Azure Firewall; VPN Gateway; Internet; Virtual WAN; ExpressRoute/VPN; Branch 1; Branch 2; Private traffic B2V + V2V via Azure Firewall; Internet traffic via 3P


Deliver Secure and Scalable Web Applications with Azure Application Gateway

Azure Application Delivery Portfolio
• Azure Load Balancer
• Application Gateway
• Azure Front Door
• Web Application Firewall
• Azure Traffic Manager
• Azure CDN

Together, application delivery services let you build mission-critical dynamic, high-performance global applications


Azure Application Gateway
Build secure, scalable, and highly available web front ends in Azure

Platform managed
• Built in high availability, zone redundancy, scalability

Public or ILB
• Public internet, internal, or both

Flexible backends
• VMs, VMSS, AKS, Public IP, Cloud Services, ALB/ILB, On-Premises

Security & SSL management
• WAF, SSL offload, SSL Re-encryption, SSL policy

Diagram labels: Scale out at load; Static VIP; Azure Key Vault; Min capacity; Max capacity; AZ1; AZ2; Azure App Service; AKS; VMSS; On-Premises


Azure Application Gateway
Layer 7 load balancing
• URL path-based
• Host based/multiple site hosting with wildcard support*
• Round robin
• Session affinity
• Redirection
• Header rewrite
• URL rewrite*
• Websocket & HTTP/2 traffic
• Connection draining
• Custom error pages


Azure Application Gateway

Autoscaling
• Grows and shrinks based on application traffic requirements
• No need to overprovision or guess instance size
• Reduce operating cost

High performance SSL offloads
• 500-50,000 connections/sec with RSA 2048 bit key Certs
• 30,000-3,000,000 persistent connections
• 2500-250,000 HTTP req/sec

Autoscaling, improved performance and faster provisioning

Diagram labels: Static VIP; Min capacity; Scale out at load; Avail Zone 1; Avail Zone 2; VMSS

Azure Web Application Firewall
Cloud native Web Application Firewall

Unified WAF offering
• Protect your apps at network edge or in region uniformly

Microsoft threat intelligence
• Protect apps against automated attacks
• Manage good/bad bots with Azure BotManager RuleSet

Site and URI path specific WAF policies
• Customize WAF policies at regional WAF for finer grained protection at each host/listener or URI path level

Geo filtering on regional WAF
• Enhanced custom rule matching criterion includes filtering by country

Diagram labels: WAF policy (OWASP rules, Bot management, Custom rules); Uniform policy; Azure Global WAF (Front Door); Azure Regional WAF (Application Gateway); PaaS, IaaS and on-premise backends

Ingress Controller with AKS
Application Gateway Ingress Controller
Performance benefits over in-cluster ingress controllers
AKS add-on allows for one line deployment of:
• Cluster
• Add-on
• Application Gateway
Add-on is a fully managed way to integrate native L7 load balancing with AKS

Key Features
Latest features of Application Gateway
Public Preview

Wildcard Listener
• Use wildcard characters like asterisk (*) and question mark (?) in the host name
• Configure up to 5 host names per multi-site listener

URL Rewrite
• Rewrite the host name, path, and query string of the request URL
• Choose to rewrite URL of all requests on a listener
• Route request based on either the original URL or the rewritten URL

Azure Front Door
Secure cloud CDN with intelligent threat protection
Securing your organization with Zero Trust

Diagram labels: Zero Trust policy; Identities; Devices; Data; Apps; Infrastructure; Network; Context; Control

Visibility | Analytics | Automation


2 New SKUs!

Azure Front Door
Fast, Reliable and Secure cloud CDN with intelligent threat protection
Intelligent Security Protection | Dynamic Application Acceleration | Fast Global Content Delivery Network | Cloud Native and Developer Friendly
Quick and easy to deploy | Direct private access to resources | Simple transparent billing

Azure Front Door Use Cases

Secure global internet services
Secure applications at the edge to optimize app reliability, cost and reputation
• Commerce Platforms
• Financial Services
• Healthcare
• Enterprise LOB Apps

Dynamic content delivery
Optimize application performance and scale without caching content
• Retail and Commerce
• Mobile Apps and Services
• SaaS API Platforms
• IoT Services, Data

Modern microservices
Enable fault-tolerant and agile application architectures through edge load balancing
• Mobile Applications
• Commerce Services
• Media Distribution Apps
• ISV / Solution Providers

Static object/file delivery
Deliver large or small file assets to devices, browsers with minimized cost and max performance
• Manufacturing / Electronics
• Retail and Commerce
• Enterprise File Delivery
• Automotive and IoT

OTT and video on-demand
Deliver low latency, high throughput video from cloud or on-prem to global devices
• Media and Entertainment
• Gaming
• Telco
• Enterprise Video


Azure Front Door enhances security, reliability and performance for your apps and content on Azure and on-premises

Better Security: Gain real-time protection with built-in intelligent security
Enhanced Reliability: Boost your app reliability and optimize routing to origins
Greater Performance: Reduce latency and increase throughput at the edge

Developer-Friendly APIs

Microsoft Global Network
Enterprise-grade global private network operated by Microsoft supporting Azure, Office 365, Xbox, Bing and more

Better Security
Gain real-time protection with built-in intelligent security

Web Application Firewall
Managed application protection, increase Azure secure score
• Powered by Microsoft Threat Intelligence
• Managed rulesets protect applications against OWASP top 10 vulnerabilities
• Bot Manager protects against automated attacks
• Custom WAF rules for application specific protection
• Json/Xml parser for API content
• Built-in network DDoS protection
• Sentinel WAF connectors and workbooks

Diagram labels: Incoming requests; WAF policy (Custom rules, OWASP rules, Bot management); Azure Global WAF (Front Door and CDN); logs; monitor; Metrics; Sentinel; PaaS, IaaS, AKS, serverless, on-premises and other cloud backends

WAF + Bot + DDoS = built in security at scale
Use existing WAF policies or create them for the first time to get protection against OWASP top 10 vulnerabilities and malicious bots in a few clicks.

Quick Create | Full Create

Leverage Microsoft Threat Intelligence to protect applications

Azure Front Door Premium Origin Protection

Private origins in Azure via private link service
• Origin not routable from internet

Public origins via IP and header restriction
• Block if not from AFD

Diagram labels: Incoming requests; Azure Front Door Premium; AFD Private endpoints; Customer Vnet; ILB; PE/PL; Web App; Storage Account; Azure regions; Public PaaS, IaaS, AKS, serverless, on-premises and other cloud backends

Enhanced Reliability
Boost your app reliability and optimize routing to origins

What is dynamic app acceleration
• Global application load balancing for better reliability and disaster recovery
• Application acceleration improves performance
• Reduce costs with SSL offload, static caching

Diagram labels: Internet; Azure DNS; Azure Front Door; Cache Static Assets; Accelerate Dynamic Assets; Path-based Load Balancing; Active Region; Active/Standby Region; PrivateLink; App Service Plan; Function App; Web App; SQL DB; Cosmos DB; Redis Cache; Queue; Azure Search; Azure Active Directory; Data Replication; Content Services; Blob; Static Media

Enhanced custom domain onboarding
• Eliminate dangling domains via DNS TXT record based validation; Add multiple endpoints within Front Door to easily create staging, production slots

Captions: Add multiple endpoints to manage origin groups, domains, routes across multiple slots; Centralized CDN, Front Door, and partner listings; DNS TXT record based validation

Secure Origin management & load balancing
• Easily add, secure, and load balance your origins with one-click integration with Azure Services like Private Link, Web Apps, Storage, App Gateway, and more.

Captions: Secure your backends with Private Link; Easily add your existing origins

Traffic rules, overrides, header actions & more
The custom logic you need to deliver content how and where you need.

Utilize the existing logic you enjoy today in Classic AFD and CDN, plus the addition of Server variables & Regex capabilities.

Caption: Apply and prioritize multiple rule sets to a path-based route.

Greater Performance
Reduce latency and increase throughput at the edge

Global scale private dedicated CDN network
• 60+ Azure regions
• 130k+ miles of fiber + subsea cables
• 170+ Network Edge sites
• 500+ network partners
• 20k+ peering connections

Cloud-Native and Developer Friendly API
Automate processes and workflows using API interfaces

Azure Front Door native integrations with Azure Services

IaaS/PaaS
• Azure Storage
• Azure App Service
• Azure Private Link
• AKS (via App Gateway)

Security
• Azure Sentinel
• Azure Defender / Security Center
• Azure Key Vault

Data
• Azure Log Analytics
• Azure Monitor

Cost
• Azure Cost Management
• Azure Policy

Azure Front Door: API-Driven and Supports CL, PS, ARM and Terraform


Advanced Analytics
• A single pane of glass for real-time & granular data – understand everything from your security policies to how customers are experiencing your service.

Azure Sentinel
Modernize your security operations with Azure Sentinel
Security Operations Team
Cloud + Artificial Intelligence

Azure Sentinel
SIEM
Diagram labels: Multi-cloud; Cloud native, any data, any entity; Partnerships; Cloud native; Any data; AI; Automation

Modernize your SOC with Azure Sentinel
THE INTELLIGENT, CLOUD-NATIVE SIEM
• Scales to support your growing digital estate
• Offers improved threat detection
• Uses AI and automation to increase efficiency

End-to-end solution for security operations
Collect | Detect | Investigate | Respond
Visibility | Analytics | Hunting | Incidents | Automation
Powered by community + backed by Microsoft’s security experts

Visibility
Collect security data at cloud scale from any source

Diagram labels: AZURE + MICROSOFT 365 (Security Alerts, Activity Data); COLLECTORS (CEF, Syslog, Windows, Linux); TAXII + MS Graph (Threat Indicators); APIs (Custom Logs); AZURE SENTINEL; AZURE MONITOR LOG ANALYTICS


Get interactive dashboards for powerful insights

Choose from a gallery of workbooks

Customize or create your own workbooks using queries

Take advantage of rich visualization options

Gain insight into one or more data sources


Analytics
Leverage extensive library of detections or build your own

Choose from more than 100 built-in analytics rules

Customize and create your own rules using KQL queries

Correlate events with your threat intelligence and now with Microsoft URL intelligence + network data

Trigger automated playbooks


Improve insider and unknown threat detection with User and Entity Behavior Analytics

Use behavioral insights to detect anomalies, understand the relative sensitivity of entities, and evaluate potential impact

Get baseline behavioral profiles of entities across time and peer group horizons

Powered by the proven Microsoft User and Entity Behavior Analytics (UEBA) engine

Tap into the power of ML, increase your catch rate without increasing noise

Use built-in models – no ML experience required
• Detects anomalies using transferred learning
• Fuses data sources to detect threats that span the kill chain
• Simply connect your data and learning begins

Bring your own ML models
• Build ML for your unique needs, leveraging Microsoft’s algorithms and best practices


Hunting
Start hunting over security data with fast, flexible queries

Run built-in threat hunting queries - no prior query experience required

Customize and create your own hunting queries using KQL

Integrate hunting and investigations


Use bookmarks and live stream to manage your hunts

Bookmark notable data

Start an investigation from a bookmark or add to an existing incident

Monitor a live stream of new threat related activity


Use Jupyter notebooks for advanced hunting

Run in Azure Machine Learning

Use sample templates to help you get started

Save as sharable HTML/JSON

Query Azure Sentinel data and bring in external data sources

Use your language of choice – Python, SQL, KQL, R, …


Intelligence
Monitor and manage threat intelligence

• Create, view, search, filter, sort, and tag all your threat indicators in a single pane

• Use alert metrics to help understand top threats targeting your organization

• Use automation playbooks for leading threat intelligence providers to enrich alerts

Use Watchlists to integrate business insights

• Create collections of data for threat hunting and detection (e.g. restricted IPs, trusted systems, critical assets, risky users, vulnerable hosts)

• Incorporate watchlists into analytic rules, hunting queries, workbooks, and more - create allow/deny lists, add context, and add enrichments

• Upload a CSV file, create automation playbooks upload

Access unified insights with entity profiles

• Get a complete view of a host or user by bringing together data from multiple sources, including UEBA

• View timeline information across the most relevant data sources

• Use Insights to quickly identify activities of interest

• Customize timeline to tune results and add other data sources

• Link directly to M365 and Azure Defender where relevant for more information

Incidents
Start and track investigations from prioritized, actionable security incidents

Use incident to collect related alerts, events, and bookmarks

Manage assignments and track status

Add tags and comments

Trigger automated playbooks


Visualize the entire attack to determine scope and impact

Navigate the relationships between related alerts, bookmarks, and entities

Expand the scope using exploration queries

View a timeline of related alerts, events, and bookmarks

Gain deep insights into related entities – users, domains, and more


Gain deeper insight with built-in automated detonation

Configure URL Entities in analytics rules

Automatically trigger URL detonation

Enrich alerts with Verdicts, Final URLs and Screen Shots (e.g. for phishing sites)


Automation
Automate and orchestrate security operations using integrated Azure Logic Apps

Build automated and scalable playbooks that integrate across tools

Choose from a library of samples

Create your own playbooks using 200+ built-in connectors

Trigger a playbook from an alert or incident investigation


Example playbooks

Incident Management
• Assign an Incident to an Analyst
• Open a Ticket (ServiceNow/Jira)
• Keep Incident Status in Sync
• Post in a Teams or Slack Channel

Enrichment + Investigation
• Lookup Geo for an IP
• Trigger Defender ATP Investigation
• Send Validation Email to User

Remediation
• Block an IP Address
• Block User Access
• Trigger Conditional Access
• Isolate Machine


Thank You

© Copyright Microsoft Corporation. All rights reserved.
