Azure Network Security Modes
In this post, I challenge the traditional concept of network segmentation and suggest a model that is better suited for Azure: Network Security Modes.
Started as an effort to debunk outdated concepts, I ended up giving away my principles for designing network architecture, which I have been refining for the last 10+ years.
I keep it abstracted to only one step away from a complete LLD that you can reuse to build a modern Hub-and-Spoke network topology in Azure.
Network segmentation rationale
Ancient times
In the old days, when servers lived in on-premise datacenters, there was a concept of network segmentation.
Hubs and Switches
Servers were connected by hubs and switches.
Every server connected to the same network hub was receiving the same datagrams, including ones not addressed to them. These hubs were also called repeaters.
Network switches are helping to reduce the number of situations where datagrams are repeated on multiple ports when the switch “remembers” who is on the port. It is still not perfect at remembering everyone, especially in big networks.
Subnets
And networks were big. You remember subnet classes A/B/C? C means 256 addresses. It was normal to have hundreds and thousands of servers connected via hubs and switches, and they formed subnets or broadcast domains.
To reiterate: any traffic in the subnet is broadcast and can be overheard by any interface on that subnet.
Routers are used to interconnect and remove broadcast traffic between subnets, allowing only traffic destined for these subnets.
Limiting broadcast traffic is good, but routers are expensive. That’s why subnets were big and had many servers.
Traditional routers were not as smart as today’s, so they could not filter ports, protocols, and other attributes that security guys like.
Firewalls are used to filter traffic and are even rarer and more expensive than routers.
It was so expensive that it was only placed on critical network boundaries, like dividing internal networks from DMZ and internets.
The cost and rarity of firewalls forced companies to group their servers into network segments, where everyone trusts each other.
Network segmentation
At that time, network traffic was rarely encrypted – everyone in the subnet could potentially hear all network conversations.
Operating systems like Windows 2000 did not have a personal firewall, so all ports were open by default – making them vulnerable to any bad guy or a virus that is on the network
Authentication protocols and passwords were weak (and no MFA!) – to the pleasure of hackers.
These aspects led to the necessity of making sure that all neighbours in the networks are trusted.
Here comes the concept of a network segment – a part of a network that groups servers with a similar level of trust together, protected by a single firewall.
Typical network segments were Prod / Dev / Workplace / DMZ / Internet, and all devices within the same segment were treated equally.
Modern times
Nowadays, when you hear the term network hub, it does not mean repeater, but a central place connecting multiple virtual networks where routing and traffic filtering happen.
Virtual Networks in Azure run in a shared, multitenant environment of the cloud provider, and
- network virtualisation protocol ensures that traffic is not visible to other customers – no bad neighbours in the subnet can overhear your conversations
- traffic filtering platform is processing every datagram – firewall capabilities are available on every connected interface via NSG
More than that,
- modern operating systems have firewalls enabled by default (and it’s a shame if your company disable them as a standard)
- modern network protocols keep traffic properly authenticated (MFA/SSO/SAML/OAuth – all these beauties) and encrypted (TLS/AES/oh-yes) from end-to-end
This makes the concept of network segmentation mostly irrelevant for Azure virtual networks since the issues that segmentation was initially addressing no longer exist.
Henceforth, I declare the traditional network segmentation obsolete.
Azure Network Security Modes
New times are coming, security guys stay the same.
They still want to control and see the traffic on a firewall and don’t want to rely on zero-trust principles.
To please them, I want to introduce you to a modern way of organising network filtering, which I call Azure Network Security Modes.
Mode 1, aka Cloud Native
this is when you implement Virtual WAN in default configuration
- Traffic between VNets is routed and filtered by the Hub Firewall
- Firewal is managing only core security rules, like filtering connectivity between spokes, WAN, and internets, of course
- Traffic between subnets is routed directly by the virtual network and filtered on the NSG
- Only incoming rules are used in the NSG.
- Outgoing traffic is not controlled in the NSG
- Traffic inside the subnet is routed directly by the virtual network and can be optionally filtered on the NSG
- FW and (optionally) NSG Flogs are streamed to Log Analytics
Mode 2, aka Traditional
this is when you mimic a traditional datacenter
- Traffic between VNets is routed and filtered by the Hub Firewall
- Firewall is still managing core security rules
- Traffic between subnets is routed and filtered by the Hub Firewall, too
- Firewall is additionally filtering traffic between subnets, becoming an additional point of failure, latency, and costs
- Traffic inside the subnet is routed directly by the virtual network and can be optionally filtered on the NSG
Mode 3, aka Micro-Segmented
this is where you go to please some insane regulations
- Traffic between VNets is routed and filtered by the Hub Firewall
- Traffic between subnets is routed and filtered by the Hub Firewall
- Traffic inside the subnet is routed and filtered by the Hub Firewall
- All work and no play makes Firewall a dull boy: a point of failure, latency, and costs for all traffic in the subnet
Comparison
Here is the comparison table:
Criteria / Mode | Mode 1.
Firewall between VNets "Inter-VNet FW" (Cloud Native) |
Mode 2.
Firewall between Subnets "Inter-Subnet FW" (Traditional) |
Mode 3.
Firewall between NICs "Intra-Subnet FW" (Micro-Segmented) |
---|---|---|---|
Traffic Filtering | |||
VNet to VNet | via FW | via FW | via FW |
Subnet to Subnet | via NSG | via FW | via FW |
Inside Subnet | via NSG | via NSG | via FW |
Cost Impact | Low/Med – NSGs are free; however, Flow Logs costs should be considered. | Medium – Costs to FW traffic and scaling | High – More costs to FW traffic and scaling |
Management Efforts | • High – if manual management of traffic filtering (both FW and NSG) is centralised to the Network team. • Med – if automated end-to-end via code • Low – if NSG management is delegated to applications team (but requires a level of trust) |
• Med/Low – centralisation of filtering management to FW reduces management efforts, provided inter-subnet filtering is managed by app teams | • Med/High – need to filter and monitor all traffic increases management efforts |
Routing | Simple, standardised UDR for all subnets | Unique UDR for each subnet with a few Routes | Simple, standardised UDR for all subnets |
Throughput and Latency | • Max throughput, minimum latency | • As platform-native for traffic inside Subnets • Limited by FW for traffic between subnets |
• Limited by FW performance and scale • May not be supported by some high demanding apps |
Log Management Costs and Efforts | Med – Fragmented log collection on NSG and FW, however, may stream to the same Log Analytics workspace | Low – Centralised log collection on FW, low volumes if NSG logs are not collected | Low – Centralised log collection on FW, but high volumes | Reliability | High – FW is only a point of failure for traffic between VNets | Medium – FW becomes a point of failure between subnets | Low – FW is PoF for any traffic |
Use cases | • VNets for shared platform components that can protect themselves with NSGs or personal firewalls • VNets dedicated to a single app or groups of mutually trusted apps (like SAP landscapes) • VNets with a decentralised management model (where apps are managing their own NSGs) |
• Shared VNets, hosting multiple apps with centralised security management (where a central team is managing communications between apps) | • Special zones requiring maximum security (should only be used where absolutely required by regulations) |
What model should you use?
The comparison table above provides the pros and cons; details are in the implementation sections below.
I could tell you to decide… consider… blah-blah… for yourself, but… I numbered the modes in the order of my personal preference:
- Use Mode 1 by default
- Use Mode 2 when you have to
- Try not to use Mode 3
- Mix the modes in the same VNet if you think that your life is too easy
Be creative in meeting regulatory requirements and responding to audit reports written by someone who does not care how you should live with this.
Implementation
Here is some example technical documentation for implementing the security modes described above.
Diagram
The diagram from the page cover was used to draw attention. It does not completely reflect the architecture described here (but it is still better than a generic AI-generated picture). Once I update it, I will post the diagram in a higher resolution here.
VNet Topology
Traditional “Regional Hub-and-Spokes”, wherein each region has a dedicated Hub VNet with a Firewall used for traffic routing and filtering, and several spoke VNets hosting workloads are attached via peerings.
Region | Address Spaces | Address Range | Remarks |
---|---|---|---|
West Europe | 10.0.0.0/10 | 10.0.0.0 – 10.63.255.255 | It is always recommended to pre-allocate simpler, reasonable chunks of IP space to specific regions… |
North Europe | 10.64.0.0/10 | 10.64.0.0 – 10.127.255.255 | … This makes routing tables simpler and helps to avoid unnecessary complexity and hitting limits for the number of routes… |
New region | 10.128.0.0/10 | 10.128.0.0 – 10.191.255.255 | … As you need to provision new spokes, you cut IP addresses from these pre-allocated ranges… |
Free | 10.192.0.0/10 | 10.192.0.0 – 10.255.255.255 | … But always keep free space for potential growth… |
I might write a separate article on efficient IP range allocation. However, special tools for IPAM exist, like Efficient IP and Azure IPAM.
VNet Structure
A spoke VNet should be used as a security boundary, and Security mode should be assigned to the VNet at its creation.
Because VNets cannot span across Azure subscriptions, the VNets structure should follow the subscription structure of the company.
This means separate VNets could exist for company business units, service lines, and environments.
VNet Name | Address Space | Region | Subscription | Comments |
---|---|---|---|---|
Hub-vnet | 10.0.0.0/24 | West Europe | Hub-sub | Regional Hub |
SAP-vnet | 10.1.0.0/16 | West Europe | SAP-sub | Mode 1: VNet is dedicated to SAP application landscapes that trust each other |
Shared-vnet | 10.2.0.0/16 | West Europe | Shared-sub | Mode 2: VNet is hosting multiple apps managed by different teams |
Secret-vnet | 10.3.0.0/16 | West Europe | Secret-sub | Mode 3: VNet is hosting apps that need to comply with insane regulations |
Once assigned, security mode sets the default level for the workload provisioned in the spoke. Since we are in the cloud with software-defined networks, the flexibility of changing this is possible for some subnets or even for the whole VNet, but it is not possible to change the VNet name. That’s why I don’t encourage “tattooing” the initial network security mode in the VNet name.
Subnets Structure
Separate subnets should be used only when necessary to simplify management or implement security requirements like different route tables and NSGs.
In Native and Traditional security modes,
- Separate subnets can be used to delegate NSG control to specific application owners
In MicroSeg security mode,
- Network security may not rely on subnets; big flat subnets can be used in conjunction with centrally managed NSGs and application-specific ASGs (details below)
VNet Name | Subnet Name | Address Space | Comments |
---|---|---|---|
SAP-vnet | 10.1.0.0/16 | Apps in this VNet are managed by the same team and use NSG/ASG | |
SPM | 10.1.0.0/24 | ||
GRC | 10.1.2.0/25 | ||
CRM | 10.1.3.0/25 | ||
Shared-vnet | 10.2.0.0/16 | Apps in this VNet are managed by different teams who do not trust each other | |
App1 | 10.2.0.0/24 | App 1 | |
App2 | 10.2.1.0/24 | App 2 | |
App3_FE | 10.2.2.0/24 | App 3 Front-end | |
App3_BE | 10.2.3.0/24 | App 3 Back-end | |
App4_FE | 10.2.4.0/24 | App 4 Front-end | |
App4_BE | 10.2.5.0/24 | App 4 Back-end | |
Secret-vnet | 10.3.0.0/16 | Apps in this VNet have to comply with strict industry regulations | |
PCIDSS | 10.3.0.0/24 | ||
HIPAA | 10.3.1.0/24 |
Traffic Routing
All traffic routing to and from any Spoke Vnet is traversing the regional Hub FW:
- Between Spokes in the same region connected via peerings
- Between Spoke in the region and Virtual Network Gateways (Express Route, VPN, Other Regions connected to the same ER circuits)
- Between Spoke and the Internet
- Between Spoke and Hubs in other regions connected via global peerings
This requires each spoke VNet to have an assignment of Route tables (UDR) containing:
- BGP route propagation = disabled
- Single route to 0.0.0.0/0 via Hub NVA
For filtering traffic on FW between subnets, the route table should also contain:
- Route to current VNet address space via Hub NVA
To enable direct traffic inside the subnet, the route table should also contain:
- Route to the current Subnet address space via Virtual Network
Here is the configuration example:
UDR Name | Assigned to | Routes | Comments |
---|---|---|---|
SAP-vnet-udr | SAP-vnet / *Subnets | 0.0.0.0/0 → NVA IP (Firewall) | To override system route pointing to Internet |
Shared-vnet-Subnet_App1-udr | App1 | 0.0.0.0/0 → NVA IP (Firewall) | To override system route pointing to Internet |
App1 | 10.2.0.0/16 → NVA IP (Firewall) | To override system route to VNet Address Space pointing to Virtual Network | |
App1 | 10.2.0.0/24 → Virtual Network | To override route above to enable direct communication for interfaces in App1 subnet | |
Shared-vnet-Subnet_App2-udr | App2 | 0.0.0.0/0 → NVA IP (Firewall) | To override system route pointing to Internet |
App2 | 10.2.0.0/16 → NVA IP (Firewall) | To override system route to VNet Address Space pointing to Virtual Network | |
App2 | 10.2.1.0/24 → Virtual Network | To override route above to enable direct communication for interfaces in App2 subnet | |
Secret-vnet-udr | Secret-vnet / *Subnets | 0.0.0.0/0 → NVA IP (Firewall) | To override system route pointing to Internet |
Secret-vnet / *Subnets | 10.3.0.0/16 → NVA IP (Firewall) | To override system route to VNet Address Space pointing to Virtual Network |
As you see, to implement Mode 2, you need a separate UDR resource for each subnet in the VNet, which complicates management unless it is fully automated.
To implement modes 1 and 3, a single route table object per VNet is enough.
Route table content can be enforced or checked for compliance with Azure Policies.
Security Zones
In some complex situations where you need flexibility to bypass firewall filtering between endpoints in different subnets, but keep filtering for any other subnets, you might need to implement a concept of security zones.
A Security Zone consists of subnets with the same level of trust. A security zone can be represented by a single subnet, a set of subnets in the same VNet, or even a set of subnets from different VNets (in rare cases, where it is required to peer VNets directly).
- The traffic within the same security zone can travel directly between VMs, bypassing the firewall; however, it can still be controlled on NSGs
- The traffic between different security zones should pass through the firewall for inspection.
For this to work, route tables should be configured for a combination of the security modes described.
We might call it Mode 1.5, in which some subnets are routed directly, but other subnets are still routed through a firewall.
I don’t encourage using this mode, but I describe it here to demonstrate the beauty of SDWAN flexibility.
In a nutshell, a VNet with a single security zone (all subnets equal) becomes Mode 1, and a VNet with security zones equal to the number of subnets becomes Mode 2.
I recommend using either mode 1 or 2 and keeping the option for Security zones for special occasions that might never happen.
UDR Name | Assigned to | Routes | Comments |
---|---|---|---|
Shared-vnet_Zone_App3-udr | App3_FE App3_BE |
0.0.0.0/0 → NVA IP (Firewall) | To override system route pointing to Internet |
App3_FE App3_BE |
10.2.0.0/16 → NVA IP (Firewall) | To override system route to VNet Address Space pointing to Virtual Network | |
App3_FE App3_BE |
10.2.2.0/16 → Virtual Network 10.2.3.0/24 → Virtual Network |
To override route above to enable direct communication between App3_FE and App3_BE | |
Shared-vnet-Zone_App4-udr | App4_FE App4_BE |
0.0.0.0/0 → NVA IP (Firewall) | To override system route pointing to Internet |
App4_FE App4_BE |
10.2.0.0/16 → NVA IP (Firewall) | To override system route to VNet Address Space pointing to Virtual Network | |
App4_FE App4_BE |
10.2.4.0/16 → Virtual Network 10.2.5.0/24 → Virtual Network |
To override route above to enable direct communication between App1_FE and App1_BE |
Filtering principles
Core rules at Firewall approach
In all cases, the regional firewall should enforce core security rules, such as filtering traffic between spokes, WAN (other regions and on-prem), and internets.
Pay special attention to filtering inbound and outbound internet traffic.
Control at destination approach
Besides core / foundational rules, like internet outbound, I recommend an approach where
- apply general traffic filtering at the destination (on FW or NSG) as inbound rules (app owners should know better who they want to let in)
- avoid applying filtering at the source as outbound rules (unless you don’t trust the app owners)
Doing this will give you a single control point without opening flows twice: at sources and destinations.
Firewall configuration
For spokes in Native security mode:
- Any undefined inbound and outbound traffic is allowed for this spoke VNet (but still managed on NSG)
- The traffic between the subnets of this spoke VNet is not passing through the firewall
For spokes in Traditional security mode:
- Any undefined inbound traffic is denied for this spoke VNet
- Outbound traffic from this spoke VNet is allowed by default
- Explicitly defined Inbound traffic is allowed
- The traffic between the subnets of Spoke VNet is passing through the firewall and should be explicitly opened
- Any traffic within the same subnet of this spoke VNet is not passing through the firewall (but still can be managed on NSG)
For spokes in MicroSeg security mode:
- Any undefined inbound and outbound traffic is denied for this spoke VNet
- Any traffic in the subnets of this spoke VNet is passing through the firewall and should be explicitly opened (no point to manage on NSG, unless required)
Here is an example of a firewall policy configuration to enable this model:
Rule Collection Group | From | To | Settings |
---|---|---|---|
Core outbound - Local | {All connected spokes} | {Local ranges} | Permitted core services, like AD, DSN, NTP, etc |
Core outbound - Internet | {All connected spokes} | {Internet} | Safe Internet destinations, like Azure Portal, Windows Update, etc |
Mode 1 - inbound | * | {All spokes in Mode 1} | Any traffic – not filtered on firewall, managed on NSG |
Mode 1 - outbound | {All spokes in Mode 1} | * | Any traffic – not filtered on firewall, managed on NSG |
Mode 2 - App1 - outbound | App1 Subnet | {Internet} | Rules for outbound traffic from App1 |
Mode 2 - App1 - inbound | * | App1 Subnet | Rules for inbound traffic from App1 |
Mode 2 - App1_to_App2 | App1 Subnet | App2 Subnet | Rules between App1 and App2 |
Mode 3 - NIC1 - inbound | NIC1 IP | {Internet} | Rules for outbound traffic from NIC1 in Secret Vnet |
Mode 3 - NIC1 - outbound | * | NIC1 IP | Rules publishing specific services on NIC1 in VNetVNet |
The rules above are for example only. You need to carefully consider the rules’ order to ensure that rules opening from Mode 1 do not affect traffic in Modes 2 and 3, since the same firewall is used for all networks.
This also shows the benefits of using NSG when you cannot fully trust the firewall configuration.
Network Security Groups
In Traditional and Native security modes,
- NSG management can be delegated to application owners so they can control their applications’ traffic independently
- NSGs are attached at the Subnet level. Attaching NSGs to individual NICs is not encouraged due to overkill management complexity and overlapping functionality with personal firewalls.
- If required, NSGs can be managed centrally via code or 3rd party solutions like AlgoSec
- Use of ASG is encouraged to simplify and organise NSGs, where possible (several services like load balancer IPs are not able to use ASG)
In MicroSeg Security Mode,
- Use of NSGs does not make a lot of sense, since the Firewall already filters all traffic, unless you need additional protection and logging on top of the Firewall
Here is an example of NSGs’ configuration to enable this model:
NSG | Source | Destination | Settings | Remarks |
---|---|---|---|---|
SAP-vnet-nsg | {Local ranges} | * | Allow In TCP_3389 | Opening flow to all destination in the VNet |
* | 10.1.2.0/24 | Allow In TCP_443 | Opening flow to GRC subnet | |
{Some Trusted Source} | {SAP_DB-asg} | Allow In TCP_1433 | Opening flow to specific ASG | |
* | * | Deny In * | Deny all not explicitly open inbound traffic | |
Shared-vnet_Subnet_App1-nsg | {Local ranges} | 10.2.0.0/24 | Allow In TCP_3389 | Opening flow to App1 subnet |
Shared-vnet_Subnet_App2-nsg | {Local ranges} | 10.2.1.0/24 | Allow In TCP_22 | Opening flow to App2 subnet |
Secret-vnet-nsg | {empty} | No point managing NSG for Mode 3 as everything is controlled on FW |
Application Security Groups
In Traditional and Native security modes:
- Use of ASG is encouraged to simplify and organise NSGs, where possible (several services like load balancer IPs are not able to use ASG)
- ASG may also be used to delegate some freedom to application teams, while NSG management is centralised and not in their control
In MicroSeg security mode:
- ASG may enable some flexibility when NSGs are still used in addition to the firewall
Here is an example of ASGs’ configuration of this model:
Network Interface Config | Member of ASG |
---|---|
SAP-GRC-DB01-nic SAP-GRC-DB02-nic SAP-CRM-DB01-nic SAP-CRM-DB02-nic |
SAP_DB-asg |
SAP-GRC-FE01-nic SAP-GRC-FE02-nic SAP-CRM-FE01-nic SAP-CRM-FE02-nic |
SAP_FE-asg |
Discussion
This page ended up much bigger than I initially expected, and might need polishing.
As usual, I’m happy to discuss this topic with you in LinkedIn comments. If you want to support this post to get more exposure, please use this link to react, comment, or repost.