Perimeter Protection
Overview
Network Perimeter Protection is an enterprise-driven effort that adds an extra layer of safeguarding and reinforces the implementation of corporate security policies, improving the overall security posture of cloud workloads. It is designed to provide defense, logical segmentation, and fast automated scaling for workloads while minimizing disruption.
The existing cloud controls fall short in detecting and preventing malicious network traffic; furthermore, best practices and standards are not uniformly followed during implementation.
Network perimeter protection ensures compliance with enterprise security policies, including but not limited to the security standard requiring that “All network services must pass through WAF rules, using only the defined protocols and services required to provide functionality”.
Detailed Description
The high-level perimeter protection diagram is:
Ingress Traffic
- The client initiates the connection to the custom domain of Azure Front Door, e.g., client1.optum.com. The request passes through the WAF (Web Application Firewall) first, where the WAF rules are evaluated against the client request, and is then forwarded to Azure Front Door. The custom domain is resolved to Front Door’s associated endpoint and route. Based on the route details, the request is forwarded to the public IP of the backend client Application Gateway (App GW client1), which sits in the Hub VNET of the connectivity subscription.
- As the request reaches the Application Gateway, it must first pass through the NSG (Network Security Group), which verifies that it arrived via Front Door. Requests from the Internet that try to hit the App GW’s public IP directly are blocked by the NSG; permitted requests are passed to the associated listener of the Application Gateway based on the host name value.
- The Application Gateway’s listener resolves the request to the corresponding backend pool located in the client’s VNET, which is peered to the Hub VNET in a Hub and Spoke architecture for private connectivity. The backend serves the client request, and the response is returned to the client along the same path, completing the flow.
- Front Door: Azure Front Door is Microsoft’s modern cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access between users and applications’ static and dynamic web content across the globe. Azure Front Door delivers content using Microsoft’s global edge network with hundreds of global and local points of presence (PoPs) distributed around the world, close to both enterprise and consumer end users.
- Application Gateway: Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to web applications.
- Azure Firewall: Azure Firewall is a cloud-native, intelligent network firewall security service that provides best-of-breed threat protection for cloud workloads running in Azure. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability, and it inspects both east-west and north-south traffic.
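The NSG check from the second ingress step, written here as an added Azure Bicep example rather than the team's own template; the NSG name is assumed, and the association with the App GW subnet is left to the template that declares that subnet.

```bicep
resource appGwNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-appgw-client1' // assumed name for the App GW client1 subnet NSG
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        // Only Front Door's backend address ranges may reach the HTTPS listener.
        name: 'AllowFrontDoorBackendHttps'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'AzureFrontDoor.Backend'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // Application Gateway v2 management traffic; the gateway is unhealthy without it.
        name: 'AllowGatewayManager'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
        }
      }
      {
        // Anything else arriving from the Internet at the public IP is dropped.
        name: 'DenyInternetInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

The built-in AzureLoadBalancer allow rule sits beneath these priorities, so health probes keep working. The service tag admits traffic from any Front Door profile, so the gateway should additionally check that the X-Azure-FDID header matches this profile's ID.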
Egress Traffic
- A connection is initiated in the client VNET to access an external website or an Azure PaaS service, e.g., Azure Key Vault or Azure Container Registry.
- By default, traffic egresses via a public IP. Rules can be added to the firewall to manage egress.
- Traffic originates in the client virtual network. If the client tries to connect to any external Internet-facing website or IP address, it must first pass through Azure Firewall.
- A route table placed in front of the client’s virtual network directs all outgoing Internet traffic to Azure Firewall.
- A NAT Gateway is placed in front of Azure Firewall to overcome SNAT limits.
- Azure Firewall blocks all outgoing Internet traffic by default.
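The egress path above (route table in front of the spoke, deny-by-default firewall with whitelisted rules) as an added Bicep example, not the team's own template; the firewall private IP, the policy name afwp-hub, the spoke range 10.20.0.0/16 and the Key Vault hostname are assumed values.

```bicep
param firewallPrivateIp string = '10.0.1.4' // assumed private IP of the hub Azure Firewall

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'afwp-hub' // assumed name of the hub firewall policy
}
// Sends every Internet-bound packet from the spoke through Azure Firewall.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-client1-egress'
  location: resourceGroup().location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// The firewall denies by default; this collection holds one whitelisted hostname
// from the egress intake form (spoke range and Key Vault FQDN are assumed).
resource clientEgressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'rcg-client1-egress'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'client1-allow-paas'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'client1-keyvault'
            sourceAddresses: [ '10.20.0.0/16' ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'kv-client1.vault.azure.net' ]
          }
        ]
      }
    ]
  }
}
```

The route table takes effect only once it is associated with each spoke subnet, and the NAT Gateway is attached to AzureFirewallSubnet separately.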
Log Alerts
- Alerts are triggered based on log data, which contains information about Front Door traffic. When the WAF blocks traffic based on the rule set, an email is sent at regular intervals to inform the operations team.
Custom Rule
- A custom rule is made up of one or more conditions followed by an action and is defined on the WAF. Any traffic that does not originate from the US is blocked at the WAF level by a custom rule.
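The custom geo rule described above, as an added Bicep example rather than the team's own WAF policy; the policy name and SKU are assumed, and a managed rule set is included because the standard requires all services to pass through WAF rules.

```bicep
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'wafpolicyclient1' // assumed; Front Door WAF policy names are alphanumeric only
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor' // assumed SKU
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention' // block matching requests rather than only logging them
    }
    customRules: {
      rules: [
        {
          // Geo-match on the client socket address, negated: any non-US source is blocked.
          name: 'BlockNonUSTraffic'
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'SocketAddr'
              operator: 'GeoMatch'
              negateCondition: true
              matchValue: [
                'US'
              ]
            }
          ]
        }
      ]
    }
    // Custom rules are evaluated before the managed rule set.
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
        }
      ]
    }
  }
}
```

Blocked requests appear in the Front Door WAF logs with the rule name, which is what the log alert above keys on.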
Benefits and Business Case
- Global delivery scale using Microsoft’s network: scale out and improve the performance of applications and content using Microsoft’s global cloud CDN and WAN. There are 118 edge locations across 100 metro cities connected to Azure via a private enterprise-grade WAN, so application latency can be improved up to 3 times.
- Accelerated application performance, by using Front Door’s anycast network and split TCP connections.
- Simple and cost effective: a single infrastructure (Hub) supports multiple clients (VNets), so costs are reduced significantly.
Responsibilities
Ingress
- Initial Setup: The client has to download the Ingress Intake form and fill in the required details. The client has to raise a ServiceNow ticket and attach the form to it. After the client application is onboarded, the client has to validate the ingress flow.
- Tier0: Services and infrastructure should be up and running at all times. Certificate maintenance: rotation of certificates before expiry.
- Client: Only in case of Error 403, raise a ServiceNow ticket to the Tier0 team. AKS should have proper ingress as per the onboarding form.
Egress
- Initial Setup: The client has to download the Egress Intake form and fill in the required details. The client has to raise a ServiceNow ticket and attach the form to it. After the whitelisting, the client has to validate the egress flow.
- Tier0: The Tier0 team will add the whitelisted rules to the firewall.
- Client: If a certain website or IP address needs to be whitelisted, the client has to fill in the onboarding form specifying the hostname and the source of the traffic. All whitelisted hostnames and IP addresses require proper justification and approval from the related stakeholders.
Operations & Maintenance
Front Door
- Front Door