Build DMZ in Azure Cloud | Blog by Raihan Al-Beruni
Dec 10, 2023
Azure routes traffic between Azure, on-premises, and Internet resources. Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. You can override some of Azure’s system routes with custom routes, and add additional custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes in a subnet’s route table.
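To make the route selection described above concrete, the following Python model is an added example (not code from this post or from Microsoft) of how Azure picks a next hop for a packet leaving a subnet: longest prefix match across the system default routes and any custom routes, and when prefix lengths tie, a user-defined route beats a BGP-learned route, which beats a system route. It first checks the address plan from the table further down for overlaps, because the S2S VPN and ExpressRoute links that table describes require disjoint address space. The firewall NVA address 10.11.0.4 and the choice of which routes are user-defined versus BGP-learned are assumptions for illustration.

```python
import ipaddress
from itertools import combinations

# Address plan from the example table on this page. All four sites are linked
# by S2S VPN or ExpressRoute, so their prefixes must not overlap.
ADDRESS_PLAN = {
    "vNET1 (Australia East)": ["10.11.0.0/16", "10.12.0.0/16"],
    "On-prem Australia East": ["10.41.0.0/16"],
    "vNET2 (Australia Southeast)": ["10.51.0.0/16"],
    "On-prem Australia Southeast": ["10.100.0.0/16", "10.101.0.0/16"],
}

def overlapping_prefixes(plan):
    """Return (site_a, prefix_a, site_b, prefix_b) for each pair of prefixes
    belonging to different sites that overlap; an empty list means the plan
    can be connected without NAT."""
    flat = [(site, ipaddress.ip_network(p)) for site, prefixes in plan.items()
            for p in prefixes]
    return [(sa, str(na), sb, str(nb))
            for (sa, na), (sb, nb) in combinations(flat, 2)
            if sa != sb and na.overlaps(nb)]

# When two routes have the same prefix length Azure prefers, in order,
# user-defined routes, BGP-learned routes, then system routes.
PRECEDENCE = {"user": 0, "bgp": 1, "system": 2}

def system_routes(vnet_prefixes):
    """The default routes Azure places in every subnet's route table."""
    return [(p, "VirtualNetwork", "system") for p in vnet_prefixes] + [
        ("0.0.0.0/0", "Internet", "system"),
        ("10.0.0.0/8", "None", "system"),
        ("172.16.0.0/12", "None", "system"),
        ("192.168.0.0/16", "None", "system"),
        ("100.64.0.0/10", "None", "system"),
    ]

def resolve_next_hop(dest_ip, routes):
    """Pick the route Azure would use: longest prefix match, ties broken by
    PRECEDENCE. Returns (next_hop, route_source)."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [(ipaddress.ip_network(p), hop, src) for p, hop, src in routes
                  if addr in ipaddress.ip_network(p)]
    _, hop, src = max(candidates,
                      key=lambda r: (r[0].prefixlen, -PRECEDENCE[r[2]]))
    return hop, src

# Route table for the DMZ subnets in vNET1. The firewall NVA address 10.11.0.4
# and the user/BGP labels are assumptions for illustration.
DMZ_ROUTES = system_routes(ADDRESS_PLAN["vNET1 (Australia East)"]) + [
    ("0.0.0.0/0", "VirtualAppliance 10.11.0.4", "user"),  # Internet via the NVA
    ("10.41.0.0/16", "VirtualNetworkGateway", "user"),    # on-prem over S2S VPN
    ("10.51.0.0/16", "VirtualNetworkGateway", "bgp"),     # vNET2 over ExpressRoute
]

if __name__ == "__main__":
    print("overlaps:", overlapping_prefixes(ADDRESS_PLAN))
    for dest in ["10.11.2.5", "8.8.8.8", "10.41.3.7", "10.51.9.9", "10.77.0.1"]:
        print(dest, "->", resolve_next_hop(dest, DMZ_ROUTES))
```

The two results worth noticing: the user-defined 0.0.0.0/0 route wins over the system Internet route only because they tie on prefix length, so Internet-bound traffic is forced through the NVA; but a destination such as 10.77.0.1, which is private space not covered by any custom route, is still dropped by the more specific system route for 10.0.0.0/8 rather than sent to the NVA. If the firewall is supposed to see that traffic, a user-defined route for the range has to be added explicitly.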
You can build a DMZ in Azure within your subscription or tenant. The concept of a DMZ or perimeter network is not new: a DMZ is a layered network security approach that minimizes the attack surface of an application.
A DMZ architecture is made up of either two or three layers of protection, with additional user-defined routes and firewall rules. Azure filters network traffic to and from resources in a virtual network using network security groups (NSGs) and network virtual appliances (NVAs).
Workload placement in a simple DMZ:
  1. Untrusted Network (Layer 1, FrontEnd NSG): WAP server, non-domain-joined computers, Exchange Edge server
  2. Trusted Network (Layer 2, BackEnd NSG): Domain Controller, file server, print server, RDS, database and ADFS server
Figure: Simple DMZ example (source: Microsoft)
Workload placement in an advanced DMZ:
  1. Extranet (Layer 1, external public-facing): a firewall network virtual appliance
  2. Untrusted Network (Layer 2, FrontEnd NSG): WAP server, non-domain-joined computers, Exchange Edge server
  3. Trusted Network (Layer 3, BackEnd NSG): Domain Controller, file server, print server, RDS, database and ADFS server
Figure: Advanced DMZ example (source: Microsoft)
Example Address Spacing

| Location | vNET | Address Space | Connectivity to other region |
| --- | --- | --- | --- |
| Azure Australia East | vNET1 | 10.11.0.0/16, 10.12.0.0/16 | ExpressRoute or S2S VPN to Azure Australia Southeast |
| Australia East on-premises | On-prem | 10.41.0.0/16, 10.41.0.0/16 | S2S VPN to Azure Australia East |
| Azure Australia Southeast | vNET2 | 10.51.0.0/16, 10.51.0.0/16 | ExpressRoute or S2S VPN to Azure Australia East |
| Australia Southeast on-premises | On-prem | 10.100.0.0/16, 10.101.0.0/16 | S2S VPN to Azure Australia Southeast |
Hybrid Network Workloads Placement
Figure: Hybrid network example (source: Microsoft)
Best Practices
Follow Azure networking best practices and their three basic principles: segment, control and enforce.
  • Segment: carve multiple subnets out of a single vNET that has a large address space. Use the RFC 1918 private ranges, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (often loosely called the Class A, B and C private ranges), and give the trusted and untrusted tiers their own address ranges (x.x.x.x/22 each) in separate subnets.
  • Control: create multiple NSGs and associate the FrontEnd NSG with the untrusted subnet and the BackEnd NSG with the trusted subnet, so that traffic to and from each tier is controlled. NSGs are simple, stateful packet filters that use the 5-tuple (source IP, source port, destination IP, destination port and layer-4 protocol) to build allow/deny rules; rules are evaluated in priority order and the first match wins.
  • Enforce: use NSG rules to allow only the TCP and UDP traffic each tier actually needs, and user-defined routes to send traffic through a network virtual appliance; always use an NVA and a perimeter network for enterprise Azure deployments. Do not expose RDP on workload VMs: allow RDP in the FrontEnd NSG only to a jump box in the DMZ, and reach the backend workloads from that jump box.
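The placement lists above and the Control and Enforce bullets come down to two NSGs whose rules are evaluated in priority order. The following Python model is an added example, not code from this post or from Microsoft: it reproduces NSG inbound evaluation (lowest priority number first, first match wins, with Azure's default rules at 65000, 65001 and 65500) over a constructed FrontEnd and BackEnd rule set for vNET1. The subnet prefixes 10.11.0.0/22 and 10.11.4.0/22, the jump box address 10.11.0.10, the host addresses, the rule priorities and the simplified meaning of the Internet and VirtualNetwork service tags are assumptions. The last scenario shows the caveat that is most often missed: the default AllowVnetInBound rule lets the untrusted subnet reach the trusted one on any port unless an explicit deny is added below priority 65000.

```python
import ipaddress
from dataclasses import dataclass

# Assumed layout inside vNET1 (10.11.0.0/16 from the address table): an untrusted
# frontend /22 and a trusted backend /22, plus a jump box in the frontend tier.
FRONTEND = "10.11.0.0/22"
BACKEND = "10.11.4.0/22"
JUMPBOX = "10.11.0.10/32"
# What the VirtualNetwork service tag covers here: the vNET's own address
# space plus the on-prem range reached through the gateway (assumed).
VIRTUAL_NETWORK = ["10.11.0.0/16", "10.12.0.0/16", "10.41.0.0/16"]

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, "*" or a service tag
    dest: str       # CIDR, "*" or a service tag
    dest_port: str  # "443", "1024-65535" or "*"

# Azure's default inbound rules, present in every NSG and not removable.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "Deny", "*", "*", "*", "*"),
]

def _addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in ipaddress.ip_network(p) for p in VIRTUAL_NETWORK)
    if spec == "Internet":  # simplified: address space outside the virtual network
        return not _addr_matches("VirtualNetwork", ip)
    if spec == "AzureLoadBalancer":  # the platform health-probe source address
        return addr == ipaddress.ip_address("168.63.129.16")
    return addr in ipaddress.ip_network(spec)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(rules, protocol, src_ip, dst_ip, dst_port):
    """Return (access, priority) of the first matching rule, as an NSG does.
    NSGs are stateful: only the flow-opening packet is evaluated, and the
    reply traffic of an allowed flow is permitted automatically."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _addr_matches(rule.source, src_ip)
                and _addr_matches(rule.dest, dst_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.priority
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")

# Untrusted tier: publish HTTPS (WAP in front of ADFS) and RDP to the jump box
# only. In production narrow the RDP source from "Internet" to admin addresses.
FRONTEND_NSG = [
    Rule(100, "Allow", "Tcp", "Internet", FRONTEND, "443"),
    Rule(110, "Allow", "Tcp", "Internet", JUMPBOX, "3389"),
]

# Trusted tier: WAP -> ADFS over 443, RDP from the jump box only, and an
# explicit deny for everything else from the untrusted tier. Without rule 4000
# the default AllowVnetInBound (65000) would let the frontend reach any port.
BACKEND_NSG = [
    Rule(100, "Allow", "Tcp", FRONTEND, BACKEND, "443"),
    Rule(110, "Allow", "Tcp", JUMPBOX, BACKEND, "3389"),
    Rule(4000, "Deny", "*", FRONTEND, BACKEND, "*"),
]
BACKEND_NSG_WITHOUT_DENY = BACKEND_NSG[:2]  # the common misconfiguration

if __name__ == "__main__":
    # Constructed flows: an Internet client (203.0.113.5), the WAP server
    # (10.11.0.20), the ADFS server (10.11.4.10) and a database (10.11.4.50).
    for nsg, name, flow in [
        (FRONTEND_NSG, "frontend", ("Tcp", "203.0.113.5", "10.11.0.20", 443)),
        (FRONTEND_NSG, "frontend", ("Tcp", "203.0.113.5", "10.11.0.20", 3389)),
        (BACKEND_NSG, "backend", ("Tcp", "10.11.0.20", "10.11.4.10", 443)),
        (BACKEND_NSG, "backend", ("Tcp", "10.11.0.20", "10.11.4.50", 1433)),
        (BACKEND_NSG_WITHOUT_DENY, "backend w/o deny", ("Tcp", "10.11.0.20", "10.11.4.50", 1433)),
    ]:
        print(name, flow, "->", evaluate_inbound(nsg, *flow))
```

The explicit deny at priority 4000 is what turns two subnets into two trust tiers: with it, a compromised WAP server in the untrusted subnet can open only port 443 to the backend, and RDP into the backend is possible only from the jump box; without it, the same WAP server reaches the database on 1433 through the default AllowVnetInBound rule even though no rule ever mentioned that port.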