What’s new in Azure network security at Microsoft Ignite 2022
Written in collaboration with @henryyan
Welcome to Microsoft Ignite 2022! Check out our recent blog for the network security related sessions at Ignite.
We’re excited to share the latest innovations in Azure network security that can help you protect against evolving threats, strengthen your security and compliance posture, and increase your agility and efficiency. This blog post gives you an overview of new capabilities for securing your network infrastructure and applications.
Azure Firewall Basic (Preview)
Azure Firewall is our cloud-native firewall that offers built-in high availability and cloud scalability to protect your resources within your virtual network. The Basic SKU for Azure Firewall delivers an enterprise-grade network firewall to SMBs at an affordable price point. You get essential network firewall capabilities, like L3-L7 filtering of East-West and North-South traffic with built-in threat intelligence to block malicious traffic. As a cloud-native service, Azure Firewall is easy to set up, configure, and manage, and requires zero maintenance. Azure Firewall integrates seamlessly with other Azure services like Microsoft Sentinel and Microsoft Defender for Cloud so you can gain more visibility into your environment and identify and respond to threats more quickly.
Policy Analytics (Preview)
IT teams are challenged with managing their firewall policies and rules and keeping them up to date. For large, geographically dispersed organizations, the process can be complex, leading to errors and increasing the risk of a security breach.
To help simplify the management and update of Azure Firewall policies and rules, we are introducing Policy Analytics for Azure Firewall, in preview. Policy Analytics provides insights, centralized visibility, and control over your Azure Firewall rules and policies. With policy insights, analytics, and recommendations, IT and security teams can improve their security posture and ensure compliance.
IP Protection (Preview)
DDoS attacks are becoming more frequent and advanced, with attack bandwidth growing and new attack vectors emerging. Azure DDoS Protection offers cloud-scale DDoS protection to defend against the largest and most sophisticated DDoS attacks.
IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensure your application is always protected. With IP Protection, you now have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates seamlessly with other Azure services so you can get real-time alerts, metrics, and insights to strengthen your security posture.
With IP Protection, you only pay for the public IP resources protected. The cost is a fixed $199/month for each public IP resource protected with no additional variable costs. Prices may vary by region. Billing for IP Protection will be effective starting on February 1, 2023.
For more details on pricing, visit the Azure DDoS Protection pricing page.
The existing Standard SKU will now be known as Network Protection.
Azure Web Application Firewall
Azure Web Application Firewall provides intelligent protection of your applications and APIs running in Azure or at the edge. Azure WAF attaches to Azure Front Door, our modern cloud CDN, to provide secure application delivery and stop security attacks at the network edge, closer to the source of the attack, with hundreds of edge locations around the world. Azure WAF also attaches to Azure Application Gateway, a highly scalable, regional load balancer, to protect your applications within Azure.
Global WAF
- DRS 2.1 ruleset (coming soon)
- Bot Manager 1.0 ruleset (GA)
DRS 2.1, which will be available soon, includes the latest Microsoft proprietary rules powered by Microsoft Threat Intelligence to protect against new attack signatures, increase the coverage and patches for specific vulnerabilities, and reduce the number of false positives.
Bot Manager 1.0 ruleset, which we released a few months ago, is also powered by Microsoft Threat Intelligence and supports classification for good, bad, and unknown bots to defend against malicious bot attacks more effectively.
Regional WAF
- Bot Manager 1.0 ruleset (coming soon)
- CRS 3.2 ruleset (GA)
- Per rule exclusions (GA)
For regional WAF with Azure Application Gateway, we have several recent updates that offer improved security, improved scalability, and better management of your web applications.
Bot Manager 1.0 ruleset will be generally available soon for WAF with Application Gateway.
Our new next-generation WAF engine delivers improved performance and scalability along with updated Core Rule Set 3.2, which provides comprehensive protection against the OWASP Top 10 security risks and protection against specific vulnerabilities like Log4J and SpringShell.
On WAF with Application Gateway, you now have the flexibility to exclude certain rules to reduce false positives and meet application-specific requirements.
Learn More – WAF on Azure Application Gateway.
Learn More – WAF on Azure Front Door.
Azure Bastion
- Native client support (GA)
- IP-based connection (GA)
The more public IP addresses a customer has attached to VMs in their virtual network, the larger their attack surface becomes and the more vulnerable they are to security threats. Azure Bastion provides secure and seamless RDP/SSH access to your VMs in local or peered virtual networks without the need for a public IP address.
We’ve expanded the options for connecting to your VMs using Azure Bastion, providing you with more flexibility to securely connect to VMs across Azure, on-premises, and other cloud platforms.
With native client support, you can now connect to your Azure VMs with familiar processes and tools using Azure CLI and a native client on your local machine. With IP-based connection, you can connect to your VMs in Azure, on-premises, or in other clouds with Azure Bastion over ExpressRoute and Site-to-Site VPN using a specified IP address. Both are now generally available.
Resources:
- Azure network security resources collection
- Azure Network Security Ninja Training (Microsoft Tech Community)
- Security Community Webinars recordings (Microsoft Tech Community)
- Azure Network Security Blog (Microsoft Community Hub)