Networking on Azure PaaS
Erwin Staal | @erwin_staal
Azure Architect
DevOps Consultant
@erwin_staal / ErwinStaal
Why Networking?

Our goal
VNet basics
• RFC 1918 private ranges are used for the VNet address space
  • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
• Smallest subnet: /29 -> 8 addresses, 3 usable hosts
• 5 IP addresses are reserved by Azure in every subnet
  • x.x.x.0: network address
  • x.x.x.1: reserved by Azure for the default gateway
  • x.x.x.2, x.x.x.3: reserved by Azure to map the Azure DNS IPs to the VNet space
  • x.x.x.255 (the last address of the subnet, whatever its size): network broadcast address
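The reserved-address rule above is easy to get wrong when sizing subnets for App Service integration or private endpoints, so here is an added example (mine, not from the deck) that applies it: it checks that an address space is RFC 1918, rejects anything smaller than /29, lists the five addresses Azure takes, and returns the usable host count. The CIDRs in the `__main__` block are constructed sample input.

```python
"""Usable addresses in an Azure VNet subnet, accounting for the five
addresses Azure reserves in every subnet. Added example, not part of the deck."""
import ipaddress
from typing import Dict, List

RFC1918_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED = 5        # network, default gateway, two DNS mappers, broadcast
AZURE_MAX_PREFIXLEN = 29  # /29 is the smallest subnet Azure accepts


def is_rfc1918(cidr: str) -> bool:
    """True when the whole network lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def azure_reserved_addresses(cidr: str) -> Dict[str, List[str]]:
    """The five addresses Azure reserves, keyed by their role."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example covers IPv4 subnets only")
    if net.prefixlen > AZURE_MAX_PREFIXLEN:
        raise ValueError(f"{net} is smaller than /29; Azure will not create it")
    base = int(net.network_address)

    def addr(offset: int) -> str:
        return str(ipaddress.ip_address(base + offset))

    return {
        "network address": [addr(0)],
        "default gateway": [addr(1)],
        "azure dns mapping": [addr(2), addr(3)],
        # for a /24 this is x.x.x.255; for a /29 it is the 8th address
        "broadcast (last address)": [str(net.broadcast_address)],
    }


def usable_hosts(cidr: str) -> int:
    """Addresses left for NICs, private endpoints, integration instances, etc."""
    net = ipaddress.ip_network(cidr, strict=False)
    azure_reserved_addresses(cidr)  # raises for non-IPv4 or anything smaller than /29
    return net.num_addresses - AZURE_RESERVED


if __name__ == "__main__":
    # constructed sample subnets
    for cidr in ("10.0.1.0/29", "10.0.1.0/24", "172.16.0.0/20"):
        scope = "rfc1918" if is_rfc1918(cidr) else "not rfc1918"
        print(f"{cidr}: {scope}, {usable_hosts(cidr)} usable hosts")
        for role, addrs in azure_reserved_addresses(cidr).items():
            print(f"    {role}: {', '.join(addrs)}")
```

Run it before carving up an address plan: a /29 for a private endpoint subnet leaves exactly three addresses, and a /28 for App Service VNet integration leaves eleven, which caps how far the plan can scale out.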
Private Link
• Access Azure PaaS services over a private endpoint: a NIC with a private IP address taken from your own subnet
• No public IP is needed on the PaaS service any more; disable public network access on the service as well, otherwise its public endpoint stays reachable next to the private one
• Traffic remains on the Microsoft network
• Integration with on-premises and peered networks, because the private IP is routable like any other VNet address
• Needs DNS: the service FQDN must resolve to the private endpoint IP (the privatelink.* private DNS zone), or clients keep going to the public endpoint
Private Link: supported services (status as shown in the talk)
Service                                        Regions              Status
Azure Storage                                  All public regions   GA
Azure Data Lake Storage Gen2                   All public regions   GA
Azure SQL Database                             All public regions   GA
Azure Synapse Analytics                        All public regions   GA
Azure Cosmos DB                                All public regions   GA
Azure Database for PostgreSQL - Single server  All public regions   GA
Azure Database for MySQL                       All public regions   GA
Azure Database for MariaDB                     All public regions   GA
Azure Key Vault                                All public regions   GA
Azure Kubernetes Service - Kubernetes API      All public regions   GA
Azure Search                                   All public regions   GA
Azure Container Registry                       All public regions   GA
Azure App Configuration                        All public regions   Preview
Azure Backup                                   All public regions   GA
Azure Event Hub                                All public regions   GA
Azure Service Bus                              All public regions   GA
Azure Relay                                    All public regions   Preview
Azure Event Grid                               All public regions   GA
Azure Web Apps                                 All public regions   Preview
App Service VNet Integration
• Lets your App Service join a VNet (a dedicated subnet) for outbound (egress) traffic
• Allows you to access resources in your VNet in the same region
• Requires a Standard or PremiumV2 App Service Plan
• You can block outbound traffic with an NSG on the integration subnet
• App Settings for additional config, e.g. WEBSITE_VNET_ROUTE_ALL=1 to send all outbound traffic into the VNet (so NSGs and route tables also apply to internet-bound traffic) and WEBSITE_DNS_SERVER to use your own DNS
• Egress only: inbound traffic still arrives on the app's public endpoint; use access restrictions or a private endpoint for that side
Service Endpoint
• Provides a secure and direct connection from a subnet to Azure services, enabled per subnet and per service (e.g. Microsoft.Storage)
• Traffic from your VNet to the Azure service remains on the Microsoft network, and the service sees the VNet private address as the source
• Lock down access to e.g. a Web App or a storage account to specific VNet subnets via the service's firewall rules
• The public IP of the service is still being used: the service endpoint filters who may reach that public endpoint, it does not give the service a private address
• Only works from inside the VNet: on-premises clients coming in over VPN or ExpressRoute still need an IP firewall rule (or Private Link)
Service Endpoint: supported services
• Azure Storage
• Azure SQL Database
• Azure SQL Data Warehouse
• Azure Database for PostgreSQL server
• Azure Database for MySQL server
• Azure Database for MariaDB
• Azure Cosmos DB
• Azure Key Vault
• Azure Service Bus
• Azure Event Hubs
• Azure Data Lake Store Gen 1
• Azure App Service
• Public Preview: Azure Container Registry
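The Private Link and Service Endpoint sections above describe three different reachability models for the same PaaS resource: a public endpoint behind a firewall, a public endpoint filtered to service-endpoint subnets, and a private endpoint with public access disabled. The added example below (mine, not from the talk) classifies a storage account into one of these from its configuration JSON. The records are constructed, and the field names (`publicNetworkAccess`, `networkRuleSet`, `privateEndpointConnections`) are assumed to follow the JSON that `az storage account show` returns.

```python
"""Classify how reachable an Azure storage account is from the network.
Added example; input records are constructed and the field names are assumed
to follow the `az storage account show` output (networkRuleSet etc.)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Exposure:
    # "public" | "service-endpoint" | "ip-allowlist" | "private-link" | "none"
    path: str
    # True while the service's public IP still answers to at least some source
    public_endpoint_open: bool
    notes: List[str] = field(default_factory=list)


def classify_exposure(account: dict) -> Exposure:
    rules = account.get("networkRuleSet") or {}
    default_action = (rules.get("defaultAction") or "Allow").lower()
    ip_rules = rules.get("ipRules") or []
    vnet_rules = rules.get("virtualNetworkRules") or []
    endpoints = [
        c for c in account.get("privateEndpointConnections") or []
        if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]
    notes: List[str] = []

    # Private Link done properly: public access switched off, only the private IP answers.
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        if endpoints:
            notes.append(f"{len(endpoints)} approved private endpoint(s); public endpoint rejects everything")
            return Exposure("private-link", False, notes)
        notes.append("public access disabled and no approved private endpoint: nothing can reach it")
        return Exposure("none", False, notes)

    # Firewall default Allow: the public IP is reachable from any internet source.
    if default_action == "allow":
        notes.append("firewall default action is Allow: any source may attempt authenticated access")
        if endpoints:
            notes.append("private endpoints exist but do not close the public endpoint")
        return Exposure("public", True, notes)

    # Default Deny with service endpoint / IP rules: still the public IP, just filtered.
    for r in vnet_rules:
        notes.append("service endpoint subnet allowed: " + r["virtualNetworkResourceId"].rsplit("/", 1)[-1])
    for r in ip_rules:
        notes.append("public IP allow-listed: " + r["ipAddressOrRange"])
    if endpoints:
        notes.append(f"{len(endpoints)} approved private endpoint(s) in addition to the public rules")
    if vnet_rules:
        return Exposure("service-endpoint", True, notes)
    if ip_rules:
        return Exposure("ip-allowlist", True, notes)
    notes.append("default Deny with no rules: only a trusted-services bypass (if set) reaches the public endpoint")
    return Exposure("private-link" if endpoints else "none", False, notes)


# --- constructed sample accounts (not real resources) ---
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app")

PUBLIC_ACCOUNT = {
    "name": "stpublicdemo",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [],
}
SERVICE_ENDPOINT_ACCOUNT = {
    "name": "stsvcepdemo",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
        "virtualNetworkRules": [{"action": "Allow", "state": "Succeeded", "virtualNetworkResourceId": SUBNET_ID}],
    },
    "privateEndpointConnections": [],
}
PRIVATE_LINK_ACCOUNT = {
    "name": "stplinkdemo",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [{"name": "pe-blob", "privateLinkServiceConnectionState": {"status": "Approved"}}],
}

if __name__ == "__main__":
    for acct in (PUBLIC_ACCOUNT, SERVICE_ENDPOINT_ACCOUNT, PRIVATE_LINK_ACCOUNT):
        result = classify_exposure(acct)
        print(f"{acct['name']}: {result.path}, public endpoint open={result.public_endpoint_open}")
        for note in result.notes:
            print("    -", note)
```

The point the classifier makes explicit is the "Public IP is still being used" bullet: a service-endpoint account and an IP-allow-listed account both come back with the public endpoint open, and only the account with `publicNetworkAccess` disabled and an approved private endpoint is truly off the internet.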
Access Restrictions on Web Apps
• Define a priority-ordered allow/deny list that controls network access to your app: the lowest priority number is evaluated first and the first matching rule wins
• Rules match IP addresses/CIDR ranges or Azure Virtual Network subnets (a subnet rule requires a Microsoft.Web service endpoint on that subnet)
• As soon as one rule exists, unmatched traffic is denied by an implicit "Deny all" rule at the end of the list
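To make the priority and implicit-deny semantics concrete, here is an added example (my own code, not from the talk or from Azure) that evaluates a list of access restriction rules against an incoming request. The rule records are constructed and their shape (`ipAddress`, `action`, `priority`, `vnetSubnetResourceId`) is assumed to follow the `ipSecurityRestrictions` list the Azure CLI returns for a web app; the tie-break between rules of equal priority is this example's own conservative choice, not documented behaviour.

```python
"""Evaluate App Service access restriction rules against a request.
Added example; rule records are constructed in the (assumed) shape of the
`ipSecurityRestrictions` list returned by `az webapp config access-restriction show`."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    client_ip: str
    # Resource ID of the subnet the request came from when it arrived through a
    # Microsoft.Web service endpoint; None for ordinary internet traffic.
    source_subnet_id: Optional[str] = None


def _matches(rule: dict, req: Request) -> bool:
    subnet = rule.get("vnetSubnetResourceId")
    if subnet:  # subnet rule: only the service-endpoint source identity counts
        return req.source_subnet_id is not None and req.source_subnet_id.lower() == subnet.lower()
    cidr = rule.get("ipAddress") or "Any"
    if cidr == "Any":
        return True
    return ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: List[dict], req: Request) -> Tuple[str, str]:
    """Return (action, rule name). Lowest priority number first, first match wins.
    On equal priority this example lets Deny win (an assumption, chosen to fail closed)."""
    ordered = sorted(rules, key=lambda r: (r.get("priority", 2**31 - 1), r.get("action", "Allow") != "Deny"))
    for rule in ordered:
        if _matches(rule, req):
            return rule.get("action", "Allow"), rule.get("name", "<unnamed>")
    # Once any explicit rule exists, unmatched traffic hits an implicit "Deny all";
    # with no rules at all the app keeps its default "Allow all".
    return ("Deny", "<implicit deny all>") if rules else ("Allow", "<default allow all>")


# --- constructed sample rule set (not a real app) ---
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app")

RULES = [
    {"name": "block-office-range", "action": "Deny", "priority": 100, "ipAddress": "203.0.113.0/24"},
    # lower number than the block rule, so one host in that range is still let in
    {"name": "allow-jump-host", "action": "Allow", "priority": 50, "ipAddress": "203.0.113.10/32"},
    {"name": "allow-app-subnet", "action": "Allow", "priority": 200, "vnetSubnetResourceId": SUBNET_ID},
]

if __name__ == "__main__":
    for req in (Request("203.0.113.10"), Request("203.0.113.20"),
                Request("10.1.2.3", SUBNET_ID), Request("198.51.100.7")):
        action, name = evaluate(RULES, req)
        print(f"{req.client_ip} via {req.source_subnet_id or 'internet'}: {action} ({name})")
```

The jump-host case is the one worth checking in a review: an Allow with a lower number than a broader Deny punches a hole through it, and the ordering is by the number, not by the order rules were created in.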
VNet VPN Gateway
• Virtual network gateway used to send encrypted traffic between
  • an Azure virtual network and an on-premises location
  • Azure virtual networks, over the Microsoft network
• Connection types
  • Site-to-Site and Multi-Site (IPsec/IKE tunnels)
  • VNet-to-VNet connections
  • ExpressRoute (private circuit with its own gateway type; the circuit itself is not encrypted by the gateway by default)
  • Point-to-Site VPN
    • Authentication: Certificate, Azure AD, RADIUS
    • OpenVPN protocol (required when using Azure AD authentication)
Third-party solutions

Thank you!
Erwin Staal | @erwin_staal

Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azure focused 87th Devclub.lv
