3 Ways to Securely Connect to Your Azure Resources
There are many scenarios for connecting securely to your Azure resources, and how you handle them is part of your security posture in Azure. Before provisioning, consider how users will connect to the resource and how you will allow traffic to flow to it. Here are three options to have handy:
Private IPs - Deploying resources that use private IPs, such as virtual machines, is common in Azure. With this option you can use a couple of Azure-native resources to monitor and secure access to the resource. Network security groups (NSGs) allow or deny traffic to your Azure resource. Even if the resource has a public IP (usually not recommended, although some resources require one), an NSG still applies: the public IP is NATed to the private IP before the NSG rules are evaluated, so unwanted traffic is dropped there. Once only the traffic you want remains, you can use a Route Table with User Defined Routes (UDRs) to direct traffic to a Network Virtual Appliance (usually in the peered hub network of a hub-and-spoke model) for inspection and then on to the destination resource. This is a common and reliable way to secure traffic to most resources. Some Azure PaaS resources, such as APIM, App Service Environment and HDInsight, must communicate with the Azure control plane (backplane). NSG rules can allow communication with those services' published control plane public IPs (listed in the Azure documentation for each resource, and in some cases published as a service tag) so the services operate correctly while the rest of your environment stays locked down.
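As an added example (not code from the original post), here is how the NSG and UDR pattern above can be set up with the Az PowerShell module. The resource group, VNet and subnet names, address ranges, the NVA's hub IP and the APIM control-plane rule are assumptions for illustration; the VNet and the snet-app subnet are assumed to already exist.

```powershell
# Added example, not from the original post. Assumes an existing VNet "vnet-spoke"
# with a subnet "snet-app" (10.1.0.0/24) in resource group "rg-spoke-prod".
$rg    = "rg-spoke-prod"
$loc   = "eastus"
$nvaIp = "10.0.2.4"    # assumed private IP of the NVA in the peered hub VNet
$vnet  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-spoke"

# 1. NSG allow-list: only the management subnet may reach SSH on the app subnet.
#    Anything else inbound is dropped by the built-in DenyAllInBound rule (65500).
$allowSsh = New-AzNetworkSecurityRuleConfig -Name "allow-ssh-from-mgmt" `
    -Description "SSH from the hub management subnet only" `
    -Direction Inbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix "10.0.1.0/24" -SourcePortRange "*" `
    -DestinationAddressPrefix "10.1.0.0/24" -DestinationPortRange 22

# Control-plane allow for a PaaS service that needs it. Shown for API Management
# (management endpoint, TCP 3443) using its published service tag instead of a
# hand-maintained IP list; only needed if this subnet actually hosts an APIM instance.
$allowApimCp = New-AzNetworkSecurityRuleConfig -Name "allow-apim-control-plane" `
    -Description "Azure control plane to APIM management endpoint" `
    -Direction Inbound -Access Allow -Priority 110 -Protocol Tcp `
    -SourceAddressPrefix "ApiManagement" -SourcePortRange "*" `
    -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange 3443

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name "nsg-spoke-app" -SecurityRules $allowSsh, $allowApimCp

# 2. UDR: send the subnet's default route to the NVA so egress is inspected
#    before it leaves the spoke (the NVA forwards on to the real destination).
$toNva = New-AzRouteConfig -Name "default-via-nva" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $loc `
    -Name "rt-spoke-app" -Route $toNva

# 3. Attach the NSG and route table to the workload subnet and commit the VNet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-app" `
    -AddressPrefix "10.1.0.0/24" -NetworkSecurityGroup $nsg -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The SSH rule is deliberately scoped by both source and destination prefix; a `VirtualNetwork`-to-`VirtualNetwork` allow would also admit the other spokes once peering is in place. Keep the control-plane rule to the documented port for that service rather than opening the whole tag.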
Service Endpoints - Some Azure resources, such as Storage and Azure SQL Database, let you control access to the service's public endpoint through firewall settings on the resource. This setting lets you specify the virtual network and subnet from which traffic to the resource may originate; with a Service Endpoint enabled on that subnet, traffic to the service is identified by the subnet rather than by a public source IP, and the resource firewall matches on that identity. You can also allow or deny trusted Azure platform services access to the resource. It's important to note that this method only works for traffic originating inside Azure, because only Azure virtual networks/subnets can be selected in the firewall filter.
Azure Private Link - Particularly for Azure PaaS resources that do not have virtual network integration, Azure Private Link is a relatively new Azure service that lets you communicate with your Azure services over a private IP address in your virtual network. It addresses the on-premises scenario in which users or services need to connect from on-premises (over ExpressRoute or VPN) rather than from, say, a jump box on an Azure virtual network. Since that traffic does not originate from an Azure virtual network, Service Endpoints will not work there. Azure Private Link has two parts: the Private Endpoint and the Private Link service. The Private Link service is the Azure service you want to connect to privately (e.g. Storage, MySQL Database or another supported Azure PaaS service; the same mechanism also lets you expose your own service fronted by a Standard Load Balancer). The Private Endpoint is a NIC deployed within a subnet of your virtual network. That subnet must have the "privateEndpointNetworkPolicies" property set to Disabled, which can be done via ARM template, PowerShell or the Azure CLI; this makes the Private Endpoint ignore NSG/UDR rules on the subnet. At the time of this writing, custom UDRs and NSGs are not compatible with Private Endpoints. You can place the Private Endpoint in any subnet, even side-by-side with other resources; the other resources in the subnet still abide by whatever NSGs/UDRs are associated with it. The Private Endpoint can be in a different subscription or region from the Private Link service (your Azure PaaS resource). The Private Endpoint is essentially a read-only network interface deployed into your virtual network that connects to the service of your choosing; clients must then resolve the service's host name to that private IP, which is where DNS integration comes in. There are several scenarios for connecting securely to your Azure PaaS resources from on-premises this way. Please review the following documentation: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios
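As an added example (not code from the original post) covering both the Service Endpoint and the Private Link options above, here is one storage account locked down both ways with the Az PowerShell module: the public endpoint restricted to one subnet via a Service Endpoint, and a Private Endpoint for the blob service that on-premises clients can reach over private IP space. The resource group, VNet, subnet and storage account names and address ranges are assumptions; the VNet, the snet-app subnet and the storage account are assumed to already exist.

```powershell
# Added example, not from the original post. Assumes an existing storage account
# "stprodapp001" and VNet "vnet-spoke" with subnet "snet-app" in "rg-spoke-prod".
$rg     = "rg-spoke-prod"
$loc    = "eastus"
$saName = "stprodapp001"
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-spoke"

# --- Option 2: Service Endpoint (Azure-originated traffic only) ---------------
# Enable the Microsoft.Storage endpoint on the app subnet. Traffic from it to the
# storage public endpoint is then identified by subnet, which the firewall matches.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-app" `
    -AddressPrefix "10.1.0.0/24" -ServiceEndpoint "Microsoft.Storage" | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$appSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-app"

# Default-deny on the account, allow only that subnet, keep trusted Azure services.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName `
    -VirtualNetworkResourceId $appSubnet.Id | Out-Null

# --- Option 3: Private Endpoint (works for on-premises clients too) -----------
# A dedicated subnet for endpoint NICs. Network policies must be Disabled here:
# NSGs/UDRs on this subnet do not apply to the endpoint at the time of writing.
Add-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-pe" `
    -AddressPrefix "10.1.10.0/24" -PrivateEndpointNetworkPoliciesFlag "Disabled" | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$peSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-pe"

# One Private Endpoint per sub-resource (group ID); "blob" here. The target is the
# PaaS resource's own ID, so no separate Private Link service resource is created.
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$conn = New-AzPrivateLinkServiceConnection -Name "plsc-$saName-blob" `
    -PrivateLinkServiceId $storage.Id -GroupId "blob"
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Location $loc `
    -Name "pe-$saName-blob" -Subnet $peSubnet -PrivateLinkServiceConnection $conn

# Read back the private IP the endpoint NIC received. On-premises DNS must return
# this address for stprodapp001.blob.core.windows.net for the path to be private.
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$nic.IpConfigurations[0].PrivateIpAddress
```

With DefaultAction set to Deny, a client on-premises that still resolves the account to its public IP is refused by the storage firewall, so the DNS integration described in the linked scenarios is not optional: the privatelink zone (privatelink.blob.core.windows.net for the blob sub-resource) has to be resolvable from on-premises for the Private Endpoint to be used at all.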