Azure Virtual Network and PaaS Network Controls

  • Published 21 Aug 2024
  • In this video I walk through key network security controls related to virtual networks and PaaS service interaction including Network Security Groups, Service Tags, Service Endpoints, Service Endpoint Policies and Private Endpoints with Private Link. We'll even sneak a peek at the internal route table.
    Files and whiteboard at github.com/joh...
    Other links referenced:
    IP download www.microsoft....
    Service Tags - docs.microsoft...
    Service Endpoints - docs.microsoft...

Comments • 119

  • @gauravraw
    @gauravraw 2 years ago +24

    Sir John, I have seen hours and hours of your content by now and have also spent considerable amount of time on videos by other creators. Not to negate others' work but in my humble opinion, you have a special gift when it comes to explaining the concepts. For students and IT professionals looking for training in Azure, you are really doing God's work. Thank you

    • @NTFAQGuy
      @NTFAQGuy  2 years ago

      That is very kind of you to say, thanks for the great compliment 🤙🙏

  • @WhyM0013Y
    @WhyM0013Y months ago

    I've never been happier in my life to have found someone, I felt stuck before, I don't know how you get it through so well but you do. Thanks a lot John, absolute life saver

  • @mauriciozaragoza3709
    @mauriciozaragoza3709 3 years ago +7

    Thank you very much for the video John. As I always say: you are saving us from googling/discarding/re-googling/finding/reading/understanding/re-reading a lot of documents. The explanation is great every time. Thanks for your videos. I lost count of how many times I have been grateful to find one of your materials when I am struggling. Keep up the good work please!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Thank you, glad it’s useful

  • @allthingsdata
    @allthingsdata 2 years ago +1

    As always, so good. Just nicely summarizes the most important points rather than me trying to connect the many dots from the docs and being confused how it fits together. Thanks!

  • @vchandm23
    @vchandm23 2 years ago +1

    Finally, I understood the fundamental difference between Service Endpoint vs Private Endpoint. My goodness, the best explanation ever!

  • @anukaw1819
    @anukaw1819 2 years ago +1

    Thanks John. I was under the impression that applying an NSG at subnet level and also applying an NSG at VM level was going to offer double protection. Thanks for the clarification 😃

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +2

      Nope :)

  • @bcchagas
    @bcchagas 2 years ago +1

    It very quickly became my main source of knowledge for Azure. Wish I'd known the channel before. Thanks for another great video. Really appreciated. It's not easy to organize and explain so much in so little time.

    • @NTFAQGuy
      @NTFAQGuy  2 years ago

      Thank you 🙏

  • @sevensolutions77
    @sevensolutions77 10 months ago

    You sir are so much better than every other Azure expert you need to pay for. Your videos help me a lot. ❤👍

    • @NTFAQGuy
      @NTFAQGuy  10 months ago

      Wow, thanks

  • @philipvandenheever2084
    @philipvandenheever2084 7 months ago

    You have really explained this complex topic well. Hats off Bud, Chat-GPT ain't no threat to you!

  • @NdamuleloNemakh
    @NdamuleloNemakh 2 years ago +1

    You are making it enjoyable to learn Azure, thanks!

  • @anuraggupta6556
    @anuraggupta6556 3 years ago

    You are the Superman of Azure... Every video of yours is just perfect and the best available on YouTube. The concepts explained are so crystal clear that you don't need to look anywhere else for doubts.

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      That’s very kind, thank you

  • @johnjacob694
    @johnjacob694 a year ago

    Dude that was the best distilled explanation of all that verbose MSFT documentation. Thank you so much!!! I'm working on a project designing an Azure architecture with subnets. It's good to know that PaaS services don't require a protected subnet if we can use private links, if I'm understanding right.

  • @meatycash7819
    @meatycash7819 2 years ago

    Thanks so much for these clear and well explained videos. So many others, and even the MS docs I find, speak in riddles, adding to confusion; watching your videos gives me clarity and peace of mind.

    • @NTFAQGuy
      @NTFAQGuy  2 years ago

      Glad I can help.

  • @MrYuk0709
    @MrYuk0709 2 years ago

    Awesome John! Indeed you completed my understanding of the networking and cleared my doubt from the last video. You are one of my best mentors in Azure, really appreciate it.

  • @harvestingdata
    @harvestingdata 3 years ago

    In-depth explanation. Awesome. Thank you John.

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Welcome, thanks for watching

  • @AndyParka
    @AndyParka 4 years ago

    Mate, your video deserves more views and likes. You are clear, concise and the most valuable source of Azure knowledge online. Keep up the excellent work!

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      Just takes time :) appreciate the kind feedback. Stay safe.

  • @edemfromeden5432
    @edemfromeden5432 2 years ago

    John your content == pure gold ! Thanks a lot !

  • @saiharsha3541
    @saiharsha3541 3 years ago

    Couldn't find a better explanation other than this. Thanks for the great content!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Very welcome

  • @monsterpuss
    @monsterpuss 4 years ago +1

    Loving the fact that you're now surfacing this sort of stuff on TH-cam - I've long followed your material on PluralSight and have found it very valuable in the past. Not sure if you're looking for suggestions on more things to cover, but here are a couple from me: (a) Could you shed a bit more light on the various ExpressRoute peering options (Microsoft Peering vs Private Peering) as this also seems to come into play when it comes to consuming PaaS services in a hybrid environment. (b) Some pieces on Azure Firewall/Firewall Manager would also be helpful!

    • @NTFAQGuy
      @NTFAQGuy  4 years ago +1

      Thanks. I have an expressroute deep dive already. Not looking to do anything beyond that on expressroute.

  • @markkuijper1802
    @markkuijper1802 4 years ago +3

    Very good video John. I thought I knew everything about Azure networking. I was wrong...
    I don't understand your statement about using Service Endpoint policies for data filtration (limiting data export) though. When I have a Service Endpoint defined for storage in region A and a policy for account SA01, I can still connect through the Internet to storage in regions B, C, D and to non-Azure storage (Dropbox, Box, etc.). Can't I?
    So basically I think you should do data filtration/monitoring through UDRs to Azure Firewall and there log and control whatever goes out. Azure Firewall is currently very limited in this area though, because you cannot specify tags like "block download sites", "block adult sites", "block etc." (category based). You either have to use an NVA for this (Fortigate, Checkpoint, Barracuda, etc.) or do this as part of your external DNS lookup system (OpenDNS for example). And then you still have PaaS platforms (web services, Azure Functions, etc.) that get data and communicate directly to the Internet without going through your Azure Firewall/NVA/data monitoring solution and copy corporate data to wherever they like.
    So I think the topic of data filtration/monitoring, i.e. data leakage, is a far more complicated topic than just setting a Service Endpoint Policy....

    • @NTFAQGuy
      @NTFAQGuy  4 years ago +2

      Not saying it's the complete story, but that is the goal of policies, to help there. Certainly for the complete story there are more parts, but my goal was to talk about what the native components in Azure do.

  • @jaylee3941
    @jaylee3941 3 years ago

    Brilliant as always! Pity 95% of viewers can't be bothered to hit like!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Thanks! Appreciated.

  • @shri00577
    @shri00577 a year ago

    Thanks for one more in-depth session

  • @allthebeesaredead188
    @allthebeesaredead188 4 years ago

    So good. Great clarity. I'm using service endpoints for an AKS subnet and an Azure MySQL DB but I didn't know about service endpoint policies, so that was really useful

    • @NTFAQGuy
      @NTFAQGuy  4 years ago +1

      Awesome, today the policies are focused on storage but who knows over time :-)

  • @verdaguer15
    @verdaguer15 3 years ago

    Thanks as always for such a useful video!!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      Glad it was helpful!

  • @KelvinGalabuzi
    @KelvinGalabuzi 4 years ago

    This is a very good video John. Thanks for keeping us up-to-speed with Azure

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      My pleasure. Thanks for watching

  • @RafalKostrzynski
    @RafalKostrzynski 3 years ago

    Great content. Many thanks John.

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Very welcome

  • @rahulchoudhury7968
    @rahulchoudhury7968 a year ago

    Thank you for the explanation.

  • @dosto-evsky
    @dosto-evsky 4 years ago

    Awesome, thank you Sir John, very informative as usual, clears a lot of key networking concepts in Azure, a lot of info that falls into place and easy enough to digest with simple explanation. Cheers.

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      Glad was useful.

  • @spondichy
    @spondichy 4 years ago

    Extremely useful video! Thank you for sharing your knowledge and very clear explanations.

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      My pleasure.

  • @Deepak9728
    @Deepak9728 4 years ago

    Thanks John for this excellent video.

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      Glad it was useful.

  • @roger-taylor
    @roger-taylor 4 years ago

    Thanks John. Really useful overview

    • @NTFAQGuy
      @NTFAQGuy  4 years ago +1

      Glad you enjoyed it

  • @JeffGoodwins
    @JeffGoodwins 4 years ago

    Great video, clear and concise as always. Thanks!

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      Glad you liked it! Appreciate the feedback.

  • @RohitJadhav-ik8gt
    @RohitJadhav-ik8gt 3 years ago

    Very well explained 👍

  • @markpotter8766
    @markpotter8766 4 years ago

    Another great video - thanks John.

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      Thanks, glad you liked it.

  • @P88DAL
    @P88DAL 4 years ago

    Another great video, John.

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      Glad you enjoyed it!

  • @gauravsharma8220
    @gauravsharma8220 2 years ago

    You are great again

  • @zhiliaev
    @zhiliaev 3 years ago +1

    Brilliant video, as the others! Thank you! Do you have a separate video for NVA and Azure Firewall?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Glad you like the video, thanks! Any videos would be searchable on the site. Always adding new stuff.

  • @johnmoore1970
    @johnmoore1970 4 months ago

    Amazing!!!!!

  • @moizkamran6081
    @moizkamran6081 3 years ago

    Great Video John!

  • @eduardomdossantos139
    @eduardomdossantos139 3 years ago

    Great video as always!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Glad you enjoyed!

  • @IlkinJamalli
    @IlkinJamalli 3 years ago

    AMAZING, as usual!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Thank you! Cheers!

  • @andrewgarbutt1634
    @andrewgarbutt1634 3 years ago

    Excellent

  • @kdineen13
    @kdineen13 3 years ago

    Fantastic

  • @paddee2k
    @paddee2k 3 years ago +1

    If you want to learn Azure, you go to John Savill!!! ;-)
    Great content as always, thank you very much!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Very kind, thank you!

  • @javinn27
    @javinn27 3 years ago +1

    Got it, thanks

  • @markarnold3630
    @markarnold3630 4 years ago

    Outstanding. Helps to see how it all ties together. Question: is Private Link generally preferred as a default security choice?

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      If a company wants to eliminate public-facing then definitely yes. It is the most locked down.

  • @FerozeAlishah
    @FerozeAlishah 3 years ago

    Awesome .. thanks

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      You bet!

  • @amglover4361
    @amglover4361 4 years ago

    As always, great video John. Regarding applying a Service Endpoint Policy to a subnet which stops VMs in that subnet from accessing Storage Account "02", surely you could do that without such a Policy simply by turning on the firewall on SA 02 and then not allowing access from that subnet?

    • @NTFAQGuy
      @NTFAQGuy  4 years ago +1

      Yes, but the point is data exfiltration. That would only stop access to SA02, but what if the user created SA03? Using a policy you are saying that subnet can only get to specific storage accounts.

  • @markadam1506
    @markadam1506 4 years ago +1

    Another great video! Maybe one on DNS for hybrid environments with an on-prem AD-integrated DNS?

    • @NTFAQGuy
      @NTFAQGuy  4 years ago +1

      I did a video about AD in Azure previously which included DNS considerations. I think that would cover this topic pretty much. Open to any gaps you think are there. Thanks.

    • @markadam1506
      @markadam1506 4 years ago

      John Savill thank you, I’ll take look

  • @SombreSyr
    @SombreSyr 4 years ago

    Thank you.

    • @NTFAQGuy
      @NTFAQGuy  4 years ago

      You're welcome!

  • @sony9248
    @sony9248 3 years ago

    Really appreciate your way of explaining each thing in detail. Just one query: what about communication between PaaS services? It won't use a private endpoint, like if my SQL Analysis Services wants to communicate with storage blob, and when I deny public access to one of my diagnostic storage accounts the VM stops sending diagnostic logs to storage.

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      PaaS services don't live in VNets, so they won't generally use the private endpoints of other services unless they have their own specific functionality like a managed VNet, etc.

  • @TimHoekstra
    @TimHoekstra 3 years ago

    Great video. I'm at around 27:52.
    What is not clear to me yet is how I then lock the SQL database down from any access from the internet or bad actors within Azure. What are my options? I might have some different rules in mind between the service inside the subnet with the NSG assigned to it and the SQL database. Consider peering and on-premises to be N/A.
    One other thing, I think the answer is yes to this question but I'll ask it anyway (be my rubber ducky). If I apply service endpoint policies, does that also prevent me from connecting to anything that is not specified? Think of the app using a connection string to storage that is not inside the subscription or the policies. So if we want to connect to that we would need to specify it, but that could mean possible data exfiltration?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      To lock down the database you use things like the service endpoints or private endpoints as I talked about. If you want to stop exfiltration for storage, that's storage endpoint policies.

  • @sid0000009
    @sid0000009 4 years ago

    Great video. Although I understood previously that a public IP (not private as you stated in the video) was used in Service Endpoints to allow traffic, and not private. For making use of a Virtual Network private IP we use a Private Endpoint? Can you please help clarify... thanks

    • @NTFAQGuy
      @NTFAQGuy  4 years ago +1

      No, I said the public service now sees the source as a private IP, not that you access the service AS a private IP. You are still using the public IP of the target, but it now is routed differently using magic in the switch :)

    • @sid0000009
      @sid0000009 4 years ago

      @@NTFAQGuy Clear thank you!

  • @pallabkolkata
    @pallabkolkata 4 years ago

    @John Savill So you said that a Service Endpoint is at a subnet level and you get a direct connection to the Storage Account using a Service Endpoint. So I guess a Service Endpoint can act as a security boundary. So what about Private Link, can I use a Service Endpoint with Private Link? I mean, how are they both different then?

    • @NTFAQGuy
      @NTFAQGuy  4 years ago +1

      A service endpoint provides an optimized path and knowledge of the subnet, so you can then on the PaaS service restrict to just that subnet. Private Link is an alternate approach where the service has an actual IP in the subnet which goes to the service. You would use one or the other. The difference is Private Link removes the need for the PaaS service to have any public-facing endpoint and instead is an interface in the subnet. With Private Link you can restrict to just the subnet with a private endpoint, and the subnet could be locked down via NSG to block anything without a private endpoint.

    • @pallabkolkata
      @pallabkolkata 4 years ago

      @@NTFAQGuy Private Link is the better option then as there is no question of Public IP and every traffic is within the Azure Backbone itself. No wonder Private Link is gaining so much popularity with Enterprises because of this huge security boost
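
The private endpoint alternative described in the exchange above, as an added Azure CLI example that is not part of the video, its GitHub files or any comment: it creates a private endpoint for a storage account's blob service inside the subnet, sets up the privatelink DNS zone the VNet needs so the account's public name resolves to the private IP, and then closes the account's public endpoint. The resource names, the subscription ID and the fixed sub-resource-to-zone mapping in private_dns_zone are assumptions for the example; the script prints its commands and executes nothing against Azure unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the video, its GitHub files or the comments.
# Gives the subnet a private endpoint for a storage account's blob service
# (Private Link), wires the privatelink DNS zone the VNet needs so the
# account's name resolves to the private IP, then closes the public endpoint.
# All names and the subscription ID are assumed placeholders (override via env).
# Dry-run by default: every command is printed; nothing runs unless APPLY=1.
set -u

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # assumed subscription ID
RG="${RG:-rg-netsec}"; LOC="${LOC:-eastus2}"
VNET="${VNET:-vnet-app}"; SUBNET="${SUBNET:-snet-app}"
SA="${SA:-sa01netsec}"; PE="${PE:-pe-sa01-blob}"
SA_ID="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$SA"

# Print the command, and execute it only when APPLY=1.
run() { echo "+ $*"; if [ "${APPLY:-0}" = 1 ]; then "$@"; fi; }

# Private DNS zone for a Private Link sub-resource (group ID). Each
# sub-resource has its own zone; this assumed list covers storage and SQL.
private_dns_zone() {
  case "$1" in
    blob|file|queue|table|web|dfs) echo "privatelink.$1.core.windows.net" ;;
    sqlServer) echo "privatelink.database.windows.net" ;;
    *) echo "unknown group id: $1" >&2; return 1 ;;
  esac
}

# 1. The private endpoint is a NIC in the subnet with an IP from the subnet's
#    range; traffic to the account never touches its public endpoint. The DNS
#    zone group makes Azure write the A record into the privatelink zone, and
#    the VNet link makes that zone answer for resolvers inside the VNet.
create_private_endpoint() {
  local group="${1:-blob}" zone
  zone="$(private_dns_zone "$group")" || return 1
  run az network private-endpoint create -g "$RG" -n "$PE" -l "$LOC" \
      --vnet-name "$VNET" --subnet "$SUBNET" \
      --private-connection-resource-id "$SA_ID" --group-id "$group" \
      --connection-name "${PE}-conn"
  run az network private-dns zone create -g "$RG" -n "$zone"
  run az network private-dns link vnet create -g "$RG" --zone-name "$zone" \
      -n "link-$VNET" --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE" \
      -n default --private-dns-zone "$zone" --zone-name "$group"
}

# 2. With the private endpoint in place the public endpoint can go away
#    entirely. Keeping default-action Deny as well means the firewall stays
#    closed if public network access is ever switched back on.
close_public_endpoint() {
  run az storage account update -g "$RG" -n "$SA" --default-action Deny
  run az storage account update -g "$RG" -n "$SA" --public-network-access Disabled
}

# 3. From a VM in the VNet the account's public name must now resolve to the
#    private endpoint's address, not to a public Storage prefix.
check_resolution() { run nslookup "$SA.blob.core.windows.net"; }

plan() { create_private_endpoint blob; close_public_endpoint; check_resolution; }

# Number of az invocations in the plan (self-check).
plan_command_count() { plan | grep -c '^+ az '; }

if [ "${1:-}" = "plan" ]; then plan; fi
```

Run with the argument `plan` to print the commands, or with `APPLY=1` to execute them. Two caveats a practitioner should keep in mind: the private IP is only useful if clients resolve the account's name to it, which is why the zone, the VNet link and the zone group are not optional; and NSG rules on the subnet only filter traffic to the private endpoint's IP once network policies for private endpoints are enabled on that subnet, so the "lock the subnet down via NSG" step in the reply above needs that switch as well.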

  • @sid0000009
    @sid0000009 3 years ago

    Also, if we have a service endpoint, does it lock the PaaS service to the given VNet so we don't need the firewall setting to be changed? With a private endpoint it's evident we don't require the firewall rule as it attains a private IP from the VNet, but I'm not clear on the service endpoint... thank you!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      Makes it known to the firewall so you can then lock it down. You have to make that config.

  • @sid0000009
    @sid0000009 3 years ago

    Thanks John, quick one... does the service endpoint override the NSG outbound rule?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      Use service tags to allow with NSGs if you limit outbound.

    • @sid0000009
      @sid0000009 3 years ago

      @@NTFAQGuy : Suppose I have set my NSG rule to block my access to PaaS SQL from a VNet, however I have added service endpoint access. In such a case would my service endpoint make the access possible or would the NSG have the final say?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      @@sid0000009 NSG would block

  • @unluckygame5455
    @unluckygame5455 a year ago

    Why do you say (at 0:08) that Storage Account is PaaS? Doesn't it fall under IaaS?

    • @NTFAQGuy
      @NTFAQGuy  a year ago +1

      No, since you're not responsible for any OS, etc. It provides the file service for you to leverage.

  • @The24hrStruggle
    @The24hrStruggle 3 years ago

    Hi John,
    Do you have any links or info surrounding DHCP on Azure? When a key production networking service is DHCP, and you are a business with multiple on-prem offices, how would you move DHCP to serve PCs and data from an Azure-hosted Domain Controller?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      You can't. Azure has to be the DHCP service for the VNet.

    • @The24hrStruggle
      @The24hrStruggle 3 years ago

      John Savill thanks for replying John. New to channel. Content so far has been super.

  • @sid0000009
    @sid0000009 3 years ago

    Hello, if I enable a service endpoint from the subnet to, for example, a SQL Server (Azure PaaS), do I still have to add an NSG outbound rule for 443 in the subnet to allow me to connect, or is that no longer required as I enabled a service endpoint already? Thank you

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      By default the NSG outbound allows to Internet and Azure services, so no change required. If you lock down then yes, you would need an outbound rule using the service tag of the service you have the endpoint for.

    • @sid0000009
      @sid0000009 3 years ago +1

      @@NTFAQGuy Thanks... so service endpoints are more alternate routing paths on the Azure backbone. So NSGs would be required anyway to filter traffic (unless allowed by default).

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      @@sid0000009 And make them known to the PaaS firewall as I talk about in the video
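
The service endpoint pieces discussed across the threads above (the policy as an exfiltration control that stops a freshly created SA03, the endpoint only making the subnet known to the PaaS firewall, and the NSG still having the final say even with an endpoint in place), as one added Azure CLI example that is not from the video, its GitHub files or any comment. The resource names, the subscription ID and the NIC name are assumed placeholders; the script prints its commands and executes nothing against Azure unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the video, its GitHub files or the comments.
# Locks a subnet's path to Azure Storage down to one account using the four
# native controls discussed: service endpoint, storage firewall, service
# endpoint policy and an outbound NSG built on service tags.
# All names and the subscription ID are assumed placeholders (override via env).
# Dry-run by default: every command is printed; nothing runs unless APPLY=1.
set -u

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # assumed subscription ID
RG="${RG:-rg-netsec}"; LOC="${LOC:-eastus2}"
VNET="${VNET:-vnet-app}"; SUBNET="${SUBNET:-snet-app}"
NSG="${NSG:-nsg-app}"; SEP="${SEP:-sep-storage}"
SA="${SA:-sa01netsec}"                                  # the only account the subnet may reach
SA_ID="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$SA"

# Print the command, and execute it only when APPLY=1.
run() { echo "+ $*"; if [ "${APPLY:-0}" = 1 ]; then "$@"; fi; }

# 1. Service endpoint: Storage now sees the subnet (VNet/subnet identity) as
#    the source instead of a public NAT address, and the subnet's effective
#    routes gain Storage prefixes with next hop VirtualNetworkServiceEndpoint.
enable_service_endpoint() {
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --service-endpoints Microsoft.Storage
}

# 2. Storage firewall: the endpoint only makes the subnet *known*. The account
#    keeps accepting the world until its default action is Deny and the subnet
#    is listed; that configuration is on you.
restrict_storage_account() {
  run az storage account update -g "$RG" -n "$SA" --default-action Deny --bypass AzureServices
  run az storage account network-rule add -g "$RG" --account-name "$SA" \
      --vnet-name "$VNET" --subnet "$SUBNET"
}

# 3. Service endpoint policy: the exfiltration control. Over the endpoint the
#    subnet may reach only the listed account IDs, so an attacker-created
#    SA03 is refused without any per-account firewall work.
create_endpoint_policy() {
  run az network service-endpoint policy create -g "$RG" -n "$SEP" -l "$LOC"
  run az network service-endpoint policy-definition create -g "$RG" --policy-name "$SEP" \
      -n allow-sa01 --service Microsoft.Storage --service-resources "$SA_ID"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --service-endpoint-policy "$SEP"
}

# 4. NSG: a service endpoint never overrides NSG rules. The default
#    AllowInternetOutBound rule (priority 65001) would let the subnet reach any
#    public IP, so deny Internet explicitly and allow only the Storage service
#    tag on 443 at a higher priority (the regional form Storage.<Region> is tighter).
create_outbound_nsg() {
  run az network nsg create -g "$RG" -n "$NSG" -l "$LOC"
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-storage-443 \
      --priority 100 --direction Outbound --access Allow --protocol Tcp \
      --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage \
      --destination-port-ranges 443
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n deny-internet \
      --priority 4000 --direction Outbound --access Deny --protocol '*' \
      --source-address-prefixes '*' --destination-address-prefixes Internet \
      --destination-port-ranges '*'
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --network-security-group "$NSG"
}

# 5. Verify from a NIC in the subnet (its VM must be running): the effective
#    NSG is the merge of subnet and NIC rules, both of which must allow a flow,
#    and the effective routes show the service endpoint hop.
verify_from_nic() {
  local nic="${1:-nic-app01}"   # assumed NIC name
  run az network nic list-effective-nsg -g "$RG" -n "$nic"
  run az network nic show-effective-route-table -g "$RG" -n "$nic" -o table
}

plan() {
  enable_service_endpoint; restrict_storage_account
  create_endpoint_policy; create_outbound_nsg; verify_from_nic
}

# Number of az invocations in the plan (self-check).
plan_command_count() { plan | grep -c '^+ az '; }

if [ "${1:-}" = "plan" ]; then plan; fi
```

Run with the argument `plan` to print the commands, or with `APPLY=1` to execute them. The explicit deny-Internet rule is the part people miss: without it the default rules still allow all outbound, so the subnet could talk to any storage account on any public IP, and the service endpoint policy would be the only thing in the way. With it, the priority-100 allow for the Storage tag wins for storage prefixes and everything else public is dropped, which is also why a deny at either the subnet NSG or a NIC NSG blocks the flow regardless of the endpoint.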

  • @okeychimeh977
    @okeychimeh977 a year ago

    Has anyone seen the blockbuster movie "Legend of the Savill", ya'll should check it out