9/30/21, 2:39 PM ch02.xhtml

- Prevention mode: As the name implies, this mode blocks traffic that matches the rules. A blocked request receives an HTTP 403 (Forbidden) response, the connection is closed, and a record is written to the WAF log. When reviewing the WAF log for a request that was blocked, you will see a message with fields similar to this example:

    Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Missing User Agent Header; individual paranoia level scores: 3, 2, 0, 0

The anomaly score comes from the OWASP Core Rule Set (CRS) 3.x. Each rule has a severity of Critical, Error, Warning, or Notice, and each severity adds a fixed number of points to the request's anomaly score: 5 (Critical), 4 (Error), 3 (Warning), or 2 (Notice). The request is blocked only when the total inbound score reaches the threshold, which is 5. In the message above the total inbound score is 5, the same score a single Critical match carries; here it is the sum of the paranoia-level scores 3 and 2. It is important to emphasize that a request whose total score stays below the threshold is not blocked even if it matched a rule whose action is Block: if traffic matches a block rule but has an anomaly score of 3, it is served, although the WAF log entry for that rule match still says that it was blocked. The reliable indicator that a request was actually refused is the entry for the mandatory rule shown above, which is written only when the threshold has been exceeded.

Tip: Application Gateway
To create an application gateway with a Web Application Firewall using the Azure portal, use the steps from this article: https://aka.ms/az500wafag.

Configure Azure Bastion
Azure Bastion deployment is done per virtual network, which means that you provision the Azure Bastion service in the VNet, and at that point RDP/SSH access is available to all virtual machines that belong to the same VNet. The general architecture looks similar to Figure 2-39.

Figure 2-39 Core architecture for Azure Bastion deployment (diagram: Azure Bastion deployed in a VNet in its own subnet, and three servers in another subnet of the same VNet)
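The anomaly-score logic described in the prevention-mode section above is easy to misread during a log review. The following Python is an added example, not code from the book or from Azure: it parses the "Inbound Anomaly Score Exceeded" message quoted above and decides, for the records belonging to one request, whether the request really was refused. The record layout (a dict with action and message keys per rule match, grouped per request) and the second sample record's message text are constructed for illustration; only the mandatory rule's message follows the format shown in the chapter.

```python
"""Interpret Azure WAF prevention-mode log records (OWASP CRS 3.x anomaly scoring).

Added example, not code from the book. The record layout (a dict with 'action'
and 'message' keys per rule match, grouped per request) is an assumption made
for illustration; only the mandatory rule's message text follows the format
quoted in the chapter.
"""
import re

BLOCK_THRESHOLD = 5  # inbound anomaly score at which prevention mode refuses the request
# Points each rule severity adds to the request's anomaly score.
SEVERITY_POINTS = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
MANDATORY_PREFIX = "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded"

_TOTAL_RE = re.compile(r"Total Inbound Score (\d+)\s*-\s*([A-Z]+=\d+(?:,\s*[A-Z]+=\d+)*)\)")
_REASON_RE = re.compile(r"\):\s*(.*?);\s*individual paranoia level scores:\s*([\d,\s]+)")


def would_block(severities):
    """Sum the points of the matched rules' severities and compare with the threshold.

    Two non-critical matches (Warning 3 + Notice 2) reach 5 just as one Critical does.
    """
    return sum(SEVERITY_POINTS[s] for s in severities) >= BLOCK_THRESHOLD


def parse_anomaly_message(message):
    """Split the 'Inbound Anomaly Score Exceeded' message into its fields."""
    total = _TOTAL_RE.search(message)
    reason = _REASON_RE.search(message)
    if not total or not reason:
        raise ValueError("not an Inbound Anomaly Score Exceeded message")
    categories = {}
    for item in total.group(2).split(","):
        name, value = item.strip().split("=")
        categories[name] = int(value)
    return {
        "total": int(total.group(1)),
        "categories": categories,           # SQLI, XSS, RFI, LFI, RCE, PHPI, HTTP, SESS
        "reason": reason.group(1).strip(),  # the rule match that pushed the score over the line
        "paranoia_scores": [int(x) for x in reason.group(2).replace(" ", "").split(",") if x],
    }


def request_outcome(records):
    """Decide whether one request (all of its log records) was actually refused.

    In prevention mode every matched rule is logged with action 'Blocked', even
    when the request's total score stays below the threshold and the request is
    served. Only the mandatory threshold record proves the 403 was returned.
    """
    for rec in records:
        if rec.get("message", "").startswith(MANDATORY_PREFIX):
            parsed = parse_anomaly_message(rec["message"])
            return {
                "blocked": parsed["total"] >= BLOCK_THRESHOLD,
                "total": parsed["total"],
                "reason": parsed["reason"],
                "paranoia_scores": parsed["paranoia_scores"],
            }
    logged_as_blocked = sum(1 for rec in records if rec.get("action") == "Blocked")
    return {
        "blocked": False,
        "total": None,
        "reason": f"{logged_as_blocked} rule match(es) logged as Blocked, but no threshold record: request was served",
        "paranoia_scores": [],
    }


# Constructed sample records (not real log data). The first request crossed the
# threshold; the second matched a single Warning-level rule (3 points) and was served.
REQUEST_BLOCKED = [
    {"transactionId": "tx-1", "action": "Blocked",
     "message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded "
                "(Total Inbound Score 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "
                "Missing User Agent Header; individual paranoia level scores: 3, 2, 0, 0"},
]
REQUEST_SERVED = [
    {"transactionId": "tx-2", "action": "Blocked",
     "message": "Warning. Pattern match at REQUEST_HEADERS:Host. Host header is a numeric IP address"},
]

if __name__ == "__main__":
    for name, records in (("tx-1", REQUEST_BLOCKED), ("tx-2", REQUEST_SERVED)):
        print(name, request_outcome(records))
    print("Warning + Notice blocks:", would_block(["Warning", "Notice"]))
```

When triaging, group records by transaction and look for the mandatory-rule entry rather than counting entries whose action is Blocked; the latter over-reports blocks by every request that matched a low-severity rule and went through.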
Important: Session initiation
A session should be initiated only from the Azure portal. If you try to access the URL from another browser session or tab, you might receive the "Your session has expired" error.

When analyzing the scenario definition, you will identify clues that lead you to use Azure Bastion. For example, in a scenario where Contoso administrators don't want to use a public IP on the VMs but need to provide external RDP access to those VMs, Azure Bastion is the best design choice. Another advantage of not exposing a public IP (IPv4 only) address is that your VM is not reachable for port scanning from the Internet. Although Azure Bastion receives the external requests, you don't need to harden the service yourself: Azure Bastion is a fully managed PaaS service, and the Azure platform keeps it hardened and up to date for you. This approach also helps protect the VMs against zero-day exploits, because their RDP/SSH ports are no longer exposed to the Internet. Azure Bastion allows up to 25 concurrent RDP sessions and 50 concurrent SSH connections. Although this is the official limit, high-usage sessions affect how Azure Bastion responds to other connections, which means it can allow fewer than the maximum when usage is high.

file:///C:/Users/Swami/Desktop/ch02.xhtml 30/68

To establish a connection through Azure Bastion, you need the Reader role on the virtual machine, the Reader role on the NIC with the private IP of the virtual machine, and the Reader role on the Azure Bastion resource. To create an Azure Bastion host using the portal, follow these steps:
1. Navigate to the Azure portal at https://portal.azure.com.
2. In the search bar, type bastion, and under Services, click Bastions.
3. On the Bastions page, click the Add button; the Create A Bastion page appears, as shown in Figure 2-40.

Figure 2-40 Create A Bastion (screenshot: the Create A Bastion page with the options that you need to configure)

4. Select the subscription and the resource group that will host your Azure Bastion.
5. In the Instance Details section, type the name of this Bastion, and select the region where it will reside.
6. Under the Configure Virtual Networks section, select the virtual network in which the Bastion will be created, or, if you don't have one available, click the Create New button and follow the steps to create one.
7. Select the Public IP address that will be used by the Bastion. You can either create a new one (the default option) or use an existing one that is available.
8. Notice that the Public IP Address SKU option is prepopulated and cannot be changed. That's because Azure Bastion only supports the Standard Public IP SKU.
9. The Assignment option is prepopulated with Static. If you select Use Existing IP Address, this option is not available, because the setting established when the public IP was created will be used.
10. Click the Review + Create button.
11. Click the Create button.

At this point, the Bastion is created, which usually takes about five minutes. After the Bastion is created, you can connect to a VM through it. The option appears when you click Connect in the VM blade, as shown in Figure 2-41.

Figure 2-41 Accessing a VM using Azure Bastion (screenshot: the VM blade after clicking Connect and switching to the Bastion tab, where you type your credentials)

Configure resource firewall
In addition to Azure Firewall, you can also leverage the native firewall-related capabilities of individual services.
Azure Storage and SQL Database are examples of Azure services that have this functionality. When you leverage this built-in functionality to harden your resources, you are adding an extra layer of security to your workload and following the defense-in-depth strategy, as shown in Figure 2-42.

Figure 2-42 Multiple layers of protection to access the resource (diagram: a network topology with multiple layers of protection in front of the resource, including Azure Firewall, an NSG, and the resource firewall)

Azure storage firewall
When you enable this feature in Azure Storage, you can better control the level of access to your storage accounts based on the type and subset of networks used. When network rules are configured, only applications requesting data over the specified set of networks can access the storage account. You can create granular controls to limit access to your storage account to requests coming from specific IP addresses, IP ranges, or a list of subnets in an Azure VNet. The firewall rules created on your Azure Storage account are enforced on all network protocols that can be used to access the storage account, including REST and SMB. These rules govern data-plane access (reading and writing blobs, files, queues, and tables); managing the account through Azure Resource Manager is not affected by them. Because the default storage account configuration allows connections from clients on any network (including the Internet), it is recommended that you configure this feature to limit access to selected networks.

Follow these steps to configure the Azure Storage firewall:
1. Navigate to the Azure portal at https://portal.azure.com.
2. In the search bar, type storage, and under Services, click Storage Accounts.
3. Click the storage account for which you want to modify the firewall settings.
4. On the storage account page, under the Settings section in the left navigation pane, click the Firewalls And Virtual Networks option; the page shown in Figure 2-43 appears.
Figure 2-43 Azure storage firewall and virtual network settings (screenshot: the firewall and virtual network settings with the default selection enabled)

5. Under Allow Access From, click Selected Networks; the options shown in Figure 2-44 become available.

Figure 2-44 Azure storage firewall settings (screenshot: the firewall and virtual network settings with the options to customize access)

6. Under the Virtual Networks section, you can either add a new VNet or assign this storage account to an existing VNet and subnet.
7. Under the Firewall section, you can restrict the address ranges that have access to this storage account. For that, type the IP addresses or the ranges in CIDR format. Keep in mind that services deployed in the same region as the storage account use private Azure IP addresses for communication. Therefore, you cannot allow or restrict specific Azure services based on their public outbound IP address range; admit them through the Exceptions section or a virtual network rule instead.
8. Under the Exceptions section, you can enable or disable the following options:
   - Allow Trusted Microsoft Services To Access This Storage Account: Enabling this option grants access to your storage account from Azure Backup, Azure Event Grid, Azure Site Recovery, Azure DevTest Labs, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse.
   - Allow Read Access To Storage Logging From Any Network: Enable this option if you want to allow this level of access.
   - Allow Read Access To Storage Metrics From Any Network: Enable this option if you need the storage metrics to be accessible from all networks.
9. Once you finish configuring, click the Save button.
If you want to quickly deny network access to the storage account, you can use the Update-AzStorageAccountNetworkRuleSet cmdlet, as shown here:

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "MyRG" -Name "mystorage" -DefaultAction Deny

This sets the default action to Deny; any IP or virtual network rules already on the account remain in place and become the only paths in.

Azure SQL database firewall
When configuring your Azure SQL database, you can restrict access to a specific network by using server-level firewall rules or database-level firewall rules. Server-level rules enable or disable access from clients to all the databases within the same SQL Database server and are stored in the master database; database-level rules apply to a single database and are stored in that database. If your database is accessible from the Internet and a computer tries to connect to it, the firewall first checks the originating IP address of the request against the database-level IP firewall rules for the database that the connection requests. If the address isn't within a range in the database-level IP firewall rules, the firewall then checks the server-level IP firewall rules. The server-level firewall rules can be configured via the Azure portal, whereas database-level firewall rules must be configured inside the database itself by using the sp_set_database_firewall_rule stored procedure. To configure the server-level firewall, follow these steps:
1. Navigate to the Azure portal at https://portal.azure.com.
2. In the search bar, type database, and under Services, click SQL Databases.
3. Click the database for which you want to modify the server-level firewall settings.
4. On the Overview page, click the Set Server Firewall button, as shown in Figure 2-45.

Figure 2-45 Selecting the option to configure the server-level firewall (screenshot: the database Overview page with the option to configure the server firewall)

5. The Firewall Settings page appears, as shown in Figure 2-46.

Figure 2-46 Server-level Firewall Settings options (screenshot: the Azure database server-level firewall page with the different options available to restrict the traffic)
6. Under the Deny Public Network Access option, select Yes if you want to prohibit access from the Internet (only connections through a private endpoint are then accepted, regardless of the IP rules below), or No if you want to allow Internet access to this database.
7. The Connection Policy option allows you to configure how clients connect to Azure SQL. The available options are:
   - Default: The default policy is basically Redirect for all client connections originating inside Azure and Proxy for all client connections originating outside.
   - Proxy: By selecting this option, all connections are proxied via the Azure SQL Database gateways (which vary according to the Azure region). This setting increases latency and reduces throughput.
   - Redirect: By selecting this option, all clients establish connections directly to the node hosting the database, which reduces latency and improves throughput.
8. Under Allow Azure Services And Resources To Access This Server, you have the option to Enable or Disable this type of access. Be careful with Enable: it admits connections from any resource hosted in Azure, including resources in other customers' subscriptions, not only your own.
9. Next are three fields, Rule Name, Start IP, and End IP, which allow you to create filters for client connections.
10. The last option that you can configure is the Virtual Networks setting, which allows you to either create a new VNet rule or add an existing VNet.
11. Once you finish configuring, click the Save button.

Azure Key Vault Firewall
Just like the previous resources, Azure Key Vault also allows you to create network access restrictions by using the Key Vault firewall, which applies to Key Vault's data plane. This means that management-plane operations, such as creating a new vault, deleting it, or modifying its settings, are not affected by the firewall rules. Below are two use-case scenarios for the Azure Key Vault firewall:
- Contoso needs to implement Azure Key Vault to store encryption keys for its applications, and it wants to block access to its keys for requests coming from the Internet.
- Fabrikam implemented Azure Key Vault and now needs to lock down access to it, enabling access only to Fabrikam's applications and a short list of specific hosts.

To configure the Azure Key Vault firewall, you should first enable Key Vault logging using the following sequence of PowerShell commands:

    $storagea = New-AzStorageAccount -ResourceGroupName ContosoResourceGroup -Name fabrikamkeyvaultlogs -Type Standard_LRS -Location 'East US'
    $kvault = Get-AzKeyVault -VaultName 'ContosoKeyVault'
    Set-AzDiagnosticSetting -ResourceId $kvault.ResourceId -StorageAccountId $storagea.Id -Enabled $true -Category AuditEvent

In this sequence, you create a new storage account to store the logs, obtain the Key Vault information, and finally configure the diagnostic setting for your Key Vault so that the AuditEvent category (data-plane requests, including those the firewall later rejects, recorded with the caller's IP address) is written to that account. Enabling the log first lets you see which callers would be cut off before you tighten the rules.

After finishing this part, you can go to the Azure portal, open your Key Vault, and in the left navigation pane, under the Settings section, click Networking > Private Endpoint And Selected Networks, as shown in Figure 2-47.

Figure 2-47 Azure Key Vault Firewall configuration (screenshot: the Azure Key Vault Networking blade with the option to configure a firewall to restrict traffic)

On this page, you can click the Add Existing Virtual Networks or Add New Virtual Networks options to start building the list of virtual networks allowed to access your Key Vault. Keep in mind that once you configure those rules, users can only perform Key Vault data-plane operations when their requests originate from this list of allowed virtual networks. The same applies when users try to perform data-plane operations from the portal, such as listing the keys: the source address of the user's own browser session must be allowed.

Important: IP Network Rules
If you are creating IP network rules, you can only use public IP addresses. Reserved IP address ranges are not allowed in IP rules. Private networks include the address ranges defined in RFC 1918.
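To tie the three resource firewalls together, here is an added Python example (not code from the book or from Azure) that models the decisions described in this section: the public-IP-only constraint on IP rules stated in the Important note above for Key Vault (which applies to Azure Storage IP rules as well), the default-Allow versus Deny-with-exceptions evaluation of the Storage and Key Vault firewalls, and the database-level-then-server-level order of Azure SQL Database rules together with the Deny Public Network Access switch. Rule shapes, sample addresses and the subnet resource ID are constructed for illustration; the model treats IP rules as IPv4-only, and the SQL function assumes that the "Allow Azure services and resources to access this server" switch is represented by the 0.0.0.0 to 0.0.0.0 server-level rule it creates.

```python
"""Model of the allow/deny decisions made by Azure resource firewalls.

Added example, not code from the book or from Azure. It mirrors the rules the
chapter describes for Azure Storage, Azure SQL Database and Azure Key Vault;
rule shapes, sample addresses and subnet IDs are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


def validate_ip_rule(rule):
    """Accept an IP rule only if the Storage / Key Vault firewall would.

    Rules must be public IPv4 addresses or CIDR ranges; RFC 1918 and other
    reserved ranges are refused (IPv4-only is an assumption of this model).
    Azure services in the same region call from private Azure addresses, so
    such callers can never be admitted by an IP rule, only by an exception.
    """
    net = ipaddress.ip_network(rule, strict=False)
    if net.version != 4:
        raise ValueError(f"{rule}: IP rules accept IPv4 only")
    if net.is_private or net.is_reserved or net.is_loopback or net.is_link_local or net.is_multicast:
        raise ValueError(f"{rule}: private or reserved range is not allowed in an IP rule")
    return net


@dataclass
class NetworkRuleSet:
    """Settings of the 'Firewalls and virtual networks' blade (Storage, Key Vault)."""
    default_action: str = "Allow"                    # out-of-the-box: all networks
    ip_rules: list = field(default_factory=list)     # IPv4Network objects from validate_ip_rule
    vnet_subnets: set = field(default_factory=set)   # allowed subnet resource IDs
    bypass_trusted_services: bool = True             # 'Allow trusted Microsoft services'


def data_plane_allowed(rules, client_ip=None, subnet_id=None, trusted_service=False):
    """Data-plane decision for Storage / Key Vault; management-plane calls are not filtered."""
    if rules.default_action == "Allow":
        return True
    if trusted_service and rules.bypass_trusted_services:
        return True  # only the network check is skipped; RBAC/access policy still applies
    if subnet_id is not None and subnet_id in rules.vnet_subnets:
        return True
    if client_ip is not None:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in rules.ip_rules)
    return False


# Server-level rule created by 'Allow Azure services and resources to access this server'.
AZURE_SERVICES_RULE = ("0.0.0.0", "0.0.0.0")


def sql_firewall_decision(client_ip, database_rules, server_rules,
                          from_azure=False, deny_public_access=False):
    """Azure SQL Database: database-level IP rules are checked first, then server-level.

    Rules are (name, start_ip, end_ip) tuples with inclusive bounds, i.e. the
    Rule Name / Start IP / End IP fields of the portal or sp_set_database_firewall_rule.
    """
    if deny_public_access:
        return "denied: public network access is disabled (only private endpoint connections are accepted)"
    addr = int(ipaddress.IPv4Address(client_ip))
    for scope, rules in (("database", database_rules), ("server", server_rules)):
        for name, start, end in rules:
            if (start, end) == AZURE_SERVICES_RULE:
                if from_azure:  # any Azure-hosted client, not only yours
                    return f"allowed by {scope} rule '{name}' (Azure services)"
                continue
            if int(ipaddress.IPv4Address(start)) <= addr <= int(ipaddress.IPv4Address(end)):
                return f"allowed by {scope} rule '{name}'"
    return "denied: no database-level or server-level rule matches"


# Constructed sample configuration.
APP_SUBNET = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app"
LOCKED_DOWN = NetworkRuleSet(default_action="Deny",
                             ip_rules=[validate_ip_rule("93.184.216.0/24")],
                             vnet_subnets={APP_SUBNET})
DB_RULES = [("app-client", "93.184.216.34", "93.184.216.34")]
SERVER_RULES = [("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
                ("office", "198.51.100.10", "198.51.100.20")]

if __name__ == "__main__":
    print(data_plane_allowed(LOCKED_DOWN, client_ip="93.184.216.34"))  # IP rule matches
    print(data_plane_allowed(LOCKED_DOWN, client_ip="10.0.1.4"))       # private source, no rule can admit it
    print(data_plane_allowed(LOCKED_DOWN, subnet_id=APP_SUBNET))       # VNet rule matches
    print(sql_firewall_decision("198.51.100.15", DB_RULES, SERVER_RULES))
    print(sql_firewall_decision("10.1.2.3", DB_RULES, SERVER_RULES, from_azure=True))
```

The two deny cases worth noticing are the private-address caller, which no IP rule can ever admit (that is why the Exceptions and virtual network rules exist), and the 0.0.0.0 server-level rule, which admits any Azure-hosted client once the Allow Azure Services switch is enabled.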
In Figure 2-47, also notice the Allow Trusted Microsoft Services To Bypass This Firewall option, which is set to Yes by default. This allows the following services to access your Key Vault regardless of the firewall configuration: the Azure Virtual Machines deployment service, the Azure Resource Manager template deployment service, Azure Application Gateway v2 SKU, the Azure Disk Encryption volume encryption service, Azure Backup, Exchange Online, SharePoint Online, Azure Information Protection, Azure App Service, Azure SQL Database, Azure Storage Service, Azure Data Lake Store, Azure Databricks, Azure API Management, Azure Data Factory, Azure Event Hubs, Azure Service Bus, Azure Import/Export, and Azure Container Registry. The bypass only skips the network check; each of these services still needs an access policy or role assignment on the vault before it can read anything.

Azure App Service Firewall
You might also want to harden the network access for your apps that are deployed via Azure App Service. Although the terminology used in this section refers to an "Azure App Service Firewall," what you are really implementing is a network-level access-control list. The access restrictions capability in Azure App Service is implemented in the App Service front-end roles. These front-end roles are upstream of the worker hosts where your code runs, so a request rejected by a rule never reaches your application. A common exam scenario for this capability is when you need to restrict access to your app from certain VNets or from the Internet. On the AZ-500 exam, make sure to carefully read the scenario because, in this case, you are adding restrictions to access the app itself, not the host. To configure access restrictions on your Azure App Service, open the Azure portal, open the App Services dashboard, click your app service or Azure function, and in the Settings section, click Networking. The Access Restrictions option is shown at the right (see Figure 2-48).

Figure 2-48 Azure App Services access restriction (screenshot: the Networking blade of an Azure App Service with an Azure function selected and the Configure Access Restrictions option under Access Restrictions)
To start the configuration, click Configure Access Restrictions in the Access Restrictions section. You will see the Access Restrictions page, as shown in Figure 2-49. The initial table is blank (no rules), and you can click Add Rule to start configuring your restrictions.

Figure 2-49 Adding Access Restrictions (screenshot: the Access Restrictions page, with the option to add a new rule)

It is recommended that you schedule a maintenance window to configure these restrictions, because any operation (add, edit, or remove) on those rules restarts your app for the changes to take effect.

Implement service endpoint
