So, it’s been a little while since I last made an update, mostly for lack of time as a result of being so busy at work. I’m still heavily involved in a cloud migration and up against some pretty tight deadlines for leaving our on-prem data centers; we have been furiously moving our applications (around 70 of them!) to Azure.
There’s a whole heap of stuff happening out in Azure networking land. Probably the biggest (and most interesting) change has been the introduction of User Defined Routes – essentially your own routing table for a subnet. This creates the possibility of routing traffic to a gateway, such as a firewall – I have played with this using a Linux box running iptables and it seems to work as advertised. With the introduction of this functionality, I see Check Point were quick to get a virtual appliance into the marketplace. Barracuda, who have offered their NG firewall in Azure for a long time, no longer require you to run VPN software on each of the VMs – your malicious VM administrator can no longer simply disable the VPN software in order to circumvent your security policies (they’ll just use PowerShell instead to change the route – I joke, kind of). It’s routing, but different – your default gateway can be in a completely different subnet, which boggles the mind somewhat. What about ARP? The only limitation with this is that the default gateway needs to be in the same VNET as the VM routing traffic to it – this could be inconvenient (and expensive) if you have lots of subscriptions, as it would require you to deploy firewall HA pairs in each VNET.
We’re using Network Security Groups extensively and have these applied not only to our DMZ subnets, but also to our LAN ones. In order to prevent someone accidentally adding an internet endpoint, by default only RFC1918 addresses are permitted in and out of every subnet. Internet access is added by exception. I stumbled upon this awesome script which allows you to manage these NSGs via a CSV file. It’s been an absolute life saver, as managing NSGs purely via PowerShell would be completely unmanageable. The CSV process makes this a whole lot more efficient and much easier – we can also wrap some change / version control around these CSV files to see what is changing and when.
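As an added example (not part of the original post, and not the CSV management script it mentions), this Python check scans an NSG rule CSV and reports any Allow rule that reaches outside RFC1918 space without being on an explicit exception list, which is the policy described above. The CSV column layout and the sample rows are constructed assumptions for this example.

```python
import csv
import io
import ipaddress

# RFC1918 ranges: the only space the default NSG policy permits in and out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rule file. The column layout is an assumption for this example,
# not the layout used by the CSV management script mentioned in the post.
SAMPLE_CSV = """name,priority,direction,access,source,destination,port
allow-lan-in,100,Inbound,Allow,10.0.0.0/8,10.1.2.0/24,*
allow-mgmt-out,110,Outbound,Allow,10.1.2.0/24,192.168.50.10/32,443
allow-web-in,120,Inbound,Allow,*,10.1.2.0/24,443
allow-vendor-out,130,Outbound,Allow,10.1.2.0/24,203.0.113.0/24,443
deny-all-out,4000,Outbound,Deny,*,*,*
"""


def is_private_prefix(prefix: str) -> bool:
    """True only for a literal CIDR that sits entirely inside an RFC1918 range.
    '*', service tags such as Internet, and public prefixes all return False."""
    try:
        net = ipaddress.ip_network(prefix.strip(), strict=False)
    except ValueError:
        return False
    return any(net.version == r.version and net.subnet_of(r) for r in RFC1918)


def find_internet_exposure(csv_text: str, approved_exceptions=()) -> list:
    """Names of Allow rules whose source or destination reaches outside RFC1918
    space and that are not listed as approved internet exceptions."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["access"].strip().lower() != "allow":
            continue  # deny rules cannot open exposure, so they are skipped
        if row["name"] in approved_exceptions:
            continue  # explicitly approved exception to the RFC1918-only default
        if not (is_private_prefix(row["source"]) and is_private_prefix(row["destination"])):
            findings.append(row["name"])
    return findings


if __name__ == "__main__":
    # Only the vendor rule has been approved, so the wildcard-source web rule is flagged.
    for name in find_internet_exposure(SAMPLE_CSV, approved_exceptions=("allow-vendor-out",)):
        print(f"unapproved non-RFC1918 Allow rule: {name}")
```

Run it against each CSV before it is applied (or as a pre-commit hook once the files are under version control) so an accidental internet endpoint is caught before it reaches the subnet.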
We’re still finding it hugely frustrating that there is no logging (or SIEM integration) for the NSGs. Comments on the Azure forums suggest we could know more in July – it may be addressed by the Azure Resource Manager (ARM) stack. There have been plenty of scenarios where we’re attempting to troubleshoot access issues and are completely blind ‘out there’. It’s refreshing when these Azure machines are accessing on-prem networks and we get this presented in our lovely ELK stack.
I’ve also started with the Azure Application Proxy as a potential replacement for our on-prem reverse proxies. First impressions are that it’s pretty good – very easy to set up. As you’d expect, it’s tightly integrated with ADFS and this makes authentication and authorization a breeze. Single sign-on is easily achieved too.
That’s about it for now. More to come!