Network Security: Advanced Patterns
Beyond NSGs โ Azure Firewall, DDoS Protection, WAF, and Network Watcher for defense-in-depth
๐ด Advanced
โฑ 20 Minutes
๐ AZ-104 ยท Module 04
Why This Matters
NSGs and routing control which traffic is allowed, but they work at Layer 3 (network). Modern attacks happen at Layer 7 (application) โ SQL injection, DDoS, bot attacks. This doc covers the advanced tools that protect above NSGs: Azure Firewall (stateful inspection), DDoS Protection (volumetric attacks), Web Application Firewall (app-level threats), and Network Watcher (diagnostics).
The Simple Idea: Layers of Network Security
Earlier docs covered Layers 2-3 (NSGs, routing). This doc covers Layers 4-7 (advanced security).
- Layer 7 (Application): WAF blocks SQL injection, XSS
- Layer 4 (Transport): DDoS Protection blocks volumetric attacks
- Layer 3 (Network): Azure Firewall allows/denies by IP/port/protocol
- Layer 2 (Data Link): NSGs filter by subnet/NIC
Layer 7 (Application) โ WAF blocks SQL injection, XSS
โ
Layer 4 (Transport) โ DDoS Protection blocks volumetric attacks
โ
Layer 3 (Network) โ Azure Firewall allows/denies by IP/port/protocol
โ
Layer 2 (Data Link) โ NSGs filter by subnet/NIC
When NSGs Aren't Enough
NSG Example
Rule: Allow port 443 from 0.0.0.0/0
โโ Result: Any traffic on port 443 is allowed
โโ Includes: Legitimate HTTPS traffic โ
โโ Includes: DDoS attack on port 443 โ
โโ Includes: SQL injection via HTTPS โ
โโ NSG can't see inside the traffic, only the port
Advanced Security Needed
Azure Firewall:
โโ Can see the application data
โโ Can block SQL injection patterns โ
โโ Can block malicious URLs โ
โโ But adds latency (inspection takes time)
DDoS Protection:
โโ Detects flood attacks (millions of requests/sec)
โโ Automatically rate-limits offenders โ
โโ Protects infrastructure from being overwhelmed
WAF (Web Application Firewall):
โโ Sits in front of web apps
โโ Blocks OWASP Top 10 attacks (XSS, SQLi, etc.)
โโ Can identify legitimate traffic vs. malicious
โโ Works with Application Gateway or Front Door
Layer 4: DDoS Protection
What Is a DDoS Attack?
DDoS (Distributed Denial of Service) = Overwhelming a service with traffic so legitimate users can't reach it.
Real-World Analogy: Crowded Restaurant
Normal traffic: a customer goes through the waiter to the kitchen and gets food. A DDoS attack is like 1000 fake customers overwhelming the waiter so real customers can't be served. Protection is a bouncer at the door who questions suspicious groups, blocks obvious fakes, and lets real customers through.
Normal Traffic:
Customer โ Waiter โ Kitchen โ Food โ
DDoS Attack:
1000 fake customers โ Waiter โ Can't serve real customers โ
Protection:
โโ Bouncer at door: "These 1000 people look fake"
โโ Asks questions: "Where are you from? Why here?"
โโ Blocks obvious fakes โ
โโ Real customers still get served โ
Azure DDoS Protection Tiers
| Tier | Cost | Detection | Mitigation | Best For |
|---|
| Basic | Free | Azure automated | Automatic | All subscriptions (always on) |
| Standard | ~$3K/month | 24/7 monitoring | Automatic + manual | Mission-critical apps |
DDoS Basic vs. DDoS Standard
DDoS Basic (Always On, Free)
Included with every Azure subscription:
โโ Always monitoring incoming traffic
โโ Auto-blocks obvious DDoS attacks (SYN floods, UDP floods)
โโ No configuration needed
โโ Works at network edge (before traffic reaches your VNet)
Limitations:
โโ Doesn't monitor application-level attacks
โโ Limited visibility (you don't see metrics)
โโ No custom policies
DDoS Standard (Paid, Enterprise-Grade)
Enable on public IP or VNet:
โโ 24/7 dedicated support team
โโ Real-time attack analytics
โโ Custom mitigation policies
โโ Attack simulation (test your defenses)
โโ Cost: ~$3000/month (expensive but justified for critical apps)
Example Policy:
โโ If traffic exceeds 100 Gbps โ Rate-limit to 50 Gbps
โโ If SYN flood detected โ Block source IPs
โโ If UDP flood detected โ Drop UDP packets
โโ Legitimate traffic passes through โ
When to Use DDoS Standard
Use DDoS Standard if:
โโ App is internet-facing (has public IP)
โโ App is mission-critical (downtime = lost revenue)
โโ Traffic patterns are predictable (can set thresholds)
โโ Example: E-commerce site, financial API, public website
Don't use if:
โโ Internal-only app (not exposed to internet)
โโ Testing/development environment
โโ Traffic highly variable
โโ Example: Dev VMs, internal apps, test systems
Layer 3: Azure Firewall (Stateful Inspection)
Stateless vs. Stateful Firewalls
NSG (Stateless)
Rule: Allow port 443
โโ Sees: Source IP, Dest IP, Port, Protocol
โโ Decision: Port 443? YES โ Allow
โโ Doesn't understand: Is this a legitimate HTTPS connection?
โโ Can't see: Application data, conversation context
Azure Firewall (Stateful)
Connection: Client โ Server on port 443
โโ Sees: TLS handshake, certificate, domain
โโ Understands: "This is HTTPS to example.com"
โโ Knows: "Example.com is on the allowed list"
โโ Allows: Traffic โ
โโ Understands: "This is a complete HTTPS connection"
โโ Can inspect: Application layer (if configured)
Azure Firewall Capabilities
Network Rules (Layer 4):
โโ Allow/deny by IP, Port, Protocol
โโ Similar to NSG, but stateful
โโ Example: Allow 10.0.0.0/16 to reach 192.168.0.0/16 on port 443 โ
Application Rules (Layer 7):
โโ Allow/deny by domain name (not just IP)
โโ Understands FQDN (fully qualified domain name)
โโ Example: Allow outbound to *.microsoft.com (any Microsoft domain)
โโ Example: Block *.twitter.com (block all Twitter domains)
โโ Much more flexible than IP-based filtering โ
NAT Rules (Network Address Translation):
โโ Redirect inbound traffic
โโ Example: Public IP:443 โ Internal VM:8443
โโ Allows internal VMs to receive internet traffic
โโ Hides internal IPs from internet
Azure Firewall Architecture
Azure Firewall lives in the Hub VNet's AzureFirewallSubnet with its own public IP. The hub routes all internet and on-prem traffic through the firewall, and spoke VNets route their outbound traffic to the hub firewall too โ eliminating the need for a firewall per spoke.
Hub VNet (with Firewall)
โโโ AzureFirewallSubnet (10.0.2.0/24)
โ โโ Azure Firewall instance
โ โโ Assigned public IP
โ
โโโ Routes to Firewall:
โ โโ 0.0.0.0/0 (internet) โ Firewall
โ โโ 192.168.0.0/16 (on-prem) โ Firewall
โ
โโ All internet/on-prem traffic passes through firewall โ
Spoke VNet:
โโโ Route: 0.0.0.0/0 โ Hub Firewall (10.0.2.4)
โโโ Route: 192.168.0.0/16 โ Hub Firewall
โโโ Outbound traffic: Automatically inspected โ
โโ No need for firewall per spoke (cost-effective) โ
Firewall Rule Evaluation Order
Traffic arrives at Firewall:
โ
Check NAT Rules (highest priority)
โโ If match โ Translate and continue
โ
Check Network Rules
โโ If match (allow) โ Forward โ
โโ If match (deny) โ Drop โ
โ
Check Application Rules
โโ If match (allow) โ Forward โ
โโ If match (deny) โ Drop โ
โ
Default: Deny (implicit deny)
Layer 7: Web Application Firewall (WAF)
What Is a WAF?
WAF = Protects web applications from Layer 7 attacks (not network attacks, but web app attacks).
Attacks WAF Protects Against
SQL Injection
Attacker sends: ' OR '1'='1
WAF detects: SQL injection pattern
WAF blocks: Request โ
Cross-Site Scripting (XSS)
Attacker sends: <script>alert('hacked')</script>
WAF detects: JavaScript in form field
WAF blocks: Request โ
Cross-Site Request Forgery (CSRF)
Attacker sends: Malicious form from external site
WAF detects: Request from unexpected origin
WAF blocks: Request โ
Path Traversal
Attacker sends: ../../../etc/passwd
WAF detects: Directory traversal pattern
WAF blocks: Request โ
WAF Deployment Models
Azure WAF can attach to:
| Service | How | Cost |
|---|
| Application Gateway | Sits in front of web servers | Charged for gateway + WAF rules |
| Azure Front Door | Global load balancer + WAF | Higher cost, global coverage |
| CDN (Content Delivery) | Via Azure CDN + WAF rules | Cheaper, good for static content |
WAF Rule Sets (OWASP)
Azure WAF comes with default rule sets covering standard protection (OWASP 3.0: SQL Injection, XSS, Remote Code Execution rules, etc.), plus custom rules you create yourself โ such as blocking IPs by geography or behavior pattern, requiring specific headers, or rate-limiting by source IP.
Azure WAF comes with default rule sets:
โโโ OWASP 3.0 (standard protection)
โ โโ SQL Injection rules
โ โโ XSS rules
โ โโ Remote Code Execution rules
โ โโ etc.
โ
โโโ Custom Rules (create your own)
โโ Block IPs by geography
โโ Block IPs by behavior pattern
โโ Require specific headers
โโ Rate-limit by source IP
WAF Example: E-Commerce Site
Architecture:
Internet โ Azure Front Door (global) โ WAF (block attacks)
โ Application Gateway โ Web servers โ SQL DB
Traffic Flow:
1. Attacker sends: SELECT * FROM users; DROP TABLE users;
2. Front Door receives (near attacker's region)
3. WAF rule: SQL Injection pattern detected
4. WAF blocks: Request rejected, attacker gets 403 Forbidden
5. Legitimate customer: Normal shopping request
6. WAF rule: No attack patterns
7. WAF allows: Request passes through to App Gateway
8. App Gateway: Load balances to web servers
9. Web servers: Process legitimate request
10. Result: Site protected from attacks โ
Layer 2: Network Watcher (Diagnostics)
What Is Network Watcher?
Network Watcher = Diagnostic tools to monitor, diagnose, and visualize network issues.
Network Watcher Tools
IP Flow Verify
Question: "Can this VM reach that VM?"
Input: Source IP, Dest IP, Port, Protocol
Output: "YES (allowed by NSG)" or "NO (blocked by NSG)"
Use: Debug connectivity issues โ
Example: Is the database reachable on port 1433?
Connection Troubleshoot
Question: "Why can't I reach that endpoint?"
Input: Source VM, Destination IP/host
Output: Detailed hops and where connection fails
Use: Diagnose routing and firewall issues โ
Example: Find where connection breaks (routing loop? firewall?)
NSG Flow Logs
Records: All traffic allowed/denied by NSG
Captures: Source, Dest, Port, Protocol, Allow/Deny
Use: Compliance, security audits, understanding traffic โ
Storage: Log Analytics, Storage Account, Event Hub
Example: "Which IPs are trying to attack my database?"
Packet Capture
Records: Actual packet data (headers and payload)
Use: Deep troubleshooting, malware analysis
Warning: Can capture sensitive data (passwords, keys)
Example: "What data is being sent on this connection?"
Connection Monitor
Monitors: Connectivity from VM to destination
Tracks: Latency, packet loss, hop information
Use: Continuous health monitoring โ
Example: "Is my connection to the database stable?"
NSG Flow Logs Example
Flow Log Entry:
{
"time": "2024-06-14T10:30:45Z",
"systemId": "nic-abc123",
"category": "NetworkSecurityGroupFlowEvent",
"resourceId": "/subscriptions/.../subnets/web",
"operationName": "NetworkSecurityGroupFlowEvents",
"properties": {
"Version": 2,
"flows": [
{
"rule": "AllowHTTPSInternet",
"flows": [
{
"mac": "00:0D:3A:12:34:56",
"flowTuples": [
"1623667845,40.88.45.120,10.0.1.5,443,52413,T,O,A,B,,"
โ โ โ โ โ โ โ โ
time src-IP dst-IP port port T O A
(internet) (vm) C (TCP) (Out)(Allow)
]
}
]
}
]
}
}
Interpretation:
โโ 40.88.45.120 (Internet IP) sent traffic
โโ To 10.0.1.5 (Your VM) on port 443
โโ From port 52413 (ephemeral)
โโ Protocol: TCP
โโ Direction: Outbound (from your perspective)
โโ Action: Allowed
โโ Used by: NSG rule "AllowHTTPSInternet"
Worked Example: Real Scenario
The Scenario
E-Commerce Site (TechCorp):
- Public website: example.com (handles customer traffic)
- Backend databases: Sensitive customer data
- Global users: Need fast access from anywhere
- Under attack: Getting DDoS attacks (competitors?)
Security Architecture
Internet (users + attackers)
โ
Azure DDoS Standard (Layer 4)
โโ Rate-limits volumetric attacks
โโ Cost: ~$3000/month but necessary for e-commerce
โ
Azure Front Door (global)
โโ Distributes traffic across regions
โโ Caches static content
โโ Reduces load on backend
โ
WAF Rules (Layer 7)
โโ OWASP rules: Block SQL injection, XSS, CSRF
โโ Custom rules: Block suspicious IPs, geo-blocking
โโ Action: Deny malicious requests
โ
Azure Firewall (Layer 3-4)
โโ Network rules: Allow only known sources
โโ Application rules: Allow only example.com domain traffic
โโ Action: Inspect and allow legitimate traffic
โ
Application Gateway (Layer 7)
โโ Web application firewall (additional layer)
โโ SSL/TLS termination
โโ Load balancing
โโ Action: Distribute to backend pools
โ
Backend Servers (VMs)
โโ NSG: Allow only from Application Gateway
โโ NSG: Block all unknown sources
โโ Protected by multiple layers โ
Attack Scenarios
Scenario 1: Volumetric DDoS
Attack: 100 Gbps traffic from 50K compromised IoT devices
Protection Flow:
1. DDoS Standard detects: Traffic exceeds normal pattern
2. DDoS Standard rate-limits: Drops excess packets
3. Legitimate users: Still able to access โ
4. Attacker: Can't overwhelm the service
5. Result: Service stays online โ
Cost: Justifies the $3000/month DDoS Standard subscription
Scenario 2: SQL Injection
Attack: Attacker sends: GET /product?id=1' OR '1'='1--
Protection Flow:
1. Request hits Azure Front Door (Layer 4)
2. Front Door forwards to WAF
3. WAF checks: OWASP SQL Injection rule
4. WAF detects: SQL injection pattern
5. WAF blocks: 403 Forbidden
6. Attacker gets: Error page (not access to data)
7. Backend: Never sees the malicious request โ
8. Result: Database protected โ
Scenario 3: DDoS + Application Attack
Attack: 10 Gbps flood of requests from 1000 IPs
+ SQL injection payloads
Protection Layers:
Layer 4 (DDoS): Rate-limits volumetric flood โ
Layer 7 (WAF): Blocks SQL injection payloads โ
Layer 3 (Azure Firewall): Network rules as fallback โ
Layer 2 (NSG): Final protection at subnet level โ
Result:
โโ DDoS attack: Mitigated by rate-limiting
โโ SQL injection: Blocked by WAF
โโ Legitimate traffic: Passes through all layers
โโ Site remains available and secure โ
Monitoring Attack Flow with Network Watcher
Use Network Watcher:
1. NSG Flow Logs enabled:
โโ Captures all traffic (allowed + denied)
โโ Shows which IPs are attacking
โโ Stored in Log Analytics for analysis
2. Query Attack Pattern:
โโ KQL: NSGFlowLogCommonFields
| where FlowStatus == "Deny"
| summarize DeniedCount = count() by SourcePublicIP
| sort by DeniedCount desc
3. Result:
โโ Top attacking IPs identified
โโ Patterns visible (which ports, protocols)
โโ Can create firewall rules to pre-block โ
4. Connection Monitor:
โโ Monitors legitimate user access
โโ Tracks latency (is site fast enough?)
โโ Alerts on degradation
โโ Ensures customer experience โ
Common Mistakes (What NOT to Do)
โ Mistake 1: Thinking Firewall Replaces NSGs
Wrong
"We have Azure Firewall, we don't need NSGs"
โโ Remove NSG rules
โโ Rely only on Firewall
โโ Problem: NSGs are still needed at subnet level
โโ Result: Defense-in-depth is gone โ
Fix
Use both:
โโ NSG: Blocks at subnet level (quick, lightweight)
โโ Firewall: Inspects at hub level (stateful, deep inspection)
โโ Result: Multiple layers of defense โ
Why it fails: Firewall and NSGs serve different purposes (stateful inspection vs. subnet isolation).
โ Mistake 2: Not Enabling NSG Flow Logs
Wrong
"NSG Flow Logs are expensive, let's skip them"
โโ No visibility into denied traffic
โโ Can't debug connectivity issues
โโ Can't investigate security incidents
โโ Result: Blind to attacks โ
Fix
Enable NSG Flow Logs:
โโ Store in Log Analytics (cheap, queryable)
โโ Set retention to 90 days minimum
โโ Query for:
โ โโ Denied traffic patterns
โ โโ Unusual port access
โ โโ Potential attacks
โโ Cost: ~$10/month (cheap insurance) โ
Why it fails: Flow logs are the audit trail for network security.
โ Mistake 3: WAF Too Strict
Wrong
WAF Rule: Block all requests with special characters
โโ Legitimate request: "What's the price?"
โโ Contains apostrophe (special character)
โโ WAF blocks: Legitimate user can't search
โโ Result: False positives, broken site โ
Fix
WAF Tuning:
โโ Start with default OWASP rules
โโ Monitor for false positives
โโ Exclude specific paths (e.g., file uploads)
โโ Adjust sensitivity: "Detection" vs. "Prevention" mode
โโ Result: Security without breaking functionality โ
Why it fails: Over-blocking legitimate traffic hurts user experience.
โ Mistake 4: DDoS Protection Only, Ignoring Application Attacks
Wrong
"We have DDoS Standard, we're protected"
โโ DDoS protects Layer 4 (volumetric)
โโ Doesn't protect Layer 7 (SQL injection, XSS)
โโ Attacker uses targeted SQL injection
โโ Database hacked
โโ Result: False sense of security โ
Fix
Use layered defense:
โโ DDoS Standard: Handles volumetric attacks
โโ WAF: Handles application-level attacks
โโ Azure Firewall: Network-level inspection
โโ NSGs: Subnet-level filtering
โโ Result: Protected at all layers โ
Why it fails: DDoS and WAF protect different layers.
Advanced Security Checklist
DDoS Protection
โก DDoS Basic: Always enabled (free)
โก DDoS Standard: Enable for public-facing apps
โโ Cost-benefit: $3000/month vs. downtime cost
โก DDoS alerts: Configure to notify SOC
Azure Firewall
โก Deployed in Hub VNet
โก Application rules: Define allowed domains
โก Network rules: Define allowed IPs/ports
โก Routes: All spoke traffic through firewall
โก Logging: Enable firewall logs
โก Tuning: Monitor allowed vs. denied traffic
WAF (Application Gateway or Front Door)
โก OWASP rules enabled
โก Mode: Detection (first), then Prevention (after tuning)
โก Custom rules: Add for your app-specific threats
โก Exclusions: Configure for file uploads, legitimate patterns
โก Logging: Send to Log Analytics for analysis
Network Watcher
โก NSG Flow Logs: Enabled on all NSGs
โก Storage: Log Analytics (for querying)
โก Retention: 90 days minimum
โก Alerts: Set for unusual patterns
โก Connection Monitor: Monitor critical connections
โก IP Flow Verify: Used for troubleshooting
Incident Response
โก Process: What to do when NSG Flow Logs show attack
โก Ownership: Who investigates security incidents?
โก Playbook: Steps to block, isolate, remediate
โก Communication: How to notify customers/stakeholders
How This Connects to Other Topics
Related to Module 01 (Identity & Governance)
- RBAC: Only network admins can modify firewall rules
- Policy: Enforce firewall + WAF for all public-facing apps
Related to Module 02 (Storage)
- Storage Firewall: Combined with WAF for secure access
Related to Module 05 (Monitor)
- Log Analytics: Analyze NSG Flow Logs and Firewall logs
- Alerts: Trigger on suspicious patterns
See It In Action
Associated labs:
Suggested learning sequence:
- โ
Read Hub-Spoke Topology
- โ
Read this doc (Network Security Advanced)
- โก๏ธ Hands-on: Set up Azure Firewall in hub
- โก๏ธ Hands-on: Enable NSG Flow Logs
- โก๏ธ Hands-on: Deploy WAF on Application Gateway
Key Takeaways
๐ก Summary
- Defense-in-depth: Use multiple security layers (DDoS, Firewall, WAF, NSG)
- DDoS Standard: Essential for internet-facing critical apps (~$3K/month)
- Azure Firewall: Stateful inspection, application rules, centralized policy
- WAF: Protects against Layer 7 attacks (SQL injection, XSS, CSRF)
- NSG Flow Logs: Visibility into allowed/denied traffic (essential for auditing)
- Network Watcher: Diagnostic tools for troubleshooting and monitoring
- Layered approach: Each layer catches different attack types
- Tuning required: Monitor for false positives, adjust rules as needed
Next Steps
- Learn: Read this doc (you're here)
- Understand: Which advanced security tools apply to your workloads
- Implement: Deploy in order: DDoS โ Firewall โ WAF
- Monitor: Enable NSG Flow Logs and set up alerts
- Practice: Use Network Watcher to diagnose connectivity
- Secure: Test security with network watcher and flow logs