Last updated - February 19, 2025
In this blog post, we will walk you through basic to advanced scenarios for Azure network security. Ready to become an Azure NetSec ninja? Dive right in!
Check back here routinely, as we will keep updating this blog post with new content as it becomes available.
Anything in here that could be improved or may be missing? Let us know in the comments below, we’re looking forward to hearing from you.
Latest Highlight: Public Preview: Azure Web Application Firewall JavaScript Challenge
Azure Web Application Firewall (WAF) running on Azure Front Door and Azure Application Gateway now supports a JavaScript (JS) challenge. The Azure WAF JavaScript challenge is available as a new mitigation action in the Bot Manager rule set and in custom rules. The JavaScript challenge is an invisible web challenge used to distinguish legitimate users from bots: malicious bots fail the challenge, which protects the web application. Because it requires no human interaction, the JavaScript challenge also reduces friction for legitimate users.
Knowledge Check
Take the Azure Network Security Ninja Knowledge Test to confirm your Azure Network Security Ninja Skills.
- Once you have completed the training, take the knowledge check here.
- If you score more than 80% in the knowledge check, request your certificate here. If you achieved less than 80%, please review the training material again and re-take the assessment.
1 The Basics
1.1 Introduction to network security concepts
This module introduces general concepts of network and web application security.
1.1.1 Network security in Azure
Be familiar with network security concepts and ways you can achieve a secure network deployment in the Azure cloud.
- Network security and containment in Azure
- Secure and govern workloads with network level segmentation
- Best practices for network security
1.1.2 Web application protection in Azure
Be familiar with web application protection concepts and ways you can achieve a secure web application deployment in the Azure cloud.
1.2 Introduction to Azure network security products
1.2.1 Azure DDoS Protection
1.2.1.1 Azure DDoS Protection - Network Protection
Azure DDoS Network Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.
For more information, check the Azure DDoS Protection documentation.
MS Learn Training Material: Azure DDoS Protection (34 minutes)
This MS Learn module will show you how to guard your Azure services from a denial-of-service attack using Azure DDoS Protection.
1.2.1.2 Azure DDoS Protection - IP Protection
IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensures your application is always protected. With IP Protection, you have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates with other Azure services for real-time alerts, metrics, and insights to strengthen your security posture.
1.2.2 Azure Firewall and Azure Firewall Manager
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
For more information, check the Azure Firewall documentation.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
For more information, check the Azure Firewall Manager documentation.
MS Learn Training Material: Azure Firewall and Azure Firewall Manager (48 minutes)
This MS Learn module will describe how Azure Firewall protects Azure Virtual Network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager.
1.2.3 Azure Web Application Firewall (WAF)
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. You can deploy WAF on Azure Application Gateway or WAF on Azure Front Door.
For more information, check the Azure Web Application Firewall (WAF) documentation.
MS Learn Training Material: Azure Web Application Firewall (WAF) (40 minutes)
This MS Learn module will show how Azure Web Application Firewall protects Azure web applications from common attacks, including its features, how it’s deployed, and its common use cases.
2 Architecture and Deployments
2.1 Standalone Deployments
2.1.1 Azure DDoS Protection
When deploying Azure DDoS Protection, keep in mind that public IP addresses associated with resources in Azure Resource Manager (ARM) virtual networks are currently the only type of protected resource. Public IPs that belong to multitenant PaaS services are not supported by the Azure DDoS Network Protection SKU at this time.
The main steps to deploy Azure DDoS Network Protection are:
- Create a DDoS protection plan
- Attach vNETs to the DDoS protection plan
- Configure DDoS logging
- Enable diagnostic settings on Public IP Address resources
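The four steps above, expressed as one Bicep deployment. This is an added example and not code from the original post or from Microsoft; the resource names, the address ranges and the `workspaceId` parameter (the resource ID of an existing Log Analytics workspace) are assumptions.

```bicep
// Added example (not from the original post): create a DDoS Network Protection
// plan, attach a VNet to it, and route the DDoS log categories of a public IP
// to a Log Analytics workspace. Names and address ranges are assumptions.
param location string = resourceGroup().location
param workspaceId string   // assumed: resource ID of an existing Log Analytics workspace

// Step 1: the DDoS protection plan (one plan can cover VNets in many subscriptions)
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-11-01' = {
  name: 'ddos-plan-prod'
  location: location
}

// Step 2: attach the VNet to the plan. Every public IP associated with a
// resource in this VNet becomes a protected resource.
resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
    subnets: [
      { name: 'workload', properties: { addressPrefix: '10.0.1.0/24' } }
    ]
  }
}

// A Standard SKU public IP that will be attached to a resource in the VNet
resource pip 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
  name: 'pip-web'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Steps 3 and 4: diagnostic settings on the public IP. These three categories
// carry the mitigation notifications, per-flow mitigation logs and post-attack reports.
resource pipDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'ddos-diag'
  scope: pip
  properties: {
    workspaceId: workspaceId
    logs: [
      { category: 'DDoSProtectionNotifications', enabled: true }
      { category: 'DDoSMitigationFlowLogs', enabled: true }
      { category: 'DDoSMitigationReports', enabled: true }
    ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}
```

Deploy with `az deployment group create --template-file ddos.bicep --parameters workspaceId=<id>`. Diagnostic settings are per public IP, so the built-in policy "Public IP addresses should have resource logs enabled for Azure DDoS Network Protection" (section 3.3.1) is the practical way to catch IPs that were created without them.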
Do you prefer videos? Check out the Getting started with Azure Distributed Denial of Service (DDoS) Protection (60 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
2.1.2 Azure Firewall
You can choose to deploy Azure Firewall Basic SKU, Azure Firewall Standard SKU or Azure Firewall Premium SKU. Check the documentation below to get an understanding of their feature differences:
- Azure Firewall Basic - Features
- Azure Firewall Standard - Features
- Azure Firewall Premium - Features
It is also possible to upgrade or downgrade between the Azure Firewall Standard and Azure Firewall Premium SKUs. This upgrade/downgrade feature allows you to easily and efficiently move between these two SKUs without service downtime, with a single click of a button.
- Azure Firewall Single-Click Upgrade/Downgrade - Azure Firewall easy upgrade/downgrade.
- You can also check out this blogpost - Announcing Azure Firewall Upgrade/Downgrade General Availability
During your planning stages, it’s also a good idea to refer to the known issues for these products. Being aware of these known issues will save you time and stress when deploying your Azure Firewall.
Deploy and configure Azure Firewall using the Azure portal.
Azure Firewall logs and metrics
- Azure Firewall logs and metrics
- New metric: Latency Probe Metric (Preview) - This metric measures the overall or average latency of Azure Firewall - Azure Firewall Metrics
- Monitor Azure Firewall logs and metrics.
- Overview of Azure Firewall logs and metrics
- New Logs: Top Flow Logs (Preview) and Flow Trace Logs (Preview) - Enable Top flows and Flow trace logs in Azure Firewall
- You can also check out this blogpost - Logging and Metrics Enhancements to Azure Firewall now in Preview.
- Structured Firewall Logs - This Azure Firewall log type uses resource-specific tables instead of the shared AzureDiagnostics table. The structured logs give a more detailed view of firewall events and carry more metadata, such as the time of the event and the name of the Azure Firewall instance.
- Azure Structured Firewall Logs
- You can also check out this blogpost - Exploring the New Resource Specific Structured Logging in Azure Firewall
- Azure Firewall Resource Health - Lets you view the health status of an Azure Firewall and address service problems that may affect the firewall resource. Teams receive proactive notifications about potential health degradations, along with recommended mitigation actions for each health event type.
- Azure Resource Health overview - Azure Service Health
- You can also check out this blogpost - Azure Firewall: New Monitoring and Logging Updates
- Built-in Firewall Workbook - The Azure Firewall Workbook provides a dynamic ability for Azure Firewall data analysis. You can use it to create rich visual reports within the Azure portal. You can tap into multiple Firewalls deployed across Azure and combine them into unified interactive experiences. This workbook is now available within the Azure Firewall instance, providing an easy and convenient way to track your Azure Firewall statistics.
- Monitor logs using Azure Firewall Workbook
- You can also check out this blogpost - Azure Firewall: New Monitoring and Logging Updates
Integrate Azure Firewall with Azure Standard Load Balancer
Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments
- Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments
- Restrict egress traffic in Azure Kubernetes Service (AKS)
Azure Firewall DNS settings
- Azure Firewall DNS settings
- Enabling DNS proxy in your Azure Firewall will allow you to use FQDN filtering in network rules
- Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy
Azure Firewall in forced tunneling mode
Azure Firewall Explicit Proxy (Preview)
Azure Firewall can be configured in explicit proxy mode so that the sending application directs its traffic to the firewall's private IP address without the need for a User Defined Route (UDR).
- Azure Firewall Explicit proxy (preview)
- You can also check out this blogpost - Demystifying Explicit proxy: Enhancing Security with Azure Firewall.
Azure Firewall Protection for O365
Azure Firewall integration with O365 lets you secure and manage traffic destined to O365 endpoints in an efficient and simplified manner. This is achieved through built-in service tags and FQDN tags: service tags group the required IPv4 address ranges and FQDN tags group the required FQDNs, both by Office 365 service and category. Service tags are used in Firewall network rules and FQDN tags in application rules to secure traffic destined to the O365 IP addresses and endpoints.
- Azure Firewall O365 FQDN and Service tags.
- You can also check out this blogpost - Protect Office365 and Windows365 with Azure Firewall.
Do you prefer videos? Check out the Manage application and network connectivity with Azure Firewall (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
You can also check out this Azure Firewall Deep Dive on YouTube (82 minutes). It covers almost everything you need to know!
Azure Firewall NAT
Network Address Translation (NAT) is a method used to map one IP address to another, helping with scenarios such as IP address translation between private and public networks. Azure Firewall supports two types of NAT: Source Network Address Translation (SNAT), which changes the source IP address of outbound traffic, and Destination Network Address Translation (DNAT), which maps inbound traffic to a specific destination IP address.
- Azure Firewall SNAT private IP address ranges | Microsoft Learn
- Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the portal | Microsoft Learn
- You can also check out this blogpost - Azure Firewall NAT Behaviors - Microsoft Community Hub
Private IP DNAT support was recently introduced, allowing Azure Firewall to map inbound traffic to private IP addresses in your network. This feature enables secure and scalable connectivity to internal resources, even when those resources are hosted on private IPs within a virtual network, broadening Azure Firewall’s capability for handling traffic across both public and private endpoints.
- You can also check out this blogpost - Private IP DNAT Support and Scenarios with Azure Firewall - Microsoft Community Hub.
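A firewall policy that puts the DNS settings section (DNS proxy with FQDN filtering in network rules) and the NAT section (a public DNAT rule and a private IP DNAT rule) together in one deployment. This is an added example, not code from the original post or from Microsoft; the firewall public and private IPs, the backend host, the on-premises range and the destination FQDN are assumptions.

```bicep
// Added example (not from the original post): Azure Firewall policy with DNS
// proxy enabled, an FQDN-based network rule, and two DNAT rules (public IP and
// private IP). All addresses and names below are assumptions.
param location string = resourceGroup().location
param firewallPublicIp string = '203.0.113.10'   // assumed: the firewall's public IP (TEST-NET-3)
param firewallPrivateIp string = '10.0.0.4'      // assumed: the firewall's private IP
param webServerIp string = '10.0.1.10'           // assumed: backend host behind the firewall

resource policy 'Microsoft.Network/firewallPolicies@2023-11-01' = {
  name: 'fwpol-hub'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'
    // DNS proxy must be on for FQDNs in network rules: the firewall resolves the
    // name itself, so the rule and the client see the same answer. Clients must
    // point their DNS at the firewall private IP for this to hold.
    dnsSettings: {
      servers: []          // empty = Azure-provided DNS; list custom resolvers here if used
      enableProxy: true
    }
  }
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-11-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'inbound-dnat'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            // Internet client -> firewall public IP:443 -> backend:8443
            ruleType: 'NatRule'
            name: 'public-https-to-web'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '443' ]
            translatedAddress: webServerIp
            translatedPort: '8443'
          }
          {
            // Private IP DNAT: on-premises client -> firewall private IP:22 -> backend:22.
            // The on-premises range must route to the firewall private IP for this to match.
            ruleType: 'NatRule'
            name: 'private-ssh-to-web'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '192.168.0.0/16' ]   // assumed on-premises range
            destinationAddresses: [ firewallPrivateIp ]
            destinationPorts: [ '22' ]
            translatedAddress: webServerIp
            translatedPort: '22'
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'egress-by-fqdn'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            // FQDN in a network rule: only valid because enableProxy is true above.
            // Used for non-HTTP(S) or pinned TLS destinations where an application rule does not fit.
            ruleType: 'NetworkRule'
            name: 'workload-to-github-api'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.0.0.0/16' ]
            destinationFqdns: [ 'api.github.com' ]   // assumed allowed destination
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}
```

The policy is attached to a firewall by setting `firewallPolicy: { id: policy.id }` on the `Microsoft.Network/azureFirewalls` resource. Note the ordering: DNAT rules are evaluated before network and application rules, and a DNAT match implicitly allows the translated flow, so keep the DNAT source ranges as narrow as the use case allows.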
2.1.3 Azure Web Application Firewall (WAF)
Azure Web Application Firewall DRS and CRS Rules and Rule Groups
The Azure Web Application Firewall ships with the OWASP Core Rule Set (CRS) and the Azure-managed Default Rule Set (DRS), which are rules that protect web applications from common vulnerabilities and exploits. These rule sets are managed by Azure, which makes them easy to deploy against a common set of security threats.
The Application Gateway WAF supports rules based on OWASP CRS 3.2, 3.1 or 3.0 and, in addition, the Default Rule Set (DRS) 2.1. DRS is an Azure-managed rule set that is baselined from the OWASP CRS rules and includes the Microsoft Threat Intelligence Collection rules, written in partnership with the Microsoft Threat Intelligence team.
For more information, check out: Web Application Firewall DRS and CRS rule groups and rules.
Azure Web Application Firewall Sensitive Data Protection
Sensitive data protection for WAF masks sensitive data (such as passwords or IP addresses) that would otherwise be readable in the WAF logs. Normally, when a WAF rule is triggered, the WAF logs the details of the request in clear text. To protect against exposure of sensitive data, the WAF Log Scrubbing tool (preview) removes it from the WAF logs using a rules engine: you build custom rules that identify the specific portions of a request (a header, cookie, query argument, POST argument, JSON argument or the client IP) that contain sensitive information. Once identified, the tool scrubs that information from your logs and replaces it with *******.
Azure Web Application Firewall JavaScript Challenge (Preview)
The Azure WAF JavaScript Challenge is a powerful security feature designed to help protect web applications from automated bot attacks. When a client attempts to access a protected web application, the WAF injects a lightweight JavaScript challenge that must be executed by the client’s browser. Legitimate browsers can handle this challenge seamlessly, while malicious bots typically fail to execute the JavaScript, thus blocking their access. This proactive approach significantly reduces the risk of automated attacks such as scraping, credential stuffing, and other malicious activities, enhancing the overall security posture of web applications without disrupting the user experience.
- For more information check out - Azure Web Application Firewall JavaScript challenge (preview) overview | Microsoft Learn
Azure Web Application Firewall Inspection Limits and Size Limits
Azure WAF has introduced the capability to independently configure inspection limits and size limits, giving users more flexibility in managing traffic. Previously, the inspection limit and size limit were tied together, meaning that requests exceeding the defined size limit were not only rejected but also excluded from inspection. Now, with this separation, users can configure different thresholds: the size limit controls whether a request is allowed based on its size, while the inspection limit governs the maximum request size that will be inspected for threats. This separation allows large requests to pass without triggering rejections, while still inspecting smaller requests for security risks, providing a more balanced and customizable security posture.
- For more information check out - Web application firewall request size limits in Azure Application Gateway - Azure portal | Microsoft Learn
- You can also check out this blogpost - Independent Configuration of Size Enforcement and Inspection Limits in Application Gateway WAF - Microsoft Community Hub
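One Application Gateway WAF policy that combines the three features described above: log scrubbing rules for sensitive data, a custom rule that applies the JavaScript challenge on the login path, and size enforcement configured independently of the inspection limit. This is an added example and not code from the original post or from Microsoft; the policy name, the `/login` path, the scrubbed field names, the limits and the API version are assumptions (the `logScrubbing`, `requestBodyEnforcement` and `JSChallenge` properties require a recent API version).

```bicep
// Added example (not from the original post): Application Gateway WAF policy
// with log scrubbing, a JS challenge custom rule, and separated size/inspection
// limits. Names, paths, field names and limits are assumptions.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-01-01' = {
  name: 'wafpol-web'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true
      // Size limit and inspection limit set independently: bodies over 128 KB are
      // not rejected (enforcement off), but only the first 128 KB is inspected.
      requestBodyEnforcement: false
      maxRequestBodySizeInKb: 128
      requestBodyInspectLimitInKB: 128
      // File uploads are still capped: anything over 100 MB is rejected.
      fileUploadEnforcement: true
      fileUploadLimitInMb: 100
      // How long a browser that passed the JS challenge stays trusted
      jsChallengeCookieExpirationInMins: 30
      // Scrub secrets before a matched request is written to the WAF logs
      logScrubbing: {
        state: 'Enabled'
        scrubbingRules: [
          { state: 'Enabled', matchVariable: 'RequestHeaderNames', selectorMatchOperator: 'Equals', selector: 'Authorization' }
          { state: 'Enabled', matchVariable: 'RequestPostArgNames', selectorMatchOperator: 'Equals', selector: 'password' }
          { state: 'Enabled', matchVariable: 'RequestIPAddress', selectorMatchOperator: 'EqualsAny' }
        ]
      }
    }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'Microsoft_DefaultRuleSet', ruleSetVersion: '2.1' }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
    }
    customRules: [
      {
        // Serve the invisible JS challenge on the login path: real browsers pass
        // transparently, headless credential-stuffing tools fail and are dropped.
        name: 'jschallenge-login'
        priority: 10
        ruleType: 'MatchRule'
        action: 'JSChallenge'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            matchValues: [ '/login' ]
            transforms: [ 'Lowercase' ]
          }
        ]
      }
    ]
  }
}
```

Two caveats worth keeping in mind with this layout: scrubbing the client IP removes the field the Sentinel blocking playbook in section 3.4.1 relies on, so decide per environment whether `RequestIPAddress` belongs in the scrub list; and with enforcement off, a body larger than the inspection limit is partially uninspected, so keep the inspection limit at the largest value your gateway SKU allows for endpoints that accept untrusted uploads.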
Check out the below resources on how to create and use a WAF policy:
- Create a WAF Policy on Azure Application Gateway
- Create a WAF Policy on Azure Front Door
- Configure WAF logging for an Application Gateway deployment
- Configure WAF logging for a Front Door deployment
- Azure Web Application Firewall: WAF config versus WAF policy
2.2 Advanced Deployments
2.2.1 On-Prem Hybrid
- Deploy and configure Azure Firewall in a hybrid network via Azure Portal or via PowerShell
- Deploy network virtual appliances (NVAs) for high availability in Azure
- Implement a secure hybrid
2.2.2 vWAN (Secured Virtual Hub)
- Introduction to Azure Virtual WAN
- What are the Azure Firewall Manager architecture options?
- Azure Virtual WAN FAQs
- How does the virtual hub in a virtual WAN select the best path for a route from multiple hubs?
- Configure Azure Firewall in a VWAN hub
- Convert a VWAN to a Secure Hub
- Secure your VirtualHub with Azure Firewall Manager
- Migrate to Virtual WAN
- Customer provided public IP address support in secured hubs (preview) | Microsoft Learn
2.2.3 vWAN (Secured Virtual Hub) with 3rd party SECCaaS
- VWAN hub partners
- Deploy a security partner provider
- Deploy Check Point CloudGuard Connect as a trusted Azure security partner
2.2.4 Hub and Spoke
- Hub and spoke network topology
- Hub-spoke network topology with Azure Firewall
- Using Azure Firewall as a Network Virtual Appliance (NVA)
2.2.5 Forced Tunneling with 3rd party NVAs
2.2.6 Multi-product combination in Azure
- Combine Azure Firewall with other Network security products.
- Determine how best to combine App Gateway and Azure FrontDoor
- Zero-trust network for web applications with Azure Firewall and Application Gateway - Azure Architecture Center | Microsoft Learn
2.2.7 TLS Inspection on Azure Firewall
- Enable TLS inspection in Azure firewall
- Learn about URL filtering and Web Categories
- Certificate Management Overview for Azure Firewall Premium TLS Inspection
Do you prefer videos? Check out the Content Inspection Using TLS Termination with Azure Firewall Premium (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
2.2.8 Per-Site or Per-URI WAF policies on Azure Application Gateway
Do you prefer videos? Check out the Using Azure WAF Policies to Protect Your Web Application at Different Association Levels (50 minutes) webinar. You can also quickly browse through the contents of the presentation deck.
3 Operations
3.1 Centralized Management
3.1.1 Azure Firewall Manager and Firewall Policy
Do you prefer videos? Check out the Getting started with Azure Firewall Manager (35 minutes) webinar. You can also quickly browse through the contents of the Azure Firewall Manager presentation deck.
- Azure Firewall Manager now also manages WAF Policy and DDoS Protection plans. This will assist organizations to easily manage and control their network security policy deployments. Check out What is Azure Firewall Manager? | Microsoft Learn for more information on this.
3.1.2 Web Application Firewall (WAF) Policy
3.2 Optimizing
3.2.1 Azure Firewall Policy Analytics
Azure Firewall Policy Analytics provides deeper insights, centralized visibility and greater granular control to Azure Firewall rules and policies. Policy Analytics enables one to easily and efficiently fine-tune Azure Firewall rules and policies ensuring enhanced security and compliance.
- Azure Firewall Policy Analytics.
- Do you prefer videos? Check out Azure Firewall Policy Analytics (50 minutes) webinar video.
- You can also check out this blog - Exploring Azure Firewall Policy Analytics.
3.2.2 Web Application Firewall (WAF) tuning
- Troubleshooting and tuning for Azure WAF for Application Gateway
- Troubleshooting and tuning for Azure WAF for Front Door
Do you prefer videos? Check out the Boosting your Azure Web Application (WAF) deployment (45 minutes) webinar and Azure WAF Tuning for Web Applications (webinar). You can also quickly browse through the contents of the presentation deck.
3.3 Governance
3.3.1 Built-in Azure Policies for Azure DDoS Network Protection
- Azure DDoS Network Protection should be enabled.
- Public IP addresses should have resource logs enabled for Azure DDoS Network Protection
- Virtual networks should be protected by Azure DDoS Network Protection
3.3.2 Built-in Azure Policies for Azure Web Application Firewall (WAF)
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service.
- Web Application Firewall (WAF) should use the specified mode for Application Gateway
- Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service
3.3.3 Restrict creation of Azure DDoS Network Protection plans with Azure Policy
If you want to prevent the unplanned or unapproved costs that come with creating multiple DDoS plans in the same tenant, check out this Azure Policy template. The policy denies the creation of Azure DDoS Network Protection plans in any subscription except those defined as allowed.
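A custom policy definition with the same intent, assigned at management group scope. This is an added example and not the template the post links to; the definition name, the management group target and the placeholder subscription ID are assumptions.

```bicep
// Added example (not from the original post): deny creation of DDoS Network
// Protection plans in any subscription that is not on an allow list.
// The definition name and the placeholder subscription ID are assumptions.
targetScope = 'managementGroup'

param allowedSubscriptionIds array = [
  '00000000-0000-0000-0000-000000000000'   // assumed: the one subscription that owns the shared plan
]

resource denyDdosPlans 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'deny-ddos-plan-outside-allowlist'
  properties: {
    policyType: 'Custom'
    mode: 'All'
    displayName: 'Deny DDoS Network Protection plans outside approved subscriptions'
    description: 'Prevents duplicate DDoS plans (and their cost) by denying the plan resource type outside an allow list.'
    parameters: {
      allowedSubscriptions: {
        type: 'Array'
        metadata: { displayName: 'Subscription IDs allowed to own a DDoS plan' }
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Network/ddosProtectionPlans' }
          // Bicep emits the leading "[" as "[[", so the policy engine receives the
          // expression literally and evaluates it at request time, not at deploy time.
          { value: '[subscription().subscriptionId]', notIn: '[parameters(\'allowedSubscriptions\')]' }
        ]
      }
      then: { effect: 'Deny' }
    }
  }
}

resource assignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
  name: 'deny-ddos-plan-outside-allowlist'
  properties: {
    displayName: 'Deny DDoS plans outside approved subscriptions'
    policyDefinitionId: denyDdosPlans.id
    parameters: { allowedSubscriptions: { value: allowedSubscriptionIds } }
  }
}
```

Deploy with `az deployment mg create --management-group-id <mg> --location <region> --template-file deny-ddos-plans.bicep`. Deny only stops new plans; run a compliance scan after assignment to list plans that already exist outside the allow list and consolidate them onto the shared plan, since a single plan can protect VNets across subscriptions.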
3.4 Responding
3.4.1 Azure Web Application Firewall (WAF)
This Logic App Playbook for Sentinel will add the source IP address passed from the Sentinel Incident to a custom WAF rule blocking the IP. For a more comprehensive description of this use case, check our blog post Integrating Azure Web Application Firewall with Azure Sentinel.
3.4.2 Azure DDoS Network Protection
During an active attack, Azure DDoS Network Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with investigation during the attack and with post-attack analysis.
This DDoS Mitigation Alert Enrichment template will alert administrators of a DDoS event, while adding essential information in the body of the email for a more detailed notification.
4 Integrations
Using Azure Sentinel with Azure Web Application Firewall
You can integrate Azure WAF with Azure Sentinel for security information and event management (SIEM). By doing this, you can use Azure Sentinel's security analytics, playbooks and workbooks with your WAF's log data.
In this blog post, we cover in further detail how to configure the log connector, query logs, generate incidents, and automate responses to incidents.
Using Azure Sentinel Solutions for Azure Firewall
The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content. This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.
In this blog post, we cover in further detail how to automate detection and response for Azure Firewall events using Azure Sentinel.
5 Hands-on Labs
Network Security Demo lab: A pre-configured Azure test deployment kit for proofs of concept is available in this repository. You can use this lab to validate proofs of concept for the different network security products. You can find more information on setup and the demo in the NetSec POC blogpost.
WAF Attack test lab: Set up a Web Application Firewall lab environment to verify how you can identify, detect and protect against suspicious activities in your environment. This blogpost provides steps to protect against potential attacks and you can deploy the template from GitHub.
Interactive Guide: If you cannot set up a lab environment, you can still get a hands-on experience with our Azure network security interactive guide. In this guide, we will show you how you can protect your cloud infrastructure with Azure network security tools.
6 Resource References
Register for upcoming webinars or watch recordings of past webinars in our Microsoft Security Community!
Check out and be sure to contribute with our Azure Network Security samples in GitHub!
Check out our Azure Network Security blog posts in our Tech Community!
Provide feedback and ideas about Azure products and features in our Azure Feedback portal!
Updated Feb 19, 2025 | Version 51.0 | camilamartins, Microsoft | Azure Network Security Blog