Enhancing network security by using Microsoft Azure Virtual Network Manager

07 May 2024

From my experiences over the years, the conventional methods of managing network security were and still are dependent on manual interventions, intricate setups, and structures, which are prone to causing mistakes, discrepancies, and delays. Additionally, these traditional frameworks fall short when it comes to adapting to the ever-changing and diverse landscape of contemporary networks that are characterized by frequent and unforeseen changes in devices, users, and applications.

Implementing network security policies across a large organization can be a challenging task, especially when threats are lurking at every doorstep and the ever-growing diversity of users and their habits affects how we secure our infrastructure.

In my journey through the changing landscapes of network security, I’ve encountered numerous tools and technologies. Yet it was not until I came across some of Microsoft’s new and improved tools, one of them being Microsoft Azure Virtual Network Manager, that this changed.

What models worked for us? Network Security Groups (NSGs) are an integral part of the security framework within Microsoft Azure, providing the capability to define detailed rules for both inbound and outbound network traffic. Nonetheless, administering NSGs can become complex when they span numerous applications and teams, particularly when there is an organizational requirement to enforce uniform security policies throughout.

Let’s look at some of these models:

  • Hybrid model: Each application team is responsible for its own NSGs, operating under the advisory and supervisory role of the central governance team. The central authorities use Microsoft Azure Policy to establish baseline rules for NSGs and to keep track of modifications made by the application teams. This approach merges the advantages of both centralized and decentralized frameworks, though it is not without its challenges. For instance, security policies are not strictly enforced, and the volume of alerts can become excessive and difficult to handle.
  • Centralized model: A central governance group administers all NSGs and their security rules. While this structure guarantees uniformity and efficacy in security implementation, it also introduces additional administrative burden and may diminish the system’s agility.
  • Decentralized model: Individual application teams control their own NSGs and the security measures that accompany them. This arrangement affords them a degree of independence and adaptability, yet it also carries the potential for security gaps, because the overarching governance team lacks the authority to mandate crucial security directives or to verify that the NSGs comply with the required standards.

What improvements can we expect from Azure Virtual Network Manager? Previously, Microsoft employed a mixed approach to network security, with the governance team overseeing certain NSG’s and application teams handling others. This method presented several issues, including unevenness, intricacy, and a shortfall in rule enforcement. Addressing these issues, Microsoft has transitioned to a novel framework utilizing Azure Virtual Network Manager. This solution permits the governance team to establish and enforce administrative guidelines over various NSGs, while also granting application teams the autonomy to regulate their specific NSG policies.

To simplify the governance of security protocols, Azure Virtual Network Manager has implemented a feature known as a network group. This is essentially an aggregation of network resources that are categorized based on logical criteria. Leveraging Azure Policy, one can conditionally specify the criteria for network group membership. Azure Virtual Network Manager works in conjunction with Azure Policy to seamlessly enforce administrative security rules on virtual networks that are part of these network groups. For instance, users have the option to configure Azure to automatically include virtual networks tagged with the attribute ‘environment=production’ into a network group, upon which the predefined security admin rules will be consistently applied to these networks.
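As an added example (not code from the original post or from Microsoft), here is a Bicep definition of the dynamic membership described above: a custom Azure Policy with the addToNetworkGroup effect that places any virtual network tagged environment=production into a network group. The policy and assignment names, the default tag value and the networkGroupId parameter are assumptions; the network group must already exist in a network manager whose scope covers the subscription the policy is assigned to.

```bicep
// Added example, not code from the original post or from Microsoft.
// Deployed at subscription scope: policy definitions live at subscription
// or management-group level, and the network manager's scope must cover
// this subscription for the membership to take effect.
targetScope = 'subscription'

@description('Resource ID of the existing AVNM network group (assumed value, of the form /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkManagers/<nm>/networkGroups/<group>)')
param networkGroupId string

@description('Tag value that marks a production virtual network (assumed default)')
param environmentTag string = 'production'

// Policy definition: VNets carrying environment=production join the group.
resource prodVnetPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'avnm-add-production-vnets'   // assumed name
  properties: {
    displayName: 'Add production virtual networks to the AVNM network group'
    policyType: 'Custom'
    // Microsoft.Network.Data mode is required for the addToNetworkGroup effect
    mode: 'Microsoft.Network.Data'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Network/virtualNetworks'
          }
          {
            field: 'tags[environment]'
            equals: environmentTag
          }
        ]
      }
      then: {
        effect: 'addToNetworkGroup'
        details: {
          networkGroupId: networkGroupId
        }
      }
    }
  }
}

// Assignment at subscription scope. Azure Policy re-evaluates membership as
// VNets are created or re-tagged, so nobody has to edit the group by hand.
resource prodVnetAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'avnm-add-production-vnets'   // assumed name
  properties: {
    displayName: 'Production VNets -> AVNM network group'
    policyDefinitionId: prodVnetPolicy.id
    enforcementMode: 'Default'
  }
}

output policyAssignmentId string = prodVnetAssignment.id
```

Deploy it with `az deployment sub create --location <region> --template-file dynamic-membership.bicep --parameters networkGroupId=<id>` (file name assumed). One caveat worth keeping in mind: membership follows the tag, so a virtual network that loses its environment=production tag also leaves the group and stops receiving the admin rules. Whoever can write tags on virtual networks therefore effectively controls which networks the baseline protects, which is a good reason to guard tag writes with Azure Policy (a deny or modify effect on the tag) and to alert on tag changes for production networks.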

This way, security policies are consistently enforced across the organization’s network groups and resources without manual intervention. Azure Virtual Network Manager, in conjunction with Azure Policy, enables Microsoft to define and uniformly manage security protocols across various divisions. This integrated approach ensures that both Microsoft and its partners’ customers are protected by default.

What use cases are there? A key use case of Azure Virtual Network Manager lies in establishing network standards, specifically for the purpose of obstructing ports that pose a high security risk and for the adoption of zero-trust security models.

- High-risk ports refer to the commonly used Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports associated with network applications, identified as posing significant security threats to Microsoft and its users. Typically linked with malicious software, ransomware, or illicit entry attempts, these ports are recommended to be universally obstructed across all Network Security Groups (NSGs) as a precautionary measure.

- The zero-trust baseline policy operates on the principle that all network interactions could potentially be risky, thus it permits only the essential traffic necessary for a given service, embodying the ‘least privilege’ approach to network security. Historically, the introduction of new services into the physical network necessitated a security audit to ascertain the indispensable ports, protocols, and target addresses. Subsequently, the routers serving the physical servers were programmed to enable solely the traffic sanctioned by the security assessment. The advent of Azure Virtual Network Manager has revolutionized this procedure, allowing for its automation and organization-wide implementation.

Through Azure Virtual Network Manager, the governance team has the capability to devise and refine network benchmarks directly within the network manager, and then deploy them to numerous NSGs simultaneously. This process guarantees the organization-wide enforcement of essential security policies. Concurrently, application teams retain the ability to govern their specific NSG regulations, provided they align with the overarching administrative rules. This autonomy enables them to tailor their security settings to their unique requirements and contexts, bypassing the need for clearance or involvement from the central governance team.
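To put the admin-rule side of this into code, here is an added Bicep example (not code from the original post or from Microsoft) that creates a network manager with the SecurityAdmin scope access, a network group, a security admin configuration, and a rule collection that denies inbound traffic on a list of high-risk ports for every member of the group. This serves both the high-risk-port use case above and the point that application teams keep their own NSG rules underneath the admin rules. The manager, group and collection names, the port list and the priority numbering are assumptions.

```bicep
// Added example, not code from the original post or from Microsoft.
// Deploy into a resource group; all names and the port list are assumptions.
param location string = resourceGroup().location
param managerName string = 'avnm-governance'            // assumed name
param networkGroupName string = 'ng-production'         // assumed name
param subscriptionIds array = [ subscription().subscriptionId ]

// High-risk destination ports to deny inbound on every group member.
// Illustrative list only; derive yours from your own threat model.
param highRiskPorts array = [ '22', '3389', '135', '445', '1433', '3306' ]

// Network manager scoped to the listed subscriptions, SecurityAdmin only.
resource manager 'Microsoft.Network/networkManagers@2023-11-01' = {
  name: managerName
  location: location
  properties: {
    networkManagerScopes: {
      subscriptions: [for id in subscriptionIds: '/subscriptions/${id}']
    }
    networkManagerScopeAccesses: [ 'SecurityAdmin' ]
  }
}

// Network group; members are added statically or through Azure Policy.
resource prodGroup 'Microsoft.Network/networkManagers/networkGroups@2023-11-01' = {
  parent: manager
  name: networkGroupName
  properties: {
    description: 'Virtual networks tagged environment=production'
  }
}

// Security admin configuration that the rule collections belong to.
resource baseline 'Microsoft.Network/networkManagers/securityAdminConfigurations@2023-11-01' = {
  parent: manager
  name: 'org-baseline'                                   // assumed name
  properties: {
    applyOnNetworkIntentPolicyBasedServices: [ 'None' ]
  }
}

// Rule collection targeted at the production group.
resource highRisk 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections@2023-11-01' = {
  parent: baseline
  name: 'deny-high-risk-ports'                           // assumed name
  properties: {
    appliesToGroups: [
      {
        networkGroupId: prodGroup.id
      }
    ]
  }
}

// One Deny rule per port. Admin rules are evaluated before NSG rules, so an
// application team's NSG Allow cannot re-open these ports.
resource denyRules 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-11-01' = [for (port, i) in highRiskPorts: {
  parent: highRisk
  name: 'deny-inbound-${port}'
  kind: 'Custom'
  properties: {
    description: 'Block inbound ${port} from any source (governance baseline)'
    priority: 100 + i        // unique priority per rule within the collection
    direction: 'Inbound'
    access: 'Deny'
    protocol: 'Any'          // TCP and UDP alike
    sources: [
      {
        addressPrefixType: 'IPPrefix'
        addressPrefix: '*'
      }
    ]
    destinations: [
      {
        addressPrefixType: 'IPPrefix'
        addressPrefix: '*'
      }
    ]
    sourcePortRanges: [ '0-65535' ]
    destinationPortRanges: [ port ]
  }
}]

output networkGroupId string = prodGroup.id
output securityAdminConfigurationId string = baseline.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file admin-rules.bicep` (file name assumed). Creating the configuration does not yet enforce anything: a security admin configuration has to be deployed (committed) to the target regions, from the portal or with `az network manager post-commit` (check `--help` for the exact flags in your CLI version), before the rules reach the virtual networks. Two behaviours of the access field matter for the division of labour described above: Deny stops the traffic before any NSG is consulted, Allow hands the decision on to the application team's NSG, and AlwaysAllow admits the traffic and skips the NSG entirely, so use AlwaysAllow sparingly and only for flows the governance team is certain about.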

Thus, Azure Virtual Network Manager plays a pivotal role in bolstering security for both your own and your customers’ cloud infrastructure. We are focusing on migrating more and more on-prem infrastructure to Azure, and you as our partners are key to this process. Let us help you move their existing workloads and modernize their estates by including Microsoft Azure Virtual Network Manager when architecting their Azure network; to get started, contact your Surestep Ambassador team.

Sean van Eeden

Contact us

T: +27126402600    