This architecture provides guidance for designing a mission-critical workload that has strict network controls in place to prevent unauthorized public access from the internet to any of the workload resources. The intent is to stop attack vectors at the networking layer so that the overall reliability of the system isn't impacted. For example, a Distributed Denial of Service (DDoS) attack, if left unchecked, can cause a resource to become unavailable by overwhelming it with illegitimate traffic.

It builds on the mission-critical baseline architecture, which is focused on maximizing reliability and operational effectiveness without network controls. This architecture adds features to restrict ingress and egress paths using the appropriate cloud-native capabilities, such as Azure Virtual Network (VNet) and private endpoints, Azure Private Link, Azure Private DNS Zone, and others.

It's recommended that you become familiar with the baseline before proceeding with this article.

The design strategies for the mission-critical baseline still apply in this use case. Here are the additional networking considerations for this architecture:

Ingress or inbound communication into the virtual network must be restricted to prevent malicious attacks. Apply Web Application Firewall (WAF) capabilities at the global level to stop attacks at the network edge, closer to the attack source. Eliminate public connectivity to Azure services; one approach is to use private endpoints. Inspect traffic before it enters the network. Network security groups (NSGs) on subnets help filter traffic by allowing or denying flow to the configured IP addresses and ports. This level of control also helps in granular logging.

Egress traffic from a virtual network to entities outside that network must be restricted. Lack of controls might lead to data exfiltration attacks by malicious third-party services. Restrict outbound traffic to the internet using Azure Firewall. Firewall can filter traffic granularly using fully qualified domain name (FQDN).

There are significant trade-offs when security features are added to a workload architecture. You might notice some impact on performance, operational agility, and even reliability. However, attacks, such as Denial-Of-Service (DDoS), data intrusion, and others, can target the system's overall reliability and eventually cause unavailability.
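As an added example, not code from the Azure documentation this page is drawn from, the following Bicep fragment shows the ingress and egress controls described above: a subnet NSG that admits inbound HTTPS only from the global WAF edge and denies the rest of the internet, and an Azure Firewall policy whose application rule allows outbound HTTPS only to an FQDN allow-list. The AzureFrontDoor.Backend service tag, the subnet CIDR and the target FQDNs are assumptions or placeholders.

```bicep
param location string = resourceGroup().location
// Assumption: the application subnet's CIDR; placeholder value for this example.
param appSubnetCidr string = '10.0.1.0/24'

// Ingress: the subnet NSG admits HTTPS only from the global WAF edge (the
// AzureFrontDoor.Backend service tag is assumed here) and denies the rest of the Internet.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app-subnet'
  location: location
  properties: {
    securityRules: [
      { name: 'AllowWafEdgeHttpsInbound', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'AzureFrontDoor.Backend', sourcePortRange: '*', destinationAddressPrefix: appSubnetCidr, destinationPortRange: '443' } }
      { name: 'DenyInternetInbound', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

// Egress: Azure Firewall policy holding an FQDN allow-list. Azure Firewall drops any
// outbound flow that matches no rule, so only the listed names are reachable.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'afwp-egress'
  location: location
  properties: { threatIntelMode: 'Deny' }
}
resource egressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'EgressAllowList'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AllowApprovedFqdns'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'AllowDependencyFqdns'
            sourceAddresses: [ appSubnetCidr ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            // Placeholder destinations; replace with the workload's real dependencies.
            targetFqdns: [ 'registry.example.com', 'api.example.com' ]
          }
        ]
      }
    ]
  }
}
```

The policy still has to be attached to an Azure Firewall instance and the subnet's route table must send 0.0.0.0/0 to that firewall; both are omitted here for brevity.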