
Azure Central Point of Connectivity and Advanced Threat Mitigation

Guests: Evren Buyruk, Saleem Bseeu



Episode #270

Introduction

In episode 270 of our SAP on Azure video podcast, we talk about Azure network security.

In recent episodes we talked about securing your SAP systems using Entra ID, implementing MFA or using Sentinel to detect attacks. But what about the foundation, the Azure Network? So today I am glad to have Evren and Saleem with us to take a closer look at Azure Central Point of Connectivity and Advanced Threat Mitigation.

Find all the links mentioned here: https://www.saponazurepodcast.de/episode270

Reach out to us for any feedback / questions:

#Microsoft #SAP #Azure #SAPonAzure #Networking #Security #DDoS #ExpressRoute

Summary created by AI

  • Azure Central Point of Connectivity and ExpressRoute Fundamentals: Evren provided a comprehensive overview of Azure’s central point of connectivity, focusing on ExpressRoute concepts, differences between Azure regions and ExpressRoute locations, peering types, and best practices for designing resilient connectivity for SAP and other mission-critical workloads, with Holger facilitating the discussion.
    • Azure Region vs ExpressRoute Location: Evren clarified the distinction between Azure regions, which are global data centers hosting compute, networking, and storage resources, and ExpressRoute locations, which are colocation facilities serving as entry points to Microsoft’s network. He emphasized that ExpressRoute locations do not need to match Azure regions, allowing customers flexibility in connecting their on-premises infrastructure to Azure.
    • ExpressRoute Circuit and Peering Types: Evren explained that an ExpressRoute circuit provides dedicated, private connectivity to Azure data centers, supporting both public and private peering. Public peering enables access to Microsoft public services, while private peering connects customer networks to Azure virtual networks, ensuring isolation and confidentiality for mission-critical workloads like SAP.
    • Resiliency and High Availability Design: Evren described resiliency options for ExpressRoute, including standard (single circuit with two connections), high resiliency (single circuit split across two sites), and maximum resiliency (two dedicated circuits across distinct locations). He stressed that true high availability (HA) requires customers to work with ExpressRoute partners to deploy multiple circuits, eliminating single points of failure.
    • Hub-and-Spoke Network Topology: Evren introduced the hub-and-spoke topology, where the hub VNet acts as the central point of connectivity hosting shared services, and spoke VNets represent tenant workloads or business units. He highlighted the importance of role-based access control (RBAC) for segmentation and security, and described how network transit, gateways, and firewalls are typically located in the hub.
  • Advanced Threat Mitigation: Azure Firewall, Application Gateway, and DDoS Protection: Saleem and Evren discussed advanced threat mitigation strategies for Azure environments, detailing the roles of Azure Firewall, Application Gateway (WAF), and Azure DDoS Protection, including technical features, integration options, and cost considerations, with Holger prompting clarifications and best practices.
    • Azure Firewall and Application Gateway: Evren explained that Azure Firewall provides inspection and monitoring for layer 3-4 traffic, while Application Gateway (WAF) secures layer 7 traffic, offering options for mutual TLS, private/public IP assignment, and integration with user-defined routes (UDRs). He emphasized the need for these components in the hub-and-spoke topology to protect shared and tenant workloads.
    • Azure DDoS Protection Features and SKUs: Saleem described Azure DDoS Protection as a native cloud solution defending against layer 3 and 4 attacks. He outlined two SKUs: Network Protection (for large tenants, offering global coverage, rapid response, and cost protection) and IP Protection (for smaller customers, enabling protection on individual public IPs with lower cost). He compared their features, pricing, and use cases.
    • Adaptive Tuning and Attack Analytics: Saleem detailed adaptive tuning, where Azure DDoS Protection uses machine learning to profile normal traffic and set dynamic mitigation thresholds per public IP. He explained how attack analytics and metrics provide real-time visibility, with integration into Azure Monitor, Sentinel, and Defender for Cloud for comprehensive reporting and alerting.
    • Integration and Automation for Threat Response: Saleem highlighted integration options, including Network Security Hub (formerly Firewall Manager), Sentinel workbooks, and automated playbooks for remediation. He described scenarios where DDoS attack source IPs are automatically blocked in firewalls and WAFs, and how customers can leverage these solutions for streamlined incident response.
    • Cost Protection and SLA Guarantees: Saleem and Evren discussed cost protection features, such as 100% discount on WAF costs when DDoS Network Protection is enabled, and service credits for resource scaling due to attacks. They explained the 99.99% SLA guarantee for both service availability and attack mitigation, and the role of Rapid Response support for critical incidents.
  • Enabling and Monitoring Azure DDoS Protection: Demo and Best Practices: Saleem conducted a live demonstration on enabling Azure DDoS Protection, configuring protected resources, setting up diagnostic logging, and using workbooks for attack investigation and reporting, with Evren and Holger contributing questions and recommendations for operational best practices.
    • Enabling DDoS Protection Plans: Saleem demonstrated how to create a DDoS Protection plan in the Azure portal, select resource groups and regions, and associate VNets to enable protection for all public IP addresses within those VNets. He clarified that the region selection is flexible and protection is tenant-wide.
    • Configuring Diagnostic Logging: Saleem showed how to set up diagnostic settings to stream DDoS logs and metrics to Log Analytics workspaces, storage accounts, or event hubs. He explained the three log categories: notifications (for alerting), flow logs (for packet-level analysis), and reports (for attack summaries), recommending at least notifications and reports for most customers.
    • Investigating Attacks and Using Workbooks: Saleem illustrated how to query logs for attack notifications, mitigation reports, and flow logs, and how to use Azure Workbooks to aggregate and visualize attack data across multiple public IPs. He demonstrated features for traffic overview, attack details, affected resources, and investigation of top attacking IPs and protocols.
    • Best Practices for Alerting and Reporting: Saleem advised customers to enable alerting based on DDoS notifications for automated incident response, and to use workbooks for centralized reporting and investigation. He recommended integrating with Sentinel and Defender for Cloud for regulatory compliance and security posture management.
  • Azure Infrastructure-Level DDoS Protection vs Application-Level Protection: Saleem clarified the distinction between Azure’s built-in infrastructure-level DDoS protection, which safeguards the Azure platform itself, and application-level DDoS protection, which is necessary for customer workloads with specific thresholds and adaptive mitigation, responding to common customer questions.
    • Protection Scope and Thresholds: Saleem explained that infrastructure-level DDoS protection is designed to prevent large-scale attacks against Azure services, with fixed high thresholds, while application-level DDoS protection uses adaptive tuning to set thresholds based on individual workload requirements, ensuring tailored mitigation for customer applications.
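The demo section above recommends streaming at least the notifications and reports categories to Log Analytics and alerting on the notifications. The following is an added example, not code from the episode or from Microsoft, of the correlation step such an alert rule needs: it pairs the MitigationStarted and MitigationStopped notifications per public IP into incidents and flags any IP still under mitigation. The field names (Category, type_s, publicIpAddress_s, TimeGenerated) are assumed to follow the AzureDiagnostics schema used in Microsoft's documented DDoS queries, and the records are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample records (not real telemetry); field names are assumed
# to match the AzureDiagnostics schema for DDoS Protection diagnostic logs.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Category": "DDoSProtectionNotifications",
     "publicIpAddress_s": "203.0.113.10", "type_s": "MitigationStarted"},
    {"TimeGenerated": "2024-05-01T10:01:00Z", "Category": "DDoSMitigationReports",
     "publicIpAddress_s": "203.0.113.10"},  # reports are summaries, not alert triggers
    {"TimeGenerated": "2024-05-01T10:12:30Z", "Category": "DDoSProtectionNotifications",
     "publicIpAddress_s": "203.0.113.10", "type_s": "MitigationStopped"},
    {"TimeGenerated": "2024-05-01T11:00:00Z", "Category": "DDoSProtectionNotifications",
     "publicIpAddress_s": "198.51.100.7", "type_s": "MitigationStarted"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def correlate_mitigations(records):
    """Pair MitigationStarted/MitigationStopped notifications per public IP.
    Returns {ip: [{"start", "end", "duration_s"}]}; an incident whose end is
    None is still being mitigated, which is the condition worth paging on."""
    notifications = sorted(
        (r for r in records if r["Category"] == "DDoSProtectionNotifications"),
        key=lambda r: _ts(r["TimeGenerated"]))
    incidents, open_by_ip = {}, {}
    for rec in notifications:
        ip, kind, when = rec["publicIpAddress_s"], rec["type_s"], _ts(rec["TimeGenerated"])
        if kind == "MitigationStarted":
            # A repeated Started without a Stopped in between is the same incident.
            open_by_ip.setdefault(ip, when)
        elif kind == "MitigationStopped" and ip in open_by_ip:
            start = open_by_ip.pop(ip)
            incidents.setdefault(ip, []).append(
                {"start": start, "end": when, "duration_s": int((when - start).total_seconds())})
    # Anything left open has started but not stopped: an active mitigation.
    for ip, start in open_by_ip.items():
        incidents.setdefault(ip, []).append({"start": start, "end": None, "duration_s": None})
    return incidents

def active_mitigations(records):
    """Public IPs currently under mitigation, sorted for stable alert output."""
    return sorted(ip for ip, inc in correlate_mitigations(records).items()
                  if any(i["end"] is None for i in inc))

if __name__ == "__main__":
    for ip, inc in correlate_mitigations(SAMPLE_RECORDS).items():
        print(ip, inc)
    print("active mitigations:", active_mitigations(SAMPLE_RECORDS))
```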