Augmented Network Security via Azure Firewall and Application Gateway for SAP/Non-SAP workloads
Guests: Derick Davis, Rajesh Nautiyal, Evren Buyruk, Sai Prasanna Kishor
Episode #289
Introduction
In episode 289 of our SAP on Azure video podcast we talk about Augmented Network Security via Azure Firewall and Application Gateway for SAP/Non-SAP workloads.
Goran Condric talks with Evren Buyruk, Sai Kishor, Rajesh Nautiyal, and Derick Davis about how to strengthen network security for SAP and non-SAP workloads on Azure. They explore how Azure Firewall and Application Gateway work together in a layered, Zero Trust architecture to protect applications, control traffic, and help customers meet security and compliance requirements.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode289
Reach out to us for any feedback / questions:
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #Security #AzureFirewall #AppGateway #ZeroTrust
Summary created by AI
- Introduction to Augmented Network Security in Azure:
  - Goran welcomed Evren, Sai, Rajesh, and Derick to discuss augmented network security in Azure, focusing on the integration of Azure Firewall and Application Gateway for SAP and non-SAP workloads, and set the stage for a comprehensive overview of Microsoft’s Zero Trust Security model and its practical application.
  - Participant Roles and Collaboration: Sai introduced herself as a product manager in the Network Security Customer Experience Team, Rajesh as a product manager for Azure Application Gateway, Derick as a Customer Success Account Manager, and Evren as an implementer working closely with Sai and Rajesh to ensure products fit customer environments, highlighting the collaborative approach between product development and customer success.
  - Zero Trust Security Model Overview: Evren explained Microsoft’s Zero Trust Security model, emphasizing that no user, device, or application is trusted by default, and that continuous verification, segmentation, and inspection are enforced even after identity validation, making network security a core pillar in preventing breaches from escalating.
  - Network Security as a Core Component: The team discussed how Azure Network Security enforces verification, segmentation, and containment at the traffic level, with Evren clarifying that Zero Trust is not limited to identity but includes end-to-end architecture, where network security prevents breaches from becoming widespread compromises.
  - Layered Security and Hub-and-Spoke Topology: Evren described the layered defense approach, including the use of network security groups, Azure Firewall, and Application Gateway, and detailed the hub-and-spoke topology commonly used by customers to centralize connectivity and security controls, ensuring segmentation and isolation of workloads.
- Azure Firewall: Features and Recent Enhancements:
  - Sai provided an in-depth overview of Azure Firewall, detailing its core features, SKUs, and several recent enhancements, while Goran and Evren contributed customer perspectives and practical implications for SAP and enterprise environments.
  - Core Features and SKUs: Sai outlined Azure Firewall’s stateful network traffic filtering, application inspection, built-in threat intelligence, and support for both inbound and outbound traffic, explaining the differences between the Basic, Standard, and Premium SKUs, with Premium offering advanced capabilities such as TLS inspection and IDPS.
  - Draft and Deploy Feature: Sai introduced the ‘draft and deploy’ feature, which allows collaborative editing and bulk updates of firewall policies without impacting live traffic, minimizing risk and downtime, and enabling atomic deployment of changes across multiple firewalls.
  - Packet Capture and Troubleshooting: Sai described the packet capture feature, which enables detailed inspection of inbound and outbound packets for troubleshooting, requires configuration of a storage container for the PCAP files, and has had a significant impact on customer troubleshooting efficiency.
  - DNAT for Private IPs and Pre-Scaling: Sai highlighted the new support for DNAT rules on private IP addresses, addressing overlapping IP scenarios, and the pre-scaling feature, which allows customers to pre-provision firewall capacity ahead of anticipated traffic spikes, a capability requested by large SAP customers.
  - Explicit Proxy and Customer-Controlled Updates: Sai explained the explicit proxy feature, which enables outbound web traffic to be sent directly to the firewall without UDR changes, and the customer-controlled maintenance window, which allows customers to schedule updates to minimize impact on active traffic.
  - DNS Flow Trace Logs and Security Copilot Integration: Sai discussed the introduction of DNS flow trace logs for enhanced DNS query visibility and troubleshooting, and the integration with Security Copilot, which leverages AI to analyze IDPS logs and provide actionable security insights, reducing manual analysis effort.
- Azure Application Gateway: Capabilities and Security Enhancements:
  - Rajesh presented the capabilities of Azure Application Gateway, including its role as a managed, scalable layer 7 load balancer with advanced security features, and detailed recent enhancements such as private-only deployments, layer 4 proxying, mutual TLS, JWT validation, and integration with Azure Key Vault HSM.
  - Core Load Balancing and Security Features: Rajesh described Application Gateway as a managed, highly available, and scalable layer 7 load balancer supporting both IPv4 and IPv6, SSL offload, an integrated web application firewall (WAF), and backend support for VMs, VMSS, AKS, and on-premises resources.
  - Private-Only Application Gateway: Rajesh explained the introduction of private-only Application Gateway, which allows customers, especially in banking and SAP, to deploy gateways without public IP exposure, addressing strict security requirements and enabling internal-only traffic routing.
  - Layer 4 Proxy and Domain Protection: Rajesh detailed the new layer 4 (TCP/TLS) proxy capabilities, which allow customers to use the same IP for multiple workloads, hide backend domains, and avoid deploying separate load balancers, with growing adoption among customers.
  - Mutual TLS and Pass-Through Mode: Rajesh and Evren discussed mutual TLS (mTLS) support, including a new pass-through mode that allows both certificate-based and token-based client authentication, forwarding encrypted traffic to backend applications for full TLS termination and validation.
  - JWT Validation and Key Vault HSM Integration: Rajesh described JWT validation for authentication with identity providers such as Entra, offloading token validation from backend applications, and the integration with Azure Key Vault HSM, enabling customers to manage their own keys without sharing them with Azure and meeting compliance requirements.
  - Web Application Firewall Modes and Custom Rules: Rajesh and Evren explained WAF’s detection and prevention modes, custom rule engine, geo-filtering, rate limiting, and bot protection, emphasizing the need to account for CPU usage in prevention mode and the continuous rule updates provided by Azure Security.
- Customer Implementation and Audit Compliance:
  - Evren and Derick shared a real-world example of implementing Azure Firewall and Application Gateway for an S500 customer, highlighting the streamlined transition, audit compliance, and the ability of customers to manage and troubleshoot their environments independently.
  - Implementation for S500 Customer: Evren and Derick described how they implemented the solution for an S500 customer to meet external audit requirements, emphasizing the ease of deployment and the importance of understanding customer-specific needs during the setup phase.
  - Customer Empowerment and Self-Service: The team noted that customers can now leverage integrated analytics and troubleshooting tools, such as Log Analytics and Security Copilot, to manage and secure their environments without relying on Azure support, increasing operational independence.
- 0:00 Intro
- 6:00 Augmented Network Security via Azure Firewall and Application Gateway for SAP/Non-SAP workloads
- 8:05 Why Azure Network Security is a Core Part of the Azure Zero Trust Security Model
- 13:18 Azure Network Security
- 17:40 Hub and Spoke Topology
- 21:30 Azure Virtual Network Encryption - Intra-DC
- 26:20 Virtual Network Encryption
- 29:40 Azure Firewall - Intelligent Defense for Azure Workload
- 31:35 Azure Firewall
- 33:40 Draft and Deploy
- 36:10 Packet Capture
- 38:00 DNAT on Azure Firewall Private IP Address
- 38:10 Prescaling
- 39:50 Explicit Proxy (Preview)
- 40:30 Customer-controlled updates
- 41:40 BYOIP for Secured Virtual Hub (GA)
- 42:10 Security Copilot
- 44:10 Application Gateway
- 45:00 Regional Application Load Balancer
- 52:30 Secure All Private Deployment
- 55:20 Unified Load Balancer for HTTP and non-HTTP with TLS
- 57:40 AppGw for Containers - Ingress Controller to AKS
- 58:40 Secure - Mutual Authentication
- 1:02:50 Mutual TLS (mTLS)
- 1:04:25 Application Gateway JWT Validation
- 1:07:10 Network Security Group (NSG)
- 1:07:40 Web Application Firewall (WAF)
- 1:12:10 Keyless TLS & Azure Key Vault HSM
