Azure Bastion Service

Microsoft recently announced a new service named Azure Bastion.

In a nutshell it’s a jump box as a service. A jump box, for those not familiar with the term, is a VM that external users are allowed to reach and from which they can “jump” to internal VMs. In reality a regular jump box is not that secure: you are exposing a resource (usually with a public IP and an open RDP or SSH port) that itself has access to internal resources, so it becomes the one target an attacker needs to compromise.

Azure Bastion however is slightly different and considerably more secure. Once deployed (into a dedicated subnet named AzureBastionSubnet) it allows either RDP or SSH access to Azure VMs in the same VNet. However, you do not connect directly to the jump box. Instead you first log in to the Azure portal, preferably with MFA (Multi-Factor Authentication) enforced, choose the VM and click Connect with Bastion; the session to that VM is then streamed to your browser through an HTML5 client over an HTTPS channel.

So the connection is first gated by your Azure portal login (and MFA, if you enforce it) and the RDP/SSH traffic is then carried over HTTPS inside the HTML5 client. The only thing listening on the public internet is port 443 on the Bastion host itself; the VMs behind it never need a public IP.

Security wise, the points Microsoft lists are:

  • Remote session over SSL and firewall traversal for RDP/SSH: Azure Bastion uses an HTML5-based web client that is streamed to your local device, so you get your RDP/SSH session over SSL on port 443, which lets you traverse corporate firewalls that would block 22 and 3389.
  • No public IP required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your virtual machine using the VM’s private IP. You don’t need a public IP on the virtual machine.
  • No hassle of managing NSGs: Azure Bastion is a fully managed PaaS service that is hardened internally to provide secure RDP/SSH connectivity. You don’t need to apply an NSG to the Azure Bastion subnet (if you do, it must still permit the traffic the platform needs: inbound 443 from the Internet and GatewayManager tags, and outbound 22/3389 to the VNet and 443 to the AzureCloud tag). Because Azure Bastion connects to your virtual machines over private IP, you can configure the NSGs on your workload subnets to allow RDP/SSH from the Bastion subnet only. This removes the hassle of editing NSGs each time you need to connect to a virtual machine.
  • Protection against port scanning: Because you no longer need to expose your virtual machines to the public internet, they are protected against port scanning by rogue and malicious users located outside your virtual network.
  • Hardening in one place only: Azure Bastion is a fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don’t need to harden a self-managed jump host, and the Azure platform keeps the Bastion host patched and up to date for you. Note that this covers the Bastion host only; the VMs behind it are still yours to patch and harden.
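The NSG point above is the one that actually matters for the VMs: the Bastion subnet is the only place RDP/SSH should be allowed from. The following is an added example (not code from the original post or from Microsoft) that builds such an NSG with Azure PowerShell and attaches it to a workload subnet. The resource group, VNet, subnet names and the 10.0.255.0/27 range for the AzureBastionSubnet are assumptions.

```powershell
# Added example (not from the original post): restrict RDP/SSH on a workload subnet
# to the AzureBastionSubnet only. All names and address ranges are assumptions.
$rgName         = 'rg-prod'
$location       = 'westeurope'
$vnetName       = 'vnet-prod'
$workloadSubnet = 'snet-workloads'
$bastionPrefix  = '10.0.255.0/27'   # address range of the AzureBastionSubnet (assumed)

# Allow RDP and SSH only when the source is the Bastion subnet ...
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Bastion' `
    -Description 'RDP only via Azure Bastion' -Access Allow -Protocol Tcp -Direction Inbound `
    -Priority 100 -SourceAddressPrefix $bastionPrefix -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389

$allowSsh = New-AzNetworkSecurityRuleConfig -Name 'Allow-SSH-From-Bastion' `
    -Description 'SSH only via Azure Bastion' -Access Allow -Protocol Tcp -Direction Inbound `
    -Priority 110 -SourceAddressPrefix $bastionPrefix -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 22

# ... and explicitly deny them from everywhere else, so a broad "allow" rule added
# later with a larger priority number cannot silently re-open the ports.
$denyMgmt = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-SSH-Other' `
    -Description 'Block direct RDP/SSH from any other source' -Access Deny -Protocol Tcp `
    -Direction Inbound -Priority 120 -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22, 3389

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-workloads' -ResourceGroupName $rgName `
    -Location $location -SecurityRules $allowRdp, $allowSsh, $denyMgmt

# Attach the NSG to the workload subnet (not to the AzureBastionSubnet).
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $workloadSubnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workloadSubnet `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the only allowed source for 22/3389 should be the Bastion prefix.
(Get-AzNetworkSecurityGroup -Name 'nsg-workloads' -ResourceGroupName $rgName).SecurityRules |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

The explicit Deny rule at priority 120 is deliberate: the default NSG rules already deny inbound from the internet, but a later “AllowAnyInbound” rule at, say, priority 300 would otherwise re-expose the ports, and the deny stops that.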

This makes it a near-perfect solution for administering your Azure VMs without the hassle of a VPN or other complex solutions.

Azure Data Share

Microsoft just announced Azure Data Share preview, but what exactly is it?

Surely we’ve been sharing data using OneDrive (and similar solutions) for a good few years now? Well yes, and while that is true, Azure Data Share aims to give us much more than that.

In its current form, Azure Data Share allows us to share Azure Storage (Blob) data with external parties. The idea is to let an external party access your blob data securely without exposing the whole container to the public internet or handing out storage account keys or SAS tokens. It also lets me share blob content such as logs and web content, and not just the PDF, Office and JPEG files that I would usually share via my OneDrive account.

The external party also needs to be an Azure “user” with his or her own tenant. Once the invitation has been accepted, the external party can access and sync the blob content via the Azure portal into a storage account of their own.

The scenarios here are pretty compelling

  • Set up shared storage for partners with price lists, information, results…
  • A retailer sharing point-of-sale information with vendors/suppliers
  • Give clients a secure way to access information processed by you
  • Create a data marketplace for research
  • Share log files with external developers

Data providers remain in control of the data they have shared. Azure Data Share makes it simple to manage and monitor what data was shared, when, and with whom, and to revoke a share when it is no longer needed.

Once shared, the data is “snapshotted” to the external party on either a daily or hourly schedule, allowing you to choose how often the share with the third party is refreshed. The consumer only ever receives a copy; they never get live access to your storage account.

At the time of writing, Azure Blob Storage and Azure Data Lake Storage are supported; in the coming months additional data sources are due to be added to the support list.

New capabilities in Azure Firewall

Azure Firewall has a new “threat intelligence-based filtering” capability.

Microsoft has a rich signal of internal threat-intelligence data as well as third-party sourced data. Its data scientists and cybersecurity experts constantly mine this data to produce a high-confidence list of known malicious IP addresses and domains. Azure Firewall can now be configured to alert on, and deny, traffic to and from those known malicious IP addresses and domains in near real time. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed, which is powered by the Microsoft Intelligent Security Graph and also backs other Microsoft products and services, including Azure Security Center and Azure Sentinel.

Threat intelligence-based filtering is enabled by default in Alert mode for all Azure Firewall deployments, which logs every matching indicator but does not block anything. To actually drop the traffic you switch the mode to Alert and deny. The check runs before any of your NAT, network or application rules are evaluated, so a Deny cannot be overridden by an allow rule further down.

Managing your firewall

Log analysis of threat data, and the actionable insights that come out of it, are central themes in planning, building and operating applications and infrastructure.

Azure Firewall integrates fully with Azure Monitor. Logs can be sent to Log Analytics, a storage account, or Event Hubs. Azure Log Analytics allows for the creation of rich dashboards and visualisations. Together with custom queries this integration gives you a single place for all your logging needs, with plenty of options for how you consume the data. Customers can also forward data from Azure Monitor to SIEM systems such as Splunk, ArcSight and similar third-party offerings.
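Two things worth doing straight away are switching the filtering from Alert to Deny and getting the logs into Log Analytics so the matches are actually visible. The following is an added example (not code from the original post or from Microsoft) that does both with Azure PowerShell and then queries the hits. The firewall, resource group and workspace names are assumptions, and so is the `msg_s` text format used to find threat-intel entries in `AzureDiagnostics`, which reflects what the firewall logged at the time of writing.

```powershell
# Added example (not from the original post): set threat-intel filtering to Deny, ship
# Azure Firewall logs to Log Analytics and list the threat-intel matches.
# Resource and workspace names are assumptions.
$rgName = 'rg-hub'
$fwName = 'fw-hub'
$wsName = 'law-security'

# 1. Alert only logs; Deny is what blocks traffic to/from the feed's indicators.
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName
$fw.ThreatIntelMode = 'Deny'        # valid values: Off, Alert, Deny
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 2. Send the rule logs (threat-intel hits are written alongside the network and
#    application rule entries) to a Log Analytics workspace.
$ws = Get-AzOperationalInsightsWorkspace -Name $wsName -ResourceGroupName $rgName
Set-AzDiagnosticSetting -ResourceId $fw.Id -WorkspaceId $ws.ResourceId -Enabled $true `
    -Category AzureFirewallApplicationRule, AzureFirewallNetworkRule `
    -Name 'fw-to-law' | Out-Null

# 3. Pull the last 24 hours of threat-intel matches. Matching on "ThreatIntel" in msg_s
#    is an assumption based on the log text format at the time of writing.
$kql = @'
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category in ("AzureFirewallNetworkRule", "AzureFirewallApplicationRule")
| where msg_s has "ThreatIntel"
| project TimeGenerated, Category, msg_s
| order by TimeGenerated desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId.ToString() `
    -Query $kql -Timespan (New-TimeSpan -Hours 24)
$result.Results | Format-Table -AutoSize
```

Run step 3 for a few days in Alert mode first: anything legitimate that shows up there (a partner’s IP that landed on a blocklist, for example) is what will break the moment you flip to Deny, so you want to know about it before rather than after.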

Multi Resource Metric Alerts

Ignoring the slightly boring title, this is actually quite an exciting and welcome new feature.

Until now, unless you were using complex queries in Azure Log Analytics, you had to set up metric alerts on a per-resource basis.

This was both a long and tedious job and not very useful in dynamic environments where new resources are constantly being deployed, because every new VM started life unmonitored until someone remembered to add a rule for it.

The new Multi Resource alerts allow you to now configure a single metric rule that monitors:

  • A list of virtual machines in one Azure region
  • All virtual machines in one or more resource groups in one Azure region
  • All virtual machines in a subscription in one Azure region

All this lets you manage fewer rules and automatically monitor newly deployed resources.

The benefits of this are outstanding.

  • Get alerting coverage faster: With a small number of rules you can monitor all the virtual machines in your subscription. Multi-resource rules set at subscription or resource group level automatically monitor new virtual machines deployed to the same resource group/subscription (in the same Azure region). Once such a rule exists you can deploy hundreds of virtual machines, all monitored from day one without any additional effort.
  • Far fewer rules to manage: You no longer need a metric alert for every resource you want to monitor.
  • You still get resource-level notifications: Notifications remain granular, per impacted resource, so you always have the information you need to diagnose issues.
  • Even simpler at scale: Using Dynamic Thresholds along with multi-resource metric alerts, you can monitor each virtual machine without having to manually pick thresholds that fit all the selected resources. The dynamic condition type applies tailored thresholds based on machine learning (ML) that learns each metric’s historical behaviour and identifies patterns and anomalies.
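What a subscription-scoped rule looks like in practice is shown by the following added example (not code from the original post or from Microsoft). It creates one static-threshold rule and one dynamic-threshold rule, both covering every VM in one region of the current subscription, using Azure PowerShell. The resource group, action group name and region are assumptions, and the dynamic-threshold sensitivity and violation counts are just reasonable starting values.

```powershell
# Added example (not from the original post): one metric alert rule that covers every VM
# in a region of the subscription, including VMs deployed after the rule is created.
# Resource group, action group and region names are assumptions.
$rgName      = 'rg-monitoring'
$region      = 'westeurope'
$subId       = (Get-AzContext).Subscription.Id
$actionGroup = Get-AzActionGroup -Name 'ag-secops' -ResourceGroupName $rgName

# Static condition: average CPU above 90% over the evaluation window.
$cpuHigh = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
    -MetricNamespace 'Microsoft.Compute/virtualMachines' `
    -TimeAggregation Average -Operator GreaterThan -Threshold 90

# The scope is the subscription, the type is VMs, the region is fixed: that triple is what
# makes the rule pick up new VMs automatically. Notifications are still raised per VM.
Add-AzMetricAlertRuleV2 -Name 'vm-cpu-high-all' -ResourceGroupName $rgName `
    -TargetResourceScope "/subscriptions/$subId" `
    -TargetResourceType 'Microsoft.Compute/virtualMachines' `
    -TargetResourceRegion $region `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 5) `
    -Condition $cpuHigh -Severity 2 -ActionGroupId $actionGroup.Id `
    -Description 'Average CPU > 90% on any VM in the region' | Out-Null

# Dynamic-threshold variant for the same scope: the platform learns each VM's own baseline
# instead of one fixed number for all of them. Sensitivity and counts are assumed values.
$cpuAnomaly = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
    -MetricNamespace 'Microsoft.Compute/virtualMachines' `
    -TimeAggregation Average -Operator GreaterThan `
    -DynamicThreshold -ThresholdSensitivity Medium `
    -ViolationCount 4 -ExaminedAggregatedPointCount 4

Add-AzMetricAlertRuleV2 -Name 'vm-cpu-anomaly-all' -ResourceGroupName $rgName `
    -TargetResourceScope "/subscriptions/$subId" `
    -TargetResourceType 'Microsoft.Compute/virtualMachines' `
    -TargetResourceRegion $region `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 5) `
    -Condition $cpuAnomaly -Severity 3 -ActionGroupId $actionGroup.Id `
    -Description 'CPU outside the learned baseline for 4 of the last 4 windows' | Out-Null

# Verify both rules exist and show the scope they evaluate.
Get-AzMetricAlertRuleV2 -ResourceGroupName $rgName |
    Select-Object Name, Severity, Enabled, @{n='Scopes'; e={ $_.Scopes -join ',' }}
```

One rule per region is the limit to remember: a subscription with VMs in three regions needs three copies of each rule, but that is still three rules instead of one per VM.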

You can read the official blog here

Azure, AWS & GCP Global Networking Performance Compared

Just came across this very interesting article comparing the three big clouds on global network performance.

https://www.networkworld.com/article/3319776/cloud-computing/the-network-matters-for-public-cloud-performance.html 

Some of the main points being

  • AWS relies mostly on the public internet
  • GCP lacks connectivity between Europe & India
  • Within Asia, AWS network performance was 56 percent less stable than Azure
  • When connecting Europe to Singapore, Azure was 1.5 times faster than AWS and GCP

These are some pretty strong points for Azure when dealing with global customers who require a multi-region cloud approach. But read the full article; it makes for an interesting read.


DDoS Attack Analytics and rapid response

Another announcement at Microsoft Ignite (2018) was a set of features being added to the DDoS Protection Standard tier (the paid tier).

Azure offers two levels of DDoS protection.

  1. DDoS Protection Basic, built in at no cost.
  2. DDoS Protection Standard, a paid tier with adaptive, ML-based tuning to your environment’s traffic.

The newly added features to DDoS Standard are DDoS Attack Analytics & DDoS rapid response.

  • DDoS Attack Analytics
    provides attack insights that can be used for compliance, security audits and post-attack analysis to optimise defence strategies and security operations
  • DDoS Rapid Response
    enables customers to engage DDoS experts during an active attack for specialised support.

As part of Attack Analytics customers get attack mitigation reports. Once enabled, the logs can be analysed in Log Analytics or fed into a SIEM such as Splunk, or into Stream Analytics. While an attack is under way a report is generated every 5 minutes, and when the attack is over a post-mitigation report is generated covering the entire duration of the DDoS attack.

Both the incremental and post-attack Mitigation Reports include the following fields:

  • Attack vectors
  • Traffic statistics
  • Reason for dropped packets
  • Protocols involved
  • Top 10 source countries or regions
  • Top 10 source ASNs

The second feature of Attack Analytics is Attack Mitigation Flow Logs. The flow logs let you review dropped and forwarded traffic in near real time during a DDoS attack. Again, this data can be ingested into SIEM systems.

Flow logs will have the following fields:

  • Source IP
  • Destination IP
  • Source Port
  • Destination port
  • Protocol type
  • Action taken during mitigation
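Both the mitigation reports and the flow logs only appear once you turn on diagnostic logging for the protected public IP. The following is an added example (not code from the original post or from Microsoft) that enables the three DDoS log categories on a public IP with Azure PowerShell and summarises the flow log by source and action. The resource names are assumptions, and so are the `AzureDiagnostics` column names in the query, which follow the field list above as it was exposed at the time of writing.

```powershell
# Added example (not from the original post): enable DDoS Standard attack analytics logs
# for a protected public IP and summarise mitigation flow-log actions. Names are assumptions.
$rgName  = 'rg-edge'
$pipName = 'pip-web-frontend'
$wsName  = 'law-security'

$pip = Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rgName
$ws  = Get-AzOperationalInsightsWorkspace -Name $wsName -ResourceGroupName $rgName

# The three DDoS categories: attack start/stop notifications, the 5-minute mitigation
# reports plus the post-mitigation report, and the per-flow dropped/forwarded records.
Set-AzDiagnosticSetting -ResourceId $pip.Id -WorkspaceId $ws.ResourceId -Enabled $true `
    -Category DDoSProtectionNotifications, DDoSMitigationReports, DDoSMitigationFlowLogs `
    -Name 'ddos-to-law' | Out-Null

# Top sources in the flow log over the last hour, split by destination port, protocol
# and the action the mitigation took. Column names are an assumption (see lead-in).
$kql = @'
AzureDiagnostics
| where Category == "DDoSMitigationFlowLogs"
| summarize flows = count() by SourcePublicIpAddress_s, DestPort_s, Protocol_s, Action_s
| top 20 by flows desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId.ToString() `
    -Query $kql -Timespan (New-TimeSpan -Hours 1)
$result.Results | Format-Table -AutoSize
```

The same diagnostic setting can point at an Event Hub instead of (or as well as) a workspace, which is the usual route into Splunk or another external SIEM.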

New High Performance Storage in Azure

Well it’s that time of the year again – That’s right Microsoft Ignite!

And the Azure announcements are coming thick and fast.

One of them is the new storage options. The first thing to note is that the existing Standard HDD, Standard SSD and Premium SSD disks are being upgraded to 32 TB capacity, the previous limit being 4 TB.

As is the norm, the larger SSD disks are also faster, in this case the 32 TB Premium SSD providing 20,000 IOPS and 750 MB/s of throughput. For the first time, Standard HDD disks are also getting faster: all previous sizes offered 500 IOPS and 60 MB/s throughput, while the new 32 TB HDD offers up to 2,000 IOPS and up to 500 MB/s.

Another announcement is a new disk type labelled Ultra SSD. This disk type offers sub-millisecond latency for your most intensive workloads; sizes go up to 64 TB, with a single 64 TB disk providing up to 160,000 IOPS and 2,000 MB/s of throughput. You can of course stripe disks together for more speed via the OS (software RAID, Storage Spaces…).

The last new offering is Azure Premium Files, an upgrade to the existing Azure Files that is now backed by premium SSD storage.

Also regarding Azure Files is the announcement that Azure file shares can now support identity-based access using Azure AD Domain Services, allowing you to join Windows servers to an Azure AD DS domain and use Azure Files with full NTFS access control and identity management instead of the shared storage account key. You can read the full announcement here.