This updated white paper provides information on how customers can use Azure’s native network security features to help protect their information assets.
You can download the full whitepaper from Microsoft Azure Network Security Whitepaper V3
. This update describes capabilities available as of January 2015 and the below highlights are just some of what you'll see in this recent version.
The logical isolation of customer infrastructure on a public cloud is fundamental to maintaining security. Azure accomplishes this primarily through a distributed virtual firewall. A customer may deploy multiple logically isolated private networks. These sub-divided networks generally fall into one of two categories:
- Deployment network: Each deployment can be isolated from the other deployments at the network level. Multiple VMs within a deployment can communicate with each other through private IP addresses.
- Virtual network: Each virtual network is isolated from the other virtual networks. Multiple deployments inside the same subscription can be placed on the same virtual network, and then communicate with each other through private IP addresses.
This illustrates an example of a virtual network topology and shows an example of isolated multi-tier IaaS applications hosted within Azure.
Network administrators can manage these isolated private networks in a way similar to the management of on-premises private networks.
The mechanisms for administrators to manage network security on their Azure private networks are in the Azure Cloud Access Layer, which is comparable to the edge of a corporate network that faces the Internet. The Cloud Access Layer includes a firewall, load-balancer, and network address translation (NAT) functionality managed by the customer administrator.