Cloud Architecture Pattern: Network & Perimeter Security for IaaS, Cloud Services and Service Fabric in Azure

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

Networking and security can be challenging in the cloud, but that does not make cloud solutions any less secure. The key is to understand the shift in paradigm. As someone once said to me, “Rules are the same but methods have changed”, and I could not agree more. In this article, I discuss network and perimeter security for Azure IaaS, Cloud Services and Service Fabric.

Network and perimeter security is undoubtedly one of the important aspects to cover in your cloud cyber-security blueprint. Public clouds (e.g. Azure, AWS) in particular increase the threat perception because of their open accessibility. I am going to demonstrate the security pattern with a Zero-Knowledge Virtual Appliance in Azure, securing Service Fabric and the IaaS topology (Service Fabric nodes).

Architecture Pattern

The security architecture pattern is defined using two (or more) Azure subnets, separating the Network Virtual Appliance from the computing cluster. An Azure Route Table ensures that all inbound network traffic is routed through the Azure Network Virtual Appliance (a Layer 3/Layer 4 firewall or a Web Application Firewall).

Azure Subnet

The pattern recommends a Class B sized address space, i.e. a /16 such as 10.0.0.0/16, so that further subdivision is available for multi-NIC setups. A /16 enables almost every possible implementation pattern for firewalls and Network Virtual Appliances.

This pattern also recommends segmenting assets and clusters by use case, threat model or business domain.

Azure Route Table

Azure VMs can communicate within a VNet and with the Internet automatically; there is no specific need for a gateway. In the absence of an NSG (Network Security Group), assets can communicate across subnets, which sometimes defeats the purpose of a secure network. We can control the flow of network traffic using an Azure Route Table and network appliances.

Service Fabric cluster

For testing the security pattern, I have deployed a 3-node Azure Service Fabric cluster. In my previous blog posts, I have covered Service Fabric in Azure extensively.

Service Fabric or Any Secured Computing Cluster

You can secure any computing cluster behind Network Virtual Appliances; I have used Service Fabric only for testing and proof-of-concept purposes. A network virtual appliance can also be used for a sandwich pattern between on-premises and cloud, or as an L3/L4 firewall plus WAF to create a DMZ in the cloud.

Network Virtual Appliance

Azure Network Virtual Appliances are dedicated Azure VMs (or VM Scale Sets) on Microsoft Azure; they are purpose-built VM images with preinstalled software that provide application delivery control, WAN optimisation, firewall and WAF functions. These NVA images allow third-party networking and security vendors to bring their products to Azure.

This security pattern supports many third-party network virtual appliances including web application firewalls (WAF), firewalls, gateways/routers, application delivery controllers (ADC), and WAN optimizers.

Proof of Concept

For proof-of-concept purposes, I am going with the following setup to test as many scenarios as possible:

  • pfSense as the Network Virtual Appliance, enabling Firewall, NAT, and site-to-site VPN.
  • Computing Subnet (SF5-Subnet-1) and NVA Subnet (SF5-Subnet-Firewall).
  • Azure Route Table to define the networking route configuration.

pfSense

I have used pfSense for proof-of-concept purposes only; the basis of selection is convenience and cost. If you are looking for an enterprise pattern, then it is recommended to evaluate other network virtual appliances too.

Step by Step Guide to Setup pfSense for Azure

Let us start with a quick proof of concept and implementation. The following step-by-step guide is self-explanatory.

1. Search for pfSense for Azure in the Marketplace; pfSense for Azure is published by Netgate.

2. Network Virtual Appliance - Create Virtual Machine

You must select an appropriate VM SKU or VM size to support multiple NICs.

VM Size (Standard SKUs)        NICs (max allowed per VM)
Large (A3) and A6              2
Extra Large (A4) and A7        4
A9                             2
D4                             4
D13                            4

3. Network Virtual Appliance - Settings

Select or create an appropriate Virtual Network, Subnet and Public IP Address. You should skip the Network Security Group if the virtual appliance itself is going to provide the firewall features.

4. pfSense - Setup Wizard and Dashboard

On successful provisioning of the virtual appliance, you can access the pfSense admin console by visiting https://yourpublicipaddress/. You may be asked to go through the pfSense Setup Wizard on the first visit.

Azure Resource Manager Template to setup pfSense

You can add the following VM image reference to your preferred VM configuration, ideally with 2 or more network interfaces.

"properties": {
  ...
  "storageProfile": {
    "imageReference": {
      "publisher": "netgate",
      "offer": "netgate-pfsense-appliance",
      "sku": "pfsense-router-fw-vpn-225",
      "version": "latest"
    },
    ...
  },
  ...
},
"plan": {
  "name": "pfsense-router-fw-vpn-225",
  "publisher": "netgate",
  "product": "netgate-pfsense-appliance"
}

Configure Azure Route Table

You can associate the route table with the NVA subnet and the Service Fabric subnet, or any computing cluster subnet. Setting up the routing is very simple; refer to the Azure documentation on user-defined routes and IP forwarding. If you need further assistance, feel free to ask in the comments.
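As an added example (not from the original post), here is an ARM template fragment that wires the route table and IP forwarding together: a user-defined route on the compute subnet sends all traffic to the NVA's internal NIC, and IP forwarding is enabled on that NIC so Azure delivers packets addressed to other hosts to the appliance. The subnet names SF5-Subnet-1 and SF5-Subnet-Firewall are from the post; the VNet name, route table name, NIC name, address prefixes and the NVA's static private IP 10.0.1.4 are assumptions.

```json
"resources": [
  {
    "comments": "Added example (assumed names/prefixes): 0.0.0.0/0 -> NVA at 10.0.1.4 forces all traffic leaving SF5-Subnet-1 through pfSense",
    "type": "Microsoft.Network/routeTables",
    "apiVersion": "2018-04-01",
    "name": "SF5-RouteTable-Compute",
    "location": "[resourceGroup().location]",
    "properties": {
      "routes": [ {
        "name": "DefaultToNVA",
        "properties": { "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4" }
      } ]
    }
  },
  {
    "type": "Microsoft.Network/virtualNetworks",
    "apiVersion": "2018-04-01",
    "name": "SF5-VNet",
    "location": "[resourceGroup().location]",
    "dependsOn": [ "[resourceId('Microsoft.Network/routeTables', 'SF5-RouteTable-Compute')]" ],
    "properties": {
      "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] },
      "subnets": [
        { "name": "SF5-Subnet-Firewall", "properties": { "addressPrefix": "10.0.1.0/24" } },
        { "name": "SF5-Subnet-1", "properties": {
            "addressPrefix": "10.0.2.0/24",
            "routeTable": { "id": "[resourceId('Microsoft.Network/routeTables', 'SF5-RouteTable-Compute')]" }
        } }
      ]
    }
  },
  {
    "type": "Microsoft.Network/networkInterfaces",
    "apiVersion": "2018-04-01",
    "name": "SF5-NVA-Nic-Internal",
    "location": "[resourceGroup().location]",
    "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', 'SF5-VNet')]" ],
    "properties": {
      "enableIPForwarding": true,
      "ipConfigurations": [ {
        "name": "ipconfig1", "properties": {
          "privateIPAllocationMethod": "Static",
          "privateIPAddress": "10.0.1.4",
          "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'SF5-VNet', 'SF5-Subnet-Firewall')]" }
        }
      } ]
    }
  }
]
```

A route table only governs traffic leaving the subnet it is attached to, so inbound traffic from the Internet reaches the cluster only through a NAT/port-forward rule on the appliance's public-facing NIC; an NSG on SF5-Subnet-1 that allows inbound only from 10.0.1.0/24 stops other VNet subnets from bypassing the appliance.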

Create and Manage Firewall Rules

If you need any help setting up pfSense, then you can follow the pfSense documentation.

Summary

It is very easy to set up a Network Virtual Appliance; however, some groundwork is necessary. I do not see any networking topology that cannot be implemented using an appropriate permutation and combination of the above-mentioned cloud architecture pattern.

You can extend the security pattern by adding more layers of dedicated NVAs, e.g. a Layer 3/Layer 4 firewall, networking gateways and a Web Application Firewall. The pattern would also help to improve your data protection, information security and compliance standing; for PCI-DSS and healthcare in particular, it would help to implement a secure network topology and network access control.

Disclaimer

Any views or opinions expressed are solely those of the author and do not represent any other person or organisation. THE ARTICLE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY.