Microsoft Azure Security and Protection against DDoS

When people talk about cloud computing and cloud service providers (for example Microsoft Azure, Microsoft's cloud computing platform), the first thing they ask about is the security of the cloud. Azure provides several layers of security: some are built into the platform itself, others are features the customer configures. When Internet traffic enters an Azure Virtual Network, it passes through the following layers inherited from the Azure platform:

DDoS Protection – protection against Distributed Denial of Service attacks. In a DDoS attack a malicious actor compromises many systems (a botnet) and fires a massive volume of unnecessary requests from many sources at a target in order to affect the availability of that service. The Azure network edge has a platform-level DDoS protection layer that absorbs large-scale floods of malicious requests from such bot nodes. This layer has no user-defined ACLs or rules and is not accessible to the cloud customer; it monitors inbound traffic to Azure public IP addresses automatically, including traffic crossing Azure regions. Its defence technology uses SYN cookies, rate limiting and connection limits so that a customer environment is not taken down by volumetric attacks. The limitation is that this platform protection is tuned for attacks large enough to threaten the Azure platform itself; a smaller attack that stays under its thresholds but still exhausts a single application (for example an application-layer flood against a web server) is not mitigated for you, so protection at that scale remains the customer's responsibility.
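To make the two mechanisms named above concrete, here is a small model of SYN cookies and per-source rate limiting. This is an added illustration of the technique and not Azure's implementation; the cookie layout follows the classic Linux scheme (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), and the secret key, addresses, ports and counters are constructed for the demonstration.

```python
"""SYN cookies and per-source rate limiting, modelled.

Added example (not Azure code): a SYN cookie encodes the half-open
connection state into the server's initial sequence number so that a SYN
flood consumes no memory, and a token-bucket limiter caps the SYN rate a
single source may reach.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-key"        # assumption: per-host secret, rotated in practice
MSS_TABLE = [536, 1300, 1440, 1460]     # MSS values encodable in the 3-bit index field


def _mac(saddr, daddr, sport, dport, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, mss, counter):
    """Build the 32-bit ISN sent in SYN-ACK; no per-connection state is stored."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t = counter & 0x1F                        # 5-bit coarse time (e.g. 64-second ticks)
    return (t << 27) | (mss_idx << 24) | _mac(saddr, daddr, sport, dport, t)


def check_syn_cookie(saddr, daddr, sport, dport, ack, counter, max_age=2):
    """Return the negotiated MSS if ACK-1 is a cookie we issued recently, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    if ((counter - t) & 0x1F) > max_age:      # too old: counter wrapped past our window
        return None
    if (cookie & 0xFFFFFF) != _mac(saddr, daddr, sport, dport, t):
        return None                           # forged or replayed for a different 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SourceRateLimiter:
    """Token bucket per source address: `burst` SYNs at once, refilled at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}                     # saddr -> (tokens, last_seen)

    def allow(self, saddr, now):
        tokens, last = self.buckets.get(saddr, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[saddr] = (tokens, now)
            return False
        self.buckets[saddr] = (tokens - 1, now)
        return True


if __name__ == "__main__":
    # Constructed exchange: client 203.0.113.9:40000 -> server 10.0.1.10:443
    isn = make_syn_cookie("203.0.113.9", "10.0.1.10", 40000, 443, 1460, counter=7)
    print("SYN-ACK seq:", hex(isn))
    print("ACK verified, MSS:", check_syn_cookie("203.0.113.9", "10.0.1.10", 40000, 443, isn + 1, 7))
    lim = SourceRateLimiter(rate=1.0, burst=3)
    print("4 SYNs from one source:", [lim.allow("198.51.100.7", 0.0) for _ in range(4)])
```

The server never keeps a half-open entry: a legitimate client proves it saw the SYN-ACK by returning cookie+1, and a spoofed-source flood produces cookies that nobody ever completes. The limiter is the per-source complement; in practice both are tuned with the connection limits the paragraph mentions.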

Public IP addresses and ports are also protected by NAT (Network Address Translation): an endpoint receives requests on a public IP address and port and translates them to the internal IP address and port of the target. The same NAT service is available on the Azure Load Balancer, where an inbound NAT rule maps a front-end public IP and front-end port to a back-end port on a specific VM. This hides the internal address and port (for example a management port reachable only through a non-standard front-end port), and only ports with an explicit rule are reachable at all, so you decide which traffic is passed where. Note that NAT only hides addresses; a port you choose to expose is still exposed and must be secured by the rules described below.

Azure also provides traffic isolation. Two Virtual Networks (VNETs) cannot communicate with each other by default, even when they are created in the same region or data centre, until you configure connectivity between them: VNET peering, which carries traffic over the Microsoft backbone without touching the Internet, or a VPN gateway connection (VNET-to-VNET or site-to-site), which uses IPsec/IKE. The same IPsec site-to-site connectivity is used between an on-premises network and an Azure VNET, so that hybrid traffic is encrypted in transit as well.

In Azure, NSGs (Network Security Groups) are collections of ACLs that you associate with subnets or with the NICs of your virtual machines. In an NSG you create inbound and outbound rules that allow or deny traffic by source, destination, port and protocol; each rule has a priority, rules are evaluated in ascending priority order and the first match wins, and every NSG ends with platform default rules (allow traffic within the virtual network, allow the Azure load balancer, then deny everything else inbound). At the time of writing the default limits were 200 rules per NSG and 100 NSGs per region per subscription; these limits can be raised by support request and have since been increased, so check the current subscription limits rather than relying on these numbers. Azure also lets you define User Defined Routes (UDRs): with a route table attached to a subnet you direct traffic to a next hop of your own choosing, for example a firewall appliance from the Marketplace used for policy enforcement, auditing or inspection. By default a subnet has Internet connectivity through the system routes, but with a route table you can force traffic leaving the subnet through your firewall, IDS or IPS device, and with NSGs on the NICs and subnets you control what is allowed to reach your workloads. One caveat: a UDR only steers traffic leaving the subnet it is attached to; inbound Internet traffic destined to a VM's own public IP is not redirected by that VM's route table, so to inspect inbound traffic the appliance itself must own the public entry point (for example by sitting behind the public IP or load balancer).
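The two subnet-level controls described in this section are easiest to understand by watching them evaluate traffic. The following simulator is an added example and not Azure code: it applies longest-prefix-match route selection (a user-defined route beating a system route of the same prefix) and NSG evaluation by ascending priority with the platform default rules appended. All prefixes, rules, hosts and the NVA address 10.0.1.4 are constructed for the demonstration, and the "Internet" service tag is approximated as "not inside the VNET".

```python
"""Route-table and NSG evaluation, modelled (added example, not Azure code)."""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")              # constructed VNET
AZURE_LB = ipaddress.ip_address("168.63.129.16")        # Azure load balancer / health probe source

# --- User Defined Routes: (prefix, next hop type, next hop IP) -----------------------------
SYSTEM_ROUTES = [("10.0.0.0/16", "VnetLocal", None), ("0.0.0.0/0", "Internet", None)]
USER_ROUTES = [("0.0.0.0/0", "VirtualAppliance", "10.0.1.4")]   # force Internet-bound traffic via NVA


def route_lookup(dst, system_routes=SYSTEM_ROUTES, user_routes=USER_ROUTES):
    """Longest prefix wins; on equal prefix length a user route beats a system route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    # user routes come first in the list, and strict '>' keeps them ahead on ties
    for prefix, hop_type, hop_ip in user_routes + system_routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop_type, hop_ip)
    return (best[1], best[2]) if best else None


# --- NSG rules: (priority, name, source, destination, dest port, protocol, access) ----------
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]
CUSTOM_INBOUND = [                                       # constructed customer rules
    (100, "AllowHttpsFromInternet", "Internet", "*", "443", "Tcp", "Allow"),
    (200, "DenyVnetToMgmtSubnet", "VirtualNetwork", "10.0.2.0/24", "*", "*", "Deny"),
]


def _addr_match(spec, ip):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB
    if spec == "Internet":
        return ip not in VNET                            # simplification of the service tag
    return ip in ipaddress.ip_network(spec)


def _port_match(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def nsg_evaluate(rules, src, dst, dport, proto):
    """Return (access, rule name) of the lowest-priority-number rule that matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, name, s, d, port, p, access in sorted(rules + DEFAULT_INBOUND):
        if (_addr_match(s, src_ip) and _addr_match(d, dst_ip)
                and _port_match(port, dport) and p in ("*", proto)):
            return access, name
    raise AssertionError("DenyAllInBound always matches")


if __name__ == "__main__":
    print("egress 8.8.8.8      ->", route_lookup("8.8.8.8"))
    print("egress 10.0.3.7     ->", route_lookup("10.0.3.7"))
    print("Internet:443 to web ->", nsg_evaluate(CUSTOM_INBOUND, "203.0.113.5", "10.0.1.10", 443, "Tcp"))
    print("Internet:22 to web  ->", nsg_evaluate(CUSTOM_INBOUND, "203.0.113.5", "10.0.1.10", 22, "Tcp"))
    print("web to mgmt:22      ->", nsg_evaluate(CUSTOM_INBOUND, "10.0.1.10", "10.0.2.5", 22, "Tcp"))
    print("web to app:22       ->", nsg_evaluate(CUSTOM_INBOUND, "10.0.1.10", "10.0.3.5", 22, "Tcp"))
```

Two points the simulation makes visible: the 0.0.0.0/0 UDR sends Internet-bound traffic to the appliance while intra-VNET traffic still matches the more specific 10.0.0.0/16 system route, and without the explicit priority-200 deny, any VM in the VNET could reach the management subnet because AllowVnetInBound at 65000 allows it.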

Along with these platform layers, Microsoft Azure offers security appliance functionality, both native and as third-party virtual appliances from the Marketplace: firewalls, threat detection and prevention, auditing and logging, reverse and forward proxies, and VPN devices.
