Understanding What product Does What To Protect My Workload On Azure

I have been working on several scenarios where normally one is not sure what exactly to choose for secure layout. Nowadays, with so many products to protect our systems and networks, we need to start understanding the reason of the designed product, what does it does or doesn't? Having this baseline, it would allow us to take proper decisions opportunely.

Part of the Cloud Adoption Framework at Microsoft, refers to the importance of adopt a right mindset and expectations that will reduce conflict within your organization and increase the effectiveness of security teams.

The Azure Security Benchmark contains recommendations that help you improve the security of your applications and data on Azure. As well as security best practices to use when you’re designing, deploying, and managing your cloud solutions by using Azure.

Today, I'm going to refer particularly to the Microsoft recommendations to build a front protection layer, known as Hub-and-Spoke model. Usually, there is a part that should be exposed to the public internet and the rest would remain private segments.

In the above architecture built based on the Microsoft best practices and recommendations we have:

• Inbound traffic, handled by the selected entry gateway, then the preferred service for inbound application level HTTP/S protection is the Application Gateway in WAF (web application firewall) mode and for Non-HTTP/S protocols (e.g. SSH, RDP, FTP) Azure Firewall is the one.
• Hybrid Links, recommendation is to have UDR on the spoke subnet pointing to Azure Firewall private IP as default gateway to get out and UDR on the hub gateway subnet pointing to Azure Firewall as next hop to spoke networks. The Azure Firewall is not a router so no support for traffic routing from on-premises to internet. 
• For Azure PaaS Services, MS recommends to use Service Endpoints for central logging for all traffic by enabling them in the Azure Firewall subnet and disabling them on the connected spoke VNETs.

Based on the documents mentioned above, I made the comparison table below of the Application and Workloads Protection Products, hopefully it gives you a better vision where they can be placed and used:

As you plan your network and the security of your network, we recommend that you centralize:

• Management of core network functions like ExpressRoute, virtual network and subnet provisioning, and IP addressing.
• Governance of network security elements, such as network virtual appliance functions like ExpressRoute, virtual network and subnet provisioning, and IP addressing.

If you use a common set of management tools to monitor your network such Network Watcher, Azure Monitor and the security of your network such as Security Center, you get clear visibility into both. A straightforward, unified security strategy reduces errors because it increases human understanding and the reliability of automation.