
Archive for the ‘Azure’ Category

Azure Firewall

Posted on February 9th, 2021 by admin@mismo2023

Azure Firewall is a managed, cloud-based network security service that protects your Azure virtual network resources.

You can centrally create, enforce the network connectivity policies across subscriptions and virtual networks.

Firewall features

Built-in high availability: high availability is built in, so no additional load balancers are required and there is nothing to configure.

Availability Zones: Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability; with Availability Zones the availability increases to 99.99% uptime.

There is no additional cost for a firewall deployed in an Availability Zone. However, there are additional costs for inbound and outbound data transfer associated with Availability Zones.

Unrestricted cloud scalability: Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

Application FQDN filtering rules: you can limit outbound HTTP and HTTPS traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature doesn't require TLS termination.

Network traffic filtering rules: you can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

FQDN tags: these make it easy to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.

Service tags:  A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You can’t create your own service tag, nor specify which IP address is included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.

Threat intelligence: threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

Outbound SNAT support: all outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (source network address translation), so you can identify and allow traffic originating from your virtual network to remote internet destinations. Azure Firewall doesn't SNAT when the destination IP is in a private IP range per IANA RFC 1918. If your organization uses a public IP address range for private networks, Azure Firewall will SNAT the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. You can configure Azure Firewall to not SNAT your public IP address range.

Inbound DNAT support: inbound internet network traffic to your firewall public IP address is translated (destination network address translation) and filtered to the private IP addresses on your virtual networks.

Multiple public IP addresses: you can associate multiple public IP addresses (up to 250) with your firewall.

This enables the following scenarios:

DNAT: you can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) for both IP addresses.

SNAT: additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. At this time, Azure Firewall randomly selects the source public IP address associated with your firewall. Consider using a public IP address prefix.

Azure Monitor logging: all events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs.

Forced tunneling: you can configure Azure Firewall to route all internet-bound traffic to a designated next hop instead of going directly to the internet.
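The rule types described above (application FQDN rules, an FQDN tag, network rules with a service tag, a DNAT rule, and threat-intelligence mode) can be built with the Az.Network PowerShell module and applied to an existing firewall. The script below is an added example, not code from the original post; it assumes Az PowerShell is installed and Connect-AzAccount has been run, and the resource group 'rg-hub', firewall 'fw-hub', public IP 'pip-fw-hub', address space 10.0.0.0/16, management range 203.0.113.0/24 and backend host 10.0.1.4 are hypothetical values.

```powershell
# Added example (not from the original post). Requires the Az.Network module and an
# authenticated session (Connect-AzAccount). All names and addresses are hypothetical.

$rg     = 'rg-hub'
$fwName = 'fw-hub'
$fw     = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fwPip  = (Get-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-fw-hub').IpAddress

# Application rules: limit outbound HTTP/HTTPS from the VNet to an explicit FQDN list
# (wildcards allowed), and use the WindowsUpdate FQDN tag so Microsoft maintains the
# update endpoints rather than you.
$appAllowList = New-AzFirewallApplicationRule -Name 'allow-ms-docs' `
    -SourceAddress '10.0.0.0/16' `
    -TargetFqdn 'learn.microsoft.com', '*.azureedge.net' `
    -Protocol 'Http:80', 'Https:443'

$appWindowsUpdate = New-AzFirewallApplicationRule -Name 'allow-windows-update' `
    -SourceAddress '10.0.0.0/16' `
    -FqdnTag 'WindowsUpdate'

$appCollection = New-AzFirewallApplicationRuleCollection -Name 'app-egress' `
    -Priority 200 -Rule $appAllowList, $appWindowsUpdate -ActionType 'Allow'

# Network rules: stateful L3/L4 allow by source, destination, port and protocol.
# 168.63.129.16 is Azure's recursive DNS; 'AzureMonitor' is a Microsoft-managed
# service tag used as a destination (you cannot define your own tags).
$netDns = New-AzFirewallNetworkRule -Name 'allow-dns' `
    -SourceAddress '10.0.0.0/16' -DestinationAddress '168.63.129.16' `
    -DestinationPort 53 -Protocol 'UDP'

$netMonitor = New-AzFirewallNetworkRule -Name 'allow-azure-monitor' `
    -SourceAddress '10.0.0.0/16' -DestinationAddress 'AzureMonitor' `
    -DestinationPort 443 -Protocol 'TCP'

$netCollection = New-AzFirewallNetworkRuleCollection -Name 'net-egress' `
    -Priority 300 -Rule $netDns, $netMonitor -ActionType 'Allow'

# DNAT rule: publish RDP on the firewall public IP and translate it to one backend host.
# Restricting SourceAddress to a known management range instead of '*' limits who can
# reach the translated port at all.
$natRdp = New-AzFirewallNatRule -Name 'dnat-rdp-jump' `
    -SourceAddress '203.0.113.0/24' `
    -DestinationAddress $fwPip -DestinationPort 3389 `
    -Protocol 'TCP' -TranslatedAddress '10.0.1.4' -TranslatedPort 3389

$natCollection = New-AzFirewallNatRuleCollection -Name 'nat-inbound' `
    -Priority 100 -Rule $natRdp

# Threat-intelligence filtering: 'Deny' blocks traffic matching the Microsoft feed of
# known-malicious IPs/domains; 'Alert' only logs it. Both show up in Azure Monitor logs.
$fw.ThreatIntelMode = 'Deny'

# Attach the collections to the in-memory firewall object and push the configuration.
$fw.AddApplicationRuleCollection($appCollection)
$fw.AddNetworkRuleCollection($netCollection)
$fw.AddNatRuleCollection($natCollection)
Set-AzFirewall -AzureFirewall $fw

# Read back what was applied so the change can be checked against the intended policy.
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fw.ApplicationRuleCollections |
    Select-Object Name, Priority, @{ n = 'Rules'; e = { $_.Rules.Name -join ', ' } }
$fw.ThreatIntelMode
```

Set-AzFirewall applies the whole object, so collections already present on the firewall are preserved only because they were loaded by Get-AzFirewall first; building the object from scratch would drop them. Collection priorities must be unique within each rule type (NAT, network, application), which is why the three collections use different values here.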

For more details, contact us!

AWS Directory Service: The Amazon Cloud Active Directory!

Posted on February 4th, 2021 by admin@mismo2023

The AWS Directory Service provides several ways to use the Microsoft Active Directory (AD) with other AWS utilities. Information regarding users, groups, & devices can be stored in directories, & the administrators use them to retrieve the information & resources. AWS Directory Service offers many directory alternatives for clients who wish to utilize the current Microsoft AD or Lightweight Directory Access Protocol (LDAP)–aware applications in the cloud. There is also a provision of the same alternatives to developers who seek a directory to manage users, groups, devices, & access.

What to select?

I want Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) for applications in my cloud: Choose AWS Directory Service for Microsoft Active Directory

I develop SaaS applications: developers of high-scale SaaS applications can use Amazon Cognito.

AWS Directory Service for Microsoft AD

Also known as AWS Managed Microsoft AD, the AWS Directory Service for Microsoft AD is powered by an actual Microsoft Windows Server AD, managed by AWS in the AWS Cloud. AWS Managed Microsoft AD lets a wide range of AD-aware applications be migrated to the AWS Cloud.

AWS Managed Microsoft AD can be used with Microsoft SharePoint, Microsoft SQL Server, & many .NET applications. It is also compatible with AWS managed services such as Amazon WorkDocs, Amazon WorkSpaces, Amazon Connect, Amazon QuickSight, Amazon Chime, & Amazon Relational Database Service (Amazon RDS for SQL Server, Amazon RDS for Oracle, & Amazon RDS for PostgreSQL).

AWS Managed Microsoft AD is present in 2 editions: Standard & Enterprise.

Standard Edition: AWS Managed Microsoft AD (Standard Edition) has been optimized to be a central directory for small-scale & midsize businesses with as many as 5,000 employees. Enough storage capacity is allotted to support up to 30,000 directory objects, like computers, users & groups.

Enterprise Edition: AWS Managed Microsoft AD (Enterprise Edition) has been created to back firms with up to 500,000* directory objects.

Security in AWS Directory Service

Cloud security at AWS is of the utmost priority. As a customer of AWS, you can avail several benefits from a data centre & network architecture that has been modelled to match the needs of organizations, for whom top-notch security of their data is a priority.

Security is a responsibility shared between you and AWS. The shared responsibility model describes this as 'security of the cloud & security in the cloud':

Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides services that you can use securely. Third-party auditors regularly test and verify the effectiveness of this security as part of the AWS compliance programs.

Security in the cloud – your responsibility is determined by the AWS service you use. You are also responsible for other factors, including the sensitivity of your data, your company's requirements, & applicable laws & regulations.

Infrastructure Security in AWS Directory Service

As a managed service, AWS Directory Service is protected by the AWS global network security procedures.

Identity & Access Management for AWS Directory Service

Credentials are required to access AWS Directory Service; AWS uses them to authenticate your requests. Those credentials must have permission to access the AWS resources involved, such as an AWS Directory Service directory.

Contact us to know more!

Remove Azure AAD Connect

Posted on February 9th, 2019 by admin@mismo2023

Let's see the steps to disable AD Sync, remove AAD Connect and move to cloud-only administration.

1. Download the Azure Active Directory PowerShell module from the following location and complete the installation.
http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

2. Open PowerShell using the shortcut created by the installation in the previous step.

3. Run the following command to connect to the Azure Active Directory of the tenant for which you are disabling AD Sync.

Connect-MsolService

4. Enter the Global Admin credentials for the Azure AD/Office 365 tenant.

5. Run the following command to disable Directory Sync. Note that the parameter name uses an ordinary hyphen; a typographic dash pasted from a web page is not recognised by PowerShell.

Set-MsolDirSyncEnabled -EnableDirSync $false

6. Run the following command to verify that directory sync is disabled.

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

7. Go to your AAD Connect server and uninstall Microsoft Azure AD Connect using Uninstall a Program in the Control Panel.

8. Additional clean-up steps (optional).

a. Remove the service account created by AAD Connect from AD. Check the Users container for an account named like MSOL_<GUID>. The description of the service account contains the name of the AAD Connect server, which identifies it.

b. Remove the local AAD groups created by the AAD Connect installation if you are not planning to install AAD Connect again. If you installed AAD Connect on a DC, these will be AD groups. Keep them if you have, or plan to have, other AAD Connect installations.

c. Remove the directory structure.

d. Remove the DB if you were using a remote DB server.
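Steps 3 to 6 above, together with the service-account identification in step 8a, can be run as one script so the before and after state is recorded. The script below is an added example, not from the original post; it assumes the MSOnline module is installed (the modern route is Install-Module MSOnline rather than the download link above), that the account used is a Global Administrator, that the RSAT ActiveDirectory module is available on a domain-joined host for the clean-up part, and that 'AADCONNECT01' is a hypothetical server name.

```powershell
# Added example (not from the original post). Assumes the MSOnline module, a Global
# Administrator account, and RSAT ActiveDirectory for the optional on-premises clean-up.

# --- Steps 3-4: connect to the tenant; an interactive prompt asks for Global Admin credentials.
Import-Module MSOnline
Connect-MsolService

# Record the state before the change so the run leaves an audit trail.
$before = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
Write-Host "DirectorySynchronizationEnabled before: $before"

if (-not $before) {
    Write-Host 'Directory sync is already disabled; nothing to do.'
    return
}

# --- Step 5: disable directory synchronization for the tenant.
# The parameter uses an ASCII hyphen; a typographic dash (–EnableDirSync) pasted from a
# web page is not parsed as a parameter name. -Force suppresses the confirmation prompt.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# --- Step 6: verify. Disabling sync can take up to 72 hours to complete on the tenant
# side, so poll a few times instead of trusting the first read.
$attempts = 0
do {
    Start-Sleep -Seconds 60
    $state = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    $attempts++
    Write-Host "Attempt ${attempts}: DirectorySynchronizationEnabled = $state"
} while ($state -and $attempts -lt 10)

if ($state) {
    Write-Warning 'Sync is still reported as enabled; re-check later before uninstalling AAD Connect.'
} else {
    Write-Host 'Directory sync is disabled. Proceed with uninstalling AAD Connect (step 7).'
}

# --- Step 8a (optional; run on a domain-joined host with RSAT): list the MSOL_ service
# accounts AAD Connect created and confirm from the description which server each one
# belongs to before removing anything.
Import-Module ActiveDirectory
$msolAccounts = Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description |
    Select-Object SamAccountName, Description, Enabled

$msolAccounts | Format-Table -AutoSize

# Remove only the account whose description names the server being decommissioned.
# -WhatIf previews the action; drop it once the listing above has been reviewed.
$msolAccounts |
    Where-Object { $_.Description -like '*AADCONNECT01*' } |
    ForEach-Object { Remove-ADUser -Identity $_.SamAccountName -WhatIf }
```

Keeping the 'before' value and the polling output is useful when the change has to be justified later: the MSOL_ account holds directory replication rights on-premises, so a record of when sync was turned off and when that account was removed is what an auditor will ask for.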

For more such informative blogs, click here.