Azure DDoS protection
Azure DDoS protection is a cloud-based, Microsoft-managed network security service; it provides protection from network and application attacks that try to make a network, application, or any other workload unavailable by flooding it with requests in order to exhaust its resources. In addition, it provides attack analytics and attack metrics reporting.
A single DDoS protection plan is enabled at the tenant level and is used across multiple subscriptions for cost benefits; by default, the plan is set to Basic, which protects resources at no additional cost. This provides protection against common network-layer attacks and requires no application changes or configuration to start making use of it.
The DDoS protection plan can also be changed to the Standard pricing tier, which provides additional capabilities to protect from volumetric attacks, protocol attacks, and resource (application) layer attacks.
In this section, we looked at the Azure DDoS Protection service. The following sections look at other network and application protection solutions that are available in Azure.
The next section looks at the Azure Key Vault service as a secrets store within Azure.
Azure Key Vault
Azure Key Vault is a cloud-based, centralized solution for storing and managing, in encrypted form, sensitive information used by an application, service, or resource. It can store information using hardware security modules (HSMs) to meet the Federal Information Processing Standard (FIPS) 140-2 requirements.
Azure Key Vault is used for the following:
- Secrets management: Used to store information such as passwords, tokens, application programming interface (API) keys, .pfx files, and so on.
- Key management: Used to store cryptographic keys, both software-protected and hardware-protected.
- Certificate management: Used to store and manage Secure Sockets Layer (SSL)/TLS certificates issued by public certification authorities (CAs).
These secrets, keys, or certificates are generally intended to be retrieved programmatically by an app or resource.
Like all the other Azure resources we have covered so far, Azure Key Vault can be deployed using different approaches: the Azure CLI, PowerShell, Azure templates, or the Azure portal. Later in this chapter, you will go through an exercise on deploying it from the Azure portal.
Two service tiers are available for Azure Key Vault: Standard and Premium; the core difference is that only Premium supports HSM-protected keys required to maintain FIPS 140-2 compliance.
All assets stored in the key vault are encrypted; resources must be in the same region and subscription as the key vault in order to store keys in it. From a privacy perspective, Microsoft has no access to the information stored in the key vault or to the encryption keys used to encrypt the information held in it.
Access to the key vault is secured through authentication and authorization; access policies can be applied to control access, and that access can be monitored. Authentication verifies the identity of the caller requesting an asset stored in the key vault; this could be a user, or a resource such as a VM, a server app, a SQL database, an app service, a function, and so on. Authorization determines which actions the caller can perform on the requested asset in the key vault, such as read, update, delete, and so on.
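The authorization model described above is easy to get wrong in practice: a workload identity that only needs to read a secret is often granted delete, purge, or "all" as well. As an added example (not from this book or from Microsoft), the following Python check reads the JSON that `az keyvault show` returns and flags every access policy that grants a non-admin identity more than a workload needs. The sample vault is constructed, the object IDs are placeholders, and the `WORKLOAD_ALLOWED` baseline is an assumption about what a typical app needs; the check also respects the `enableRbacAuthorization` property, since access policies are not in effect when a vault uses Azure RBAC.

```python
import json

# Constructed sample (not real output): it mirrors the shape of the
# properties.accessPolicies entries returned by `az keyvault show`.
# Object IDs are placeholders.
SAMPLE_VAULT_JSON = """{
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-0000000000a1",
       "permissions": {"keys": [], "secrets": ["get", "list"], "certificates": []}},
      {"objectId": "00000000-0000-0000-0000-0000000000b2",
       "permissions": {"keys": ["get"], "secrets": ["get", "list", "set", "delete", "purge"], "certificates": []}},
      {"objectId": "00000000-0000-0000-0000-0000000000c3",
       "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["all"]}}
    ]
  }
}"""
SAMPLE_VAULT = json.loads(SAMPLE_VAULT_JSON)

# Assumed baseline: what a workload identity (VM, App Service, Function) needs to
# read and use an asset. Anything beyond this is flagged; names compare case-insensitively.
WORKLOAD_ALLOWED = {
    "secrets": {"get", "list"},
    "keys": {"get", "list", "encrypt", "decrypt", "sign", "verify", "wrapkey", "unwrapkey"},
    "certificates": {"get", "list"},
}
# Permissions that let a caller destroy or fully control an asset.
DESTRUCTIVE = {"delete", "purge", "all"}


def audit_access_policies(vault, admin_object_ids=frozenset()):
    """Return one finding per (identity, asset type) whose granted permissions
    exceed WORKLOAD_ALLOWED. Identities in admin_object_ids are skipped."""
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        return []  # access policies are not in effect; audit role assignments instead
    findings = []
    for policy in props.get("accessPolicies", []):
        oid = policy["objectId"]
        if oid in admin_object_ids:
            continue
        perms = policy.get("permissions") or {}
        for asset, allowed in WORKLOAD_ALLOWED.items():
            excess = {p.lower() for p in (perms.get(asset) or [])} - allowed
            if excess:
                findings.append({"objectId": oid, "asset": asset, "excess": sorted(excess),
                                 "severity": "high" if excess & DESTRUCTIVE else "medium"})
    return findings
```

Run it against `az keyvault show --name <vault> -o json` output, passing the object IDs of your break-glass or administrative identities in `admin_object_ids`, so that only the workload identities are measured against the allowlist.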
This section looked at the Azure Key Vault. The following section looks at securing at the physical resource level through Azure Dedicated Host.