Security Services
Azure provides layered security services that work together for defense in depth — from network perimeter to data encryption. This page covers the major security services beyond Identity and Access (RBAC, Entra ID), which has its own page.
Security Services Overview
| Service | What It Does | AWS Equivalent |
|---|---|---|
| Microsoft Defender for Cloud | Security posture management + threat protection | Security Hub + GuardDuty |
| Azure Firewall | Managed network firewall (L3–L7) | AWS Network Firewall |
| Azure DDoS Protection | Volumetric attack mitigation | AWS Shield |
| Key Vault | Secrets, keys, and certificates | Secrets Manager + KMS |
| Azure WAF | Web application firewall | AWS WAF |
| Microsoft Sentinel | Cloud-native SIEM | (No direct equivalent; third-party SIEMs) |
| Azure Private Link | Private connectivity to PaaS services | AWS PrivateLink |
Microsoft Defender for Cloud
Defender for Cloud is Azure’s central security dashboard — it assesses your security posture, identifies vulnerabilities, and provides threat protection.
Two Capabilities
| Capability | What It Does | Cost |
|---|---|---|
| Cloud Security Posture Management (CSPM) | Secure score, recommendations, compliance | Free tier available |
| Cloud Workload Protection (CWP) | Threat detection for VMs, containers, SQL, storage, etc. | Per-resource pricing |
Secure Score
Defender assigns a secure score (0–100%) based on how many recommendations you’ve implemented:

```text
Secure Score: 72/100

Recommendations:
  ✔ Enable MFA for accounts with owner permissions         (+8 points)
  ✔ Storage accounts should restrict network access        (+5 points)
  ✗ Enable Defender for SQL servers                        (0/5 points)
  ✗ Machines should have vulnerability assessment enabled  (0/3 points)
  ✗ Subnets should be associated with an NSG               (0/4 points)
```

Defender Plans
Enable threat protection per resource type:
| Plan | Protects | Key Features |
|---|---|---|
| Defender for Servers | VMs, Arc machines | Vulnerability scanning, file integrity monitoring, JIT access |
| Defender for Containers | AKS, container registries | Image scanning, runtime protection, Kubernetes alerts |
| Defender for SQL | Azure SQL, SQL on VMs | Vulnerability assessment, anomaly detection |
| Defender for Storage | Blob, Files | Malware scanning, sensitive data discovery |
| Defender for Key Vault | Key Vault | Unusual access patterns, credential theft detection |
| Defender for App Service | Web apps | Attack detection, dangling DNS |
| Defender for DNS | DNS queries | Detect communication with malicious domains |
```bash
# Enable Defender for Servers
az security pricing create \
  --name VirtualMachines \
  --tier Standard

# Enable Defender for Containers
az security pricing create \
  --name Containers \
  --tier Standard
```

Regulatory Compliance
Defender tracks compliance against standards:
- Azure Security Benchmark (ASB)
- CIS Microsoft Azure Foundations
- NIST SP 800-53
- PCI DSS
- ISO 27001
Each standard maps to specific recommendations. The compliance dashboard shows pass/fail status.
Azure Firewall
Azure Firewall is a managed, cloud-native network firewall with built-in high availability.
How It Works

```text
Internet                                 Azure VNet
   │                                         │
   ▼                                         │
Azure Firewall ─── route ──► Subnet (spoke VNet)
   │                              │
   ├── Application rules          ├── Web servers
   ├── Network rules              ├── App servers
   └── DNAT rules                 └── Database servers
```

Traffic from subnets is routed through the firewall via User Defined Routes (UDRs).
Rule Types
| Type | Layer | Example |
|---|---|---|
| DNAT rules | L3/L4 | Translate public IP:port → private IP:port (inbound) |
| Network rules | L3/L4 | Allow/deny by source IP, dest IP, port, protocol |
| Application rules | L7 | Allow/deny by FQDN (e.g. *.github.com) |
Firewall Policy Example
```bash
# Create a firewall policy
az network firewall policy create \
  --name myapp-fw-policy \
  --resource-group myapp-rg \
  --sku Standard

# Add an application rule: allow outbound to GitHub and Docker Hub
az network firewall policy rule-collection-group create \
  --name app-rules \
  --policy-name myapp-fw-policy \
  --resource-group myapp-rg \
  --priority 300

az network firewall policy rule-collection-group collection add-filter-collection \
  --name allow-devops \
  --policy-name myapp-fw-policy \
  --resource-group myapp-rg \
  --rule-collection-group-name app-rules \
  --collection-priority 100 \
  --action Allow \
  --rule-name allow-github \
  --rule-type ApplicationRule \
  --source-addresses "10.0.0.0/16" \
  --protocols Https=443 \
  --target-fqdns "*.github.com" "*.docker.io" "*.docker.com"
```

Azure Firewall Tiers
| Tier | Key Features |
|---|---|
| Standard | L3–L7 filtering, FQDN, threat intelligence, IDPS (alerts) |
| Premium | Everything in Standard + TLS inspection, full IDPS (block), URL filtering, web categories |
| Basic | Simplified, lower cost, suitable for small environments |
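To make the rule-processing order concrete (DNAT, then network, then application rules, with the first match terminating), here is an added Python model of how a policy like the one above decides a flow. It is example code written for this page, not the Azure SDK or the firewall engine; the policy, flows and the resolver address 10.0.254.4 are constructed.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed model of Azure Firewall rule processing (example code, not the Azure SDK):
# DNAT rules are evaluated first, then network rules, then application rules. Within a
# type, collections run in priority order (lowest number first); the first matching
# rule's action is terminating, and a flow that matches nothing is denied.
RULE_ORDER = ("DNAT", "Network", "Application")

def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def _matches(rule_type, rule, flow):
    if not _in_any(flow["src_ip"], rule["source_addresses"]):
        return False
    if rule_type == "Application":
        # L7: protocol name and port must match, then the FQDN against wildcard targets
        if (flow.get("protocol"), flow["dst_port"]) != (rule["protocol"], rule["port"]):
            return False
        return any(fnmatch(flow.get("fqdn", ""), pat) for pat in rule["target_fqdns"])
    # L3/L4 (Network and DNAT): destination range, port and transport protocol
    return (_in_any(flow["dst_ip"], rule["destination_addresses"])
            and flow["dst_port"] in rule["destination_ports"]
            and flow["transport"] in rule["protocols"])

def evaluate(policy, flow):
    """Return (action, rule_name) of the first matching rule, or ('Deny', None)."""
    for rule_type in RULE_ORDER:
        for coll in sorted((c for c in policy if c["type"] == rule_type), key=lambda c: c["priority"]):
            for rule in coll["rules"]:
                if _matches(rule_type, rule, flow):
                    return coll["action"], rule["name"]
    return "Deny", None

# Constructed policy mirroring the CLI example above: HTTPS egress from the 10.0.0.0/16
# VNet to GitHub and Docker Hub, plus DNS to a (constructed) resolver at 10.0.254.4
POLICY = [
    {"type": "Application", "priority": 100, "action": "Allow", "rules": [
        {"name": "allow-github", "source_addresses": ["10.0.0.0/16"], "protocol": "Https",
         "port": 443, "target_fqdns": ["*.github.com", "*.docker.io", "*.docker.com"]}]},
    {"type": "Network", "priority": 200, "action": "Allow", "rules": [
        {"name": "allow-dns", "source_addresses": ["10.0.0.0/16"],
         "destination_addresses": ["10.0.254.4/32"], "destination_ports": [53],
         "protocols": ["UDP", "TCP"]}]},
]
```

A flow from a source outside the VNet, or to an FQDN not in the target list, falls through every collection and gets the default deny.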
Azure DDoS Protection
| Tier | What It Does | Cost |
|---|---|---|
| Infrastructure Protection (default) | Basic L3/L4 protection on all public IPs | Free (always on) |
| Network Protection | Adaptive tuning, real-time metrics, rapid response, cost protection | ~$2,944/month per plan |
```bash
# Create a DDoS protection plan
az network ddos-protection create \
  --name myapp-ddos \
  --resource-group myapp-rg

# Associate with a VNet
az network vnet update \
  --name myapp-vnet \
  --resource-group myapp-rg \
  --ddos-protection-plan myapp-ddos
```

DDoS Network Protection provides:
- Adaptive tuning — Learns your traffic patterns, tunes thresholds automatically.
- Attack analytics — Real-time metrics and post-attack reports.
- Rapid Response — Access to the DDoS Rapid Response (DRR) team during active attacks.
- Cost protection — Credits for resources scaled out during an attack.
Key Vault
Key Vault stores secrets, encryption keys, and certificates with hardware security module (HSM) backing.
For detailed usage, see Identity and Access which covers Key Vault integration with managed identities and RBAC.
What Key Vault Stores
| Object Type | Examples | Use Case |
|---|---|---|
| Secrets | API keys, connection strings, passwords | Application configuration |
| Keys | RSA, EC keys | Encryption, signing (Disk Encryption, Storage) |
| Certificates | TLS/SSL certificates | App Service, Application Gateway |
Key Vault Operations
```bash
# Create a Key Vault
az keyvault create \
  --name myapp-vault \
  --resource-group myapp-rg \
  --location eastus \
  --enable-rbac-authorization true

# Store a secret
az keyvault secret set \
  --vault-name myapp-vault \
  --name "DatabasePassword" \
  --value "super-secret-password"

# Retrieve a secret
az keyvault secret show \
  --vault-name myapp-vault \
  --name "DatabasePassword" \
  --query "value" -o tsv

# Create an encryption key
az keyvault key create \
  --vault-name myapp-vault \
  --name "data-encryption-key" \
  --kty RSA \
  --size 2048
```

Access Control
Key Vault supports two access models:
| Model | Recommendation |
|---|---|
| RBAC (recommended) | Azure RBAC roles (Key Vault Secrets User, Key Vault Crypto Officer) |
| Vault access policy | Legacy, per-vault permission sets |
Application Integration
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential uses the managed identity when running in Azure and the
# developer's local credentials (e.g. az login) otherwise, so the app holds no secret
# of its own just to reach the vault.
credential = DefaultAzureCredential()
client = SecretClient(vault_url="https://myapp-vault.vault.azure.net/", credential=credential)

# The caller's identity needs the Key Vault Secrets User role on this vault (RBAC model)
db_password = client.get_secret("DatabasePassword").value
```

Key Vault Best Practices
- Use RBAC over vault access policies.
- Enable soft-delete and purge protection (on by default for new vaults).
- Use separate vaults per environment (dev, staging, prod).
- Access via managed identities — no passwords to manage.
- Enable diagnostic logging to monitor access.
Azure WAF
Azure WAF (Web Application Firewall) protects web applications against common exploits. It runs on Application Gateway or Azure Front Door.
OWASP Rule Sets
WAF includes managed rule sets that protect against the OWASP Top 10:
| Rule Set | Covers |
|---|---|
| OWASP 3.2 | SQL injection, XSS, LFI/RFI, command injection |
| Bot Manager | Bad bots, scrapers, crawlers |
| Rate limiting | Requests per IP per time window |
Custom Rules
```bash
# Block requests from a specific country
az network application-gateway waf-policy custom-rule create \
  --policy-name myapp-waf-policy \
  --resource-group myapp-rg \
  --name block-country \
  --priority 10 \
  --rule-type MatchRule \
  --action Block \
  --match-conditions '[{"matchVariables": [{"variableName": "RemoteAddr"}], "operator": "GeoMatch", "matchValues": ["XX"]}]'
```

WAF Modes
| Mode | Behavior |
|---|---|
| Detection | Log matched rules but allow traffic (start here) |
| Prevention | Block matched requests |
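The following added Python model shows how a custom rule like the one above interacts with the policy mode: the rule matches in both modes, but only Prevention turns the match into a block, which is why the log from a Detection run is what you review before switching. This is example code for this page, not the WAF engine; the geo lookup table, IP ranges and requests are constructed.

```python
import ipaddress

# Constructed model of Azure WAF custom-rule evaluation (example code, not the WAF engine):
# custom rules run in ascending priority, the first Allow/Block match is terminating, and
# the policy mode decides whether a Block is enforced (Prevention) or only logged
# (Detection). GeoMatch needs an IP-to-country lookup that the WAF performs internally;
# a constructed table stands in for it here.
GEO_TABLE = {"198.51.100.0/24": "XX", "203.0.113.0/24": "US"}  # constructed sample data

def _country(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in ipaddress.ip_network(net)), None)

def _condition_met(cond, request):
    values = [request.get(v["variableName"]) for v in cond["matchVariables"]]
    op = cond["operator"]
    if op == "GeoMatch":
        return any(_country(v) in cond["matchValues"] for v in values if v)
    if op == "IPMatch":
        return any(ipaddress.ip_address(v) in ipaddress.ip_network(n)
                   for v in values if v for n in cond["matchValues"])
    raise ValueError(f"unsupported operator {op}")

def evaluate(policy, request):
    """Return (decision, log); log lists every custom rule that matched the request."""
    log = []
    for rule in sorted(policy["custom_rules"], key=lambda r: r["priority"]):
        if all(_condition_met(c, request) for c in rule["matchConditions"]):
            log.append({"rule": rule["name"], "action": rule["action"], "mode": policy["mode"]})
            if rule["action"] == "Allow":
                return "Allow", log
            if rule["action"] == "Block":
                # Detection mode records the match but lets the request through
                return ("Block" if policy["mode"] == "Prevention" else "Allow"), log
            # a "Log" action records the match and evaluation continues
    return "Allow", log  # no custom rule blocked it; managed rule sets would run next

# Constructed policy mirroring the CLI example above: block requests geo-located to "XX"
POLICY = {"mode": "Detection", "custom_rules": [
    {"name": "block-country", "priority": 10, "ruleType": "MatchRule", "action": "Block",
     "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
                          "operator": "GeoMatch", "matchValues": ["XX"]}]},
]}
```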
Microsoft Sentinel
Sentinel is Azure’s cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response).
Key Capabilities
| Feature | What It Does |
|---|---|
| Data connectors | Ingest logs from Azure, Microsoft 365, AWS, third-party tools |
| Analytics rules | Detect threats using KQL queries, ML, and UEBA |
| Incidents | Group related alerts into incidents for investigation |
| Workbooks | Visualize security data |
| Playbooks | Automated response (Logic Apps) — block IP, disable user, notify team |
| Hunting | Proactive threat hunting with KQL queries |
Common Data Connectors
- Azure Activity Logs
- Microsoft Entra ID sign-in logs
- Azure Firewall logs
- Defender for Cloud alerts
- Microsoft 365 audit logs
- AWS CloudTrail
- Syslog / CEF from on-premises devices
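As an added illustration of what an analytics rule over the Entra ID sign-in connector does (example code for this page, not a Sentinel rule or KQL), here is the same logic in Python: flag a successful sign-in preceded within a window by a burst of failures for the same account, the kind of alert Sentinel would group into an incident. The log records are constructed; the column names follow the SigninLogs table, and the result codes (0 success, 50126 invalid credentials) are Entra ID's.

```python
from datetime import datetime, timedelta

# Constructed sign-in records shaped like the SigninLogs columns Sentinel ingests from the
# Entra ID connector (sample data, not real logs): TimeGenerated, UserPrincipalName,
# IPAddress, ResultType. ResultType "0" is success; "50126" is invalid username/password.
SIGNIN_LOGS = [
    ("2024-05-01T08:00:05Z", "alice@example.com", "198.51.100.7", "50126"),
    ("2024-05-01T08:00:21Z", "alice@example.com", "198.51.100.7", "50126"),
    ("2024-05-01T08:00:48Z", "alice@example.com", "198.51.100.7", "50126"),
    ("2024-05-01T08:01:10Z", "alice@example.com", "198.51.100.7", "50126"),
    ("2024-05-01T08:01:30Z", "alice@example.com", "198.51.100.7", "50126"),
    ("2024-05-01T08:02:02Z", "alice@example.com", "198.51.100.7", "0"),
    ("2024-05-01T09:15:00Z", "bob@example.com", "203.0.113.9", "50126"),
    ("2024-05-01T09:15:30Z", "bob@example.com", "203.0.113.9", "0"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def brute_force_then_success(logs, threshold=5, window=timedelta(minutes=10)):
    """Analytics-rule logic: a successful sign-in preceded, within `window`, by at least
    `threshold` failed attempts for the same account. Returns one alert dict per hit,
    which Sentinel would correlate into an incident."""
    alerts = []
    failures_by_user = {}
    for time, user, ip, result in sorted(logs, key=lambda r: r[0]):
        failures = failures_by_user.setdefault(user, [])
        if result != "0":
            failures.append((_ts(time), ip))
            continue
        # success: look back over this account's failures inside the window
        recent = [(t, src) for t, src in failures if _ts(time) - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": user, "success_time": time, "success_ip": ip,
                           "failed_attempts": len(recent),
                           "failed_from": sorted({src for _, src in recent})})
        failures.clear()  # a success closes the window for that account
    return alerts
```

Tune `threshold` and `window` against the baseline failure rate in your own tenant; the playbook attached to such a rule would typically disable the account and notify the team, as the Playbooks row above describes.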
Defense in Depth
Layer security services for comprehensive protection:

```text
Internet
   │
   ▼
Azure DDoS Protection ──── Volumetric attack mitigation
   │
   ▼
Azure Front Door + WAF ──── OWASP rules, bot protection, geo-blocking
   │
   ▼
Azure Firewall ──── L3-L7 filtering, FQDN, threat intelligence
   │
   ▼
NSG ──── Port/IP filtering at subnet/NIC level
   │
   ▼
Application ──── Authentication (Entra ID), authorization (RBAC)
   │
   ▼
Data ──── Encryption at rest (Key Vault keys), in transit (TLS)
   │
   ▼
Monitoring ──── Defender for Cloud + Sentinel for detection and response
```

Key Takeaways
- Defender for Cloud provides security posture management (secure score, recommendations) and threat protection (per-resource plans).
- Azure Firewall is a managed L3–L7 firewall for controlling outbound and east-west traffic.
- DDoS Protection (Network tier) adds adaptive tuning and rapid response beyond the free infrastructure protection.
- Key Vault stores secrets, keys, and certificates — access via managed identities with RBAC.
- WAF protects web apps against OWASP Top 10 — start in Detection mode, then switch to Prevention.
- Sentinel is a cloud SIEM for threat detection, investigation, and automated response.
- Layer these services for defense in depth — no single service covers everything.