Continuing our blog series on Azure Secure Cloud Migration, we will discuss Azure’s take on network control and how scalability and manageability play a role in designing a secure and functional environment. See our previous post on Talking to the Cloud for insights on architecting an Azure network.
Network Access Control
Network Security Groups (NSGs) are the native Azure feature for applying firewall rules to Azure-hosted systems. An NSG is a set of access rules that can be attached to a virtual machine's network interface card (NIC) or to a subnet within a Virtual Network (VNET). In practice, an NSG attached to a subnet of web servers can restrict internet traffic to only the public-facing services on those servers, and each server in that subnet can carry a further NSG on its NIC that filters the traffic more tightly. Meeting Requirement 1 of PCI DSS, “Install and maintain a firewall configuration to protect cardholder data”, and being able to report on it, comes down to management and control of those rules. For additional discussion of the network segmentation requirements of PCI DSS, see “Isolating the Cardholder Data Environment with Network Segmentation”, the latest post in WMP’s blog series on PCI.
Combined with strict network access control via NSGs, segmentation into separate VNETs limits which resources can reach each other at all. In our recent implementation, a dedicated jump host VNET let workstations in that VNET reach NSG-whitelisted production resources without bringing physical user workstations into PCI scope, and it provided a point at which role-based workstation access could be delegated.
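The layering described above (a subnet NSG in front of per-NIC NSGs, with the jump host subnet as the only permitted management source) can be checked offline with a small model of how Azure evaluates inbound rules: lowest priority number first, first match wins, the built-in default rules evaluated last, and traffic must pass the subnet NSG before the NIC NSG. This is an added example and not code from this post or from West Monroe's tool; the VNET address space, the jump host subnet, the sample rules and the source addresses are constructed, and the service tags (Internet, VirtualNetwork, AzureLoadBalancer) are approximated with simple address checks rather than Azure's real tag membership.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; Azure evaluates the lowest number first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # a CIDR, "*" or one of the service tags approximated below
    dest_port: str  # a port, an "a-b" range or "*"


# Constructed address space: the whole VNET and the jump host subnet inside it.
VNET = ip_network("10.0.0.0/16")
JUMP_SUBNET = "10.0.1.0/24"
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Azure's built-in inbound default rules; every NSG carries them after any custom rules.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def source_matches(prefix, src_ip):
    """Approximation of Azure service tags, sufficient for an offline what-if check."""
    ip = ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":
        return not any(ip in net for net in RFC1918)
    if prefix == "AzureLoadBalancer":
        return src_ip == "168.63.129.16"  # the Azure load balancer health-probe address
    return ip in ip_network(prefix, strict=False)


def port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def evaluate(custom_rules, src_ip, port, proto="Tcp"):
    """First matching rule in priority order decides; returns (access, rule name)."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", proto):
            continue
        if source_matches(rule.source, src_ip) and port_matches(rule.dest_port, port):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"  # DenyAllInBound matches everything, so never reached


def reaches_vm(subnet_nsg, nic_nsg, src_ip, port, proto="Tcp"):
    """Inbound traffic is filtered by the subnet NSG first and then by the NIC NSG;
    both must allow it. Returns (allowed, "<layer>:<deciding rule>")."""
    for layer, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        access, name = evaluate(rules, src_ip, port, proto)
        if access == "Deny":
            return False, f"{layer}:{name}"
    return True, "allowed"


# Subnet NSG for the web tier: the internet may reach the public-facing services only.
WEB_SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowHttpFromInternet", 110, "Allow", "Tcp", "Internet", "80"),
]
# NIC NSG on one server that serves HTTPS only and accepts RDP solely from the jump hosts.
WEB01_NIC_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowRdpFromJump", 200, "Allow", "Tcp", JUMP_SUBNET, "3389"),
    Rule("DenyRdpFromVnet", 300, "Deny", "Tcp", "VirtualNetwork", "3389"),
]

if __name__ == "__main__":
    for src, port in (("203.0.113.5", 443), ("203.0.113.5", 80), ("203.0.113.5", 3389),
                      ("10.0.1.10", 3389), ("10.0.5.7", 3389)):
        print(src, port, reaches_vm(WEB_SUBNET_NSG, WEB01_NIC_NSG, src, port))
```

The interesting cases are the ones where the two layers disagree: port 80 from the internet passes the subnet NSG but is dropped by the NIC's default DenyAllInBound because the server's NIC has no rule for it, and RDP from an arbitrary VNET address passes the subnet's AllowVnetInBound but is stopped by the NIC's explicit deny, leaving only the jump host subnet able to reach 3389.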
Managing the Environment
We found the best way to plan and manage the NSG deployment was to categorize servers into discrete roles. This does double duty: it satisfies PCI DSS requirements, and it puts a layer of abstraction between individual servers and the rulesets. Managing those rulesets, however, becomes cumbersome at best through PowerShell and altogether unmanageable through the Azure portal. Microsoft provides some ways to configure NSGs within its own tooling, but none of them scale to environments with 100+ NSGs containing 50-400 rules each. In the case of our client, one environment alone contained over 10,000 individual rules, changing constantly as new servers and services were deployed.
Managing a rule set of that size requires a tool that can handle many individual NSGs in a controlled, easy-to-manage fashion. A few available tools provide a way to create and deploy new NSGs, but none provide what is needed to manage and maintain rules in a production environment of any reasonable scale. West Monroe Partners created a management tool of our own, which gave us and our client control over the following:
- Templating security groups and access rules to provide an easy-to-manage abstraction layer for creating many rules from a handful of definitions
- Creating groups of server roles and network ports to reference in rule templates
- Easily adding or changing source and destination hosts and rolling those changes out to templates which referenced them
- Allowing rules to be created by the use of server name, instead of IP
- A deployment process which allows rules to be previewed and validated prior to deployment, with administrative controls and functionality tied back to Azure permissions
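The list above describes a templating model: server roles and port groups are defined once, rule templates reference them by name rather than by IP, and a change to a role cascades to every template that uses it after being previewed. The following is an added example of that model, written for this post and not West Monroe's tool or any Azure SDK call; the inventory (server names and private IPs), the roles, the port groups and the templates are constructed, and the tool's real data model and NSG naming are assumptions. The output is shaped like the properties of an Azure NSG securityRules entry so that it could be handed to a deployment step, and the preview step is where definition errors are caught before anything is pushed.

```python
class TemplateError(ValueError):
    """Raised during expansion or preview so a bad definition never reaches Azure."""


# Constructed inventory; in Azure the tool can look a VM's private IP up by name instead.
INVENTORY = {"web01": "10.0.2.4", "web02": "10.0.2.5", "db01": "10.0.3.4", "jump01": "10.0.1.10"}
ROLES = {"web": ["web01", "web02"], "db": ["db01"], "jump": ["jump01"]}
PORTS = {"https": ["443"], "mssql": ["1433"], "rdp": ["3389"]}

# Rule templates reference roles and port groups, never addresses. One NSG is produced
# per destination role (assumed naming: "nsg-<role>").
TEMPLATES = [
    {"name": "web-from-internet", "src": "Internet", "dst": "web", "ports": "https", "priority": 100},
    {"name": "db-from-web", "src": "web", "dst": "db", "ports": "mssql", "priority": 200},
    {"name": "rdp-from-jump", "src": "jump", "dst": "web", "ports": "rdp", "priority": 300},
]


def resolve(name, roles, inventory):
    """A source or destination is a role name, the Internet service tag, '*' or a CIDR."""
    if name in roles:
        missing = [h for h in roles[name] if h not in inventory]
        if missing:
            raise TemplateError(f"role {name!r} references unknown hosts {missing}")
        return sorted(inventory[h] for h in roles[name])  # sorted so output is deterministic
    if name in ("Internet", "*") or "/" in name:
        return [name]
    raise TemplateError(f"unknown role or prefix {name!r}")


def expand(templates, roles, ports, inventory):
    """Expand templates into per-NSG rule lists shaped like Azure securityRules properties."""
    nsgs = {}
    for t in templates:
        if t["ports"] not in ports:
            raise TemplateError(f"template {t['name']!r} uses unknown port group {t['ports']!r}")
        if not 100 <= t["priority"] <= 4096:
            raise TemplateError(f"template {t['name']!r} priority {t['priority']} outside 100-4096")
        if t["dst"] not in roles:
            raise TemplateError(f"template {t['name']!r} destination must be a role, got {t['dst']!r}")
        rule = {
            "name": t["name"],
            "priority": t["priority"],
            "direction": "Inbound",
            "access": t.get("access", "Allow"),
            "protocol": t.get("protocol", "Tcp"),
            "sourceAddressPrefixes": resolve(t["src"], roles, inventory),
            "destinationAddressPrefixes": resolve(t["dst"], roles, inventory),
            "destinationPortRanges": list(ports[t["ports"]]),
        }
        nsg = nsgs.setdefault(f"nsg-{t['dst']}", [])
        if any(r["priority"] == rule["priority"] for r in nsg):
            raise TemplateError(f"priority {rule['priority']} used twice in nsg-{t['dst']}")
        nsg.append(rule)
    return nsgs


def preview(desired, deployed):
    """Per-NSG change set for an operator to approve before anything is pushed to Azure."""
    changes = {}
    for nsg in sorted(set(desired) | set(deployed)):
        want = {r["name"]: r for r in desired.get(nsg, [])}
        have = {r["name"]: r for r in deployed.get(nsg, [])}
        changes[nsg] = {
            "add": sorted(set(want) - set(have)),
            "remove": sorted(set(have) - set(want)),
            "update": sorted(n for n in want.keys() & have.keys() if want[n] != have[n]),
        }
    return changes


def cascade_new_web_server():
    """Add web03 to the web role and report which already-deployed rules change as a result."""
    deployed = expand(TEMPLATES, ROLES, PORTS, INVENTORY)
    inventory = dict(INVENTORY, web03="10.0.2.6")
    roles = dict(ROLES, web=ROLES["web"] + ["web03"])
    return preview(expand(TEMPLATES, roles, PORTS, inventory), deployed)


if __name__ == "__main__":
    import json
    print(json.dumps(cascade_new_web_server(), indent=2))
```

Adding one server to the web role touches three rules in two NSGs without anyone editing a rule by hand: the web NSG's internet and RDP rules pick up the new destination, and the database NSG's source list grows to include it. That is the single-source-of-truth property the post describes, and the preview is the place to reject a typo in a role name or a clashing priority before Azure ever sees it.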
Traditional firewall vendors have long had management tools like this for their physical and virtual appliances, but by blending in the additional metadata Azure provides, we built something with even fewer administrative touch points. Rule templates that reference groups give a single source of truth for which servers are defined as a source or destination, so a change to a single server group cascades to every rule template that references it. Reporting, whether required for PCI DSS or simply for peace of mind, becomes a simple task because, unlike a traditional firewall, Azure holds information on every configured virtual machine. If you’d like more information, or are interested in using the NSG management tool in your environment, please contact us.
Beyond network security, making sure you have reliable, manageable, and secure data encryption in the cloud is the next step to laying a secure foundation. Stay tuned for our post on using Azure specific tools to store and protect keys and secrets for data encryption.