Showing posts with label Networking. Show all posts

Thursday, 21 March 2024

Microsoft open sources Retina: A cloud-native container networking observability platform


The Microsoft Azure Container Networking team is excited to announce Retina, a cloud-native container networking observability platform that enables Kubernetes users, admins, and developers to visualize, observe, debug, and analyze Kubernetes’ workload traffic irrespective of Container Network Interface (CNI), operating system (OS), and cloud. We are excited to release Retina as an open-source repository that helps with DevOps and SecOps related networking cases for your Kubernetes clusters and we invite the open-source community to innovate along with us.

Embracing and advancing open-source software


Cloud native technologies like Kubernetes have made building applications that can run anywhere, easier. At the same time, many applications have become more complex, and managing them in the cloud is increasingly difficult. As companies build cloud-native applications composed of interconnected services and then deploy them to multiple public clouds as well as their private infrastructure, network related observability, troubleshooting, and debugging has become increasingly difficult.

With the power of extended Berkeley Packet Filter (eBPF), it is now possible to offer actionable network insights, including how containerized microservices interact, in a non-intrusive way without any change to the applications themselves; that is exactly what Retina sets out to achieve. Retina will help democratize network observability and troubleshooting by bringing new focus to the experience of application developers. Retina provides developers with simple ways to observe and troubleshoot their applications for issues such as packet drops and latency without worrying about the complexities of the underlying network infrastructure and transformations.

Based on our positive experience in the community with eBPF and Cilium, we are excited to build on this relationship and engage both more closely and with more communities. We believe that by opening Retina to the community, we can benefit from informed feedback, innovative ideas, and collaborative efforts that will help enhance and expand Retina’s capabilities.

Retina solutions and capabilities


Drawing from our extensive experience managing multiple container networking services for the Azure Kubernetes Service (AKS), we identified critical gaps in network monitoring, the collection of network metrics and traces from Kubernetes clusters. Retina is a cutting-edge solution that closes these gaps and is designed to tackle the complex challenges of managing and supporting Kubernetes networks providing infrastructure- and site-reliability engineers comprehensive insights into cluster networking. Retina also provides deep traffic analysis with Kubernetes-specific context, translating metrics into either industry-standard Prometheus or network flow logs.

Existing open-source solutions are often tightly coupled with specific CNIs, operating systems, or data planes, thereby limiting their versatility and use. For this reason, Retina has been designed as a highly versatile, adaptable, and extensible framework of plugins capable of working with any CNI, OS, or cloud provider, making it a valuable addition to any existing toolset. Retina supports both Linux and Windows data planes, ensuring it meets the diverse needs of infrastructure and site-reliability engineers, while maintaining a minimal memory and CPU footprint on the cluster, even at scale. Its plugin-based design lets the team extend it to new use cases without depending on any specific CNI, OS, or data plane.

Figure 1: Architecture overview of Retina

One of Retina’s key features is deep network traffic insight, including Layer 4 (L4) metrics, Domain Name System (DNS) metrics, and distributed packet captures. It integrates with the Kubernetes application model, offering pod-level metrics with detailed context. It emits actionable networking observability data as industry-standard Prometheus metrics, providing node-level metrics (for example forward, drop, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Linux utility metrics) and pod-level metrics (such as basic metrics, DNS, and API server latency).

Retina’s distributed packet captures are label-driven—allowing users to specify what, where, and who to capture packets from. Additionally, it provides historical context of network flow logs and advanced debugging capabilities that enhance network troubleshooting and performance optimization.
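The forward and drop metrics described above are Prometheus counters, so a single scrape only tells you how many packets were ever dropped; what a troubleshooter wants is the drop ratio between two scrapes, per pod. The following is an added example, not code from Retina or from this post: it parses the Prometheus text exposition format with a small hand-written parser and computes per-pod drop ratios from counter deltas, handling the counter reset that a pod restart produces. The metric names `networkobservability_forward_count` and `networkobservability_drop_count` and the `namespace`/`pod` labels are assumptions (check what your Retina version actually emits); the two scrapes are constructed sample data.

```python
import re
from collections import defaultdict

# Assumed Retina metric names (check the names your Retina version emits).
FORWARD_METRIC = "networkobservability_forward_count"
DROP_METRIC = "networkobservability_drop_count"

# One Prometheus exposition sample: name{labels} value [timestamp]
_SAMPLE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(\S+)(?:\s+\S+)?$')
_LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Parse Prometheus text format into {(metric, frozenset(label items)): value}."""
    samples = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SAMPLE.match(line)
        if not m:
            continue  # skip anything that is not a sample line
        name, labels_raw, value = m.groups()
        labels = dict(_LABEL.findall(labels_raw)) if labels_raw else {}
        samples[(name, frozenset(labels.items()))] = float(value)
    return samples


def pod_drop_ratio(scrape_before, scrape_after,
                   forward_metric=FORWARD_METRIC, drop_metric=DROP_METRIC):
    """Per-pod drop ratio drop/(drop+forward) from counter deltas between two scrapes.

    Counters are cumulative, so the delta between scrapes is what says whether drops
    are happening now. A negative delta means the counter reset (for example a pod
    restart); the post-reset value is then taken as the delta."""
    before = parse_exposition(scrape_before)
    after = parse_exposition(scrape_after)
    forward, drop = defaultdict(float), defaultdict(float)
    for (name, labels), v_after in after.items():
        if name not in (forward_metric, drop_metric):
            continue
        lab = dict(labels)
        pod = (lab.get("namespace", ""), lab.get("pod", ""))
        delta = v_after - before.get((name, labels), 0.0)
        if delta < 0:
            delta = v_after
        (forward if name == forward_metric else drop)[pod] += delta
    ratios = {}
    for pod in set(forward) | set(drop):
        total = forward[pod] + drop[pod]
        ratios[pod] = drop[pod] / total if total else 0.0
    return ratios


def pods_over_threshold(ratios, threshold=0.05):
    """Pods whose drop ratio exceeds the threshold, sorted for stable output."""
    return sorted(pod for pod, r in ratios.items() if r > threshold)


# Constructed scrapes (not real Retina output): the same node scraped twice, 30 s apart.
SCRAPE_T0 = """
# HELP networkobservability_forward_count Total forwarded packets
# TYPE networkobservability_forward_count counter
networkobservability_forward_count{namespace="shop",pod="cart-7d9f",direction="ingress"} 1000
networkobservability_drop_count{namespace="shop",pod="cart-7d9f",direction="ingress",reason="IPTABLE_RULE_DROP"} 10
networkobservability_forward_count{namespace="shop",pod="api-5c1a",direction="ingress"} 5000
networkobservability_drop_count{namespace="shop",pod="api-5c1a",direction="ingress",reason="IPTABLE_RULE_DROP"} 5
networkobservability_forward_count{namespace="shop",pod="web-1",direction="ingress"} 900
networkobservability_drop_count{namespace="shop",pod="web-1",direction="ingress",reason="IPTABLE_RULE_DROP"} 0
"""
SCRAPE_T1 = """
networkobservability_forward_count{namespace="shop",pod="cart-7d9f",direction="ingress"} 1100
networkobservability_drop_count{namespace="shop",pod="cart-7d9f",direction="ingress",reason="IPTABLE_RULE_DROP"} 60
networkobservability_forward_count{namespace="shop",pod="api-5c1a",direction="ingress"} 6000
networkobservability_drop_count{namespace="shop",pod="api-5c1a",direction="ingress",reason="IPTABLE_RULE_DROP"} 6
networkobservability_forward_count{namespace="shop",pod="web-1",direction="ingress"} 50
networkobservability_drop_count{namespace="shop",pod="web-1",direction="ingress",reason="IPTABLE_RULE_DROP"} 2
"""

if __name__ == "__main__":
    ratios = pod_drop_ratio(SCRAPE_T0, SCRAPE_T1)
    for pod, ratio in sorted(ratios.items()):
        print(f"{pod[0]}/{pod[1]}: drop ratio {ratio:.3f}")
    print("over threshold:", pods_over_threshold(ratios))
```

In the constructed data the cart pod dropped 50 of its last 150 packets, the api pod 1 of 1001, and the web pod restarted between scrapes (its forward counter went from 900 to 50), which the reset handling turns into a small positive delta rather than a negative one.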

Our vision for Retina


Many enterprises are multi-cloud and want solutions that work well not just on Microsoft Azure, but on other clouds as well as on-premises. Retina is open-source and multi-cloud from day one. By open-sourcing Retina, we aim to share our knowledge and vision for Kubernetes networking observability with the broader cloud-native ecosystem. Our hope is that Retina will evolve and grow through collaboration with other developers and organizations who share similar experiences and goals in this field.

In terms of architecture, extensibility was key from the outset and will remain going forward. Retina offers extensibility in data collection—allowing users to easily add new metrics and insights. It also offers extensibility in exporters—enabling users to integrate with other monitoring systems and tools. This flexibility ensures that Retina can adapt to different use cases and environments, making it a versatile and powerful platform for Kubernetes networking observability. In conclusion, we envision Retina as a platform allowing anyone to contribute, extend, and innovate on ultimately creating a robust, purpose-built, and comprehensive solution for Kubernetes networking observability.

Source: microsoft.com

Thursday, 1 February 2024

Unwrapping the 2023 holiday season: A deep dive into Azure’s DDoS attack landscape


As the holiday season of 2023 unfolded, it brought not only cheer and celebration but also a surge in Distributed Denial-of-Service (DDoS) attacks. This year’s trends in DDoS attacks reveal a complex and evolving threat landscape. From misconfigured Docker API endpoints enabling botnet delivery to the emergence of NKAbuse malware exploiting blockchain technology for DDoS attacks, the tactics and scale of these attacks have shown significant sophistication and diversification.

The 2023 holiday season attack landscape in Azure


In our monitoring of the attack landscape during the holiday season, we observed a notable shift in some of the attack patterns compared to the previous year. This change underscores the relentless efforts of malicious actors to refine their threat tactics and attempt to circumvent DDoS protection strategies.

Daily Attack Volume: Azure’s robust security infrastructure automatically mitigated a peak of 3,500 attacks daily. Notably, large-scale attacks, exceeding 1 million packets per second (pps), constituted 15%-20% of these incidents.*

Figure 1: Number of daily DDoS attacks towards resources in Azure.

Geographical origins: A shift in attack origins was observed, with the top two origin countries being China with 42% of the attacks and the USA with 18%. All other countries make up 40% of attacks.* This marks a change from the previous year, where both countries were equally represented as the top two regional sources.

Figure 2: Source countries for DDoS Attacks on Azure.

Attack protocols: The 2023 holiday season saw a predominant use of UDP-based attacks, targeting gaming workloads and web applications and accounting for 78% of the attacks. These include UDP reflected/amplified attacks, which predominantly leverage the domain name system (DNS) and simple service discovery protocol (SSDP), as well as QUIC (which runs over UDP port 443) for reflection purposes. Notably, QUIC is emerging as a more common attack vector, either through reflection or through DDoS stressers that flood UDP port 443 with randomized traffic. This year’s holiday season attack patterns contrast sharply with the previous year, when TCP-based attacks made up 65% of all attacks.*

Figure 3: Attacks protocols distribution.

Record-breaking attack: A staggering UDP attack, peaking at 1.5 terabits per second (Tbps), targeted a gaming customer in Asia. This attack, originating from China, Japan, the USA, and Brazil, was highly randomized, involving numerous source IPs and ports, yet was fully mitigated by Azure’s defenses.
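Two of the patterns described above (reflection from well-known UDP service ports, and a flood that randomizes source IPs and ports) are distinguishable in aggregated flow data. The following is an added example, not code from this post or from Azure DDoS Protection: it runs simple classification logic over constructed flow records. The record shape (`src_ip`, `src_port`, `dst_ip`, `dst_port`, `proto`, `pkts`) is an assumption, not Azure's flow log format, and the addresses are from documentation ranges.

```python
from collections import Counter, defaultdict

# UDP source ports of the reflection/amplification services named in the post.
REFLECTION_PORTS = {53: "DNS", 1900: "SSDP", 443: "QUIC"}


def flow(src_ip, src_port, dst_ip, dst_port, proto, pkts):
    """Build one aggregated flow record (an assumed shape, not Azure's flow log format)."""
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": proto, "pkts": pkts}


def protocol_share(flows):
    """Share of packets per transport protocol, e.g. {'UDP': 0.78, 'TCP': 0.22}."""
    pkts = Counter()
    for f in flows:
        pkts[f["proto"]] += f["pkts"]
    total = sum(pkts.values())
    return {proto: n / total for proto, n in pkts.items()} if total else {}


def reflection_candidates(flows):
    """Per destination, packets from UDP flows whose *source* port is a reflection service.

    Reflected traffic arrives from the service port of the abused reflector, so the
    source port is the tell-tale; the destination port is whatever the spoofed request used."""
    per_dst = defaultdict(Counter)
    for f in flows:
        if f["proto"] == "UDP" and f["src_port"] in REFLECTION_PORTS:
            per_dst[f["dst_ip"]][REFLECTION_PORTS[f["src_port"]]] += f["pkts"]
    return {dst: dict(c) for dst, c in per_dst.items()}


def randomized_source_targets(flows, min_src_ips=4, min_src_ports=5):
    """Destinations hit from many distinct source IPs *and* many distinct source ports.

    Reflection floods have few source ports (the reflectors' service ports); a direct
    flood from spoofed or rented hosts randomizes both, which is the pattern the post
    describes for the 1.5 Tbps attack."""
    src_ips, src_ports = defaultdict(set), defaultdict(set)
    for f in flows:
        src_ips[f["dst_ip"]].add(f["src_ip"])
        src_ports[f["dst_ip"]].add(f["src_port"])
    return sorted(d for d in src_ips
                  if len(src_ips[d]) >= min_src_ips and len(src_ports[d]) >= min_src_ports)


# Constructed flows using documentation address ranges; not real attack telemetry.
FLOWS = [
    # reflected/amplified traffic towards 203.0.113.5 (DNS, SSDP and QUIC reflectors)
    flow("198.51.100.10", 53, "203.0.113.5", 40001, "UDP", 5000),
    flow("198.51.100.11", 53, "203.0.113.5", 40002, "UDP", 4000),
    flow("198.51.100.12", 1900, "203.0.113.5", 40003, "UDP", 3000),
    flow("198.51.100.13", 443, "203.0.113.5", 40004, "UDP", 2000),
    # randomized UDP/443 flood towards 203.0.113.9 (stresser-style)
    flow("192.0.2.20", 51000, "203.0.113.9", 443, "UDP", 6000),
    flow("192.0.2.21", 51001, "203.0.113.9", 443, "UDP", 6000),
    flow("192.0.2.22", 51002, "203.0.113.9", 443, "UDP", 6000),
    flow("192.0.2.23", 51003, "203.0.113.9", 443, "UDP", 6000),
    # ordinary TCP traffic
    flow("192.0.2.30", 40000, "203.0.113.9", 80, "TCP", 10000),
    flow("192.0.2.31", 40001, "203.0.113.5", 80, "TCP", 1000),
]

if __name__ == "__main__":
    print("protocol share:", protocol_share(FLOWS))
    print("reflection candidates:", reflection_candidates(FLOWS))
    print("randomized-source targets:", randomized_source_targets(FLOWS))
```

Note the thresholds: with the default of five distinct source ports only the UDP/443 flood is flagged as randomized, while lowering the port threshold to four also catches the reflection target, because the reflectors' fixed service ports keep that destination's source-port diversity low. Tune both against what is normal for the protected address.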

Botnet evolution: In the past year, cybercriminals increasingly leveraged cloud resources, particularly virtual machines, for DDoS attacks. This trend continued to evolve during the holiday season, with attackers trying to exploit discounted Azure subscriptions globally. From mid-November 2023 until the end of the year, we monitored attempts to use compromised accounts in 39 Azure regions, with Europe and the USA being the primary targets, accounting for about 67% of these incidents.* Azure’s defense mechanisms successfully neutralized these threats.

Figure 4: Azure regions where attempts to exploit resources for DDOS attacks occurred.

Contextualizing the threat


The 2023 DDoS attack trends in Azure mirror global patterns. Attacks are becoming politically motivated as we highlighted earlier last year, fueled by geopolitical tensions.

The emergence of DDoS-for-hire services, commonly known as “stressers” and “booters” remain popular amongst attackers. These platforms, readily available on cybercriminal forums, have democratized the ability to launch powerful DDoS attacks, making them accessible to less sophisticated criminals for minimal costs. Recent years have seen an uptick in the availability and use of these services, confirmed by international law enforcement agencies through operations like Operation PowerOFF, which last year in May targeted 13 domains associated with DDoS-for-hire platforms. Despite these efforts, stressers continue to thrive, offering a range of attack methods and power, with some capable of attacks up to 1.5 Tbps.

Cloud power: Combating the evolving DDoS threats


The rise of botnets at scale and DDoS-for-hire services poses a significant risk to online services and business operations. To fight these threats, more cloud computing power is needed to absorb the leading wave of the attack until patterns can be identified, spurious traffic diverted, and legitimate traffic preserved. When tens of thousands of devices constitute an attack, the cloud is our best defense, due to the scale needed to mitigate the largest attacks. In addition, due to the global distribution of the cloud, closer proximity helps to block attacks closest to the sources.

Ensuring robust protection


In an era where digital threats are constantly evolving, ensuring robust protection against DDoS attacks has never been more critical. Here’s how Azure’s comprehensive security solutions are designed to safeguard your digital infrastructure.

DDoS Protection Service: With the high risk of DDoS attacks, it’s essential to have a DDoS protection service like Azure DDoS Protection. This service provides always-on traffic monitoring, automatic attack mitigation upon detection, adaptive real-time tuning, and full visibility on DDoS attacks with real-time telemetry, monitoring, and alerts.

Multi-Layered Defense: For comprehensive protection, set up a multi-layered defense by deploying Azure DDoS Protection with Azure Web Application Firewall (WAF). Azure DDoS Protection secures the network and transport layers (Layers 3 and 4), while Azure WAF safeguards the application layer (Layer 7). This combination provides protection against various types of DDoS attacks.

Alert Configuration: Azure DDoS Protection can identify and mitigate attacks without user intervention. Configuring alerts for active mitigations can keep you informed about the status of protected public IP resources.

2024: Rising against DDoS threats


The 2023 holiday season has underscored the relentless and evolving threat of DDoS attacks in the cyber landscape. As we transition into the new year, it becomes crucial for organizations to enhance and adapt their cybersecurity strategies. This period should be a learning curve, focusing on fortifying defenses against such DDoS attacks and staying vigilant against new tactics. The resilience of Azure against these sophisticated DDoS threats highlights the critical need for robust and adaptive security measures, not just in protecting digital assets but also in ensuring uninterrupted business operations.

* Based on internal data

Source: microsoft.com

Tuesday, 9 May 2023

Azure Virtual WAN introduces its first SaaS offering

Today we are excited to announce the preview of Palo Alto Networks Cloud Next Generation Firewall (NGFW) for Azure, available as a software as a service (SaaS) offering in Azure Virtual WAN. Azure Virtual WAN (vWAN), a networking-as-a-service offering, brings networking, security, and routing functionalities together to simplify networking in Azure. With ease of use and simplicity built in, vWAN is a one-stop shop to connect, protect, route traffic, and monitor your wide area network.

Virtual WAN’s deep integration with the Palo Alto Networks managed firewall service allows you to enjoy the simplicity of a SaaS security offering without the hassles of managing provisioning, scaling, resiliency, software updates, or routing. A SaaS model enables a customer to deploy a solution by simply supplying necessary parameters and abstracting themselves from the management of network virtual appliances.

In this blog, we will focus on the Virtual WAN use case, followed by a brief overview of the behind-the-scenes secret sauce that makes it happen, and then understanding key Palo Alto Networks differentiating features.

The use case


Customers of Azure Virtual WAN can now use Palo Alto Networks Cloud NGFW for Azure to secure their traffic through their Virtual WAN deployments. 

The different traffic flows that are supported by a customer’s vWAN deployment are illustrated below. Flows are numbered in the table below with the following assumptions:

◉ ‘B’ stands for a Branch which is a customer’s on-premises network connected to Azure through ExpressRoute circuits, Branch/Site-to-site VPN, or Remote user/Point-to-site connections.
◉ ‘V’ stands for VNet—Azure Virtual networks hosting customer services and connected to a Virtual WAN hub. It may also be referred to as spoke VNet.
◉ ‘I’ stands for internet, which means the customer traffic that originates from or terminates in the internet and traverses through Azure Virtual WAN.
◉ ‘H’ stands for Azure Virtual hub.
◉ Traffic flows across a single hub are traffic flows originating and terminating on endpoints connected to the same virtual hub. These may also be referred to as Intra-hub flows.
◉ Inter-hub flows are traffic flows that traverse across 2 virtual hubs to get to the destination.

Figure 1: Supported use case and traffic flows in Azure Virtual WAN with Palo Alto Networks Cloud NGFW.


User experience


Customers can add Palo Alto Networks Cloud NGFW to an Azure Virtual WAN Hub in the Azure portal. After a hub is created, click on the hub name and navigate to Third-party Providers -> SaaS solutions –> Create SaaS and choose the Palo Alto Networks Cloud NGFW option.

Figure 2: Discover Palo Alto Networks Cloud NGFW.

After clicking “Create”, you’ll be taken to a wizard experience where you can configure and customize your Cloud NGFW SaaS deployment. You can customize key networking and security attributes of your SaaS such as selecting public IPs, DNS proxy settings, security policies, and security settings.

Figure 3: Create and set up security settings in Palo Alto Networks Cloud NGFW.

After the Cloud NGFW has been successfully provisioned, you can manage your SaaS Firewall by navigating to your Virtual Hub -> Third-party providers -> SaaS solutions -> Manage SaaS. Explore here for more information on available options.

How does this all work within Virtual WAN


As mentioned in the prior section, Virtual WAN supports multiple flows. To illustrate the behind-the-scenes workings in Virtual WAN, we will use East-West (V2V) traffic flows.

Figure 4: Traffic flows within Virtual WAN for East-West (V2V) traffic to and from Palo Alto Networks Cloud NGFW.

As you can see, the complexities of traffic engineering, and infrastructure management are completely removed and the user gets to just focus on securing the right security policies for their network traffic.

Key highlights of the Palo Alto Networks Cloud NGFW for Azure integration with Virtual WAN


Palo Alto Networks Cloud NGFW for Azure integrates with Azure Virtual WAN deployments, enabling customers to protect traffic across their entire network. While there are several cool and turn-key features built into the integration, a few that are worth calling out are below:

◉ Machine learning powered NGFW: Cloud NGFW for Azure uses AI and machine learning to detect and stop known, unknown, and zero-day threats, enabling customers to stay ahead of sophisticated adversaries.

◉ Consistent security and management from on-premises to Azure: Cloud NGFW for Azure is integrated with Panorama, Palo Alto Networks’ policy management solution. This integration lets customers extend their existing security policy from on-premises to Azure, simplifying operations and reducing administrative workload and total cost of ownership. It enforces the same standards of security in the cloud as on-premises, and it provides centralized visibility into threats on the network, so customers can manage their security policies through the Panorama console they already use while their cloud teams focus on application migration and new application development.

◉ Ease of use: Palo Alto Networks Cloud NGFW is designed to be incredibly easy to use. Similar to Virtual WAN product principles for simplicity and ease of use, this Palo Alto Networks integrated solution allows customers to procure and deploy the solution directly from the Azure portal in just a few minutes, providing instant protection against cyber threats. The solution is also painless to operate as Palo Alto Networks takes care of scaling, resilience, and software updates. This integration gives customers the agility and flexibility they need to manage their cloud security while focusing on their core business objectives.

Source: microsoft.com

Thursday, 6 April 2023

Connect, secure, and simplify your network resources with Azure Virtual Network Manager

Enterprise-scale management and configuration of your network resources in Azure are key to keeping costs down, reducing operational overhead, and properly connecting and securing your network presence in the cloud. We are happy to announce Azure Virtual Network Manager (AVNM), your one-stop shop for managing the connectivity and security of your network resources at scale, is generally available.

What is Azure Virtual Network Manager?


AVNM works through a main process of group, configure, and deploy. You’ll group your network resources across subscriptions, regions, and even tenants; configure the kind of connectivity and security you want among your grouped network resources; and finally, deploy those configurations onto those network groups in whichever and however many regions you’d like.

Common use cases

Common use cases for AVNM include the following and can be addressed by deploying AVNM’s connectivity and security admin configurations onto your defined network groups:

  • Interconnected virtual networks (VNets) that communicate directly with each other.
  • Central infrastructure services in a hub VNet that are shared by other VNets.
    • Establishing direct connectivity between spoke VNets to reduce latency.
  • Automatic maintenance of connectivity at scale, even with the addition of new network resources.
  • Enforced standard security rules on all existing and new VNets without risk of change.
    • Keeping flexibility for VNet owners to configure network security groups (NSGs) as needed for more specific traffic dictation.
  • Application of default security rules across an entire organization to mitigate the risk of misconfiguration and security holes.
  • Force-allowance of services’ traffic, such as monitoring services and program updates, to prevent accidental blocking through security rules.

Connectivity configuration


Hub and spoke topology

When you have some services in a hub VNet, such as an Azure Firewall or ExpressRoute, and you need to connect several other VNets to that hub to share those services, that means you’ll have to establish connectivity between each of those spoke VNets and the hub. In the future, if you provision new VNets, you’ll also need to make sure those new VNets are correctly connected to the hub VNet.

With AVNM, you can create groups of VNets and select those groups to be connected to your desired hub VNet, and AVNM will establish all the necessary connectivity between your hub VNet and each VNet in your selected groups behind the scenes. On top of the simplicity of creating a hub and spoke topology, new VNets that match your desired conditions can be automatically added to this topology, reducing manual interference from your part.

For the time being, establishing direct connectivity between the VNets within a spoke network group is still in preview and will become generally available (GA) at a later date.

Mesh

If you want all of your VNets to be able to communicate with each other regionally or globally, you can build a mesh topology with AVNM’s connectivity configuration. You’ll select your desired network groups and AVNM will establish connectivity between every VNet that is a part of your selected network groups. The mesh connectivity configuration feature is still in preview and will become generally available at a later date.

How to implement connectivity configurations with existing environments

Let’s say you have a cross-region hub and spoke topology in Azure that you’ve set up through manual peerings. Your hub VNet has an ExpressRoute gateway and your dozens of spoke VNets are owned by various application teams.

Here are the steps you would take to implement and automate this topology using AVNM:

1. Create your network manager.
2. Create a network group for each application team’s respective VNets using Azure Policy definitions that can be conditionally based on parameters including (but not limited to) subscription, VNet tag, and VNet name.
3. Create a connectivity configuration with hub and spoke selected. Select your desired hub VNet and your network groups as the spokes.
4. By default, all connectivity established with AVNM is additive after the connectivity configuration’s deployment. If you’d like AVNM to clean up existing peerings for you, this is an option you can select; otherwise, existing connectivity can be manually cleaned up later if desired.
5. Deploy your hub and spoke connectivity configuration to your desired regions.

In just a few clicks, you’ve set up a hub and spoke topology among dozens of VNets from all application teams globally through AVNM. By defining the conditions of VNet membership for your network groups representing each application team, you’ve ensured that any newly created VNet matching those conditions will automatically be added to the corresponding network group and receive the same connectivity configuration applied onto it. Whether you choose to have AVNM delete existing peerings or not, there is no downtime to connectivity between your spoke VNets and hub VNet.

Security feature


AVNM currently provides you with the ability to protect your VNets at scale with security admin configurations. This type of configuration consists of security admin rules, which are high-priority security rules defined similarly to, but with precedence over NSG rules.

The security admin configuration feature is still in preview and will GA at a later date.

Enforcement and flexibility

With NSGs alone, widespread enforcement on VNets across several applications, teams, or even entire organizations can be tricky. Often there’s a balancing act between attempts at centralized enforcement across an organization and handing over granular, flexible control to teams. The cost of hard enforcement is higher operational overhead as admins need to manage an increasing number of NSGs. The cost of individual teams tailoring their own security rules is the risk of vulnerability as misconfiguration or opened unsafe ports is possible. Security admin rules aim to eliminate this sliding scale of choosing between enforcement and flexibility altogether by providing central governance teams with the ability to establish guardrails, while intentionally allowing traffic for individual teams to flexibly pinpoint security as needed through NSG rules.

Difference from NSGs


Security admin rules are similar to NSG rules in structure and input parameters, but they are not the exact same construct. Let’s boil down these differences and similarities:

                   Security admin rules                              NSG rules
Target audience    Network admins, central governance team           Individual teams
Applied on         Virtual networks                                  Subnets, NICs
Evaluation order   Higher priority (evaluated first)                 Lower priority, after security admin rules
Action types       Allow, Deny, Always Allow                         Allow, Deny
Parameters         Priority, protocol, action, source, destination   Priority, protocol, action, source, destination

One key difference is the security admin rule’s Allow type. Unlike its other action types of Deny and Always Allow, if you create a security admin rule to Allow a certain type of traffic, then that traffic will be further evaluated by NSG rules matching that traffic. However, Deny and Always Allow security admin rules will stop the evaluation of traffic, meaning NSGs down the line will not see or handle this traffic. As a result, regardless of NSG presence, administrators can use security admin rules to protect an organization by default.


Key Scenarios


Providing exceptions

Being able to enforce security rules throughout an organization is useful, to say the least. But one of the benefits of security admin rules that we’ve mentioned is its allowance for flexibility by teams within the organization to handle traffic differently as needed. Let’s say you’re a network administrator and you’ve enforced security admin rules to block all high-risk ports across your entire organization, but application team 1 needs SSH traffic for a few of their resources and has requested an exception for their VNets. You’d create a network group specifically for application team 1’s VNets and create a security admin rule collection targeting only that network group; inside that rule collection, you’d create a security admin rule of action type Allow for inbound SSH traffic (port 22). The priority of this rule would need to be higher (a lower priority number) than the original rule that blocks this port across all of your organization’s resources. Effectively, you’ve now established an exception to the blocking of SSH traffic just for application team 1’s VNets, while still protecting your organization from that traffic by default.


Force-allowing traffic to and from monitoring services or domain controllers

Security admin rules are handy for blocking risky traffic across your organization, but they’re also useful for force-allowing traffic needed for certain services to continue running as expected. If you know that your application teams need software updates for their virtual machines, then you can create a rule collection targeting the appropriate network groups consisting of Always Allow security admin rules for the ports where the updates come through. This way, even if an application team misconfigures an NSG to deny traffic on a port necessary for updates, the security admin rule will ensure the traffic is delivered and doesn’t hit that conflicting NSG.
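The evaluation order described in the three passages above (admin rules before NSGs; Allow falls through to the NSG, Deny and Always Allow are terminal; an exception is a higher-priority Allow in a collection targeting one network group) is easy to get wrong when reasoning about a mixed estate, so here is an added example that models it, not code from Azure or from this post. The model is a simplification: rules match on direction, protocol and destination port only (no source/destination prefixes), a single network manager is assumed, and an NSG with no matching rule is treated as a default deny rather than replaying Azure's built-in default rules. All rule names, NSGs and packets are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first (Azure convention)
    action: str            # "Allow", "Deny" or "AlwaysAllow" ("AlwaysAllow" is admin-rule only)
    direction: str         # "Inbound" or "Outbound"
    protocol: str          # "Tcp", "Udp" or "Any"
    dest_ports: frozenset  # destination ports; empty set means any port


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    dest_port: int


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.protocol in ("Any", pkt.protocol)
            and (not rule.dest_ports or pkt.dest_port in rule.dest_ports))


def evaluate(admin_rules, nsg_rules, pkt):
    """Return (verdict, decided_by) for one packet.

    Security admin rules are evaluated first, by ascending priority number. Deny and
    AlwaysAllow are terminal; an Allow match stops admin evaluation and hands the packet
    to the NSG. nsg_rules=None models a subnet/NIC with no NSG attached (everything the
    admin rules let through is allowed); with an NSG, a packet matching no NSG rule gets
    a default deny (a simplification of Azure's built-in default rules)."""
    for rule in sorted(admin_rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            if rule.action == "Deny":
                return "Deny", f"admin:{rule.name}"
            if rule.action == "AlwaysAllow":
                return "Allow", f"admin:{rule.name}"
            break  # Allow: fall through to the NSG
    if nsg_rules is None:
        return "Allow", "no-nsg"
    for rule in sorted(nsg_rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action, f"nsg:{rule.name}"
    return "Deny", "nsg:default-deny"


# Organisation-wide rule collection, targeting every network group (hypothetical).
ORG_RULES = [
    Rule("deny-high-risk-inbound", 100, "Deny", "Inbound", "Tcp", frozenset({22, 3389})),
    Rule("always-allow-updates", 50, "AlwaysAllow", "Outbound", "Tcp", frozenset({443})),
]
# Exception collection targeting only application team 1's network group: a higher-priority
# (lower number) Allow for SSH that defers the final decision to team 1's own NSGs.
TEAM1_EXCEPTION = [Rule("allow-ssh-team1", 10, "Allow", "Inbound", "Tcp", frozenset({22}))]

# Team-managed NSGs (hypothetical).
NSG_TEAM1 = [Rule("allow-ssh-from-bastion", 100, "Allow", "Inbound", "Tcp", frozenset({22}))]
NSG_TEAM1_LOCKED = [Rule("deny-ssh", 100, "Deny", "Inbound", "Tcp", frozenset({22}))]
NSG_TEAM2_MISCONFIGURED = [Rule("deny-all-outbound", 100, "Deny", "Outbound", "Any", frozenset())]

SSH_IN = Packet("Inbound", "Tcp", 22)
RDP_IN = Packet("Inbound", "Tcp", 3389)
HTTPS_OUT = Packet("Outbound", "Tcp", 443)

if __name__ == "__main__":
    print("team2 SSH:", evaluate(ORG_RULES, NSG_TEAM2_MISCONFIGURED, SSH_IN))
    print("team1 SSH:", evaluate(ORG_RULES + TEAM1_EXCEPTION, NSG_TEAM1, SSH_IN))
    print("team1 SSH, NSG denies:", evaluate(ORG_RULES + TEAM1_EXCEPTION, NSG_TEAM1_LOCKED, SSH_IN))
    print("team1 RDP:", evaluate(ORG_RULES + TEAM1_EXCEPTION, NSG_TEAM1, RDP_IN))
    print("team2 updates:", evaluate(ORG_RULES, NSG_TEAM2_MISCONFIGURED, HTTPS_OUT))
```

The scenarios show the two properties the post relies on: the exception Allow does not itself open SSH for team 1, it only lets team 1's NSG decide (a locked-down NSG still denies), and the Always Allow for update traffic is delivered even though team 2's NSG denies all outbound traffic, because that NSG never sees the packet.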

How to implement security admin configurations with existing environments

Let’s say you have an NSG-based security model consisting of hundreds of NSGs that are modifiable by both the central governance team and individual application teams. Your organization implemented this model originally to allow for flexibility, but there have been security vulnerabilities due to missing security rules and constant NSG modification.

Here are the steps you would take to implement and enforce organization-wide security using AVNM:

1. Create your network manager.

2. Create a network group for each application team’s respective VNets using Azure Policy definitions that can be conditionally based on parameters including (but not limited to) subscription, VNet tag, and VNet name.

3. Create a security admin configuration with a rule collection targeting all network groups. This rule collection represents the standard security rules that you’re enforcing across your entire organization.

4. Create security admin rules blocking high-risk ports. These security admin rules take precedence over NSG rules, so Deny security admin rules have no possibility of conflict with existing NSGs. Redundant or now-circumvented NSGs can be manually cleaned up if desired.

5. Deploy your security admin configuration to your desired regions.

You’ve now set up an organization-wide set of security guardrails among all of your application teams’ VNets globally through AVNM. You’ve established enforcement without sacrificing flexibility, as you’re able to create exceptions for any application team’s set of VNets. Your old NSGs still exist, but all traffic will hit your security admin rules first. You can clean up redundant or avoided NSGs, and your network resources are still protected by your security admin rules, so there is no downtime from a security standpoint.

Source: microsoft.com

Tuesday, 28 March 2023

Monitor Azure Virtual Network Manager changes with event logging

Today, our customers establish and manage their Azure virtual networks at scale. As their number of network resources grows, the question of how to maintain connectivity and security among their scale of resources arises. This is where Microsoft Azure Virtual Network Manager comes in—your one-stop shop for managing the connectivity and security of your network resources at scale (currently in preview). And when customers use Azure Virtual Network Manager, they also need visibility into what kind of changes were made so that they can audit those events, analyze those changes over time, and debug issues along the way. This capability is now a reality—Azure Virtual Network Manager event logging is now in preview.

Azure Virtual Network Manager (AVNM) uses Azure Monitor for telemetry collection and analysis like many other Azure services. AVNM now provides event logs that you can interact with through Azure Monitor’s Log Analytics tool in the Azure Portal, as well as through a storage account. You can also send these logs to an event hub or partner solution.

With this preview announcement, Azure Virtual Network Manager will provide a log category for network group membership change. In the context of AVNM, network groups are defined by the user to contain virtual networks. The membership of a network group can be manually provided (such as by selecting VNetA, VNetB, and VNetC to be a part of this network group) as well as conditionally set through Azure Policy (such as by defining that any virtual network within a certain subscription that contains some string in its name will be added to this network group). The network group membership change log category tracks when a particular virtual network is added to or removed from a network group. This can be used to track network group membership changes over time, to capture a snapshot of a particular virtual network’s network group membership, and more.

What attributes are part of this event log category?


This network group membership change category emits one log per network group membership change. So, when a virtual network is added to or removed from a network group, a log is emitted correlating to that single addition or removal for that particular virtual network. If you’re looking at one of these logs from your storage account, you’ll see several attributes:

Attribute and description:

time: Datetime when the event was logged.
resourceId: Resource ID of the network manager.
location: Location of the virtual network resource.
operationName: Operation that resulted in the virtual network being added or removed. Always the “Microsoft.Network/virtualNetworks/networkGroupMembership/write” operation.
category: Category of this log. Always “NetworkGroupMembershipChange”.
resultType: Indicates a successful or failed operation.
correlationId: GUID that can help relate or debug logs.
level: Always “Info”.
properties: Collection of properties of the log.

Within the properties attribute are several nested attributes:

Properties attribute and description:

Message: Basic success or failure message.
MembershipId: Default membership ID of the virtual network.
GroupMemberships: Collection of the network groups the virtual network belongs to. There may be multiple “NetworkGroupId” and “Sources” entries within this property, since a virtual network can belong to multiple network groups simultaneously.
MemberResourceId: Resource ID of the virtual network that was added to or removed from a network group.

Within the GroupMemberships attribute are several nested attributes:

GroupMemberships attribute and description:

NetworkGroupId: ID of a network group the virtual network belongs to.
Sources: Collection describing how the virtual network is a member of the network group.

Within the Sources attribute are several nested attributes:
 
Sources attribute and description:

Type: Denotes whether the virtual network was added manually (“StaticMembership”) or conditionally via Azure Policy (“Policy”).
StaticMemberId: Present only if the “Type” value is “StaticMembership”.
PolicyAssignmentId: Present only if the “Type” value is “Policy”. ID of the Azure Policy assignment that associates the Azure Policy definition with the network group.
PolicyDefinitionId: Present only if the “Type” value is “Policy”. ID of the Azure Policy definition that contains the conditions for the network group’s membership.

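As an added example (my code, not Microsoft's), here is a small parser for the record layout tabulated above: it turns a downloaded batch of NetworkGroupMembershipChange logs into a per-VNet history of groups gained and lost, the source behind each membership, and the operations that failed, which is the kind of audit trail the post says these logs enable. The sample records, their short IDs, the JSON field casing and the resultType values “Succeeded”/“Failed” are all assumptions.

```python
"""Parser for AVNM NetworkGroupMembershipChange logs. Record shape is
reconstructed from the post's attribute tables; sample data is constructed."""
import json
from collections import defaultdict

# Constructed IDs; real values are full Azure resource IDs.
NM_ID = "/subscriptions/<sub>/resourceGroups/rg-net/providers/Microsoft.Network/networkManagers/avnm-example"
VNET_PREFIX = "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/"
WRITE_OP = "Microsoft.Network/virtualNetworks/networkGroupMembership/write"


def _record(time, vnet, result, corr, groups, message="Membership updated"):
    """One constructed record laid out like the attribute tables above."""
    return {"time": time, "resourceId": NM_ID, "location": "eastus", "operationName": WRITE_OP,
            "category": "NetworkGroupMembershipChange", "resultType": result,
            "correlationId": corr, "level": "Info",
            "properties": {"Message": message, "MembershipId": "membership-" + vnet,
                           "MemberResourceId": VNET_PREFIX + vnet, "GroupMemberships": groups}}


def _static(vnet):
    return [{"Type": "StaticMembership", "StaticMemberId": "static-" + vnet}]


POLICY = [{"Type": "Policy", "PolicyAssignmentId": "pa-east", "PolicyDefinitionId": "pd-prod-name"}]

# Constructed contents of a downloaded JSON file: VNetA is added to ng-prod by hand,
# then to ng-east by policy, then dropped from ng-prod; one write fails in between.
SAMPLE_JSON = json.dumps([
    _record("2023-03-20T10:00:00Z", "VNetA", "Succeeded", "c-001",
            [{"NetworkGroupId": "ng-prod", "Sources": _static("VNetA")}]),
    _record("2023-03-20T10:02:00Z", "VNetB", "Succeeded", "c-002",
            [{"NetworkGroupId": "ng-prod", "Sources": _static("VNetB")}]),
    _record("2023-03-20T10:05:00Z", "VNetA", "Succeeded", "c-003",
            [{"NetworkGroupId": "ng-prod", "Sources": _static("VNetA")},
             {"NetworkGroupId": "ng-east", "Sources": POLICY}]),
    _record("2023-03-20T10:10:00Z", "VNetA", "Failed", "c-004", [], message="Policy evaluation failed"),
    _record("2023-03-20T10:15:00Z", "VNetA", "Succeeded", "c-005",
            [{"NetworkGroupId": "ng-east", "Sources": POLICY}]),
])


def parse_logs(text):
    """Records from a downloaded JSON file (array) or from JSON Lines."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def memberships(record):
    """NetworkGroupId -> set of (source type, source id) behind the membership."""
    groups = {}
    for gm in record["properties"].get("GroupMemberships", []):
        sources = set()
        for src in gm.get("Sources", []):
            if src["Type"] == "StaticMembership":
                sources.add(("StaticMembership", src["StaticMemberId"]))
            elif src["Type"] == "Policy":
                sources.add(("Policy", src["PolicyAssignmentId"]))
        groups[gm["NetworkGroupId"]] = sources
    return groups


def membership_changes(records):
    """Per VNet: ordered diffs between successive successful records."""
    by_vnet = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_vnet[rec["properties"]["MemberResourceId"]].append(rec)
    changes = {}
    for vnet, recs in by_vnet.items():
        previous, events = {}, []
        for rec in recs:
            if rec["resultType"] != "Succeeded":   # a failed write changes nothing
                continue
            current = memberships(rec)
            events.append({"time": rec["time"], "correlationId": rec["correlationId"],
                           "added": sorted(set(current) - set(previous)),
                           "removed": sorted(set(previous) - set(current)),
                           "sources": {g: sorted(s) for g, s in current.items()}})
            previous = current
        changes[vnet] = events
    return changes


def failed_operations(records):
    """(time, VNet, message) for writes whose resultType is not Succeeded."""
    return [(r["time"], r["properties"]["MemberResourceId"], r["properties"]["Message"])
            for r in records if r["resultType"] != "Succeeded"]


def removals_from(changes, group_id):
    """VNets that left a group you watch, e.g. one a security admin config targets."""
    return [(ev["time"], vnet) for vnet, evs in changes.items() for ev in evs if group_id in ev["removed"]]
```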

How do I get started?


The first step you’ll need to take is to set up your Log Analytics workspace or your storage account, depending on how you want to consume these event logs. Note that if you’re using a storage account or event hub, it will need to be in the same region as the network manager you’re accessing logs from. If you’re using a Log Analytics workspace, it can be in any region. The network manager whose logs you’re accessing doesn’t need to belong to the same subscription as your Log Analytics workspace or storage account, but permissions may restrict your ability to access logs across subscriptions.

Note that at least one virtual network must be added to or removed from a network group in order to generate logs. The log for that event appears a couple of minutes later.

Accessing Azure Virtual Network Manager’s event logs with Log Analytics

The first step is to navigate to your desired network manager and select the Diagnostic settings blade under the Monitoring section. Then you can select Add diagnostic setting and select the option to send the logs to your Log Analytics workspace.

Then you can navigate to your Log Analytics workspace directly through your network manager by selecting the Logs blade under the Monitoring section.

Alternatively, you can also navigate to your Log Analytics workspace in the Azure Portal and select the Logs blade.

From either place, you can run your own queries on your network manager’s emitted logs for network group membership changes, or you can also run our preloaded queries. Our preloaded queries can fetch the most recent network group membership changes and failed network group membership changes.

Accessing Azure Virtual Network Manager’s event logs with a storage account

The first step is to again navigate to your desired network manager and select the Diagnostic settings blade under the Monitoring section. Then you can select Add diagnostic setting and select the option to archive the logs to your storage account.

Then you can navigate to your storage account and select the Storage browser blade.

Select Blob containers. A blob container will be automatically generated once network group membership changes occur.

Navigate down the blob container’s file path until you reach a JSON file for the datetime specified by that file path.

Download the JSON file to view the raw logs for the file path’s datetime.

Source: microsoft.com

Saturday, 25 March 2023

Protect against cyberattacks with the new Azure Firewall Basic

Cyberattacks continue to rise across businesses of all sizes as attackers are adapting their techniques and increasing the complexity of their operations.[1] The risk of these attacks is significant for small and medium businesses (SMBs) as they usually don’t have the specialized knowledge or resources to protect against emerging threats and face more challenges when recovering from an attack. In a recent Microsoft survey,[2] 70 percent of SMBs think cyberthreats are becoming more of a business risk and nearly one in four SMBs stated that they had a security breach in the last year.

SMBs need solutions that are tailored to their unique needs and challenges. Microsoft is committed to delivering security solutions to meet the needs of all our customers. We are excited to announce the general availability of Azure Firewall Basic, a new SKU of Azure Firewall built for SMBs.

Since public preview, we have seen wide adoption of Azure Firewall Basic. Customers cited the simplicity and ease of use of Azure Firewall as one of the key benefits for choosing Azure Firewall Basic. We have also added the capability to deploy Azure Firewall Basic inside a virtual hub in addition to a virtual network. This gives businesses the flexibility to choose the deployment option that best meets their needs.

Deploying Azure Firewall in a virtual network is recommended for customers who plan to use a traditional hub-and-spoke network topology with the firewall in the hub. Deploying in a virtual hub, on the other hand, is recommended for customers with large or global network deployments in Azure where global transit connectivity across Azure regions and on-premises locations is needed.

Providing SMBs with a highly available Firewall at an affordable price point


Azure Firewall Basic brings the simplicity and security of Azure Firewall to SMBs at a cost-effective price point.

It offers Layer 3 to Layer 7 filtering and alerts on malicious traffic using the built-in Microsoft threat intelligence feed. As a cloud-native service, Azure Firewall Basic is simple to deploy with a few clicks and integrates seamlessly with other Azure services, including Microsoft Azure Firewall Manager, Azure Monitor, Azure Event Hubs, Microsoft Sentinel, and Microsoft Defender for Cloud.

Key features of Azure Firewall Basic


Comprehensive, cloud-native network firewall security

◉ Network and application traffic filtering—Centrally create, allow, or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
◉ Threat intelligence to alert on malicious traffic—Enable threat intelligence-based filtering to alert on traffic from or to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft threat intelligence feed.
◉ Built-in high availability—Azure Firewall Basic provides built-in high availability to ensure that your network traffic is always protected. Azure Firewall Basic can replicate your firewall instance across two availability zones, ensuring that your traffic is always filtered even if one of the zones goes down.

Simple setup and easy to use

◉ Set up in just a few minutes—Use the Quickstart deployment Azure Resource Manager (ARM) templates to easily deploy Azure Firewall Basic directly to your Azure environment.
◉ Automate deployment (deploy as code)—Azure Firewall Basic provides native support for Infrastructure as Code (IaC). Teams can define declarative ARM templates that specify the infrastructure required to deploy solutions. Third-party platforms like Terraform also support IaC to manage automated infrastructure.
◉ Zero maintenance with automatic updates—Azure Firewall is automatically updated with the latest threat intelligence and security updates to ensure that it stays up-to-date and protected against the latest threats.
◉ Centralized management via Azure Firewall Manager—Azure Firewall Manager is a central management solution that allows you to manage multiple Azure Firewall instances and policies across your organization from a single location, ensuring that your security policies are consistent and up to date across your organization.

Cost-effective

Designed to deliver essential, cost-effective protection of your Azure resources within your virtual networks.

Choose the right Azure Firewall SKU for your business


Azure Firewall is offered in three SKUs to meet a wide range of use cases and needs:

1. Azure Firewall Premium is recommended for customers looking to secure highly sensitive applications, such as payment processing. In addition to all features of Azure Firewall Standard, it also supports advanced threat protection capabilities like malware inspection and Transport Layer Security (TLS) inspection.
2. Azure Firewall Standard is recommended for customers looking for a Layer 3 to Layer 7 firewall who require auto-scaling to handle peak traffic periods of up to 30 gigabits per second (Gbps). It supports enterprise features like threat intelligence, Domain Name System (DNS) proxy, custom DNS, and web categories.
3. Azure Firewall Basic is recommended for SMB customers with throughput needs of less than 250 megabits per second (Mbps).

Let’s take a closer look at the features across the three Azure Firewall SKUs.

Azure Firewall Basic pricing

 
Azure Firewall Basic pricing includes both deployment and data processing charges for both the virtual network and the virtual hub scenarios. Pricing and billing for Azure Firewall Basic with a virtual hub will be effective starting May 1, 2023.

Source: microsoft.com

Tuesday, 7 March 2023

Azure WAF guided investigation Notebook using Microsoft Sentinel for automated false positive tuning

SQL injection remains one of the critical attacks in the OWASP Top 10; it involves injecting a SQL query through an input field of a web application that lacks input validation. According to the Microsoft Digital Defense Report 2022, 67 percent of web application exploits include SQL injections.

Azure Web Application Firewall (Azure WAF) provides centralized protection of your web applications from exploits and vulnerabilities. It protects against OWASP Top 10 attacks, bot attacks, application layer Distributed Denial of Service (DDoS) attacks, and other web attacks.


Azure WAF detects SQL injection attacks and blocks them by default. In certain instances, this could be a false positive that requires investigation and creation of Azure WAF exclusions. To complete a successful investigation, full context about the attack is needed and a process that guides you through the investigation is required.

We are pleased to announce a new Azure WAF guided investigation to tune WAF policy Notebook in preview. It guides you through an investigation experience to understand the Azure WAF incidents in Microsoft Sentinel, identify false positives, and automatically apply exclusions to WAF rules to address the false positives. This Notebook allows you to understand the WAF alert and pivot on key entities of the WAF event such as the request URI, client IP, hostname, and correlate with Threat Intelligence feeds to get a holistic view of the attack surface.

Azure WAF investigations powered by Microsoft Sentinel


Azure WAF is deeply integrated with Microsoft Sentinel, Microsoft’s Security Information and Event Management (SIEM) solution. Using the existing Azure WAF data connector, WAF logs are ingested and later analyzed for a variety of web application attacks and powerful visualizations pivoting on the full attack pattern are presented to you. This Notebook is built using Microsoft Threat Intelligence Center’s MSTICpy packages. With this Notebook, you can access rich historical contextual information using Microsoft Sentinel’s capabilities like incident generation, entity graph, and threat intelligence correlation, in conjunction with Azure WAF’s SQL injection detections based on OWASP rules and Microsoft Threat Intelligence rules.

Automated investigation and mitigation of web application attacks


Our new Azure WAF guided investigation to tune WAF policy Notebook provides an automated guided investigation for triaging Sentinel incidents triggered by Azure WAF SQL injection rules.

The solution includes the following components:

◉ Azure WAF data connector in Microsoft Sentinel.
◉ Microsoft Sentinel incidents generated for SQL injection attacks detected by the Microsoft Sentinel analytic rules.
◉ Azure WAF Notebook that helps investigate Azure WAF logs and automatically applies WAF exclusions to the WAF policy.

A high-level diagram explaining the data flow is given below:

Let us look at two use case scenarios for using this Notebook:

Understanding the attack landscape when there is a true positive


Using the Notebook, you can pivot on various attack artifacts such as IP, URL, or domain threat intelligence, and understand the entity graph. This Notebook retrieves the WAF SQLi rule that generated the detection and looks up related SQLi rule events within the pre-selected time. Based on the above details, if you decide that the SQL injection attack is valid then you can update the incident severity and priority. In this scenario, the web application remains protected by Azure WAF.

Understand the attack pattern and create exclusions if there is a false positive


Using the Notebook, you can pivot on various attack artifacts such as IP, URL, or domain threat intelligence, and understand the entity graph. This Notebook retrieves the WAF SQLi rule that generated the detection and looks up related rule events. It also retrieves raw WAF logs to understand the relations between the request URI, client IP, and hostname entities, and lets you dynamically access the OWASP rule set on GitHub to understand the rule’s match pattern. Based on the investigation, if you decide this incident is a false positive, the process to automatically create granular exclusions is presented to you, and the exclusions are applied to the Azure WAF policy using the Azure WAF APIs.

The following personas would benefit from this Notebook:

Persona: Developer at SomeUnionFlight.com


Understanding SQL injection detection logic

Chris is a developer at SomeUnionFlight.com. His company hosts a website for users to search for flights and make flight reservations. They have hosted their website behind WAF with Azure Front Door (AFD), where AFD accepts user requests to search their website. SomeUnionFlight.com has a SQL backend where they store flight information. He notices that when users try to access the website, their access is getting blocked because the URL contains the “Union” keyword, which is triggering the SQL injection rule. This detection is considered a false positive because the “Union” keyword is part of the website name and not a SQL injection attack. He would like an investigation experience that helps him understand how to analyze this detection using Microsoft Sentinel and determine whether it is a false positive. He would also like to automatically create exclusions for false positives for the URL without having to disable the entire rule.

Persona: SecOps analyst at Contoso.com


Understanding collateral attack vectors

Ashley is a Security Operations analyst at Contoso.com. Her company has purchased both Azure WAF and Microsoft Sentinel. She is responsible for analyzing WAF logs and identifying attack patterns. She would like to understand whether the client IP or the request URI associated with the WAF rule that triggered the SQL injection detection are Indicators of Compromise (IoC). By understanding the related Threat Intelligence Indicators of Compromise, she can prevent future attacks on her organization.
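As an added example (my code, not the Notebook’s), the triage routine below covers both personas at once: it checks the event’s client IP and host against a threat-intelligence set, treats a rule match on a plain brand token such as “SomeUnionFlight” as a false-positive candidate only once several distinct clients corroborate it, and then proposes a per-rule exclusion scoped to the one query-string argument rather than disabling the rule. The WAF events, the TI set, the simplified field names, the corroboration threshold and the exclusion fields (matchVariable, selectorMatchOperator, selector, modelled on Azure WAF policy exclusions) are assumptions.

```python
"""Triage of Azure WAF SQLi blocks: TI correlation, false-positive
corroboration and a narrow exclusion proposal. Constructed data; not the
Notebook's code."""
import re

# Constructed WAF block events with simplified field names (not the real
# log schema): the SQLi rule matched the value of one query-string argument.
WAF_EVENTS = [
    {"time": "2023-03-01T09:%02d:00Z" % i, "host": "someunionflight.com",
     "clientIp": "198.51.100.%d" % i, "ruleName": "SQLI-RULE-A", "action": "Block",
     "requestUri": "/search?partner=SomeUnionFlight&from=SEA",
     "matchedArg": "partner", "matchedValue": "SomeUnionFlight"}
    for i in range(1, 6)
] + [
    {"time": "2023-03-01T09:30:00Z", "host": "someunionflight.com",
     "clientIp": "203.0.113.7", "ruleName": "SQLI-RULE-A", "action": "Block",
     "requestUri": "/search?from=UNION+SELECT", "matchedArg": "from",
     "matchedValue": "UNION SELECT"},
    {"time": "2023-03-01T09:31:00Z", "host": "someunionflight.com",
     "clientIp": "192.0.2.40", "ruleName": "SQLI-RULE-A", "action": "Block",
     "requestUri": "/search?from=SEA--", "matchedArg": "from",
     "matchedValue": "SEA--"},
]

# Constructed threat-intelligence indicators (stand-in for the Sentinel feed).
TI_INDICATORS = {"ip": {"203.0.113.7"}, "domain": {"bad.example"}}

# SQL-looking syntax that rules out the "benign brand token" explanation.
SQL_SYNTAX = re.compile(r"[\"';()=]|--|/\*|\b(select|union|insert|drop|or|and)\b", re.I)


def is_brand_token(value, host):
    """A plain alphanumeric token that is part of the site's own hostname."""
    return value.isalnum() and value.lower() in host.lower() and not SQL_SYNTAX.search(value)


def corroborating_clients(event, events):
    """Distinct client IPs that hit the same rule, host, argument and value."""
    key = (event["host"], event["ruleName"], event["matchedArg"], event["matchedValue"].lower())
    return {e["clientIp"] for e in events
            if (e["host"], e["ruleName"], e["matchedArg"], e["matchedValue"].lower()) == key}


def classify(event, events, ti, min_distinct_clients=3):
    """Return (verdict, detail). A TI hit is a true positive to escalate; a
    corroborated brand-token match yields a narrow exclusion proposal;
    everything else goes to an analyst. The threshold is an assumption."""
    if event["clientIp"] in ti["ip"] or event["host"] in ti["domain"]:
        return "true_positive", {"reason": "client IP or host is a TI indicator",
                                 "severity": "High"}
    if not is_brand_token(event["matchedValue"], event["host"]):
        return "needs_review", {"reason": "matched value is not a plain brand token"}
    clients = corroborating_clients(event, events)
    if len(clients) < min_distinct_clients:
        return "needs_review", {"reason": "too few distinct clients to corroborate"}
    exclusion = {"ruleName": event["ruleName"],           # exclude only this rule
                 "matchVariable": "QueryStringArgNames",  # assumed exclusion fields
                 "selectorMatchOperator": "Equals",
                 "selector": event["matchedArg"]}         # only this argument
    return "false_positive_candidate", {"exclusion": exclusion,
                                        "distinctClients": len(clients)}


def triage(events, ti):
    """Verdict per event, in time order, for a quick incident summary."""
    return [(e["time"], e["clientIp"], classify(e, events, ti)[0])
            for e in sorted(events, key=lambda e: e["time"])]


if __name__ == "__main__":
    for row in triage(WAF_EVENTS, TI_INDICATORS):
        print(*row)
```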

Get started today


SQL injection attacks are getting more prevalent by the day, and Azure WAF protects web applications from these attacks. To enable a high-quality investigation experience for Azure WAF customers, we have created this new Azure WAF guided investigation Notebook that enables you to quickly understand the full attack surface and take action on the incidents.

This new Azure WAF Notebook can be found in Microsoft Sentinel under Notebooks in the Threat Management section.

Source: microsoft.com

Thursday, 12 January 2023

Azure Confidential Computing on 4th Gen Intel Xeon Scalable Processors with Intel TDX

Microsoft continues to be the cloud leader in confidential computing, and the Azure team is excited to continue our leadership by partnering with Intel to offer confidential computing on 4th Gen Intel Xeon Scalable processors with Intel Trust Domain Extensions (Intel TDX) later this year, enabling organizations in highly regulated industries to lift and shift their workloads that handle sensitive data to scale in the cloud. Intel TDX meets the Confidential Computing Consortium (CCC) standard for hardware-enforced memory protection not controlled by the cloud provider, all while delivering minimal performance impact with no code changes.

Azure and Intel enable innovative use cases


Across industries, Microsoft Azure customers use confidential computing with Intel processors to achieve higher levels of data privacy and mitigate risks associated with unauthorized access to sensitive data or intellectual property. They are leveraging innovative solutions such as data clean rooms to accelerate the development of new healthcare therapies, and privacy-preserving digital asset management solutions for the financial industry. These scenarios and more are in production today, leveraging 3rd Gen Intel Xeon Scalable processors with Intel Software Guard Extensions (Intel SGX), a foundational technology of the Azure confidential computing portfolio. In fact, Azure was the first major cloud provider to offer confidential computing in the cloud with virtual machines (VMs) enabled with Intel SGX application isolation. As founding members of the CCC, Microsoft and Intel work with numerous other member organizations to define and accelerate adoption of confidential computing. This effort includes contributions to several open source projects. The Azure team looks forward to extending this collaboration by bringing to market Intel TDX–based services in Azure.

Intel TDX extends Azure's existing confidential computing offerings


Today, Azure’s DCsv3 VMs offer application isolation using Intel SGX, delivering the smallest trust boundary of any confidential computing technology today. The addition of Intel TDX expands our portfolio to offer isolation at the VM, container or application levels to meet the diversity of customer needs. Azure is the only major cloud provider committed to offering both VM-level and application-level confidential computing offerings. Both are supported by Intel’s hardware root of trust and address the attestation requirements that meet the confidential computing industry standard. Both Intel TDX and Intel SGX technologies provide capabilities that help remove the cloud operator’s access to data, including removing the hypervisor from the trust boundary. 

Removing trust in the hypervisor


While Azure has engineered our hypervisor to be very secure, we are seeing a growing number of customers seeking further protections to meet data sovereignty and regulatory compliance requirements. These customers require increased isolation and protection of their workloads to reduce the risk of unauthorized data access. As such, Microsoft leverages hardware controls over the hypervisor to protect customer data. With Intel-based confidential computing solutions on Azure, altering the hypervisor does not allow Azure operators to read or alter customer data in memory.

Establishing trust via attestation


Attestation is a critical concept of confidential computing. It allows customers to verify the third-party hardware root of trust and software stack prior to allowing any code to access and process data. With Intel TDX, the attestation is done against the entire VM or container, each with a unique hardware key to keep memory protected. With Intel TDX, we will offer attestation support with Microsoft Azure Attestation as standard and will also partner closely with Intel on their upcoming trust service, code-named "Project Amber," to meet the security requirements of customers.

Confidential computing takes off


Many Azure confidential computing customers can attest to the value they receive from our existing Intel confidential computing offerings.

Novartis Biome uses BeeKeeperAI’s EscrowAI confidential clean room solution on Azure confidential computing for the training and validation of algorithms to predict instances of a rare childhood condition using real patient data from health records, while maintaining privacy and compliance.

“Rare diseases are often challenging to diagnose and if left untreated, they can significantly diminish a patient’s quality of life. With BeeKeeperAI, our scientists were able to securely access a large gold standard dataset that enabled us to improve the predictive capabilities of our algorithm, bringing us much closer to identifying patients early in the disease course and to improving their outcomes.” —Robin Roberts, Co-founder and Chief Operating Officer, Novartis Biome

Fireblocks provides enterprise-grade secure infrastructure for moving, storing, and issuing digital assets. They use Intel confidential computing technology on Azure to hold one of the keys to its wallets.

"Some of the biggest cryptocurrency businesses, financial institutions, and enterprises in the world trust Fireblocks software and APIs to provide digital custody solutions, manage treasury operations, access DeFi, mint and burn tokens, and manage their digital asset operations. We leverage Azure to hold one of the keys to our wallets due to Azure Confidential Computing ... " —Michael Shaulov, CEO and Co-founder, Fireblocks

Carbon Asset Solutions’ soil-based carbon credit collection and tracking system uses immutable ledger technology provided by Azure confidential ledger.

"Carbon Asset Solutions is a world-first precision measurement, recording, and verification platform focused on atmospheric carbon removal through soil carbon sequestration. With Azure, we deliver higher integrity Carbon Credits than any other method." —Sara Saeidi, Chief Operating Officer, Carbon Asset Solutions

Azure’s vision for the confidential cloud


We see a future where confidential computing is standard and pervasive both in the cloud and at the edge within all Azure service offerings. Customers will be able to more confidently use the cloud for their most sensitive data workloads while verifying the environment and staying in full control of data access. We look forward to the launch of 4th Gen Intel Xeon Scalable processors and offering Intel TDX–enabled instances with VM-level data protection and performance improvements later this year, continuing our partnership with Intel to help transition Azure to the confidential cloud.

Source: microsoft.com