Security in Azure is a question that comes up constantly. This document addresses many of these issues and provides answers to them all. I have compiled some of the most common questions in my blog post. The entire document is available here if you want to read more.

In Windows Azure, a customer subscription can include multiple deployments, and each deployment can contain multiple VMs. Windows Azure provides network isolation at several points:

  • Deployment: Each deployment is isolated from other deployments. Multiple VMs within a deployment are allowed to communicate with each other through private IP addresses.
  • Virtual Network: Multiple deployments (inside the same subscription) can be assigned to the same virtual network, and then allowed to communicate with each other through private IP addresses. Each virtual network is isolated from other virtual networks.

By default, every VM created through the Windows Azure Management Portal has inbound traffic from the Internet blocked, except for remote management ports (Remote Desktop for Windows, SSH for Linux).

Windows Azure SQL Database also provides a built-in firewall to filter incoming traffic. Initially, all communication with the SQL database is blocked.

IT administrators can restrict access by:

  • Defining input endpoints to only open ports that you need.
  • Specifying IP access control lists (ACLs) on input endpoints, to control the source IPs from which the VM will allow traffic.
  • Only allowing connectivity from your on-premises corporate network using a site-to-site VPN. Add the VMs to a virtual network, and connect the virtual network to your corporate network via a virtual network gateway.
  • Using a proxy firewall (such as the Web Application Firewall or NG Firewall virtual appliances from Barracuda Networks) that runs on a virtual machine to filter traffic to the VM. Add the VMs to a virtual network, and then define an input endpoint that points to a port on the proxy firewall.
  • Only opening ports you need inside the firewall in the guest OS.
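The first two restrictions can be checked mechanically against an exported endpoint list. The following audit is an added example, not code from the original post or from Microsoft; the inventory format, field names, VM names and IP ranges are assumptions constructed for illustration.

```python
import ipaddress

# Remote management ports the post names (Remote Desktop, SSH).
MGMT_PORTS = {3389: "Remote Desktop", 22: "SSH"}

def audit_endpoints(endpoints, needed_ports, trusted_nets):
    """Return (vm, public_port, finding) for endpoints that break the guidance."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for ep in endpoints:
        vm, pub, local = ep["vm"], ep["public_port"], ep["local_port"]
        if local not in needed_ports:
            findings.append((vm, pub, "endpoint not needed: remove it"))
            continue
        if local not in MGMT_PORTS:
            continue  # public service port: source filtering is optional here
        # Only permit rules widen access, so only they are compared to trusted ranges.
        permits = [ipaddress.ip_network(r["subnet"])
                   for r in ep.get("acl", []) if r["action"] == "permit"]
        if not permits:
            findings.append((vm, pub, f"{MGMT_PORTS[local]} has no permit ACL"))
        for net in permits:
            inside = any(net.version == t.version and net.subnet_of(t)
                         for t in trusted)
            if not inside:
                findings.append((vm, pub, f"{MGMT_PORTS[local]} permits untrusted {net}"))
    return findings

# Constructed inventory: hypothetical VM names, documentation IP ranges.
SAMPLE = [
    {"vm": "web01", "public_port": 443, "local_port": 443},
    {"vm": "web01", "public_port": 3389, "local_port": 3389},
    {"vm": "db01", "public_port": 50022, "local_port": 22,
     "acl": [{"action": "permit", "subnet": "203.0.113.0/24"}]},
    {"vm": "db01", "public_port": 1433, "local_port": 1433},
    {"vm": "app01", "public_port": 22, "local_port": 22,
     "acl": [{"action": "permit", "subnet": "0.0.0.0/0"}]},
]
NEEDED = {443, 22, 3389}       # ports the workload actually requires (assumed)
TRUSTED = ["203.0.113.0/24"]   # corporate egress range (assumed)

if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE, NEEDED, TRUSTED):
        print(*finding, sep="\t")
```

Management endpoints are matched on the local port, so a remapped public port such as 50022 is still treated as SSH.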

Windows Azure has a distributed denial-of-service (DDoS) defense system that helps prevent attacks against Windows Azure platform services. It uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits.

Windows Azure’s DDoS defense system is designed not only to withstand attacks from the outside, but also from within.