Azure Networking Architecture Design (VNet, NSG, Firewall)

💼 Management Summary

The Azure networking architecture design implements a hub-spoke topology with Virtual Networks (VNets), Network Security Groups (NSGs), Azure Firewall, DDoS Protection and private endpoints, giving a segmented, secure and scalable network infrastructure that follows Zero Trust network principles.

Recommendation: IMPLEMENT AZURE NETWORKING
Risk without: Critical
Risk Score: 9/10
Implementation: 120h (tech: 80h)
Applies to: Azure

The network architecture is the foundation for: segmentation (isolate workloads, so a compromised VM cannot reach everything), traffic inspection (Azure Firewall filters all traffic), private connectivity (no public endpoints; private endpoints instead), DDoS protection (mitigate volumetric attacks) and the hub-spoke topology (centralized security: firewall in the hub, workload VNets in the spokes). Without a proper network design: a flat network (no segmentation, so lateral movement is easy), public endpoints everywhere (attack surface), no traffic inspection (malware spreads laterally undetected) and exposure to DDoS.

Implementatie

Network architecture components:

  1. Hub-spoke topology: hub VNet (centralized services: Azure Firewall, VPN Gateway, Bastion), spoke VNets (workload isolation: Production, Development, DMZ), VNet peering (hub-spoke connectivity)
  2. Network Security Groups (NSGs): subnet-level firewall rules (allow RDP only from the Bastion subnet), Application Security Groups (ASGs: group VMs by role)
  3. Azure Firewall: central egress filtering (FQDN filtering, threat intelligence), forced tunneling (all internet traffic via the firewall)
  4. Private endpoints: Azure services reachable via private IPs (Storage, SQL, Key Vault; no public endpoints)
  5. DDoS Protection Standard (Layer 3/4 protection, 100 Gbps capacity)
  6. Bastion: secure RDP/SSH (no public IPs on VMs)

Prerequisites

  1. Network design document (IP address planning)
  2. Hub VNet (Azure Firewall, Bastion)
  3. Spoke VNets per workload
  4. NSG rules defined
  5. Azure Firewall rules (allow/deny)
  6. Private endpoint strategy
  7. DDoS Protection Standard (if public IPs are used)
  8. Connectivity to on-premises (VPN/ExpressRoute if hybrid)

Implementation

  1. Design the IP address space
  2. Create the hub VNet
  3. Deploy Azure Firewall
  4. Create the spoke VNets
  5. Configure VNet peering
  6. Deploy NSGs
  7. Set up private endpoints
  8. Deploy Bastion
  9. Enable DDoS Protection
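The following added example (not the baseline's own azure-networking.ps1 and not the project's code) walks through the components and implementation steps above in one Az PowerShell deployment: a DDoS plan, a hub VNet with Azure Firewall and Bastion, a spoke whose subnets all carry an NSG and a forced-tunneling route table, peering in both directions, and a private endpoint for a storage account. The resource group rg-network-hub, the region westeurope, all resource names, the address ranges and the existing storage account stprod001 in rg-prod are assumptions; take the real values from your network design document.

```powershell
# Added example, not the baseline's azure-networking.ps1: minimal hub-spoke deployment
# with the controls from the design. Resource group, location, names, address ranges
# and the storage account are assumptions; use the values from your own IP plan.
#Requires -Modules Az.Accounts, Az.Network, Az.Storage

$rg       = 'rg-network-hub'   # assumed resource group
$location = 'westeurope'       # assumed region

# 1. DDoS Protection Standard plan, attached to the hub VNet (the VNet that holds the public IPs)
$ddos = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name 'ddos-hub' -Location $location

# 2. Hub VNet with the fixed subnet names that Azure Firewall, Bastion and the gateway require
$hubSubnets = @(
    (New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.0.0/26'),
    (New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet'  -AddressPrefix '10.0.1.0/26'),
    (New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet'       -AddressPrefix '10.0.2.0/27')
)
$hub = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $hubSubnets `
    -EnableDdosProtection -DdosProtectionPlanId $ddos.Id

# 3. Azure Firewall in the hub; its private IP becomes the next hop for every spoke
$fwPip = New-AzPublicIpAddress -Name 'pip-fw-hub' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name 'fw-hub' -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $hub -PublicIpAddress $fwPip
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 4. Bastion in the hub: the only path for RDP/SSH, so workload VMs need no public IP
$basPip = New-AzPublicIpAddress -Name 'pip-bas-hub' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
New-AzBastion -ResourceGroupName $rg -Name 'bas-hub' -PublicIpAddress $basPip -VirtualNetwork $hub | Out-Null

# 5. Spoke NSG: management ports only from the Bastion subnet, explicitly denied from the internet
$allowBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-Bastion-RDP-SSH' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix '10.0.1.0/26' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389', '22'
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-RDP-SSH' -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389', '22'
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-spoke-prod' -ResourceGroupName $rg -Location $location `
    -SecurityRules $allowBastion, $denyInternet

# 6. Forced tunneling: the spoke's default route points at the firewall
$viaFirewall = New-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'rt-spoke-prod' -ResourceGroupName $rg -Location $location -Route $viaFirewall

# 7. Production spoke: every subnet carries the NSG and the route table
$spokeSubnets = @(
    (New-AzVirtualNetworkSubnetConfig -Name 'snet-app' -AddressPrefix '10.1.0.0/24' `
        -NetworkSecurityGroup $nsg -RouteTable $rt),
    (New-AzVirtualNetworkSubnetConfig -Name 'snet-pe'  -AddressPrefix '10.1.1.0/24' `
        -NetworkSecurityGroup $nsg -RouteTable $rt)
)
$spoke = New-AzVirtualNetwork -Name 'vnet-spoke-prod' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $spokeSubnets

# 8. Peering in both directions; the hub offers gateway transit for later hybrid connectivity
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke-prod' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id -AllowForwardedTraffic -AllowGatewayTransit | Out-Null
Add-AzVirtualNetworkPeering -Name 'spoke-prod-to-hub' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic | Out-Null

# 9. Private endpoint for an existing storage account (assumed name) in the spoke's PE subnet,
#    then close the public endpoint; pair this with a privatelink.blob.core.windows.net DNS zone
$sa = Get-AzStorageAccount -ResourceGroupName 'rg-prod' -Name 'stprod001'   # assumed existing account
$peConn = New-AzPrivateLinkServiceConnection -Name 'plsc-stprod-blob' -PrivateLinkServiceId $sa.Id -GroupId 'blob'
$peSubnet = $spoke.Subnets | Where-Object Name -eq 'snet-pe'
New-AzPrivateEndpoint -Name 'pe-stprod-blob' -ResourceGroupName $rg -Location $location `
    -Subnet $peSubnet -PrivateLinkServiceConnection $peConn | Out-Null
Set-AzStorageAccount -ResourceGroupName 'rg-prod' -Name 'stprod001' -PublicNetworkAccess Disabled | Out-Null
```

Step 3 creates an Azure Firewall and step 4 a Bastion host, the two recurring cost items named in the summary; run the script once per hub, and repeat steps 5 to 8 per spoke. Keep the Bastion subnet prefix in the NSG source rule in sync with the hub address plan, because that single rule is what makes RDP/SSH unreachable from anywhere else.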

Compliance and Auditing

The network architecture satisfies: BIO 13.01 (network security controls; segmentation mandatory), ISO 27001 A.13.1.1 (network controls), CIS Azure Benchmark 6.x (Networking), NIS2 Article 21 (network segmentation).

Monitoring

Use the PowerShell script azure-networking.ps1 (function Invoke-Monitoring) to check compliance.

Remediation

Use the PowerShell script azure-networking.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Azure Networking Design
.DESCRIPTION
    Implementation for Azure Networking Design
.NOTES
    Filename: azure-networking.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/platform/azure-networking.json
#>
#Requires -Version 5.1
#Requires -Modules Az.Accounts, Az.Network

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "Azure Networking Design"
$BIOControl = "13.01"
# Subnets that cannot (AzureFirewallSubnet) or should not (GatewaySubnet) carry an NSG
$ExemptSubnets = @('AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'GatewaySubnet')

function Connect-RequiredServices {
    # Connection logic based on API: reuse the current Az context, sign in only when there is none
    if (-not (Get-AzContext)) {
        Connect-AzAccount | Out-Null
    }
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "azure-networking"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }

    # Compliance check implementation (based on: Design Document, BIO $BIOControl):
    # every workload subnet must have a Network Security Group attached
    foreach ($vnet in Get-AzVirtualNetwork) {
        foreach ($subnet in $vnet.Subnets) {
            if ($ExemptSubnets -contains $subnet.Name) { continue }
            $result.TotalResources++
            if ($subnet.NetworkSecurityGroup) {
                $result.CompliantCount++
            }
            else {
                $result.NonCompliantCount++
                $result.Details += "Subnet $($vnet.Name)/$($subnet.Name) has no NSG attached"
            }
        }
    }

    if ($result.NonCompliantCount -gt 0) {
        $result.Recommendations += "Attach an NSG to every workload subnet (run with -Remediation to attach a baseline NSG)"
    }
    $result.IsCompliant = ($result.NonCompliantCount -eq 0)
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan

    # Remediation implementation: attach a baseline NSG (default rules only, so inbound traffic
    # from the internet is denied) to every workload subnet without one; push each VNet once
    foreach ($vnet in Get-AzVirtualNetwork) {
        $changed = $false
        foreach ($subnet in $vnet.Subnets) {
            if ($ExemptSubnets -contains $subnet.Name -or $subnet.NetworkSecurityGroup) { continue }
            $nsgName = "nsg-$($vnet.Name)-$($subnet.Name)"
            $nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $vnet.ResourceGroupName -ErrorAction SilentlyContinue
            if (-not $nsg) {
                $nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $vnet.ResourceGroupName -Location $vnet.Location
            }
            # Modify the subnet object in place so other subnet settings (route table, delegations) are kept
            $subnet.NetworkSecurityGroup = $nsg
            $changed = $true
            Write-Host "  Attached $nsgName to $($vnet.Name)/$($subnet.Name)" -ForegroundColor Green
        }
        if ($changed) { $vnet | Set-AzVirtualNetwork | Out-Null }
    }

    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    foreach ($line in $result.Details) { Write-Host "  $line" -ForegroundColor $color }
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}

Risk without implementation

Critical: a flat network means no segmentation (lateral movement is easy), public PaaS endpoints (internet attack surface), no traffic inspection (malware spreads undetected) and open management ports (RDP/SSH brute force). Compliance: BIO 13.01, CIS 6.x, Zero Trust. The risk is CRITICAL: this is the network foundation.
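The four exposures in the risk paragraph can be audited read-only with the Az modules. The script below is an added example (not the baseline's azure-networking.ps1 and not the project's code): it reports custom NSG rules that allow RDP/SSH inbound from the internet, VM NICs that carry a public IP, and storage accounts and SQL servers whose public network access is still enabled, the three symptoms of a missing Bastion, NSG and private endpoint strategy. The function name Get-NetworkExposure and the finding layout are this example's own choices; the subscription it inspects is whatever the current Az context points at.

```powershell
# Added example, not part of the baseline script: read-only exposure audit for the
# risks named above. Get-NetworkExposure and the finding layout are assumptions.
#Requires -Modules Az.Accounts, Az.Network, Az.Storage, Az.Sql

$MgmtPorts  = @('3389', '22')
$AnySource  = @('*', 'Internet', '0.0.0.0/0')

function Test-PortInRange {
    # True when one of the rule's destination port ranges covers $Port ('*', exact, or 'a-b')
    param([string[]]$Ranges, [string]$Port)
    foreach ($r in $Ranges) {
        if ($r -eq '*' -or $r -eq $Port) { return $true }
        if ($r -match '^(\d+)-(\d+)$' -and [int]$Port -ge [int]$Matches[1] -and [int]$Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

function New-Finding {
    param([string]$Type, [string]$Resource, [string]$Detail)
    [PSCustomObject]@{ Type = $Type; Resource = $Resource; Detail = $Detail }
}

function Get-NetworkExposure {
    $findings = @()

    # 1. Open management ports: custom inbound Allow rules reachable from any internet source
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            $fromAnywhere = $rule.SourceAddressPrefix | Where-Object { $AnySource -contains $_ }
            if (-not $fromAnywhere) { continue }
            foreach ($port in $MgmtPorts) {
                if (Test-PortInRange -Ranges $rule.DestinationPortRange -Port $port) {
                    $findings += New-Finding 'OpenMgmtPort' "$($nsg.Name)/$($rule.Name)" `
                        "allows TCP $port from $($rule.SourceAddressPrefix -join ',')"
                }
            }
        }
    }

    # 2. Public IPs on VM NICs: the design expects Bastion, not directly reachable VMs
    foreach ($nic in Get-AzNetworkInterface) {
        foreach ($ipc in $nic.IpConfigurations) {
            if ($ipc.PublicIpAddress) {
                $findings += New-Finding 'PublicIpOnNic' $nic.Name $ipc.PublicIpAddress.Id
            }
        }
    }

    # 3. PaaS still reachable over its public endpoint (private endpoint strategy not applied)
    foreach ($sa in Get-AzStorageAccount) {
        if ($sa.PublicNetworkAccess -ne 'Disabled') {
            $findings += New-Finding 'PublicPaaSEndpoint' $sa.StorageAccountName 'storage PublicNetworkAccess not Disabled'
        }
    }
    foreach ($sql in Get-AzSqlServer) {
        if ($sql.PublicNetworkAccess -ne 'Disabled') {
            $findings += New-Finding 'PublicPaaSEndpoint' $sql.ServerName 'SQL PublicNetworkAccess not Disabled'
        }
    }

    return $findings
}

# Usage: list every finding; a non-empty result means the network foundation is incomplete
Get-NetworkExposure | Sort-Object Type, Resource | Format-Table -AutoSize
```

The audit looks only at custom NSG rules: the built-in DefaultSecurityRules already deny inbound traffic from the internet, so exposure comes from rules someone added. Storage accounts can additionally be narrowed with network rules while PublicNetworkAccess stays Enabled; treat such a finding as a prompt to check the firewall rules rather than as a confirmed exposure.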

Management Summary

Azure networking architecture: hub-spoke topology (centralized security), Azure Firewall (egress filtering + threat intelligence), NSGs on ALL subnets (micro-segmentation), private endpoints for PaaS (VNet-only SQL/Storage/Key Vault), Azure Bastion (secure RDP/SSH), DDoS Protection Standard (internet-facing), VPN Gateway/ExpressRoute (hybrid connectivity). Activation: network design → VNet deployment → security controls. Cost: Firewall €900+/month, Bastion €140/month. Mandatory for BIO 13.01, CIS 6.x, Zero Trust. Implementation: 80-120 hours. FOUNDATION of a secure Azure infrastructure: deploy BEFORE workloads.