Improve Azure virtual network security

It’s September again, so that means it’s time for Azure Back To School again! I want to use this opportunity to talk some more about improving your Azure networks. In one of my previous blog posts I wrote about using the private DNS resolver to make sure all queries are resolved in the right way without having a lot of Virtual Machines as DNS servers. This time I want to tell more about the virtual networks themselves. Recently Microsoft has introduced some new features which can help you to get a more Zero Trust setup in your Azure networks. So let’s dive into these new features.

Default outbound access

When I started working with Azure this always confused me. If you create a Virtual Machine in a vnet without any other setup, it does have internet access. I always thought this was weird, as you didn’t have to specify anything special and it would just work. This is due to the default outbound access rule in Azure. When you create a VM, a public IP address is assigned to it which is hosted by Microsoft. This IP address will provide you with internet access. You don’t have control over this IP address and it can change, which makes it hard for us to control and monitor. So Microsoft decided that on September 30th 2025 the default outbound access will be removed! This means that starting on that date VMs won’t be able to connect to the internet directly anymore.

To prepare for this, Microsoft introduced what they call a private subnet. You can enable this to simulate how the subnet will behave after the change on September 30th 2025.

You might have spotted this option already when managing subnets in Azure. The problem at the moment is that you can only select this option when creating a new virtual network. It’s not possible to change this after the fact. My personal recommendation would be to always use this setting from now on, to prepare for when the default is changed.

If you still need your machines to have outbound access, you can do this via a NAT gateway. This allows you to have a single public IP address which you control to provide outbound access. I do need to add a note here: if you want to fully monitor your network using tools like Traffic Analytics, then it might not be the best option. You will still see the traffic to a public IP address if you enable flow logs on a Network Security Group which is attached to the subnet, but you won’t be able to see anything more. If you want to have more information, you could consider using a Load Balancer for outbound connections. This will allow you to get more diagnostic data in your Traffic Analytics. But it will be a more costly approach and will require more configuration, so if you want to go for the least administrative effort, the NAT gateway is the way to go.
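
To find the subnets that are neither private nor behind a NAT gateway, you can check an export of your virtual networks. The script below is an added example, not part of the original post; it assumes input shaped like the output of `az network vnet list -o json`, with the subnet fields defaultOutboundAccess and natGateway, and runs here on constructed sample data.

```python
import json

# Constructed sample in the shape of `az network vnet list -o json` (not real data).
NG = "/subscriptions/00000000/resourceGroups/rg-net/providers/Microsoft.Network/natGateways/ng-example"
SAMPLE = json.dumps([{
    "name": "vnet-example", "resourceGroup": "rg-net", "subnets": [
        {"name": "snet-private", "defaultOutboundAccess": False},
        {"name": "snet-private-nat", "defaultOutboundAccess": False, "natGateway": {"id": NG}},
        {"name": "snet-nat", "natGateway": {"id": NG}},
        {"name": "snet-legacy"},  # property absent: platform default applies
        {"name": "snet-explicit", "defaultOutboundAccess": True, "natGateway": None},
    ]}])

def classify_subnet(subnet):
    """Classify outbound behaviour from the two subnet properties discussed above."""
    # Only an explicit false marks a private subnet; missing or null means default.
    private = subnet.get("defaultOutboundAccess") is False
    has_nat = bool((subnet.get("natGateway") or {}).get("id"))
    if has_nat:
        return "nat-gateway"
    # A private subnet may still reach out via a load balancer or firewall route,
    # which this check does not inspect.
    return "private" if private else "default-outbound"

def audit(vnets):
    """Return (resource group, vnet, subnet, status) for every subnet."""
    return [(v.get("resourceGroup"), v["name"], s["name"], classify_subnet(s))
            for v in vnets for s in (v.get("subnets") or [])]

def needs_attention(rows):
    """Subnets that are neither private nor behind a NAT gateway."""
    return [r for r in rows if r[3] == "default-outbound"]

if __name__ == "__main__":
    rows = audit(json.loads(SAMPLE))
    for rg, vnet, subnet, status in rows:
        print(f"{rg}/{vnet}/{subnet}: {status}")
    print(f"{len(needs_attention(rows))} subnet(s) are neither private nor behind a NAT gateway")
```

Replace SAMPLE with the saved output of `az network vnet list -o json` to run the same check against your own subscription.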

Virtual network encryption

You should always try to use protocols which are encrypted when transferring data between resources. But to get an extra layer of security Microsoft offers a new feature now. You can use virtual network encryption to have traffic encrypted at the Network Interface Card (NIC) in Azure. This means that once it goes onto the network it will be encrypted and be decrypted when arriving at the destination.

When you look at the virtual network properties you can see the property “Encryption”; if it shows as enabled, the feature is turned on for that network. You can click it to change the settings. Do note that all virtual machines connected to the network need to be restarted for it to take effect!

At the moment there are quite a few limitations to this technique, as it’s only supported on some virtual machine families, and when using PaaS resources it’s dependent on the underlying VM family for support. Also, when virtual network encryption is enabled you can’t use the Azure DNS Private Resolver.

DDoS Protection for public IPs

The last feature of Azure Virtual Networks I want to share is DDoS protection. A while back Microsoft released the option to have DDoS protection at the public IP level. This makes the protection more accessible for smaller setups. When you wanted to enable DDoS protection on a virtual network it would incur a high cost. But the IP option is cheaper if you only want to protect a single public IP address. For smaller companies or places which only host a few applications in Azure this could be a good solution to protect their network more.

You can easily enable this option in the Azure portal by going to the overview of your public IP address.

Hopefully these tips and tricks will help you to make your Azure Virtual Networks just a little bit more secure again. Later this month I will be back in the Azure Back To School with another blog post. Don’t forget to check out all the other content created by the community, and consider contributing yourself!