Azure network security

Before talking about identity and authentication in the cloud, it's important to talk about Azure network security (the main topic of this chapter). When you implement a cloud infrastructure, security is not only about managing identity and information, but also about how your network in the cloud is designed.

This is out of the scope of this book, but I think it's useful to remind you of some of the best practices that Microsoft recommends when you plan to design a network of resources on Azure:

  • Logically segment subnets on your Azure virtual networks and use network security groups and Availability Sets.
  • Control the routing behavior. By default, a virtual machine on an Azure virtual network can connect to other resources in the same network and have outbound communications with the internet. This is a default, but you can change this behavior if needed.
  • Enable forced tunneling on your virtual machines when you have cross-premises connectivity between your Azure virtual network and your on-premises network.
  • Use virtual network appliances if you need an extra level of security such as firewalls, intrusion detection/prevention, web filtering, and antivirus.
  • Use DMZs for segmenting your network and improving security when needed.
  • Avoid exposure to the internet by using dedicated WAN links; for cross-premises connections, it's recommended to use Azure ExpressRoute.
  • Optimize uptime and performance by using load balancing.
  • Use global load balancing (Azure Traffic Manager) when you have globally distributed applications. This guarantees that your application will be available even if an entire data center becomes unavailable (very remote probability but…).
  • Disable direct RDP and SSH access to Azure Virtual Machines from the internet. For remote VM management, it's recommended to use point-to-site or site-to-site VPN or ExpressRoute (for WANs).
  • Enable Azure Security Center for all your Azure deployments.

For more information, see Microsoft's always-updated recommendations on Azure network security: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices.