When it comes to network defense, demilitarized zone (DMZ) is thought of first. What is so-called demilitarized zone? Is it a very sensitive military zone you should not step into?
In the field of security, DMZ is a separate zone which is not associated to a private or trusted network. It simply stands alone to isolate from your private network to untrusted network. It is difficult to measure the level of trust. Untrusted network is the one which you have very low trust. Where? The answer is Internet. Why? You do not know exactly who has access to your system because when exposing to the Internet (e.g. internet-facing website), the access is considered anonymously. Internet is not the only untrusted network. DMZ can be used in the case you do not want to expose your private network to any other network.
If you want to learn advanced Azure IaaS Defense in Depth with lot of hands-on labs to practice, go pre-order my upcoming book here
Let’s bring an example in which your web front-end server needs to call to an API to query up-to-date stock data from an internet-facing website. Without defense in depth in mind, the design is straightforward. The web front-end server can directly talk to the Internet to query data and web visitor can send a request directly to the web front-end server.
You are not wrong with this design. However, this design has a security breach. An attacker from the Internet has chances to attack to your web front-end server. If he successfully gets in, the other servers would be potentially compromised by his local attack inside the same private network.
When we consider defense in depth, we should not allow private network to directly communicate with the Internet although the web front-end server needs to have Internet-bound traffic to the stock API. A practical approach is to prepare an external network which separates from the private network. In the external network, we place another server whose capability to forward HTTP request or synchronize data to the web front-end server. With this design below, the web front-end server is no longer responsible for querying stock data. Instead, the Internet-facing server is.
Why do we think this design a DMZ practice? Private network should only be private by its name, as always. When considering private, only authorized and monitored access are allowed. If you let your web front-end server go to the Internet, how do you control anonymous access to the server? The internet-facing server in the DMZ design is an extra layer to communicate with the stock API.
The internet-facing server in the above design is often a firewall facing with the Internet. In fundamental security courses, you are taught that DMZ is a network segment between two firewalls. One faces with the Internet and another one faces with the private network.
Can Azure Virtual Network provide the ability to build a DMZ architecture? It can absolutely. Purchase my upcoming book to get access to full hands-on lab on building a DMZ on Microsoft Azure with the sample of SharePoint farm deployment.