AWS offers security groups for virtual machines and subnets. These security groups follow rules that allow or deny access for certain IPs and ports. Similarly, Azure provides Azure Endpoints with Manage ACL (Access Control List). These endpoints allow or deny access to VMs from chosen IP addresses on certain ports.
For a VM, this image shows the endpoint collection.
If you click Manage ACL, it gives you an IP list.
Here we can assign a description name, an action (permit or deny) and an IP range.
Network security group for Azure Virtual Network:
Azure Virtual Network is similar to Amazon VPC. It provides subnet isolation from the network. You can use private IP addresses, subnets and access control policies. You can think of a virtual network as a private cloud.
Azure also offers the Network Security Group (NSG). Applying ACLs to a virtual machine's public endpoint controls the traffic to a certain port of a particular virtual machine, whereas a Network Security Group lets you control all inbound and outbound traffic of a virtual machine or subnet.
For Azure NSG operations, you will have to use PowerShell. Azure secures the infrastructure by assigning a Network Security Group to:
- VM: This controls traffic to the VM directly, as per the rules.
- Subnet: This controls traffic to the VMs residing in the subnet directly.
- VM and Subnet: This provides double protection. We can assign one NSG to the subnet and another NSG to a VM residing in it, so the traffic is controlled twice.
Note: Azure NSG rules and ACL rules are applied according to their priority.
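An added example (not from the original article) that models how rule priority and the double VM-plus-subnet assignment described above combine for inbound traffic. The rule names, the addresses and the single implicit deny standing in for Azure's default rules are constructed assumptions; in Azure NSGs the lowest priority number is evaluated first and the first matching rule decides.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    action: str     # "Allow" or "Deny"
    source: str     # CIDR prefix, or "*" for any source
    port: str       # "22", "80-443", or "*" for any port

def _matches(rule, src_ip, dst_port):
    if rule.source != "*" and \
            ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if rule.port == "*":
        return True
    low, _, high = rule.port.partition("-")
    return int(low) <= dst_port <= int(high or low)

def evaluate(nsg, src_ip, dst_port):
    """Return (action, rule name) of the first matching rule in priority order."""
    for rule in sorted(nsg, key=lambda r: r.priority):
        if _matches(rule, src_ip, dst_port):
            return rule.action, rule.name
    return "Deny", "implicit-deny"  # simplification of Azure's default rules

def inbound_allowed(subnet_nsg, vm_nsg, src_ip, dst_port):
    """Inbound traffic must pass the subnet NSG first, then the VM NSG."""
    trace = [("subnet",) + evaluate(subnet_nsg, src_ip, dst_port)]
    if trace[0][1] == "Allow":
        trace.append(("vm",) + evaluate(vm_nsg, src_ip, dst_port))
    return trace[-1][1] == "Allow", trace

# Constructed sample rule sets (documentation address ranges).
SUBNET_NSG = [
    Rule("allow-web", 100, "Allow", "*", "80-443"),
    Rule("allow-admin-ssh", 200, "Allow", "203.0.113.0/24", "22"),
    Rule("deny-all", 4000, "Deny", "*", "*"),
]
VM_NSG = [
    Rule("deny-jump-host", 100, "Deny", "203.0.113.50/32", "22"),
    Rule("allow-ssh", 110, "Allow", "203.0.113.0/24", "22"),
]

if __name__ == "__main__":
    for src, port in [("203.0.113.10", 22), ("203.0.113.50", 22), ("198.51.100.7", 443)]:
        print(src, port, inbound_allowed(SUBNET_NSG, VM_NSG, src, port))
```

The third flow is allowed by the subnet NSG but blocked at the VM because the VM's NSG has no matching allow rule, which is the kind of mismatch to look for when reviewing a double assignment.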
Identity and Access management:
Azure provides Azure Active Directory, which offers tenant management on the same subscription.
Azure Active Directory: For Azure Active Directory (AAD), access management is decided by the global administrator. The global admin can grant user, global, billing, service and password admin privileges. This is very useful for restricting and limiting access. For security purposes, the global admin, service admin or password admin can create, grant or block access for tenant users.
Azure RMS: Azure Rights Management Service is another useful feature that works across multiple devices: PCs, tablets and phones. To secure information such as files and emails, it uses encryption, identity and authorization policies. Information can be protected both within your organization and outside it, because the protection remains with the data even when it leaves your organization's boundaries. With this feature, you can easily manage access to important sensitive files such as reports.
On the security and compliance side, it is also certified under ISO/IEC 27001:2013, SOC 2 SSAE 16/ISAE 3402 attestations and HIPAA BAA, among others.