The principles are the same as AWS: filter network traffic, prefer private endpoints over public, encrypt by default, monitor continuously. The vocabulary changes: NSG instead of security group, private endpoint instead of VPC endpoint, SAS token instead of presigned URL. Knowing the translations is what makes someone genuinely multi-cloud, not just AWS-with-a-Microsoft-accent.
Virtual Networks & NSGs
An Azure Virtual Network (VNet) is the same idea as an AWS VPC: an isolated network space carved out for your resources. Subnets divide it. Routes direct traffic. NSGs filter it.
A Network Security Group (NSG) is the per-resource (or per-subnet) firewall. It contains a list of inbound and outbound security rules with a priority, source/destination, port, protocol, and Allow/Deny action. Rules evaluate in priority order; lowest number wins; default rules at priority 65000+ handle the "everything else" case.
- Default-deny inbound from the internet. Out of the box, NSGs allow VNet-internal traffic but deny inbound from the public internet (other than load balancers).
- Service tags. Symbolic names for Microsoft service IP ranges — Storage, AzureKeyVault, SQL, AzureCloud.westus. Use them in NSG rules so you don't have to maintain IP lists.
- Application Security Groups (ASGs). Symbolic names for groups of VMs — "webservers," "dbservers." Reference ASGs in NSG rules so a new VM added to dbservers automatically picks up the firewall posture.
- Azure Firewall is the upper-tier offering: a managed L3-L7 firewall service with FQDN filtering, IDPS, TLS inspection. NSGs handle the basic case; Azure Firewall handles enterprise-grade egress control.
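To make the evaluation order concrete, here is a small simulator of how an NSG picks the winning inbound rule (added example, not code from the original article). The VNet CIDR, ASG membership, rule names and the simplified "Internet" tag are constructed for illustration; the logic mirrors the description above: ascending priority, first match wins, Azure's own default rules at 65000+ catch everything else.

```python
import ipaddress

# Constructed stand-ins for the VirtualNetwork tag and two ASGs (not real Azure data).
VNET_CIDRS = ["10.0.0.0/16"]
ASG_MEMBERS = {"webservers": {"10.0.1.10"}, "dbservers": {"10.0.2.20", "10.0.2.21"}}

def _match_addr(ip, selector):
    """Match an IP against '*', a service tag, an ASG name, or a CIDR."""
    addr = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return any(addr in ipaddress.ip_network(c) for c in VNET_CIDRS)
    if selector == "Internet":            # simplified: anything outside the VNet
        return not _match_addr(ip, "VirtualNetwork")
    if selector in ASG_MEMBERS:
        return ip in ASG_MEMBERS[selector]
    return addr in ipaddress.ip_network(selector)

def _match_port(port, selector):
    """Match a port against '*', a single port, or a 'lo-hi' range."""
    if selector == "*":
        return True
    lo, _, hi = selector.partition("-")
    return int(lo) <= port <= int(hi or lo)

# (priority, name, source, destination, destination port, protocol, action)
INBOUND_RULES = [
    (100, "allow-https-from-internet", "Internet", "webservers", "443", "Tcp", "Allow"),
    (200, "allow-web-to-sql", "webservers", "dbservers", "1433", "Tcp", "Allow"),
    (300, "deny-vnet-to-db", "VirtualNetwork", "dbservers", "*", "*", "Deny"),
    # Azure's default rules sit at 65000+: VNet-internal allowed, then deny all.
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]

def evaluate_inbound(src_ip, dst_ip, dst_port, protocol, rules=INBOUND_RULES):
    """First matching rule in ascending priority decides; returns (action, rule name)."""
    for _prio, name, src, dst, port, proto, action in sorted(rules):
        if proto != "*" and proto != protocol:
            continue
        if _match_addr(src_ip, src) and _match_addr(dst_ip, dst) and _match_port(dst_port, port):
            return action, name
    raise LookupError("no rule matched: the 65000+ default rules are missing")
```

Note how rule 300 denies SSH from a web server to a database server even though rule 65000 would allow VNet-internal traffic: the lower number wins and the default rule is never reached.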
Private Endpoints — PaaS without the public
Most Azure PaaS services (Storage, SQL Database, Cosmos DB, Key Vault) have public endpoints by default — mystorage.blob.core.windows.net, reachable from anywhere. Private Endpoints let you instead expose the service on a private IP inside your VNet, with the public endpoint disabled.
Service Endpoint — old way
Extends the service's identity into the VNet's route table. Traffic still leaves the VNet to reach the service's public IP, but Azure verifies it came from a permitted VNet. Easier to set up; doesn't give you a private IP.
Adequate for many workloads but doesn't satisfy "no public endpoints" requirements common in regulated industries.
Private Endpoint — current way
The PaaS service gets a real network interface in your VNet with a private IP. Traffic never traverses the public internet, and the public endpoint can be disabled entirely on the service.
Combined with DNS configuration so mystorage.blob.core.windows.net resolves to the private IP for clients inside the VNet, the legacy public endpoint can be completely removed from the picture.
Storage Accounts & SAS tokens
An Azure Storage Account is a top-level container for Blob, File, Queue, and Table storage. The account-level controls matter most:
- Public network access: Disabled, Enabled from selected networks, or Enabled from all networks. New storage accounts default to "Disabled" since 2023 — verify older accounts.
- Allow Blob anonymous access: Disabled by default since November 2023. Even if a container's policy allows anonymous read, the account-level switch overrides it.
- Minimum TLS version: Set to TLS 1.2 or higher; deprecate older clients explicitly.
- Shared Key authorization: The classic per-account access key. Microsoft now recommends disabling shared key access and using Entra-based authentication instead, especially for management plane operations.
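The four account-level switches above are exactly what a posture check should read off the resource. The audit below is an added example, not code from the article or from Microsoft: it walks a storage account's properties and reports every switch that is not in its deny-by-default state. The property names are assumed to follow the Microsoft.Storage ARM schema (publicNetworkAccess, networkAcls.defaultAction, allowBlobPublicAccess, minimumTlsVersion, allowSharedKeyAccess); the sample account is constructed.

```python
import json

# Constructed sample in the shape of a Microsoft.Storage/storageAccounts resource.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "legacystorage01",
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []},
    "allowBlobPublicAccess": true,
    "minimumTlsVersion": "TLS1_0",
    "allowSharedKeyAccess": true
  }
}
""")

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}

def audit_storage_account(account):
    """Return [(setting, severity, message)] for every switch not in its deny-by-default state.

    Missing keys are read as the permissive legacy default, so an older account that
    never had the switch set explicitly is flagged rather than silently passed.
    """
    p = account["properties"]
    findings = []
    access = p.get("publicNetworkAccess", "Enabled")
    default_action = p.get("networkAcls", {}).get("defaultAction", "Allow")
    if access == "Enabled" and default_action == "Allow":
        findings.append(("publicNetworkAccess", "high", "enabled from all networks"))
    elif access == "Enabled":
        findings.append(("publicNetworkAccess", "info", "enabled from selected networks; review the allow list"))
    if p.get("allowBlobPublicAccess", True):
        findings.append(("allowBlobPublicAccess", "high", "anonymous blob access allowed at account level"))
    tls = p.get("minimumTlsVersion", "TLS1_0")
    if TLS_RANK.get(tls, 0) < TLS_RANK["TLS1_2"]:
        findings.append(("minimumTlsVersion", "medium", f"{tls} still accepts deprecated clients"))
    if p.get("allowSharedKeyAccess", True):
        findings.append(("allowSharedKeyAccess", "medium", "shared key authorization enabled; prefer Entra"))
    return findings
```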
For granting time-limited or scope-limited access to storage without sharing the account key, Azure uses Shared Access Signatures (SAS):
- User delegation SAS. Signed with Entra credentials, scoped to a user or service principal. Auditable, revocable via the Entra identity. Preferred.
- Service SAS. Signed with the storage account key. Hard to track; revocation requires rotating the account key.
- Account SAS. Signed with the storage account key, broad scope across services. Avoid in modern designs.
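The three SAS kinds are distinguishable from the token's own query parameters, which is useful when one turns up in a log line, a config file or a ticket. The classifier below is an added example, not code from the article or the Azure SDK: it identifies the kind from the documented SAS fields (skoid and the other sk* fields mark a user delegation SAS; ss/srt mark an account SAS; sr alone marks a service SAS) and flags the risk points the list above names. The sample URLs are constructed, the signatures are fake, and the 7-day lifetime threshold is a choice made for this example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs; signatures are fake and the GUIDs are placeholders.
SAMPLE_URLS = {
    "delegated": "https://mystorage.blob.core.windows.net/reports/q1.pdf?sv=2022-11-02&sr=b&sp=r"
                 "&se=2024-06-01T12:00:00Z&skoid=00000000-0000-0000-0000-000000000000"
                 "&sktid=00000000-0000-0000-0000-000000000000&skt=2024-06-01T10:00:00Z"
                 "&ske=2024-06-02T10:00:00Z&sks=b&skv=2022-11-02&sig=FAKE",
    "service": "https://mystorage.blob.core.windows.net/reports?sv=2022-11-02&sr=c&sp=rwdl"
               "&se=2030-01-01T00:00:00Z&sig=FAKE",
    "account": "https://mystorage.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco"
               "&sp=rwdlacup&se=2030-01-01T00:00:00Z&sig=FAKE",
}

def _parse_time(value):
    """SAS times are ISO 8601 UTC, with or without seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")

def classify_sas(url, now_iso=None):
    """Return (kind, findings) for a URL that carries a SAS query string."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return "none", []
    if "skoid" in q:                       # user delegation key fields are present
        kind = "user-delegation"
    elif "ss" in q or "srt" in q:          # signed services / signed resource types
        kind = "account"
    else:
        kind = "service"
    findings = []
    if kind != "user-delegation":
        findings.append("signed with the account key; revoking it means rotating the key")
    if set(q.get("sp", "")) & set("acwd"):  # add, create, write, delete
        findings.append(f"mutating permissions: sp={q['sp']}")
    if q.get("sr") == "c" or "srt" in q:
        findings.append("scope is a whole container or the account, not one blob")
    if "se" not in q:
        findings.append("no expiry on the token; check the stored access policy (si)")
    else:
        now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
        if _parse_time(q["se"]) - now > timedelta(days=7):
            findings.append(f"expiry {q['se']} is more than 7 days out")
    return kind, findings
```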
Defender for Cloud — the observability layer
Microsoft Defender for Cloud is the security posture management and threat detection plane for Azure (and, increasingly, AWS and GCP). Two parts worth knowing:
- Cloud Security Posture Management (CSPM). Continuously evaluates your resources against benchmarks (Microsoft Cloud Security Benchmark, CIS, PCI, NIST). Produces a "Secure Score" and prioritized recommendations. The free tier covers the basics; Defender CSPM (paid) adds attack path analysis — "this misconfiguration plus this exposure equals reachable from the internet."
- Workload Protection (CWPP). Per-workload threat detection: Defender for Servers (EDR for VMs), Defender for Storage (anomalous access detection), Defender for Containers, Defender for App Service, Defender for SQL. Each is priced separately; turn them on for sensitive workloads.
Defender alerts feed into Microsoft Sentinel (the SIEM), which correlates with on-prem signals via a single XDR pane. The integration story is the main reason Microsoft-centric organizations consolidate on Defender + Sentinel rather than mixing best-of-breed tools.
Azure network and storage security is the same set of patterns as AWS, expressed in different vocabulary. The recurring discipline: turn on the account-level deny-by-default switches (storage account public access, anonymous blob access, account key auth), prefer private endpoints to public for PaaS services, prefer user delegation SAS to account-key SAS, and turn on Defender for Cloud so misconfigurations surface before an attacker finds them.
If you can articulate "the Azure equivalent of S3 Block Public Access is storage account public network access disabled plus allowBlobPublicAccess disabled," you can carry the same hardening discipline across providers.