In today’s rapidly evolving digital landscape, it has become crucial for businesses to prioritize the security of their cloud environments. With increasing cyber threats, organizations seek robust security solutions to protect their valuable data and applications. In this blog post, we will explore the concepts of the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) in Azure and understand how they can fortify the security of your cloud infrastructure.

An Intrusion Detection System (IDS) is vital to any comprehensive security strategy. IDS is a vigilant watchdog, continuously monitoring network traffic for suspicious activities and potential security breaches. It identifies and analyzes unauthorized access attempts, malware infections, and other malicious activities within the network.

Highlights: IDS IPS Azure

  • Azure IDS

Azure offers a native IDS solution called Azure Security Center. This cloud-native security service provides threat detection and response capabilities across hybrid cloud workloads. By leveraging machine learning and behavioral analytics, Azure Security Center can quickly identify potential security threats, including network-based attacks, malware infections, and data exfiltration attempts.

  • Azure Cloud

Microsoft Azure Cloud consists of functional design modules and services such as Azure Internet Edge, Virtual Networks (VNETs), ExpressRoute, Network Security Groups (NSGs) & User Defined Routing (UDR). Some resources are controlled solely by Azure; others are within the customer’s remit. The following post discusses some of those services and details a scenario design use case incorporating Barracuda Next Generation (NG) appliances and IDS IPS Azure.


For pre-information, you may find the following posts helpful:

  1. Network Security Components
  2. WAN Design Considerations
  3. Distributed Firewalls
  4. Network Overlays
  5. NFV Use Cases
  6. OpenStack Architecture



Key IDS IPS Azure Discussion Points:

  • Introduction to IDS IPS Azure and what is involved.

  • Highlighting Network and Cloud Access.

  • Critical points on the Azure Cloud Access Layer.

  • Technical details on inside Azure Cloud.

  • Technical details for the NG firewall and VNET communication.


Back to basics with an Intrusion Detection

Network Intrusion

Network intrusion detection determines when unauthorized people attempt to break into your network. Keeping those bad actors out and extracting them from the network once they’ve gotten in are two different problems. Either way, keeping intruders out of your network is only meaningful if you know when they’re breaking in, and unfortunately, it’s impossible to keep everything out all the time.

Detecting unauthorized connections is a good starting point, but it is only part of the story. For example, network intrusion detection systems are great at detecting attempts to log in to your systems or to access unprotected network shares.


Key Features of Azure IDS:

1. Network Traffic Analysis:

Azure IDS analyzes network traffic to identify patterns and anomalies that may indicate potential security breaches. It leverages machine learning algorithms to detect unusual behavior and promptly alerts administrators to take appropriate action.

2. Threat Intelligence Integration:

Azure Security Center integrates with Microsoft’s global threat intelligence network, enabling it to access real-time information about emerging threats. This integration allows Azure IDS to stay up-to-date with the latest threat intelligence, providing proactive defense against known and unknown threats.

3. Security Alerts and Recommendations:

The IDS solution in Azure generates detailed security alerts, highlighting potential vulnerabilities and offering actionable recommendations to mitigate risks. It empowers organizations to address security gaps and fortify their cloud environment proactively.


IDS IPS Azure: Network & Cloud Access

Azure Network Access Layer is the Azure Internet edge security zone, consisting of IDS/IPS for DDoS and intrusion protection. It isolates Azure’s private networks from the Internet, acting as Azure’s primary DDoS defense mechanism. Azure administrators ultimately control this zone; customers do not have access and cannot make configuration changes.

The customer can, however, implement their own IDS/IPS protection by deploying third-party virtual appliances within their private virtual network (VNET), ideally in a services sub-VNET. Those appliances can then be used in conjunction with Azure’s IDS/IPS but cannot be used as a replacement. The Azure Internet Edge is a mandatory global service offered to all customers.


Diagram: IDS IPS Azure.


Azure Cloud Access Layer is the first point of control for customers, and it gives administrators the ability to administer and manage network security on their Azure private networks. It is comparable to the edge of a corporate network that faces the Internet, i.e., Internet Edge.

The Cloud Access Layer contains several Azure “free” services, including virtual firewalls, load balancers, and network address translation (NAT) functionality. It allows administrators to map ports and restrict inbound traffic with ACLs. A VIP represents the cloud access load balancer to the outside world.

Any traffic destined for your services first hits the VIP. You can then configure which ports you want to open and which traffic sources you want to match. If you don’t require any cloud access layer services, you can bypass the layer, allowing all external traffic directly to that service. Beware that this will permit all ports from all sources.


Inside Azure cloud

Customers can create VNETs to represent subscriptions or services. For example, you can have a VNET for Production services and another VNET for Development. Within the VNET, you can further divide the subnet to create DMZ, Application tiers, Database, and Active Directory ADFS subnets. A VNET is a control boundary, and subnets configured within a VNET are usually within the VNET’s subnet boundary. Everything within a VNET can communicate automatically. However, VNET-to-VNET traffic is restricted and enabled via configuring gateways.


  • Network security groups

To segment traffic within a VNET, you can use Azure’s Network Security Groups (NSGs). They are applied to a subnet or a VM and, in some cases, both. NSGs are more capable than standard 5-tuple packet filters because their rules are stateful. For example, if an inbound rule allows traffic on a port, a matching rule on the outbound side is not required for the return packets to flow on the same port.
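The two NSG behaviours above (lowest priority number evaluated first with first match winning, and stateful handling of return traffic) are easy to get wrong when writing rules, so here is a small Python model of that evaluation. It is an added example, not Azure code or anything from the original post; the VNet address space, rule names, addresses and flows are constructed, and the default rules are a simplified copy of Azure's documented defaults (the VirtualNetwork and Internet service tags are approximated by CIDRs).

```python
"""Toy model of Azure Network Security Group (NSG) evaluation (added example).

Mimics two documented NSG behaviours: rules are tried from the lowest
priority number upwards and the first match wins, and NSGs are stateful,
so the reply packets of an allowed connection pass without a rule in the
other direction. Addresses, rule names and flows are constructed."""
from dataclasses import dataclass
import ipaddress

VNET = "10.0.0.0/16"   # constructed VNet address space, stands in for the VirtualNetwork tag

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # user rules 100-4096, lower number evaluated first
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR or "*"
    dest: str         # CIDR or "*"
    dest_port: str    # "443", "1000-2000" or "*"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def _addr_match(pattern, ip):
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def _port_match(pattern, port):
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-"))
        return lo <= port <= hi
    return int(pattern) == port

def rule_matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _addr_match(rule.source, flow.src_ip)
            and _addr_match(rule.dest, flow.dst_ip)
            and _port_match(rule.dest_port, flow.dst_port))

# Simplified copy of Azure's default rules (priority 65000 and up), always below user rules.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", VNET, VNET, "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", VNET, VNET, "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

class Nsg:
    def __init__(self, user_rules):
        self.rules = sorted(list(user_rules) + DEFAULT_RULES, key=lambda r: r.priority)
        self.flows = set()   # 5-tuples of allowed connections (the stateful part)

    def evaluate(self, flow):
        """Return (access, matched_rule). Replies to an allowed connection are
        accepted from the flow table before any rule is consulted."""
        reverse = (flow.protocol, flow.dst_ip, flow.src_ip, flow.dst_port, flow.src_port)
        if reverse in self.flows:
            return "Allow", "stateful-reply"
        for rule in self.rules:
            if rule_matches(rule, flow):
                if rule.access == "Allow":
                    self.flows.add((flow.protocol, flow.src_ip, flow.dst_ip,
                                    flow.src_port, flow.dst_port))
                return rule.access, rule.name
        return "Deny", "unreachable"   # the DenyAll defaults always match first

def demo():
    """Constructed web-tier NSG: HTTPS in, no RDP, VNet out only (egress locked down)."""
    web = Nsg([
        Rule("AllowHttpsIn", 100, "Inbound", "Allow", "Tcp", "*", "10.0.1.0/24", "443"),
        Rule("DenyRdpIn", 200, "Inbound", "Deny", "Tcp", "*", "*", "3389"),
        Rule("AllowVnetOut", 100, "Outbound", "Allow", "*", "*", VNET, "*"),
        Rule("DenyInternetOut", 110, "Outbound", "Deny", "*", "*", "*", "*"),
    ])
    client_syn = Flow("Inbound", "Tcp", "203.0.113.7", "10.0.1.4", 51000, 443)
    server_reply = Flow("Outbound", "Tcp", "10.0.1.4", "203.0.113.7", 443, 51000)
    rdp_attempt = Flow("Inbound", "Tcp", "203.0.113.7", "10.0.1.4", 51001, 3389)
    to_db = Flow("Outbound", "Tcp", "10.0.1.4", "10.0.2.5", 40000, 1433)
    new_egress = Flow("Outbound", "Tcp", "10.0.1.4", "198.51.100.9", 40001, 443)
    return {
        "https_in": web.evaluate(client_syn),
        "https_reply": web.evaluate(server_reply),   # passes with no outbound rule
        "rdp_in": web.evaluate(rdp_attempt),
        "vnet_out": web.evaluate(to_db),
        "internet_out": web.evaluate(new_egress),    # stopped by the egress lockdown
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The point to take from `demo()` is the pair `https_reply` and `internet_out`: the same VM, the same destination port, and an outbound Deny rule in place, yet the reply to the allowed inbound connection passes while a new outbound connection does not. The egress lockdown is what makes the stateful behaviour visible; without it the reply would simply have matched the default outbound allow.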


  • User-defined routing

User-Defined Routing modifies the next hop of outbound traffic flows. It can point traffic to appliances for further actions or scrubbing, providing more granular traffic engineering. UDR is comparable to Policy-Based Forwarding (PBR), a similar on-premises feature.


Multi VNET with multi NG firewalls

The following sections will discuss the design scenario for Azure VNET-to-VNET communication via Barracuda NG firewalls, TINA tunnels, and Azure’s UDR. The two VNETs use ExpressRoute gateways for “in-cloud” Azure fabric communication. Even though the Azure ExpressRoute gateway is intended for on-premises connectivity, it can be used for cloud VNET-to-VNET communication.

The DMZ subnet consists of Barracuda NG firewalls for security scrubbing and Deep Packet Inspection (DPI). Barracuda’s Web Application Firewalls (WAF) could also be placed a layer ahead of the NG and have the ability to perform SSL termination and offload. To route traffic to and from the NG appliance, use UDR. For example, TO: ANY | FROM: WEB | VIA: NG
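To make the UDR rule "TO: ANY | FROM: WEB | VIA: NG" concrete, here is a Python model of how Azure picks the next hop for a packet leaving the web subnet once a route table is attached: longest prefix match first, and on a tie a user-defined route beats a system route. This is an added example, not Azure or Barracuda code and not from the original post; the VNet address space, subnet prefixes, the NG appliance IP and the route entries are constructed, and the two system routes are Azure's documented defaults.

```python
"""Toy model of Azure route selection with user-defined routes (added example).

Resolves the next hop for a destination the way Azure documents it: the
longest matching prefix wins, and when a user-defined route and a system
route share a prefix the user-defined route is preferred. VNet space,
subnet prefixes, the NG appliance IP and route entries are constructed."""
import ipaddress

VNET_SPACE = "10.0.0.0/16"   # constructed VNet address space
NG_IP = "10.0.9.4"           # constructed IP of the NG firewall in the DMZ subnet (10.0.9.0/24)

# Azure's default system routes: VNet space via VirtualNetwork, everything else via Internet.
SYSTEM_ROUTES = [
    {"prefix": VNET_SPACE, "next_hop": "VirtualNetwork", "hop_ip": None, "origin": "System"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "hop_ip": None, "origin": "System"},
]

# Constructed route table for the WEB subnet (10.0.1.0/24): "TO: ANY | FROM: WEB | VIA: NG",
# plus the peer VNet reached through the NG and the DB tier forced through the NG as well.
WEB_SUBNET_ROUTES = [
    {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance", "hop_ip": NG_IP, "origin": "User"},
    {"prefix": "10.1.0.0/16", "next_hop": "VirtualAppliance", "hop_ip": NG_IP, "origin": "User"},
    {"prefix": "10.0.2.0/24", "next_hop": "VirtualAppliance", "hop_ip": NG_IP, "origin": "User"},
]

def resolve(dst_ip, user_routes, system_routes=SYSTEM_ROUTES):
    """Return (next_hop_type, hop_ip, winning_prefix) for a packet to dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in system_routes + user_routes
                  if dst in ipaddress.ip_network(r["prefix"])]
    # longest prefix first; on equal length a user route outranks a system route
    best = max(candidates, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                                          r["origin"] == "User"))
    return best["next_hop"], best["hop_ip"], best["prefix"]

def validate(subnet_prefix, user_routes, vnet_space=VNET_SPACE):
    """Checks a reviewer would run before associating the table with subnet_prefix.
    These checks belong to this example, not to any Azure API."""
    problems = []
    subnet = ipaddress.ip_network(subnet_prefix)
    vnet = ipaddress.ip_network(vnet_space)
    for r in user_routes:
        if r["next_hop"] != "VirtualAppliance":
            continue
        hop = ipaddress.ip_address(r["hop_ip"])
        if hop not in vnet:
            problems.append(f"{r['prefix']}: appliance {hop} is outside the VNet address space")
        if hop in subnet:
            # a route table that sends traffic back into the appliance's own subnet loops
            problems.append(f"{r['prefix']}: appliance {hop} sits inside the routed subnet")
    return problems

if __name__ == "__main__":
    for dst in ("203.0.113.7", "10.0.2.5", "10.0.1.9", "10.1.5.5"):
        print(f"{dst:13s} with UDR -> {resolve(dst, WEB_SUBNET_ROUTES)}")
        print(f"{dst:13s} no UDR   -> {resolve(dst, [])}")
    print("web subnet problems:", validate("10.0.1.0/24", WEB_SUBNET_ROUTES))
    print("dmz subnet problems:", validate("10.0.9.0/24", WEB_SUBNET_ROUTES))
```

Two details worth noticing when running it. First, a lone 0.0.0.0/0 route to the NG does not pull intra-VNet traffic through the appliance, because the /16 system route is longer; the 10.0.2.0/24 entry is what makes web-to-database traffic visible to the NG. Second, `validate()` flags the same table when attached to the DMZ subnet that hosts the NG, which is the loop you get by applying the web subnet's routes everywhere. The appliance's NIC also needs IP forwarding enabled in Azure, which no route table can express; that is a separate setting to check.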

To overcome Azure’s lack of traffic analytics, the NG can be placed between service layers to provide analytics and traffic profile analyses. Traffic analytics helps determine outbound traffic flows if VMs get compromised and attackers attempt to establish a “beachhead.” If you are ever compromised, it is better to analyze and block the traffic yourself than to call the Azure helpline 🙂


VNET-to-VNET TINA tunnels

To secure VNET-to-VNET traffic, Barracuda NG supports TINA tunnels for encryption. Depending on the number of VNETs requiring cross-communication, TINA tunnels can be deployed as full mesh or hub and spoke design terminating on the actual NG. TINA tunnels are also used to provide backup traffic engineering over the Internet. They are transport agnostic and can route different flows via the ExpressRoute and Internet gateways. They hold a similar analogy to SD-WAN but without the full feature set.

Diagram: VNET-to-VNET TINA tunnels


A similar design case exists using Barracuda TINA agents on servers to create TINA tunnels directly to NGs in a remote VNET. It’s a similar concept to an agent VPN configured on hosts. However, instead of UDR, you can use TINA agents and enable tunnels from hosts to NG firewalls.

The agent method reduces the number of NGs and is potentially helpful for a hub and spoke VNET design. The main drawbacks are the lack of analytics in the VNET without the NG and the requirement to configure agents on participating hosts.


Implementing robust security measures is paramount in today’s digital landscape, where cyber threats are becoming increasingly sophisticated. Azure IDS and IPS solutions, offered through Azure Security Center, provide organizations with the tools to effectively detect, prevent, and respond to potential security breaches in their cloud environment. By leveraging the power of machine learning, behavioral analytics, and real-time threat intelligence, Azure IDS and IPS enhance the overall security posture of your Azure infrastructure, enabling you to focus on driving business growth with peace of mind.


Matt Conran