Design 37: Zero Trust Security

Summary

This design implements the Zero Trust methodology: "Never Trust, Always Verify".

Topology: Zero Trust is not a single resource but a set of controls layered onto the Hub & Spoke topology. It spans three pillars: Identity (Entra ID Conditional Access), Network (Azure Firewall and NSGs), and Endpoint (Defender for Cloud).

1. Key Design Decisions (ADR)

ADR-01: Identity

  • Decision: Conditional Access.
  • Rationale: Every sign-in is evaluated on user identity, device compliance and location before Entra ID issues a token.

ADR-02: Network

  • Decision: Micro-segmentation.
  • Rationale: Assume breach. If the Web Tier is compromised, the attacker must not be able to pivot to the Data Tier (Design 17): each spoke's NSG allows only the flows that tier actually needs.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  User        |           |        Policy Engine     |           |  Resource    |
|  (Untrusted) |---------->|      (Entra ID)          |---------->|  (VM / App)  |
+--------------+           |      "Is MFA?"           |           |              |
                           |      "Is Compliant?"     |           +--------------+
                           +--------------------------+

3. Low-Level Design (LLD)

+-----------------------------------------------------------------------+
| IDENTITY PILLAR (Entra ID)                                            |
|   Policy: "Require MFA for All"                                       |
|   Policy: "Block Legacy Auth"                                         |
+-----------------------------------------------------------------------+
                                    |
                                    v
+-----------------------------------------------------------------------+
| NETWORK PILLAR (Hub & Spoke)                                          |
|   [Azure Firewall] (Hub)                                              |
|     |-- Deny All Outbound                                             |
|     |-- Allow specific FQDNs                                          |
|                                                                       |
|   [NSG] (Spoke)                                                       |
|     |-- Deny VNet Inbound                                             |
|     |-- Allow specific IP                                             |
+-----------------------------------------------------------------------+
                                    |
                                    v
+-----------------------------------------------------------------------+
| ENDPOINT PILLAR (Defender)                                            |
|   [VM Extension]                                                      |
|     |-- Real-time scanning                                            |
|     |-- Vulnerability assessment                                      |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Conditional Access: The "Front Door" of Zero Trust. Every sign-in passes through it before any resource is reached.
  • Defender for Cloud: The "Security Guard" on each workload. It watches the VM itself (real-time scanning, vulnerability assessment) rather than the network path into it.

5. Strategy: High Availability (HA)

  • N/A.

6. Strategy: Disaster Recovery (DR)

  • N/A.

7. Strategy: Backup

  • N/A.

8. Strategy: Security

  • Just-In-Time (JIT): Management ports (22/3389) stay closed by default. A JIT request adds a temporary NSG allow rule for the requester's source IP only, which expires after 1 hour.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: Excellent. Identity, network and endpoint controls each enforce least privilege independently, so compromising one layer does not grant access through the others.
  • Cost Optimization: Medium. Defender for Servers Plan 2 costs ~$15/server/mo.
  • Operational Excellence: High.
  • Performance Efficiency: N/A.

10. Detailed Traffic Flow

1. Login: User attempts to sign in to the Azure Portal.

2. Verify: Entra ID challenges for MFA and checks that the device is marked compliant by Intune.

3. Access: User tries to RDP to VM.

4. JIT: User requests JIT access.

5. Grant: Defender for Cloud adds a temporary NSG allow rule for TCP 3389 from the user's source IP; the rule is removed when the 1-hour window expires.

6. Connect: User connects.
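The two network controls above (the spoke NSG in ADR-02 / the LLD, and the JIT grant in steps 4 to 6) are both just NSG rules evaluated in priority order. The following Python model is an added example, not code from the original design page or from Azure: it reproduces the NSG engine's first-match-by-priority semantics, shows why the custom "Deny VNet Inbound" rule is what stops a compromised Web Tier host reaching the Data Tier (without it, the platform default AllowVnetInBound at priority 65000 would let the traffic through), and shows a JIT grant as a short-lived /32 allow rule. The 10.0.0.0/8 address space, the 10.0.2.0/24 app subnet, the 203.0.113.7 admin address and the rule priorities are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed (constructed for this example): address space behind the "VirtualNetwork"
# service tag and the one subnet allowed to reach the Data Tier on SQL.
VNET = ip_network("10.0.0.0/8")
APP_SUBNET = "10.0.2.0/24"


@dataclass
class Rule:
    name: str
    priority: int              # custom rules 100-4096; Azure defaults sit at 65000+
    access: str                # "Allow" or "Deny"
    protocol: str              # "Tcp", "Udp" or "*"
    source: str                # CIDR, "*", or service tag "VirtualNetwork" / "Internet"
    dest_port: str             # "3389", "*", or a range such as "1000-2000"
    expires: Optional[datetime] = None   # set only on JIT-created rules


def _source_matches(rule_source: str, src: str) -> bool:
    ip = ip_address(src)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":
        return ip not in VNET
    return ip in ip_network(rule_source, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate(rules: List[Rule], src: str, port: int, proto: str, now: datetime) -> Tuple[str, str]:
    """Lowest priority number wins and evaluation stops at the first match, as in an NSG.
    Expired JIT rules are skipped here; in Azure, Defender for Cloud deletes them."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.expires is not None and now >= r.expires:
            continue
        if r.protocol not in ("*", proto):
            continue
        if _source_matches(r.source, src) and _port_matches(r.dest_port, port):
            return r.access, r.name
    raise ValueError("no rule matched; the default rules should make this impossible")


def data_tier_nsg() -> List[Rule]:
    """Inbound rules for the Data Tier spoke (Design 17) as described in the LLD."""
    return [
        Rule("Allow-App-To-SQL", 100, "Allow", "Tcp", APP_SUBNET, "1433"),
        Rule("Deny-VNet-Inbound", 4000, "Deny", "*", "VirtualNetwork", "*"),
        # Azure platform default rules: cannot be removed, only overridden by a lower priority.
        Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
        Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
    ]


def request_jit(rules: List[Rule], requester_ip: str, port: int, now: datetime, hours: int = 1) -> Rule:
    """Model of a JIT grant: an allow rule for the requester's /32 only, with an expiry."""
    rule = Rule(f"JIT-{port}-{requester_ip}", 200, "Allow", "Tcp",
                f"{requester_ip}/32", str(port), expires=now + timedelta(hours=hours))
    rules.append(rule)
    return rule


def demo() -> Dict[str, Tuple[str, str]]:
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    nsg = data_tier_nsg()
    flat = [r for r in data_tier_nsg() if r.name != "Deny-VNet-Inbound"]  # micro-segmentation removed
    results = {
        "app_to_sql": evaluate(nsg, "10.0.2.20", 1433, "Tcp", now),
        "web_to_sql": evaluate(nsg, "10.0.1.5", 1433, "Tcp", now),          # compromised web host
        "web_rdp_without_custom_deny": evaluate(flat, "10.0.1.5", 3389, "Tcp", now),
        "admin_before_jit": evaluate(nsg, "203.0.113.7", 3389, "Tcp", now),
    }
    request_jit(nsg, "203.0.113.7", 3389, now)
    later = now + timedelta(seconds=30)
    results["admin_during_jit"] = evaluate(nsg, "203.0.113.7", 3389, "Tcp", later)
    results["other_ip_during_jit"] = evaluate(nsg, "198.51.100.9", 3389, "Tcp", later)
    results["admin_after_expiry"] = evaluate(nsg, "203.0.113.7", 3389, "Tcp", now + timedelta(hours=1, seconds=1))
    return results


if __name__ == "__main__":
    for flow, (access, rule) in demo().items():
        print(f"{flow:30s} {access:5s} by {rule}")
```

The point to take from `web_rdp_without_custom_deny` is that an NSG with only the platform defaults is not micro-segmented at all: anything inside the VNet reaches anything else, which is exactly the lateral movement ADR-02 is meant to prevent.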

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Enable Defender for Cloud

1. Search: "Microsoft Defender for Cloud".

2. Environment settings -> Select your Subscription.

3. Defender plans:

* Servers: On.

* App Service: On.

* SQL: On.

* Storage: On.

4. Save.

* *Note: Enabling the Servers plan turns on the Defender for Endpoint integration, which deploys the Defender for Endpoint sensor to covered VMs automatically.*

Phase 2: Configure JIT (Just-In-Time) Access

1. Go to Workload protections -> Just-in-time VM access.

2. On the Not configured tab, select the VM -> Enable JIT on 1 VM.

3. Ports:

* 3389 (RDP): Protocol TCP, Allowed source IPs: Per request.

* Max request time: 1 hour.

* Remove any port you do not manage over (e.g. 22 on a Windows-only VM); JIT only locks down the ports listed here.

4. Save.

Phase 3: Conditional Access (Requires Entra ID P1)

1. Search: "Microsoft Entra ID" -> Security -> Conditional Access.

2. + New policy.

3. Name: Require-MFA-Admins.

4. Assignments:

* Users: Select Directory roles -> Global Administrator. Under Exclude, add your emergency access (break-glass) accounts so an MFA or policy outage cannot lock every admin out.

* Target resources: All cloud apps.

5. Access controls:

* Grant: Grant access -> check Require multifactor authentication.

6. Enable policy: On. (Report-only is available if you want to observe the impact in the sign-in logs before enforcing.)

7. Create.
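The portal steps in Phase 3 map to a single Microsoft Graph request body. The Python below is an added example, not code from the original page or from Microsoft: `require_mfa_admins_policy` builds the `conditionalAccessPolicy` object you would `POST` to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, and `decide` walks through how that policy scopes a sign-in (included role, excluded break-glass account, report-only versus enforced state). The Global Administrator role template ID is the well-known, tenant-independent value; the break-glass user object ID is an assumed placeholder.

```python
from typing import Dict, List

# Well-known Entra role template ID for Global Administrator (the same in every tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Assumed placeholder: object ID of the tenant's emergency-access (break-glass) account.
BREAK_GLASS_USER_ID = "11111111-2222-3333-4444-555555555555"

REPORT_ONLY = "enabledForReportingButNotEnforced"
VALID_STATES = ("enabled", "disabled", REPORT_ONLY)


def require_mfa_admins_policy(state: str = REPORT_ONLY) -> Dict:
    """Graph request body equivalent to the Phase 3 portal steps.
    Defaults to report-only so the first deployment only logs what it would have enforced."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown policy state: {state}")
    return {
        "displayName": "Require-MFA-Admins",
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": [GLOBAL_ADMIN_ROLE_ID],
                # Exclusions beat inclusions in Conditional Access, so this keeps the
                # break-glass account usable even if MFA or the policy itself misbehaves.
                "excludeUsers": [BREAK_GLASS_USER_ID],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_applies(policy: Dict, user_id: str, role_ids: List[str]) -> bool:
    """A sign-in is in scope if the user holds an included role and is not explicitly excluded."""
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    return any(r in users.get("includeRoles", []) for r in role_ids)


def decide(policy: Dict, user_id: str, role_ids: List[str], mfa_satisfied: bool) -> str:
    """Outcome for one sign-in: 'grant', 'challenge-mfa' or 'report-only'."""
    if policy["state"] == "disabled" or not policy_applies(policy, user_id, role_ids):
        return "grant"
    if mfa_satisfied:
        return "grant"
    # In scope and MFA missing: enforced -> interactive MFA challenge; report-only -> logged only.
    return "challenge-mfa" if policy["state"] == "enabled" else "report-only"


if __name__ == "__main__":
    import json
    enforced = require_mfa_admins_policy("enabled")
    print(json.dumps(enforced, indent=2))
    print("admin, no MFA:      ", decide(enforced, "admin-1", [GLOBAL_ADMIN_ROLE_ID], False))
    print("break-glass, no MFA:", decide(enforced, BREAK_GLASS_USER_ID, [GLOBAL_ADMIN_ROLE_ID], False))
    print("ordinary user:      ", decide(enforced, "user-7", [], False))
```

The break-glass exclusion is the one line worth double-checking before you flip `state` to `enabled`: with `includeRoles` set to Global Administrator and no exclusion, a broken MFA provider locks out every account that could fix the policy.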

Phase 4: Verify Zero Trust

1. Identity: Open a private browser window and log in as a Global Administrator. You *must* be prompted for MFA.

2. Network (JIT):

* Try to RDP to the VM IP directly. The connection times out: the JIT deny rule in the NSG blocks 3389.

* Go to Portal -> VM -> Connect -> Request access.

* Wait 30 seconds.

* Try RDP again. It works.

3. Endpoint:

* Go to Defender for Cloud -> Recommendations.

* You should see recommendations for the VM (e.g., missing system updates), which confirms the agent is reporting. Threat detections appear under Security alerts, not here.