{"id":1304,"date":"2025-04-04T12:49:34","date_gmt":"2025-04-04T12:49:34","guid":{"rendered":"https:\/\/blog.gustavomagella.com\/?p=1304"},"modified":"2025-04-30T12:53:12","modified_gmt":"2025-04-30T12:53:12","slug":"005-beyond-the-cloud-spin-off-cloud-security-c03-09-network-security","status":"publish","type":"post","link":"https:\/\/blog.gustavomagella.com\/index.php\/2025\/04\/04\/005-beyond-the-cloud-spin-off-cloud-security-c03-09-network-security\/","title":{"rendered":"#005 | Beyond the Cloud &#8211; Spin-Off | Cloud Security | C03-09 &#8211; Network Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">[en-gb] \u26a0\ufe0f Important Disclaimer<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>1\ufe0f\u20e3 Some time ago, I recorded a course on cloud security in Microsoft environments for a Brazilian university called IGTI. This course was part of a Cloud Computing bootcamp and helped many students who were just starting their careers in the field. 
(After the institution shut down, the content became unavailable.)<\/p>\n\n\n\n<p>\ud83c\udfaf So, I decided to remaster, sanitize, and re-release this content for free on YouTube, with the goal of continuing to support those who are beginning their journey in Cloud and Cloud Security.<\/p>\n\n\n\n<p>2\ufe0f\u20e3 The original course is in Portuguese (pt-BR), but throughout the series I\u2019ll also publish articles in English (en-US) so the content can reach more people \u2014 at least until the new courses in English are recorded and ready.<\/p>\n\n\n\n<p>3\ufe0f\u20e3 Important: this series is not certification prep and not a silver bullet.<br>The goal here is to share structured knowledge, with a hands-on, accessible approach focused on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud beginners,<\/li>\n\n\n\n<li>Security enthusiasts, and<\/li>\n\n\n\n<li>Anyone looking to better understand how Azure actually handles security.<\/li>\n<\/ul>\n\n\n\n<p>4\ufe0f\u20e3 Microsoft has <strong>rebranded some of its products<\/strong> \u2014 for example, <em>Azure Security Center<\/em> is now <strong>Defender for Cloud<\/strong>, and <em>Azure Active Directory<\/em> is now <strong>Entra ID<\/strong>. Some lessons may still refer to the old names, but don\u2019t worry \u2014 the <strong>core concepts, technical foundations, and functionalities remain the same<\/strong>. Focus on the architecture and principles being taught.<\/p>\n\n\n\n<p>Hope you enjoy it! 
Big hug!<\/p>\n\n\n\n<p>Gustavo Magella<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udfac Watch Episode #03 of 09 Now<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udd17 <strong><a href=\"https:\/\/youtu.be\/zUCdZ0MNttQ\" data-type=\"link\" data-id=\"https:\/\/youtu.be\/2FeBjah0cJk\">Click here to watch on YouTube \u2013 Episode 03 of 09.<\/a><\/strong><br><em>(And yes, hit that subscribe button. I\u2019m watching\u2026 \ud83d\udc40)<\/em><\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">[en-us] Beyond The Cloud &#8211; Spin-Off | Chapter 03: Network Security in Azure<\/h2>\n\n\n\n<p><strong>Hey, what\u2019s up folks!?<\/strong> <\/p>\n\n\n\n<p>Welcome to Chapter 03 of the Beyond The Cloud \u2013 Spin-Off series. Today, we\u2019re diving deep into <strong>Network Security in Azure<\/strong>. It\u2019s time to talk about VNets, NSGs, Azure Firewall, and DDoS Protection. <\/p>\n\n\n\n<p>If you think this chapter is just about blocking ports \u2014 hold on tight. It&#8217;s about building layered defenses that work.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\ude80 Virtual Networks: The Backbone of IaaS<\/h3>\n\n\n\n<p>Before we dive into security tools, let\u2019s go back to basics. Virtual Networks (VNets) are the backbone of Azure IaaS. Every VNet is <strong>logically isolated<\/strong>, even within the same subscription or region. They are composed of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CIDR address blocks;<\/li>\n\n\n\n<li>Subnets;<\/li>\n\n\n\n<li>Private IP allocations;<\/li>\n<\/ul>\n\n\n\n<p>You can create multiple VNets and subnets, but by default, they won\u2019t talk to each other. 
That isolation is powerful \u2014 and it\u2019s where network security begins.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udee1\ufe0f NSGs: The First Line of Defense<\/h3>\n\n\n\n<p>Azure Network Security Groups (NSGs) are stateless filters that operate at the NIC or subnet level. They don\u2019t remember the session state \u2014 they simply evaluate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Source\/Destination IPs;<\/li>\n\n\n\n<li>Source\/Destination Ports;<\/li>\n\n\n\n<li>Protocols;<\/li>\n<\/ul>\n\n\n\n<p>And apply Allow\/Deny rules accordingly.<\/p>\n\n\n\n<p>Key rules:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NSG priority order matters. Lower numbers = higher priority.<\/li>\n\n\n\n<li>As soon as a rule matches, evaluation stops.<\/li>\n\n\n\n<li>Default deny rules are at the bottom of every list.<\/li>\n<\/ul>\n\n\n\n<p>Attach NSGs to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NICs: More granular, per VM;<\/li>\n\n\n\n<li>Subnets: Broader protection across segments;<\/li>\n<\/ul>\n\n\n\n<p>Use service tags or application security groups (ASGs) for dynamic, maintainable rules.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133601-1024x574.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1313\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133601-1024x574.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133601-300x168.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133601-768x431.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133601.png 1282w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd25 Azure Firewall: Stateful and Powerful<\/h3>\n\n\n\n<p>While NSGs are great, Azure Firewall is where <strong>serious control<\/strong> begins. It\u2019s a fully managed, <strong>stateful firewall<\/strong> as a service (FWaaS) that supports:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Threat intelligence-based filtering;<\/li>\n\n\n\n<li>Application and network rule collections;<\/li>\n\n\n\n<li>FQDN and domain filtering;<\/li>\n\n\n\n<li>TLS inspection and IDPS (in Premium tier);<\/li>\n<\/ul>\n\n\n\n<p>This beast is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Highly available (HA by design);<\/li>\n\n\n\n<li>Compliant (SOC, PCI DSS, ISO&#8230; you name it);<\/li>\n\n\n\n<li>Scalable without appliances or third-party NVAs;<\/li>\n<\/ul>\n\n\n\n<p>If you need <strong>deep packet inspection<\/strong>, centralized control, or scalable governance \u2014 Azure Firewall is your tool.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"575\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133735-1024x575.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1314\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133735-1024x575.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133735-300x168.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133735-768x431.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133735.png 1276w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udea8 DDoS Protection: Don&#8217;t Be Caught Off 
Guard<\/h3>\n\n\n\n<p>Think NSG + Firewall are enough? Not against volumetric DDoS attacks.<\/p>\n\n\n\n<p>Azure DDoS Protection comes in two flavors:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Basic<\/strong>: Enabled by default, free, decent for most scenarios;<\/li>\n\n\n\n<li><strong>Standard<\/strong>: Paid (~$3k\/month), includes telemetry, analytics, mitigation reports, and <strong>attack insurance<\/strong>;<\/li>\n<\/ul>\n\n\n\n<p>Azure\u2019s global backbone and machine learning models analyze traffic patterns and scrub malicious traffic <strong>before it hits your resources<\/strong>.<\/p>\n\n\n\n<p>When paired with a well-architected environment, DDoS Protection keeps uptime sacred.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\ude96 Practical Checklist<\/h3>\n\n\n\n<p>\u2705 NSG applied to all subnets and NICs (Don\u2019t skip this \u2014 even if NSGs are stateless, they are your first line of defence!);<br>\u2705 Use explicit deny rules and mind the priority (Low number = high power. Don&#8217;t mess this up.);<br>\u2705 Never expose RDP\/SSH directly to the internet (Seriously. No excuses. Use Bastion or VPN.);<br>\u2705 Azure Firewall deployed for centralised inspection and policy enforcement (It\u2019s not cheap, but neither is downtime.);<br>\u2705 DDoS Standard enabled on critical production workloads (And yes, it can save your bacon.);<br>\u2705 Regularly monitor logs and metrics (Because if you\u2019re not watching, no one is.);<br>\u2705 Use service tags and ASGs to simplify rule management (Unless you like chasing changing IPs.);<br>\u2705 Combine NSG, Azure Firewall, and DDoS \u2014 layers matter (Single point of failure? 
Not here.);<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udcca My Tech Two Cents<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NSG = Security gate with a clipboard.<\/li>\n\n\n\n<li>Azure Firewall = Security officer with camera, logs, and orders.<\/li>\n\n\n\n<li>DDoS Protection = Riot squad at the perimeter.<\/li>\n<\/ul>\n\n\n\n<p>Use them together. Layer your defenses. Respect priorities in rule evaluation. And never, <strong>ever<\/strong>, rely on defaults alone.<\/p>\n\n\n\n<p>Next up: Chapter 04 \u2014 we tackle <strong>general security services<\/strong> in Azure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Backup;<\/li>\n\n\n\n<li>Dedicated Hosts;<\/li>\n\n\n\n<li>Azure Key Vault;<\/li>\n\n\n\n<li>Defender for Cloud;<\/li>\n\n\n\n<li>Microsoft Sentinel;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"575\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135933-1024x575.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1316\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135933-1024x575.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135933-300x168.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135933-768x431.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135933.png 1283w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Until then, patch those ports and protect those packets! 
\ud83c\udf39\ufe0f\u2764\ufe0f<\/p>\n\n\n\n<p>Gustavo Magella<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">[pt-br] \u26a0\ufe0f An important notice:<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>1\ufe0f\u20e3 Some time ago, I recorded a cloud security course focused on Microsoft environments for a Brazilian university called <strong>IGTI<\/strong>. The course was part of a Cloud Computing bootcamp and, at the time, helped many students who were starting their journeys in the field. (When the institution closed, the content ended up becoming unavailable.)<\/p>\n\n\n\n<p>\ud83c\udfaf So I decided to <strong>remaster, sanitize, and re-release this content for free on YouTube<\/strong>, with the goal of continuing to help those who are starting out in Cloud and Cloud Security.<\/p>\n\n\n\n<p>2\ufe0f\u20e3 The original course is in <strong>Portuguese (pt-BR)<\/strong>, but throughout the series I will also publish <strong>articles in English (en-US)<\/strong>, so that the content can reach more people until the new courses in English are recorded and available.<\/p>\n\n\n\n<p>3\ufe0f\u20e3 <strong>Important:<\/strong> this series is <strong>not certification prep<\/strong> and is <strong>not a silver bullet<\/strong>.<br>The aim here is to <strong>share knowledge in a structured way<\/strong>, with a practical and accessible approach, aimed at:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud beginners,<\/li>\n\n\n\n<li>Security enthusiasts, and<\/li>\n\n\n\n<li>anyone looking to better understand 
how Azure really handles security.<\/li>\n<\/ul>\n\n\n\n<p>4\ufe0f\u20e3 Microsoft has <strong>renamed some of its products<\/strong>: for example, <em>Azure Security Center<\/em> is now called <strong>Defender for Cloud<\/strong>, and <em>Azure Active Directory<\/em> became <strong>Entra ID<\/strong>. In some lessons the old names still appear, but focus on the <strong>concepts and technical foundations<\/strong>, which remain valid and extremely relevant.<\/p>\n\n\n\n<p>I hope you enjoy it! A big hug!<\/p>\n\n\n\n<p>Gustavo Magella<\/p>\n<\/blockquote>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udfac Watch Chapter 03<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udd17 <strong><a href=\"https:\/\/youtu.be\/zUCdZ0MNttQ\">Watch now on YouTube \u2013 Chapter 03 of 09<\/a><\/strong><br>(And subscribe to the channel, otherwise I\u2019ll know you skipped this part\u2026 lol)<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">[pt-br] Beyond The Cloud &#8211; Spin-Off | Chapter 03: Network Security in Azure<\/h2>\n\n\n\n<p>Hey there, you beautiful people!? <\/p>\n\n\n\n<p>We have reached <strong>Chapter 03<\/strong>, and the topic now is <strong>network security in Azure<\/strong>. Time to explore the defense layer that separates your environment from the mess out there.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\ude80 VNets: The backbone of IaaS<\/h2>\n\n\n\n<p>Every IaaS architecture starts with the network. And in Azure, the VNet is isolated by default. 
Same subscription, same resource group, it makes no difference: if you don\u2019t connect it, it doesn\u2019t talk to anyone.<\/p>\n\n\n\n<p>Each VNet has:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CIDR block;<\/li>\n\n\n\n<li>Subnets;<\/li>\n\n\n\n<li>Private IPs;<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udee1\ufe0f NSG: The first checkpoint<\/h3>\n\n\n\n<p>The NSG is like a guard with a spreadsheet in hand. It checks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Source\/destination IP;<\/li>\n\n\n\n<li>Source\/destination port;<\/li>\n\n\n\n<li>Protocol;<\/li>\n<\/ul>\n\n\n\n<p>And it allows or blocks. Simple as that.<\/p>\n\n\n\n<p>Reminders:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lower priority value = rule executed first;<\/li>\n\n\n\n<li>Match found = everything stops;<\/li>\n\n\n\n<li>There is always a deny all at the end;<\/li>\n<\/ul>\n\n\n\n<p>Associate NSGs with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NICs (per VM);<\/li>\n\n\n\n<li>Subnets (per segment);<\/li>\n<\/ul>\n\n\n\n<p>Use service tags or Application Security Groups to keep rules dynamic.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-132920-1024x574.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1310\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-132920-1024x574.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-132920-300x168.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-132920-768x431.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-132920.png 1273w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr 
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd25 Azure Firewall: Full control<\/h3>\n\n\n\n<p>Firewall as a service, with packet inspection, TLS, IDPS and FQDN filtering. That is <strong>Azure Firewall Premium<\/strong>. It is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stateful (tracks connection context);<\/li>\n\n\n\n<li>Highly available;<\/li>\n\n\n\n<li>Scalable and managed;<\/li>\n\n\n\n<li>Certified (SOC, PCI, ISO&#8230;);<\/li>\n<\/ul>\n\n\n\n<p>I strongly recommend it if you need centralized, fine-grained control over network traffic.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133049-1024x574.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1311\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133049-1024x574.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133049-300x168.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133049-768x431.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-133049.png 1277w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udea8 Azure DDoS Protection: Don\u2019t slip up<\/h3>\n\n\n\n<p>Volumetric attack? 
NSG and firewall won\u2019t hold.<\/p>\n\n\n\n<p>DDoS Protection comes in two versions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Basic<\/strong>: free and enabled by default;<\/li>\n\n\n\n<li><strong>Standard<\/strong>: paid, with metrics, alerts, reports and even &#8220;attack insurance&#8221;;<\/li>\n<\/ul>\n\n\n\n<p>Microsoft analyzes global traffic patterns and blocks malicious requests <strong>before they reach your environment<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\ude96 Quick Checklist<\/h3>\n\n\n\n<p>\u2705 NSG applied to all subnets and NICs (Don\u2019t skip applying an NSG: even though it is stateless, you need to be protected);<br>\u2705 Use explicit deny rules and organize the priority (Lower number, stronger: don\u2019t get this wrong);<br>\u2705 Never expose RDP\/SSH to the internet (Use Bastion or VPN. NO EXCUSES);<br>\u2705 Azure Firewall as a centralized inspection and control layer (It\u2019s expensive, but downtime costs more);<br>\u2705 DDoS Standard on sensitive and critical workloads (You don\u2019t want to learn this the hard way);<br>\u2705 Monitor logs, metrics and alerts frequently (If you don\u2019t look, nobody will);<br>\u2705 Use service tags and ASGs to simplify management (Or get ready to chase IPs that change all the time);<br>\u2705 Layers, always. 
NSG + Firewall + DDoS (Zero Trust is not a WhatsApp sticker);<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udcca My Tech Two Cents<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NSG = the condominium doorman<\/li>\n\n\n\n<li>Azure Firewall = security guard with monitoring<\/li>\n\n\n\n<li>DDoS Protection = riot squad at the entrance<\/li>\n<\/ul>\n\n\n\n<p>Use everything together. Leave no gaps. Prioritize your rules. And don\u2019t trust the defaults.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>In Chapter 04 we will talk about:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Backup;<\/li>\n\n\n\n<li>Dedicated Hosts;<\/li>\n\n\n\n<li>Azure Key Vault;<\/li>\n\n\n\n<li>Defender for Cloud;<\/li>\n\n\n\n<li>Microsoft Sentinel;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135900-1024x574.png\" loading=\"lazy\" alt=\"\" class=\"wp-image-1318\" srcset=\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135900-1024x574.png 1024w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135900-300x168.png 300w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135900-768x431.png 768w, https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-04-135900.png 1278w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Closing one more layer of secure cloud architecture!<\/p>\n\n\n\n<p>Much love and see you next time! 
\ud83c\udf39\ufe0f\u2764\ufe0f<\/p>\n\n\n\n<p>Gustavo Magella<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[en-gb] \u26a0\ufe0f Important Disclaimer \ud83c\udfac Watch Episode #03 of 09 Now \ud83d\udd17 Click here to watch on YouTube \u2013 Episode 03 of 09.(And yes, hit&#8230;<\/p>\n","protected":false},"author":2,"featured_media":1308,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[24,23],"class_list":["post-1304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-01-my-tech-two-cents","tag-en-gb","tag-pt-br"],"menu_order":0,"_links":{"self":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/comments?post=1304"}],"version-history":[{"count":7,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1304\/revisions"}],"predecessor-version":[{"id":1319,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1304\/revisions\/1319"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/media\/1308"}],"wp:attachment":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/media?parent=1304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/categories?post=1304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/w
p-json\/wp\/v2\/tags?post=1304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}