When people talk about "Cloud Computing" and "Cloud Computing Service Providers" (e.g. Microsoft Azure – Cloud Computing Platform by Microsoft), the first thing they are asking and talking about is the security of Cloud. Various layers of security are provided by Clouds like Azure to the customers. Azure Platform offers customer defined features also.
DDOS Protection - Distributed Denial of Service Protection against DDOS Attacks.
Azure physical layer has DDOS protection layer which protects the massive scale and large scale of malicious requests and attacks using bot nodes. DDoS Protection layer does not have any user defined ACLs or rules and also, is not accessible by cloud users. It automatically monitors all out bound traffic and Azure cross-region traffic also. The only limitation with Azure DDoS protection service is that it takes care of large amount of attacks, not small scale attacks. In DDoS attack, a malicious actor compromises the system and fires multiple unnecessary requests from different sources on the target, in order to affect the availability of that target service. Microsoft Azure uses SYN cookies, rate limiting, and connection limits in DDoS defence technology so that the customer environment is not affected by such attacks.
Public IP Addresses and Ports are also safe because the endpoint uses NAT - Network Address Translation to route user request to the internal port and IP address
NAT Service comes with Load Balancer where you can map you front-end public IP address with source port and target port so that you can hide your internal targetport using NAT Mapping and Port Mapping with Source Port in Azure Load Balancer Service. So, while using Public IP also, you can determine which traffic you want to pass where and how.
![Azure]()
In Azure, Traffic Isolation is also there. Example - If we are creating Azure VNET in the same data center, they can't communicate to each other until you configure some hybrid Network Connectivity like Site to Site connectivity or VNET Peering between the two virtual networks you created in Azure VNET, because Azure Site to Site connectivity uses IPSec Protocol.
In Azure NSG
You can associate Network Security Rules with VNET / Subnet or NICs of your Virtual Networks. NSGs are collection of ACLs where you can create in-bound and out-bound rules to allow or deny. In one NSG, you can create 200 rules and in normal Azure subscription, you can create 100 NSGs to in-bound and out-bound your traffic. In Azure, user can define the User Defined Routes (UDR) to define his / her own traffic using Firewall etc. Using Routing Tables in Azure, you can force the subnet traffic to pass through the firewall, IDS or IPS devices. Your subnet has internet connectivity by default, but using NIC and NSG and Routing Table, you can route them via secure gateway to come into your subnet.
Along with that, Microsoft Azure offers Security Appliance Functionality like Firewall, Threat Detection and prevention, Auditing andLogging, Reverse Proxy and Forward Proxy, VPN Devices.