Zero Trust Networking on Azure
Never Trust, Always Verify
Introduction
Zero Trust is a security model that grants no implicit trust based on network location, user identity, or device. Every access request must be validated, authenticated, and authorized. Traditional perimeter-based security (for example, VPN access into a corporate network) assumes everything inside the network is trusted; Zero Trust removes that assumption and requires continuous verification for every access attempt.
This comprehensive guide covers:
- Zero Trust principles — Understanding the framework
- Azure Zero Trust architecture — Implementation patterns
- Network segmentation — Micro-segmentation strategies
- Identity-based access — Conditional access implementation
- Microsoft Defender integration — Security monitoring
- Implementation roadmap — Migration from perimeter security
Zero Trust Fundamentals
Core Principles
Zero Trust core principles:

1. Never trust, always verify
   - ✗ Old: User inside network = trusted
   - ✓ New: Every request verified, regardless of location
2. Assume breach
   - ✗ Old: Prevent attackers from getting in
   - ✓ New: Minimize blast radius when they do
3. Explicitly verify
   - ✗ Old: Single-factor authentication
   - ✓ New: Multiple signals: identity, device, location, risk
4. Least privilege access
   - ✗ Old: Broad access based on role
   - ✓ New: Just-enough, time-bound access
5. Segmentation
   - ✗ Old: Flat network with perimeter
   - ✓ New: Micro-segments, lateral movement prevention
Traditional vs Zero Trust
Traditional (perimeter-based): Front End → Back End → DB all sit inside one perimeter, and each hop is treated as trusted. Once inside: full access to all services.

Zero Trust (verified access): the same Front End → Back End → DB chain, but every call is verified and authorized. Each request: authenticated, authorized, encrypted.
Azure Zero Trust Architecture
Implementation Components
Zero Trust architecture on Azure, layered from identity down to data (a request passes through each layer in turn):

- Identity layer: Microsoft Entra ID
  - Conditional Access Policies
  - MFA Enforcement
  - Privileged Identity Management
  - Identity Protection
- Device layer: Intune
  - Device Compliance
  - Endpoint Security
  - Conditional Access (device-based)
- Network layer: Azure Firewall / WAF
  - Private Endpoints
  - NSG Flow Logs
  - DDoS Protection
- Application layer: APIM + Function
  - mTLS Authentication
  - OAuth/JWT Validation
  - API Policies
- Data layer: Azure Key Vault and Azure Purview
  - Key Vault: Secrets Management, CMK (Customer-Managed Keys)
  - Purview: Data Classification
Network Segmentation Strategies
Micro-Segmentation Design
Rules are evaluated in priority order (lower number first) and the first match wins. Each tier ends with an explicit deny rule because Azure's built-in default rules include AllowVnetInBound, which would otherwise admit traffic from every other subnet in the VNet:

```json
{
  "networkSecurityGroups": [
    {
      "name": "nsg-web-tier",
      "rules": [
        {
          "name": "allow-https",
          "priority": 100,
          "direction": "Inbound",
          "sourceAddressPrefix": "AzureLoadBalancer",
          "destinationPortRange": "443",
          "action": "Allow"
        },
        {
          "name": "deny-all-inbound",
          "priority": 4096,
          "direction": "Inbound",
          "sourceAddressPrefix": "*",
          "destinationPortRange": "*",
          "action": "Deny"
        }
      ]
    },
    {
      "name": "nsg-app-tier",
      "rules": [
        {
          "name": "allow-from-web-tier",
          "priority": 100,
          "direction": "Inbound",
          "sourceAddressPrefix": "10.0.1.0/24",
          "destinationPortRange": "443",
          "action": "Allow"
        },
        {
          "name": "deny-internet-inbound",
          "priority": 200,
          "direction": "Inbound",
          "sourceAddressPrefix": "Internet",
          "destinationPortRange": "*",
          "action": "Deny"
        },
        {
          "name": "deny-all-inbound",
          "priority": 4096,
          "direction": "Inbound",
          "sourceAddressPrefix": "*",
          "destinationPortRange": "*",
          "action": "Deny"
        }
      ]
    },
    {
      "name": "nsg-data-tier",
      "rules": [
        {
          "name": "allow-from-app-tier",
          "priority": 100,
          "direction": "Inbound",
          "sourceAddressPrefix": "10.0.2.0/24",
          "destinationPortRange": "1433",
          "action": "Allow"
        },
        {
          "name": "deny-all-inbound",
          "priority": 4096,
          "direction": "Inbound",
          "sourceAddressPrefix": "*",
          "destinationPortRange": "*",
          "action": "Deny"
        }
      ]
    }
  ]
}
```
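The following simulation is an added example, not code from the original page: it applies Azure's inbound NSG evaluation order (custom rules by priority, then the platform defaults AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) to the data tier, once with only the allow rule and once closed by an explicit deny. The subnet layout (10.0.1.0/24 web, 10.0.2.0/24 app, VNet 10.0.0.0/16) and the service-tag resolution are assumptions for the simulation.

```python
import ipaddress

# Assumed VNet layout (not given on the page): 10.0.1.0/24 web, 10.0.2.0/24 app, 10.0.3.0/24 data.
VNET = ipaddress.ip_network("10.0.0.0/16")
# Service tags resolved by this simulation; 168.63.129.16 is Azure's load balancer probe source.
TAGS = {"AzureLoadBalancer": ipaddress.ip_network("168.63.129.16/32")}

# Azure's built-in inbound default rules, evaluated after any custom rules.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "source": "VirtualNetwork", "port": "*", "action": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "source": "AzureLoadBalancer", "port": "*", "action": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "source": "*", "port": "*", "action": "Deny"},
]

def source_matches(prefix, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":  # simplification: anything outside the VNet counts as Internet
        return ip not in VNET
    if prefix in TAGS:
        return ip in TAGS[prefix]
    return ip in ipaddress.ip_network(prefix)

def port_matches(port_range, dst_port):
    return port_range == "*" or int(port_range) == dst_port

def evaluate(rules, src_ip, dst_port):
    """First matching rule wins, lowest priority number first; returns (action, rule name)."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if source_matches(rule["source"], src_ip) and port_matches(rule["port"], dst_port):
            return rule["action"], rule["name"]
    return "Deny", "implicit"

# Data tier with only the allow rule from the app subnet (no closing deny).
DATA_TIER_OPEN = [
    {"name": "allow-from-app-tier", "priority": 100, "source": "10.0.2.0/24", "port": "1433", "action": "Allow"},
]
# Same tier closed with an explicit deny so the default AllowVnetInBound never applies.
DATA_TIER_CLOSED = DATA_TIER_OPEN + [
    {"name": "deny-all-inbound", "priority": 4096, "source": "*", "port": "*", "action": "Deny"},
]
```

With the open rule set, `evaluate(DATA_TIER_OPEN, "10.0.1.10", 1433)` is allowed by AllowVnetInBound, so the web tier can reach SQL directly; the closed set denies the same packet.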
Private Endpoints
```bash
# Create private endpoint for storage (blob sub-resource).
# The target resource is passed with --private-connection-resource-id.
az network private-endpoint create \
  --name storage-private-endpoint \
  --resource-group my-rg \
  --vnet-name my-vnet \
  --subnet my-subnet \
  --connection-name storage-connection \
  --group-id blob \
  --private-connection-resource-id /subscriptions/xxx/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorage
# A private DNS zone (privatelink.blob.core.windows.net) linked to the VNet is needed so the
# account hostname resolves to the private IP; disable public network access on the account
# so the private endpoint is the only path in.

# Create private endpoint for Cosmos DB (SQL API sub-resource)
az network private-endpoint create \
  --name cosmos-private-endpoint \
  --resource-group my-rg \
  --vnet-name my-vnet \
  --subnet my-subnet \
  --connection-name cosmos-connection \
  --group-id Sql \
  --private-connection-resource-id /subscriptions/xxx/resourceGroups/my-rg/providers/Microsoft.DocumentDB/databaseAccounts/mycosmos
```
Identity-Based Access Control
Conditional Access Policies
The first policy requires both MFA and a compliant device when a sign-in to the listed applications carries medium or high sign-in risk; the second blocks any sign-in from a non-compliant device:

```json
{
  "conditionalAccessPolicies": [
    {
      "displayName": "Require MFA for sensitive apps",
      "state": "enabled",
      "conditions": {
        "signInRiskLevels": ["medium", "high"],
        "applications": {
          "includeApplications": ["app-id-1", "app-id-2"]
        }
      },
      "grantControls": {
        "operator": "AND",
        "controls": [
          { "type": "mfa" },
          { "type": "compliantDevice" }
        ]
      }
    },
    {
      "displayName": "Block access from non-compliant devices",
      "state": "enabled",
      "conditions": {
        "deviceStates": {
          "includeDeviceStates": ["nonCompliant"]
        }
      },
      "grantControls": {
        "operator": "OR",
        "controls": [
          { "type": "block" }
        ]
      }
    }
  ]
}
```
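As an added example (not part of the original page), a simplified evaluator for how the two policies above combine: every applying policy must be satisfied, a block control can never be satisfied, and AND versus OR decides how many grant controls must be met. The sign-in contexts and the field names app/risk/device/mfa are constructed for the simulation and do not model every Entra ID signal.

```python
# The page's two policies expressed as Python dicts (same structure as the JSON above).
POLICIES = [
    {"displayName": "Require MFA for sensitive apps", "state": "enabled",
     "conditions": {"signInRiskLevels": ["medium", "high"],
                    "applications": {"includeApplications": ["app-id-1", "app-id-2"]}},
     "grantControls": {"operator": "AND", "controls": [{"type": "mfa"}, {"type": "compliantDevice"}]}},
    {"displayName": "Block access from non-compliant devices", "state": "enabled",
     "conditions": {"deviceStates": {"includeDeviceStates": ["nonCompliant"]}},
     "grantControls": {"operator": "OR", "controls": [{"type": "block"}]}},
]

def policy_applies(policy, ctx):
    """A policy applies only when every condition it lists matches the sign-in context."""
    c = policy["conditions"]
    if "signInRiskLevels" in c and ctx["risk"] not in c["signInRiskLevels"]:
        return False
    if "applications" in c and ctx["app"] not in c["applications"]["includeApplications"]:
        return False
    if "deviceStates" in c and ctx["device"] not in c["deviceStates"]["includeDeviceStates"]:
        return False
    return True

def controls_satisfied(grant, ctx):
    """AND needs every listed control met, OR needs at least one; block is never satisfiable."""
    kinds = [ctl["type"] for ctl in grant["controls"]]
    if "block" in kinds:
        return False
    met = {"mfa": ctx["mfa"], "compliantDevice": ctx["device"] == "compliant"}
    results = [met[k] for k in kinds]
    return all(results) if grant["operator"] == "AND" else any(results)

def decide(policies, ctx):
    """Return (decision, names of applying policies); access is granted only if each applying policy is satisfied."""
    applied, granted = [], True
    for p in policies:
        if p["state"] != "enabled" or not policy_applies(p, ctx):
            continue
        applied.append(p["displayName"])
        granted = granted and controls_satisfied(p["grantControls"], ctx)
    return ("grant" if granted else "block"), applied

# Constructed sign-in contexts: target app, sign-in risk, device compliance state, MFA completed.
RISKY_COMPLIANT_MFA = {"app": "app-id-1", "risk": "high", "device": "compliant", "mfa": True}
RISKY_NONCOMPLIANT_MFA = {"app": "app-id-1", "risk": "high", "device": "nonCompliant", "mfa": True}
LOW_RISK_NO_MFA = {"app": "app-id-1", "risk": "low", "device": "compliant", "mfa": False}
```

The third context shows the scope of the first policy as written: a low-risk sign-in to app-id-1 matches neither policy and is granted without MFA, so a policy meant to require MFA for every sign-in to a sensitive app should not carry the sign-in risk condition.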
Role-Based Access with Least Privilege
```bash
# Create a custom role with specific permissions.
# Reading blob content is a data-plane operation, so it belongs under dataActions only;
# assignableScopes limits where the definition may be assigned, and the assignment itself
# is then scoped to the individual container.
az role definition create \
  --role-definition '{
    "Name": "Storage Blob Reader - Specific Container",
    "IsCustom": true,
    "Description": "Can read from specific container only",
    "Permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        ],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/xxx/resourceGroups/my-rg"
    ]
  }'
```
Microsoft Defender Integration
Security Posture Management
```bash
# Enable Microsoft Defender CSPM (the pricing tier flag is --tier)
az security pricing create \
  --name CloudPosture \
  --tier Standard

# Enable Microsoft Defender for Storage
az security pricing create \
  --name StorageAccounts \
  --tier Standard

# Enable Microsoft Defender for SQL
az security pricing create \
  --name SqlServers \
  --tier Standard
```
Threat Protection
```json
{
  "securityContact": {
    "email": "security@company.com",
    "phone": "+1-555-0100",
    "alertNotifications": {
      "state": "On",
      "minor": "On",
      "critical": "On"
    }
  },
  "alertSuppressions": {
    "suppressionRules": [
      {
        "name": "Dev environment suppression",
        "state": "Enabled",
        "suppressionAlerts": [
          "Suspicious PowerShell"
        ],
        "resourceGroups": ["rg-dev"]
      }
    ]
  }
}
```
Implementation Roadmap
Migration Phases
Zero Trust implementation phases:

Phase 1: Assess (Weeks 1-4)
- Inventory all resources and connections
- Identify sensitive data and workloads
- Assess current security controls
- Define Zero Trust target state

Phase 2: Foundation (Weeks 5-12)
- Enable Microsoft Entra ID P2
- Deploy Conditional Access policies
- Implement MFA for all users
- Enable device compliance (Intune)
- Configure private endpoints

Phase 3: Network (Weeks 13-20)
- Deploy Azure Firewall / WAF
- Implement network segmentation
- Configure NSG rules with deny-by-default
- Enable NSG flow logs
- Deploy DDoS protection

Phase 4: Apps & Data (Weeks 21-28)
- Enable Defender for all resources
- Implement Key Vault with CMK
- Configure data encryption at rest
- Enable Azure Purview for classification
- Implement API security policies

Phase 5: Monitor & Optimize (Ongoing)
- Configure security dashboards
- Establish alert workflows
- Regular security reviews
- Continuous improvement
Best Practices
Implementation Checklist
| Practice | Description |
|---|---|
| Deny by default | All traffic blocked unless explicitly allowed |
| Micro-segment | Isolate workloads with fine-grained rules |
| Encrypt everywhere | TLS in transit, encryption at rest (customer-managed keys where required) |
| Identity-first | Every access requires authentication |
| Monitor continuously | Real-time visibility into traffic |
| Least privilege | Grant minimum necessary permissions |
Security Monitoring
```json
{
  "Microsoft Defender for Cloud": {
    "securityScores": {
      "monitor": [
        "Network Access",
        "Identity Security",
        "Data Protection",
        "Application Security",
        "Endpoint Security"
      ]
    },
    "alerts": {
      "severity": ["High", "Critical"],
      "notification": {
        "email": "soc@company.com",
        "webhook": "https://sentinel.azure.com/webhook"
      }
    }
  }
}
```
Related Topics
- Key Vault Governance — Secrets management
- Microsoft Defender for Cloud — Security monitoring
- Compliance as Code — Policy enforcement