Overview – Apply Zero Trust principles to Azure networking
This series of articles helps you apply the principles of Zero Trust to your networking infrastructure in Microsoft Azure, based on a multi-disciplinary approach. Zero Trust is a security strategy. It isn't a product or a service, but an approach to designing and implementing the following set of security principles:
- Verify explicitly
- Use least privileged access
- Assume breach
Adopting the Zero Trust mindset of "assume breach, never trust, always verify" requires changes to cloud networking infrastructure, deployment strategy, and implementation.
The following articles show you how to apply a Zero Trust approach to networking for commonly deployed Azure infrastructure services:
- Encryption
- Segmentation
- Gain visibility into your network traffic
- Discontinue legacy network security technology
Important
This Zero Trust guidance describes how to use and configure several security solutions and features available on Azure for a reference architecture. Several other resources also provide security guidance for these solutions and features, including:
To describe how to apply a Zero Trust approach, this guidance targets a pattern that many organizations use in production: a virtual-machine-based application hosted in a VNet (an IaaS application). This pattern is common for organizations migrating on-premises applications to Azure, a move sometimes referred to as "lift-and-shift."
Threat Protection with Microsoft Defender for Cloud
For the Assume breach Zero Trust principle as applied to Azure networking, Microsoft Defender for Cloud is the cloud-native application protection platform (CNAPP) that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Azure environment. Defender for Cloud is intended to be used together with Microsoft Defender XDR, the extended detection and response (XDR) solution, to provide a greater breadth of correlated protection across your environment, as shown in the following diagram.
In the diagram:
- Defender for Cloud is enabled for a management group that includes multiple Azure subscriptions.
- Microsoft Defender XDR is enabled for Microsoft 365 apps and data, SaaS apps that are integrated with Microsoft Entra ID, and on-premises Active Directory Domain Services (AD DS) servers.
For more information about configuring management groups and enabling Defender for Cloud, see:
- Organize subscriptions into management groups and assign roles to users
- Enable Defender for Cloud on all subscriptions in a management group
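The two linked articles describe the procedure through the portal. As an added example (not code from the original article or from Microsoft's own guidance), the following Azure PowerShell script performs the same steps from the command line: it walks a management group recursively, collects every subscription under it, enables a set of Defender for Cloud plans on each one, and then reads the pricing state back to verify the change. The management group name `mg-zero-trust` and the plan list are placeholder assumptions chosen for the IaaS pattern this guidance targets; adjust both for your environment.

```powershell
# Added example (not from the original article): enable Defender for Cloud plans on
# every subscription under a management group and verify the result.
# Assumptions: you have already run Connect-AzAccount with a principal that holds
# Owner or Security Admin at the management group scope; the group name and the plan
# list below are placeholders.
#Requires -Modules Az.Accounts, Az.Resources, Az.Security

$managementGroup = 'mg-zero-trust'   # placeholder management group name

# Plan names as accepted by Set-AzSecurityPricing. 'Standard' turns the Defender plan
# on; 'Free' leaves only the foundational posture recommendations.
$plans = @('VirtualMachines', 'StorageAccounts', 'KeyVaults', 'Arm', 'CloudPosture')

# Walk the management group tree (child groups included) and return subscription IDs.
function Get-SubscriptionIdsUnderManagementGroup {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-AzManagementGroup -GroupName $GroupName -Expand -Recurse
    $ids   = New-Object System.Collections.Generic.List[string]
    $stack = New-Object System.Collections.Stack
    foreach ($child in $group.Children) { $stack.Push($child) }
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        if ($node.Type -like '*subscriptions') {
            $ids.Add($node.Name)   # for a subscription child, Name is the subscription ID
        } else {
            foreach ($child in $node.Children) { $stack.Push($child) }
        }
    }
    return $ids
}

# Enable the requested plans on one subscription, then read the state back rather than
# trusting that the write succeeded.
function Enable-DefenderPlans {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string[]]$PlanNames
    )
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    foreach ($plan in $PlanNames) {
        Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
    }
    Get-AzSecurityPricing |
        Where-Object { $PlanNames -contains $_.Name } |
        Select-Object @{ n = 'Subscription'; e = { $SubscriptionId } }, Name, PricingTier
}

$report = foreach ($id in (Get-SubscriptionIdsUnderManagementGroup -GroupName $managementGroup)) {
    Enable-DefenderPlans -SubscriptionId $id -PlanNames $plans
}
$report | Format-Table -AutoSize

# Any plan still reported as Free after the run is a coverage gap to investigate
# (typically a missing role assignment on that subscription).
$gaps = $report | Where-Object PricingTier -ne 'Standard'
if ($gaps) {
    Write-Warning 'Defender plans not enabled on some subscriptions:'
    $gaps | Format-Table -AutoSize
}
```

Because Defender for Cloud plans are set per subscription, a management-group-level rollout is only as complete as the role assignments that let the script switch context into each subscription; the verification step at the end surfaces subscriptions where the write silently did not take effect.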
Additional resources
See these additional articles for applying Zero Trust principles to Azure IaaS: