Network Security¶

Section: 5-security-architecture
Document: Network Security
Status: Network Layer Security Documentation
Audience: DevOps, network engineers, security teams

🎯 Overview¶

MachineAvatars implements network-level security controls using Azure infrastructure to protect against unauthorized access, DDoS attacks, and network-based threats.

Infrastructure: Azure Cloud (Central India primary)
Network Isolation: Virtual Networks (VNets)
Firewall: Azure Firewall + Network Security Groups
DDoS Protection: Azure DDoS Protection Standard

🌐 Network Architecture¶

Azure Virtual Network (VNet)¶

graph TB
    subgraph "Internet"
        USERS[Users/Clients]
        ATTACKERS[Potential Attackers]
    end

    subgraph "Azure DDoS Protection"
        DDOS[DDoS Protection<br/>Standard Tier]
    end

    subgraph "Azure Firewall"
        FW[Azure Firewall<br/>Rules Engine]
    end

    subgraph "Application Gateway"
        APPGW[Application Gateway<br/>WAF Enabled]
    end

    subgraph "Virtual Network (VNet)"
        subgraph "Frontend Subnet"
            FE[Next.js Frontend<br/>App Service]
        end

        subgraph "Backend Subnet"
            GW[Gateway Service<br/>8000/9000]
            BE[Backend Services<br/>23 microservices]
        end

        subgraph "Data Subnet"
            DB[(MongoDB<br/>Cosmos DB)]
            VDB[(Milvus<br/>Vector DB)]
        end
    end

    subgraph "Private Endpoints"
        PE[Private Endpoints<br/>No Public Access]
    end

    USERS --> DDOS
    ATTACKERS -.-> DDOS
    DDOS --> FW
    FW --> APPGW
    APPGW --> FE
    FE --> GW
    GW --> BE
    BE --> PE
    PE --> DB
    PE --> VDB

    style DDOS fill:#FFE082
    style FW fill:#FFCDD2
    style APPGW fill:#E3F2FD
    style PE fill:#C8E6C9

VNet Configuration:

Address Space: 10.0.0.0/16
Subnets:
Frontend: 10.0.1.0/24
Backend: 10.0.2.0/24
Data: 10.0.3.0/24 (private)
DNS: Azure DNS
Peering: None (single VNet deployment)

🔥 Firewall Rules¶

Azure Firewall Configuration¶

Inbound Rules:

Priority	Name	Action	Source	Destination	Port	Protocol
100	Allow HTTPS	Allow	Any	Frontend	443	TCP
110	Allow HTTP Redirect	Allow	Any	Frontend	80	TCP
200	Deny All Other	Deny	Any	Any	*	*

Outbound Rules:

Priority	Name	Action	Source	Destination	Port	Protocol
100	Allow Azure Services	Allow	Backend	Azure Services	*	*
110	Allow OpenAI API	Allow	Backend	*.openai.azure.com	443	HTTPS
120	Allow Together AI	Allow	Backend	api.together.xyz	443	HTTPS
130	Allow Groq API	Allow	Backend	api.groq.com	443	HTTPS
140	Allow Email Service	Allow	Backend	*.communication.azure.com	443	HTTPS
200	Deny All Other	Deny	Any	Any	*	*

Network Security Groups (NSGs)¶

Frontend Subnet NSG:

{
  "securityRules": [
    {
      "name": "AllowHTTPS",
      "priority": 100,
      "direction": "Inbound",
      "access": "Allow",
      "protocol": "Tcp",
      "sourcePortRange": "*",
      "destinationPortRange": "443",
      "sourceAddressPrefix": "*",
      "destinationAddressPrefix": "*"
    },
    {
      "name": "AllowHTTP",
      "priority": 110,
      "direction": "Inbound",
      "access": "Allow",
      "protocol": "Tcp",
      "sourcePortRange": "*",
      "destinationPortRange": "80",
      "sourceAddressPrefix": "*",
      "destinationAddressPrefix": "*"
    },
    {
      "name": "DenyAllInbound",
      "priority": 4096,
      "direction": "Inbound",
      "access": "Deny",
      "protocol": "*",
      "sourcePortRange": "*",
      "destinationPortRange": "*",
      "sourceAddressPrefix": "*",
      "destinationAddressPrefix": "*"
    }
  ]
}

Backend Subnet NSG:

{
  "securityRules": [
    {
      "name": "AllowFrontendToBackend",
      "priority": 100,
      "direction": "Inbound",
      "access": "Allow",
      "protocol": "Tcp",
      "sourceAddressPrefix": "10.0.1.0/24",
      "destinationPortRange": "8000-8100",
      "destinationAddressPrefix": "10.0.2.0/24"
    },
    {
      "name": "DenyInternetInbound",
      "priority": 200,
      "direction": "Inbound",
      "access": "Deny",
      "protocol": "*",
      "sourceAddressPrefix": "Internet",
      "destinationAddressPrefix": "*"
    }
  ]
}

🛡️ DDoS Protection¶

Service: Azure DDoS Protection Standard
Coverage: All public IP addresses
Protection Types:

Volumetric attacks (UDP floods, amplification attacks)
Protocol attacks (SYN floods, fragmented packet attacks)
Resource layer attacks (HTTP floods)

Traffic Baseline:

Automatic learning of normal traffic patterns
Real-time threat mitigation
Attack analytics and reporting

Mitigation Policies:

Threshold: Automatically calculated per resource
Action: Traffic scrubbing + rate limiting
Duration: Until attack subsides

Monitoring:

# Azure CLI - Check DDoS events
az network ddos-protection show \
  --resource-group machineavatars-rg \
  --name machineavatars-ddos

🔒 IP Whitelisting (Enterprise)¶

Availability: Premium Plan only
Use Case: Restrict access to corporate IP ranges

Configuration¶

Azure App Service IP Restrictions:

{
  "ipSecurityRestrictions": [
    {
      "ipAddress": "203.0.113.0/24",
      "action": "Allow",
      "priority": 100,
      "name": "Acme Corp Office",
      "description": "Head office IP range"
    },
    {
      "ipAddress": "198.51.100.50/32",
      "action": "Allow",
      "priority": 110,
      "name": "VPN Gateway",
      "description": "Corporate VPN exit IP"
    },
    {
      "ipAddress": "0.0.0.0/0",
      "action": "Deny",
      "priority": 2147483647,
      "name": "Deny All",
      "description": "Deny all other IPs"
    }
  ]
}

Frontend Application:

// Additional validation in frontend (optional)
const ALLOWED_IP_RANGES = ["203.0.113.0/24", "198.51.100.50/32"];

function isIPAllowed(clientIP: string): boolean {
  // Check if client IP is in allowed ranges
  return ALLOWED_IP_RANGES.some((range) => ipInRange(clientIP, range));
}

Benefits:

Prevent unauthorized access outside corporate network
Compliance requirement for some industries
Reduce attack surface

🌍 Private Endpoints¶

Purpose: Access Azure services without public internet exposure

MongoDB (Cosmos DB) Private Endpoint¶

# Create private endpoint
az network private-endpoint create \
  --name machineavatars-mongodb-pe \
  --resource-group machineavatars-rg \
  --vnet-name machineavatars-vnet \
  --subnet data-subnet \
  --private-connection-resource-id /subscriptions/.../Microsoft.DocumentDB/databaseAccounts/machineavatars-mongodb \
  --group-id MongoDB \
  --connection-name mongodb-connection

Benefits:

No public IP exposure
Traffic stays within Azure backbone
Better security posture

Current Status: ⏳ Planned for production

🔐 VPN & Secure Access¶

Site-to-Site VPN (Enterprise)¶

Use Case: Connect on-premise data center to Azure

graph LR
    subgraph "On-Premise"
        CORP[Corporate Network]
        VPN_GATEWAY[VPN Gateway]
    end

    subgraph "Azure"
        AZURE_VPN[Azure VPN Gateway]
        VNET[Virtual Network]
    end

    CORP --> VPN_GATEWAY
    VPN_GATEWAY -.IPsec Tunnel.-> AZURE_VPN
    AZURE_VPN --> VNET

    style VPN_GATEWAY fill:#FFE082
    style AZURE_VPN fill:#E3F2FD

Configuration:

Protocol: IPsec/IKE
Encryption: AES-256
Authentication: Pre-shared key + certificates
Bandwidth: Up to 10 Gbps

Point-to-Site VPN (Developers)¶

Use Case: Remote developer access to internal resources

# Create P2S VPN
az network vnet-gateway create \
  --name machineavatars-vpn-gateway \
  --resource-group machineavatars-rg \
  --vnet machineavatars-vnet \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1

Client Configuration:

Download VPN client from Azure portal
Install certificate
Connect to Azure VNet
Access backend services securely

📊 Network Monitoring & Logging¶

Azure Network Watcher¶

Features Enabled:

Network performance monitoring
Connection troubleshooting
Packet capture
NSG flow logs
Traffic analytics

Flow Logs Configuration:

{
  "enabled": true,
  "storageAccountId": "/subscriptions/.../microsoft.storage/storageaccounts/machineavatarslogs",
  "retentionPolicy": {
    "days": 90,
    "enabled": true
  },
  "format": {
    "type": "JSON",
    "version": 2
  },
  "trafficAnalytics": {
    "enabled": true,
    "workspaceId": "...",
    "workspaceRegion": "centralindia"
  }
}

Sample Flow Log:

{
  "time": "2025-01-15T10:30:00.000Z",
  "sourceIP": "203.0.113.50",
  "destinationIP": "10.0.2.10",
  "sourcePort": 52341,
  "destinationPort": 8000,
  "protocol": "TCP",
  "flowState": "Allowed",
  "packetsSent": 1250,
  "bytesSent": 3840000
}

🚨 Security Alerts¶

Azure Security Center Alerts:

Suspicious Inbound Traffic
Alert when unusual traffic patterns detected
Action: Investigate source IP, block if malicious
Port Scanning Detected
Alert on port scan attempts
Action: Automatically block source IP
Brute Force Attack
Alert on multiple failed login attempts from single IP
Action: Rate limiting + IP block
DDoS Attack
Alert when DDoS protection activates
Action: Monitor mitigation, scale resources if needed

✅ Network Security Best Practices¶

Implemented¶

✅ VNet isolation
✅ NSG rules (least privilege)
✅ DDoS Protection Standard
✅ HTTPS enforcement
✅ Azure Firewall
✅ Network monitoring & logging

Planned¶

⏳ Private endpoints for databases (Q1 2025)
⏳ Site-to-Site VPN (Enterprise, Q2 2025)
⏳ Web Application Firewall (WAF) - Q1 2025
⏳ Azure Front Door (CDN + DDoS) - Q2 2025

Security:

Authentication & Authorization - Application-layer security
API Security - API-level protection
Encryption - TLS configuration

Infrastructure:

System Architecture - Overall architecture

"Defense in depth starts at the network layer." 🔐🌐