Monitoring for suspicious network activity in Microsoft Azure

ylwong

Below is a comprehensive solution design for monitoring suspicious network activity on 29 Azure VMs behind 10 WAF instances, with Azure AD Identity Protection for 100 users—all aligned to ISO 27001 requirements. Following the design, you will find estimated monthly pricing for the Southeast Asia (Singapore) region.

1. Solution Architecture Overview

The key pillars of this architecture are:

Microsoft Defender for Cloud (Azure Security Center)
Azure Firewall (with Threat Intelligence)
Azure DDoS Protection Standard
Network Security Group (NSG) Flow Logs & Traffic Analytics
Web Application Firewall (WAF) on Azure Application Gateway or Azure Front Door
Azure Sentinel (SIEM)
Azure AD Identity Protection
Incident Response & Governance

Below is how each component fits into the security stack:

1.1 Microsoft Defender for Cloud

Microsoft Defender for Servers:
- Monitors the 29 Azure VMs for operating system-level threats, vulnerabilities, and suspicious activity (e.g., malware, abnormal processes).
- Provides vulnerability assessment, file integrity monitoring, and Just-In-Time (JIT) VM access.
- Integrates security alerts into Azure Sentinel.
Microsoft Defender for SQL (Optional if you have SQL databases on these VMs or Azure SQL):
- Protects your SQL environment from common attack vectors (SQL injections, suspicious login patterns).
Compliance Dashboard:
- Enables you to track ISO 27001 compliance posture for each resource.

1.2 Azure Firewall with Threat Intelligence

Azure Firewall:
- Centrally enforces inbound and outbound traffic policies for your VMs and subnets.
- Integrates with Microsoft Threat Intelligence to block known malicious IPs and domains in real time.
- Generates Firewall logs (sent to Log Analytics / Azure Sentinel).
Threat Intelligence Mode:
- Can be set to Alert or Deny.
- Recommended to start with Alert and then move to Deny once your baseline is established.

1.3 Azure DDoS Protection Standard

Protects publicly exposed endpoints—such as public IPs on load balancers or application gateways—from volumetric and protocol-based DDoS attacks.
Provides real-time mitigation and DDoS attack analytics.

1.4 Network Security Group (NSG) Flow Logs & Traffic Analytics

NSG Flow Logs:
- Enable for each subnet or VM NSG.
- Records inbound/outbound traffic and provides visibility into source/destination IP, ports, and protocols.
- Stored in Azure Storage or Log Analytics.
- Used by Traffic Analytics to highlight top talkers, traffic hotspots, and potential threats.

1.5 Web Application Firewall (WAF)

Azure WAF is typically deployed on either:
- Azure Application Gateway (layer 7 load balancer), or
- Azure Front Door (global edge network).
Use Cases:
- Protects web workloads from common exploits (SQL injection, Cross-Site Scripting).
- Enforces OWASP core rule sets and custom rules.
- Generates WAF logs which feed into Sentinel.
Multiple Instances:
- You’ve indicated 10 WAF instances. This could be multiple App Gateway WAF deployments or Front Door WAF for each major web application/environment.

1.6 Azure Sentinel (SIEM)

Data Collection:
- Ingest logs from:
- Azure Firewall
- NSG Flow Logs
- WAF logs
- Microsoft Defender alerts
- DDoS Protection logs
- Azure AD sign-in logs (including Identity Protection alerts)
Analytics & Hunting:
- Built-in queries to detect anomalies: unusual login behavior, large data exfiltration, port scans, etc.
- Custom detection rules aligned with ISO 27001 incident detection controls.
Incident Management:
- Investigate alerts in Sentinel’s Investigation Graph.
- Use Workbooks for compliance and security dashboards.
Automation (Playbooks):
- Automatically block IP addresses in NSGs, send notifications to Slack/Teams, or force password reset via Logic Apps integration.

1.7 Azure AD Identity Protection

100 Azure AD Identities:
- Detects and alerts on suspicious sign-ins (impossible travel, unfamiliar locations, known compromised credentials).
- Enforce Conditional Access to require Multi-Factor Authentication (MFA) for risky sign-ins.
- Optional Just-In-Time (JIT) access for privileged roles using Privileged Identity Management (PIM).

1.8 Incident Response & Governance

Continuous Audit:
- Regularly review Microsoft Defender for Cloud security recommendations.
- Run ISO 27001 compliance checks in the Regulatory Compliance dashboard.
Incident Response Runbooks:
- Document escalation paths, severity classification, and specialized playbooks in Sentinel.
- Conduct regular tabletop exercises to ensure readiness.

2. Estimated Monthly Pricing (Southeast Asia / Singapore)

Important: All pricing below is approximate and subject to change. Actual costs depend on resource size, usage, data ingestion volume, and Azure discounts/enterprise agreements. Always validate final pricing in the Azure Pricing Calculator.

2.1 Compute (29 Azure VMs)

The exact cost depends on the VM size (CPU/RAM), OS type (Windows vs. Linux), and usage patterns. Below is an example using a moderate D2s v4 (2 vCPU, 8GB RAM) running 24/7:

D2s v4 in Southeast Asia:
- Approx. \$120 USD/month per VM (Linux OS; Windows would add extra licensing).
- For 29 VMs: 29 × \$120 ≈ \$3,480/month

If you are running larger VM sizes, or if they are Windows-based, costs will be higher.

2.2 Microsoft Defender for Servers (Plan 2)

\$15 per VM per month
For 29 VMs: 29 × \$15 = \$435/month

Plan 2 is the fully-featured tier, including advanced threat detection, vulnerability assessment, file integrity monitoring, and JIT VM access.

2.3 Azure Firewall

Base Deployment Cost: ~\$1.25/hour = \$900–\$950/month
Data Processed: \$0.016/GB (varies with your traffic volume)

A safe estimate for a moderately utilized Azure Firewall (without massive data throughput) is around \$1,200–\$1,400/month total.

Let’s assume \$1,300/month as a ballpark.

2.4 Azure DDoS Protection Standard

Standard Plan typically: \$2,944/month per protected environment (covers all public IPs in that region).

2.5 Network Security Group (NSG) Flow Logs + Traffic Analytics

NSG Flow Logs: _\$0.50 per million flow records. Actual cost depends on the volume of traffic.
Log Analytics ingestion cost: _\$2.30–\$2.76 per GB ingested (depends on Pay-As-You-Go or commitment tier).
Traffic Analytics: \$0.10 per GB processed after the first 5GB.

For a moderate environment of 29 VMs, you might estimate \$100–\$200/month for NSG Flow Logs (storage + analytics), but it can be higher depending on traffic volume.

2.6 Web Application Firewall (WAF)

You noted 10 WAF instances. WAF is available on:

Azure Application Gateway v2 (WAF SKU)
- Base cost (e.g., _\$0.368/hour)
- WAF surcharge (_\$0.25/hour)
- Capacity unit charges (depends on traffic)

A single Application Gateway WAF instance can cost around \$400–\$600/month for low-to-moderate traffic. For 10 instances, the total can be in the range of:

10 × \$400 = \$4,000/month (lower estimate)
Could be higher if each WAF instance sees significant traffic or if you choose larger SKUs.

2.7 Azure Sentinel

Azure Sentinel pricing is primarily driven by how much data you ingest. The base ingestion rate in the Southeast Asia region is roughly:

Log Analytics: \$2.30–\$2.76 per GB ingested (Pay-As-You-Go).
Azure Sentinel “attached” cost: \$2.50 per GB (approximately)

In practice, many organizations opt for a capacity reservation if ingesting large amounts of data. A few reference points:

100 GB/month ingestion: ~\$500–\$700 total
500 GB/month ingestion: ~\$2,500–\$3,500 total
1 TB/month ingestion: ~\$5,000–\$6,500 total

For a moderate environment (29 VMs + Firewall + WAF + NSG logs), you could easily ingest a few hundred GB/month. We’ll estimate \$1,000–\$2,000/month for a smaller to medium environment. It can be substantially higher if you keep detailed logs from every service 24/7.

2.8 Azure AD Identity Protection

Requires Azure AD Premium P2 licenses for each user.
Typical price: \$6–\$9 per user/month (depends on direct Azure subscription vs. Enterprise Mobility + Security (EMS E5) or Microsoft 365 E5).

Assuming direct Azure licensing at \$6 per user/month:

100 users × \$6 = \$600/month.

3. Approximate Monthly Cost Summary

Below is a rough monthly total, assuming moderate usage and typical licensing in the Southeast Asia (Singapore) region:

| Service | Monthly Estimate |
|-------------------------------------|----------------------------------|
| 29 Azure VMs (D2s v4, Linux) | \$3,480 |
| Microsoft Defender for Servers | \$435 |
| Azure Firewall | \$1,300 |
| Azure DDoS Protection Standard | \$2,944 |
| NSG Flow Logs + Traffic Analytics | \$100–\$200 (assume \$150) |
| Web Application Firewall (10x) | \$4,000 (approx. \$400 each) |
| Azure Sentinel (data ingestion) | \$1,000–\$2,000 (assume \$1,500) |
| Azure AD Identity Protection | \$600 |
| Total (Approx.) | \$14,409/month (mid-range) |

Again, actual costs can vary significantly based on:

VM size (Windows vs. Linux, more CPU/RAM)

Data ingestion volumes in Sentinel, Firewall, NSG Flow Logs

WAF traffic (capacity units)

Whether you’re on a CSP/Enterprise Agreement with negotiated rates

4. Implementation Steps

Onboard VMs to Microsoft Defender for Cloud
- Enable Defender for Servers for all 29 VMs.
- Set vulnerability scanning and JIT VM access.
Deploy Azure Firewall
- Create a dedicated Firewall subnet in your Virtual Network.
- Configure routing (UDRs) so inbound and outbound traffic passes through the Firewall.
- Enable Threat Intelligence (set to Alert/Deny).
Enable DDoS Protection Standard
- Associate the DDoS protection plan with the VNet containing the public IPs.
Configure NSG Flow Logs & Traffic Analytics
- Enable Flow Logs for each NSG.
- Store in Log Analytics (or Azure Storage) for ingestion into Sentinel.
Set Up WAF Instances (10)
- Deploy either Application Gateway WAF v2 or Azure Front Door WAF (depending on your architecture).
- Enable custom WAF rules, logging, and integration to Sentinel.
Integrate Everything into Azure Sentinel
- Connectors: Azure Firewall, WAF, NSG Flow Logs, Defender for Servers, DDoS, Azure AD, etc.
- Configure alerts, incidents, and run Playbooks (Logic Apps) for automated response.
Azure AD Identity Protection
- Purchase/Assign Azure AD Premium P2 licenses to the 100 users.
- Enable Risk Policies (sign-in risk, user risk).
- Integrate alerts into Sentinel.
Ongoing Management & Incident Response
- Review security recommendations in Microsoft Defender for Cloud.
- Use Sentinel Workbooks for ongoing compliance tracking (ISO 27001).
- Conduct regular incident response drills.

5. Key Takeaways & Next Steps

Start Small & Scale:
- Initially enable logging with minimal retention to gauge data ingestion before scaling up Sentinel capacity.
- Gradually move Azure Firewall Threat Intelligence from Alert to Deny mode.
Budget Monitoring:
- Set up Azure Cost Management alerts to avoid unexpected overages.
- Consider capacity reservations for Sentinel/Log Analytics if your ingestion grows large.
Security Governance:
- Align all policies and processes with ISO 27001’s Annex A controls (access control, incident management, logging & monitoring, etc.).
- Keep an up-to-date Statement of Applicability for each control.

By implementing the above solution, you will have a robust, layered security monitoring and threat detection strategy in Azure—fully supporting your ISO 27001 compliance requirements.

Final Note on Pricing

All figures given are estimates; real-world monthly costs may be lower or higher depending on actual consumption, negotiated Azure rates, VM sizes, and the complexity of your workloads. Always utilize the Azure Pricing Calculator or your Azure portal’s Cost Management for the most accurate, up-to-date cost projections.

ylwong

Short Answer:
Yes, you can integrate Azure WAF (e.g., Application Gateway WAF or Azure Front Door WAF) with Cloudflare. You would place Cloudflare in front (for DNS, basic DDoS, caching) and configure its proxy to forward traffic to your Azure WAF endpoint. The WAF would then perform deeper Layer 7 inspection before finally forwarding traffic to your VMs.

How the Integration Works

DNS & Proxy at Cloudflare
- Your domain’s DNS is managed by Cloudflare.
- Cloudflare proxies requests from the internet, providing basic DDoS protection and optional caching.
Traffic Flows to Azure WAF
- Cloudflare forwards the HTTP/HTTPS traffic to the public IP or frontend of your Azure WAF (e.g., Application Gateway, Front Door).
- The Azure WAF enforces OWASP rules, custom rules, and any threat intelligence checks you have configured.
- Key Consideration: Make sure to preserve client IP addresses via X-Forwarded-For headers so you can properly log and enforce any source-based rules.
Azure WAF to Your Backend VMs
- After inspection, the WAF routes requests to the backend pool (your Azure VMs hosting the web app/API).
Response Path
- The response returns from the VMs → to the WAF → to Cloudflare → and back to the client.

Configuration Steps

Cloudflare
- DNS Settings: Keep the “Proxy” (orange cloud) enabled so Cloudflare is actively proxying traffic.
- Page Rules/Transform Rules (Optional): If you have advanced configurations, ensure they don’t conflict with Azure WAF rules.
Azure WAF (Application Gateway or Front Door)
- Frontend Hostname: Configure a custom domain or direct IP.
- Listener & Routing Rules:
  - Create a listener on port 80/443.
  - Point the backend pool to your Azure VMs or a load balancer containing the VMs.
- WAF Policy:
  - Enable the OWASP core rule set (CRS).
  - Add custom rules based on your application’s needs.
- Check X-Forwarded-For: Confirm that your logs show the true client IP from Cloudflare’s X-Forwarded-For header.
SSL/TLS Considerations
- End-to-End Encryption:
  - (a) Cloudflare to WAF: You can have Cloudflare re-encrypt traffic to the WAF with an SSL certificate.
  - (b) WAF to VMs: Configure an internal TLS certificate if you need end-to-end encryption behind the WAF.
- Certificate Management:
  - Keep an SSL certificate on Cloudflare and an SSL certificate on the Azure WAF.
Testing & Tuning
- Perform test requests to confirm you see the correct client IP in the logs.
- Verify that Cloudflare caching or rewrite rules don’t interfere with the WAF detection logic.

Benefits & Caveats

Benefits
- Layered Security: Cloudflare handles basic DDoS and caching, while Azure WAF applies detailed application-layer filtering.
- Better Visibility: Azure WAF logs let you detect and block OWASP threats (SQL injection, XSS, etc.).
- Scalability: Both Cloudflare and Azure scale automatically to handle surges.
Caveats
- Double Proxy: You have two layers of proxies (Cloudflare + Azure WAF). This can introduce added complexity for debugging network issues.
- Cost: You are paying for both Cloudflare (if you’re on any paid tier) and Azure WAF.
- IP Address Handling: Ensure your Azure WAF logs show real client IP addresses, not just Cloudflare’s IP.
- Rule Overlap: If you eventually enable Cloudflare WAF, ensure rules don’t conflict or cause double blocking.

Conclusion

Yes, you can run both Cloudflare (for DNS and basic DDoS/caching) and Azure WAF (for deep Layer 7 protection) in tandem. Ensure you configure SSL properly, preserve client IP addresses via headers, and tune your WAF policies to avoid false positives. This approach gives you a layered security model that helps protect against a wide variety of threats while giving you advanced visibility and control in Azure.