only certain traffic to flow to the internal network. Then OS instances themselves
have their own firewall, but that’s about it. The reality is that once something bad
makes its way onto the network, its lateral movement is fairly simple. SDNv2 adds
many layers of security to help prevent this lateral movement, as shown in Figure
3.35.
Figure 3.35 Security layers with SDNv2
SDNv2 adds three more layers of protection. First, using virtual networks
provides isolation between networks, which by itself limits the ability of malware and
other types of attacks to traverse the network. Next, SDNv2 includes a datacenter
firewall that, through the use of policies, enables further segmentation of the virtual
network by strictly controlling which traffic can flow between virtual subnets and even
to specific virtual machine NICs (vmNICs). Additionally, virtual appliances can be used
to supplement security through third-party technologies, such as other types of traffic
inspection or filtering implementations, which are placed in the data path through the
use of customized routing (user-defined routing).
The datacenter firewall is not an edge device, as its name may lead you to believe.
Instead it is a set of technologies that implements a firewall enforced at the VMSwitch
as traffic attempts an ingress or egress from a connected vmNIC. This firewall uses a
set of policies (ACLs) distributed from a component called the Distributed Firewall
Manager, which is part of the Network Controller. If you have used Network Security
Groups in Azure, this is the SDNv2 equivalent and works in exactly the same way,
with exactly the same set of properties and keywords. It is a stateful firewall: if a
connection is allowed inbound, the outbound response will be allowed. Each policy
consists of the following:
- A name
- A five-tuple set: destination port range, destination IP range using CIDR notation,
  source port range, source IP range using CIDR notation, and protocol (TCP, UDP, or *).
  There are also special tags for certain types of resources.
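The following is an added example (not code from the book or from Windows Server) that models how a vmNIC-level policy set built from the name and five-tuple described above is evaluated, including the stateful behaviour where the reply to an allowed connection passes without its own policy. The policy names, the subnets, the flows, and the assumption that a flow matching no policy is dropped are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclPolicy:
    """One datacenter firewall policy: a name plus the five-tuple from the text."""
    name: str
    dst_ports: tuple      # (low, high), inclusive
    dst_cidr: str         # destination IP range in CIDR notation
    src_ports: tuple
    src_cidr: str         # source IP range in CIDR notation
    protocol: str         # "TCP", "UDP" or "*" (any)

    def matches(self, flow):
        src_ip, src_port, dst_ip, dst_port, proto = flow
        return (self.protocol in ("*", proto)
                and self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1]
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_cidr)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_cidr))

class VmNicFirewall:
    """Simplified model of enforcement at the VMSwitch port of one vmNIC.
    Assumption (not stated in the text): a flow matching no policy is dropped."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.replies = set()  # reverse tuples of allowed connections (stateful table)

    def check(self, direction, flow):
        """direction is 'ingress' (into the VM) or 'egress' (out of the VM)."""
        if flow in self.replies:
            return True, "stateful reply"
        for policy in (self.inbound if direction == "ingress" else self.outbound):
            if policy.matches(flow):
                src_ip, src_port, dst_ip, dst_port, proto = flow
                self.replies.add((dst_ip, dst_port, src_ip, src_port, proto))
                return True, policy.name
        return False, "no matching policy"

def demo():
    """Constructed policies for a web-tier vmNIC in 10.0.2.0/24 and a few sample flows."""
    fw = VmNicFirewall(
        inbound=[AclPolicy("AllowHttpsFromFrontend", (443, 443), "10.0.2.0/24",
                           (0, 65535), "10.0.1.0/24", "TCP")],
        outbound=[AclPolicy("AllowDnsToInfra", (53, 53), "10.0.0.0/16",
                            (0, 65535), "10.0.2.0/24", "UDP")])
    return {
        "https_in":   fw.check("ingress", ("10.0.1.15", 51000, "10.0.2.10", 443, "TCP"))[0],
        "https_reply": fw.check("egress", ("10.0.2.10", 443, "10.0.1.15", 51000, "TCP"))[0],
        "rdp_lateral": fw.check("ingress", ("10.0.1.15", 52000, "10.0.2.10", 3389, "TCP"))[0],
        "dns_out":    fw.check("egress", ("10.0.2.10", 55000, "10.0.0.4", 53, "UDP"))[0],
        "dns_external": fw.check("egress", ("10.0.2.10", 56000, "8.8.8.8", 53, "UDP"))[0],
    }
```

The reply to the allowed HTTPS connection passes on egress even though no outbound policy permits TCP, while the lateral RDP attempt and the DNS query outside 10.0.0.0/16 are dropped.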