# Network Security Group (NSG), Firewall and DDoS Protection

## Defense in Depth

The concept is to enforce security at every layer of your application.

## Security Layers

* `Data` - e.g. virtual network endpoint
* `Application` - e.g. API Management
* `Compute` - e.g. limit Remote Desktop access, Windows Update
* `Network` - e.g. NSG, use of subnets, deny by default
* `Perimeter` - e.g. DDoS, firewalls
* `Identity & access` - e.g. Azure AD
* `Physical` - e.g. door locks and key cards

## Network Security Group (NSG)

![](https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2FcmZXINlk2M7bSvFuzCsi%2Fimage.png?alt=media\&token=b400d02e-3a26-448a-9b12-89bc4fdfef1c)

* Basically a collection of ports that are allowed
* An NSG is a very simplistic set of rules
* When used right, you can turn off a lot of access
* Deny by default
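
How these rules behave in practice, as an added example that is not part of the original notes: a small Python model of NSG inbound evaluation (lowest priority number first, first match wins, with the built-in `DenyAllInBound` rule at priority 65500 as the deny-by-default backstop). The rule names, addresses and simplified field names are constructed for illustration; protocol, service tags and the other built-in default rules are left out.

```python
import ipaddress

# Constructed sample rules with simplified field names (not Azure's exact schema).
RULES = [
    {"name": "allow-https", "priority": 100, "access": "Allow",
     "source": "*", "ports": "443"},
    {"name": "allow-rdp-from-admin", "priority": 200, "access": "Allow",
     "source": "203.0.113.0/24", "ports": "3389"},
    {"name": "deny-rdp", "priority": 300, "access": "Deny",
     "source": "*", "ports": "3389"},
    {"name": "allow-app-range", "priority": 400, "access": "Allow",
     "source": "*", "ports": "3000-4000"},
]

# Built-in catch-all that every NSG ends with: this is "deny by default".
DEFAULT_DENY = {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
                "source": "*", "ports": "*"}


def port_matches(spec, port):
    """spec is '*', a single port ('443') or a range ('3000-4000')."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def source_matches(spec, ip):
    """spec is '*' or a CIDR prefix (service tags are not modelled)."""
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(rules, src_ip, dst_port):
    """Return (access, rule_name) for an inbound connection attempt."""
    # Lowest priority number is checked first; the first matching rule decides.
    for rule in sorted(rules + [DEFAULT_DENY], key=lambda r: r["priority"]):
        if source_matches(rule["source"], src_ip) and port_matches(rule["ports"], dst_port):
            return rule["access"], rule["name"]


if __name__ == "__main__":
    for src, port in [("198.51.100.7", 443), ("203.0.113.10", 3389),
                      ("198.51.100.7", 3389), ("198.51.100.7", 22)]:
        print(src, port, evaluate(RULES, src, port))
```

Removing `deny-rdp` from this set leaves port 3389 allowed from any source through the broad `allow-app-range` rule, which is why wide port ranges are worth reviewing.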

## Azure Firewall

![](https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2FZ5uAKabP2hUQU1aVyCjt%2Fimage.png?alt=media\&token=937800a2-7590-4891-9fc5-992c5be71353)

* More of an intelligent device that analyzes incoming traffic
* Looks for certain bad patterns
* Example: block SQL injection and XSS attacks

## Azure DDoS Protection

![](https://3885248957-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoE4wMO1dMVDOGDjh0En7%2Fuploads%2FPtTrqPqcpSc2YYznRA0V%2Fimage.png?alt=media\&token=56bc0df5-137a-49a5-9996-ee0d1d38ece7)
