Azure NAT Gateway for Security - Coffee with Conrad
This recap covers an episode of Agile IT's Coffee with Conrad, where scenarios were explored illustrating how Azure NAT Gateway can facilitate IP whitelisting for secure access to sensitive infrastructure by remote workers using Windows Virtual Desktop...

_This is a recap of an episode of Agile IT's Coffee with Conrad, in which we worked through a couple of scenarios where Azure NAT Gateway can provide IP whitelisting for remote workers in Windows Virtual Desktop who need to reach sensitive infrastructure._
It's worth examining how Microsoft technology can help organizations change how they work during the COVID-19 response. More and more teams are working remotely, which means there's an increased need to communicate and reach resources remotely as well. You'll need tools in place that make life easier for your remote workforce, and Azure Network Address Translation (NAT) Gateway is one of them.
When Windows Virtual Desktop is deployed, Microsoft runs the desktop infrastructure and you deploy your tools to shared virtual machines (the session hosts). When those desktops need to reach on-premises resources for apps or other business purposes, you can connect the WVD virtual network to your own network with a site-to-site VPN. There's another scenario, though, that shows up as soon as people work from Windows Virtual Desktop (WVD), whether they are employees or contractors: when they go out to the Internet, the traffic leaves through a public IP address that Azure assigns dynamically to that virtual network, and that address can change. Most of the time, that isn't a problem.
The problem arises when team members working in WVD need access to resources such as another customer's environment. What if they need a remote desktop session or a web VPN, or the other side wants to whitelist them? What if people on the desktop need to reach specific web-based environments that hold critical information (financial information, government data, and so on)? You'll need the ability to define the IP address they come from. Azure NAT Gateway provides that capability.
Why Should I Use This?
Think of Azure NAT Gateway as a tool that provides a single, fixed external IP address, shared among all the resources in a subnet. The reasons you'd want this include whitelisting, reaching external resources that restrict access by source address, and auditing.
For these purposes, Azure NAT Gateway is a pretty fantastic resource. You attach it to the subnet your WVD session hosts live in (a subnet can have only one NAT gateway, though one gateway can serve several subnets of the same virtual network). Once that's set up, the only thing that really changes is that outbound Internet traffic from those hosts is source-translated to one fixed public IP address shared among all of them; the gateway handles outbound connections only and does not expose the hosts to inbound traffic. It functions the same way it would at a corporate office behind a firewall. WVD now has a fixed IP address you can give a vendor who holds sensitive data: it's essentially a whitelist IP address. If you're accessing a customer's environment, you can provide them with one fixed address to allow.
With Azure NAT Gateway, you're able to say to your own team: "Whenever we access customer resources that need whitelisting, we'll do it through WVD." You can whitelist any source you need to. From an auditing perspective, it also gives customers a single, known address to audit your access against.
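As an added example (not code from the episode or from Agile IT), this is how the setup above looks with the Az PowerShell module: a Standard static public IP, a NAT gateway backed by it, and the gateway attached to the subnet that holds the WVD session hosts. The resource group, region, network and subnet names are assumptions; substitute your own.

```powershell
# Added example: give the WVD session-host subnet one fixed outbound IP.
# Requires the Az module and an existing Connect-AzAccount session.
# All names and the region below are assumptions.
$rg         = "rg-wvd"
$location   = "westus2"        # NAT gateway must be in the same region as the VNet
$vnetName   = "vnet-wvd"
$subnetName = "snet-wvd-hosts" # the subnet the session hosts live in

# 1. A Standard-SKU static public IP: this is the address you hand to vendors.
$pip = New-AzPublicIpAddress -Name "pip-nat-wvd" -ResourceGroupName $rg `
    -Location $location -Sku Standard -AllocationMethod Static

# 2. The NAT gateway itself, backed by that IP.
$nat = New-AzNatGateway -Name "nat-wvd" -ResourceGroupName $rg -Location $location `
    -Sku Standard -PublicIpAddress $pip -IdleTimeoutInMinutes 10

# 3. Attach it to the session-host subnet. A subnet can have at most one NAT
#    gateway; the same gateway may also be attached to other subnets in this VNet.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NatGateway $nat | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. The address every session host will now present to the outside world.
"Fixed outbound IP for $subnetName : $($pip.IpAddress)"
```

Once the subnet update completes, outbound connections from the session hosts use the NAT gateway in preference to any other outbound method on that subnet. Confirm it from inside a session host by checking your public address against a what-is-my-IP service, and only then give the address to the vendor.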
How Azure NAT Gateway Can Work for External Contractors
Azure NAT Gateway, combined with conditional access, lets you control who has access to your resources and where they can access them from.
Azure NAT Gateway is particularly useful for companies that work with contractors. Let's say, for example, you have a team of contractors who work interchangeably with your internal team and use the same resources. You want to give them full access to Office 365, but only when they're using WVD. You can set that up with an Azure AD Conditional Access policy: for a given group of people (in this case, the contractors you've identified), block access to everything unless the sign-in comes from a trusted named location, and register the NAT gateway's fixed IP address as that trusted location (Intune device compliance can be layered on as a further condition). This constrains access to approved individuals coming from the approved environment.
You might even say that Azure NAT Gateway helps set up a virtual office, in the sense that resources are accessed from a single location. For example, if you store financial information, you can protect it with a conditional access rule so that only sign-ins from the right location get in. Once WVD sits behind a fixed IP address you can reference in conditional access, you control who can reach that specific information.
If someone isn't coming from the approved environment, you can require multi-factor authentication before they're granted access. Conversely, if users come through WVD, you can fast-track them. If they don't, you add more rules and challenge them to prove their identity. It's all about adding security that protects the data without putting obstacles in front of people who have already been verified by arriving from a trusted location.
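As an added example (not from the episode; Conditional Access is an Azure AD feature, so the Microsoft Graph PowerShell SDK is used here rather than Intune), this registers the NAT gateway's address as a trusted named location and creates the two policies described above: contractors are blocked everywhere except WVD, and everyone else gets MFA whenever they are not coming from WVD. The IP address, the contractor group's object ID and the policy names are assumptions. Both policies are created in report-only mode so you can review the sign-in logs before enforcing them.

```powershell
# Added example: trusted named location + two Conditional Access policies.
# Requires the Microsoft.Graph PowerShell SDK. All IDs and names are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$natGatewayIp      = "203.0.113.10"                          # assumed NAT gateway IP (TEST-NET-3)
$contractorGroupId = "00000000-0000-0000-0000-000000000001"  # assumed group object ID

# 1. Trusted named location: the single outbound IP of the WVD subnet.
$wvdLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "WVD NAT Gateway"
    isTrusted     = $true
    ipRanges      = @(@{
        "@odata.type" = "#microsoft.graph.iPv4CidrRange"
        cidrAddress   = "$natGatewayIp/32"
    })
}

# 2. Contractors: block every cloud app unless the sign-in comes from WVD.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Contractors - WVD only"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users        = @{ includeGroups = @($contractorGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($wvdLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
} | Out-Null

# 3. Everyone else: MFA outside WVD. Sign-ins from the trusted location are
#    excluded from the policy entirely, which is the "fast track" described above.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "MFA outside WVD"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($contractorGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($wvdLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
} | Out-Null
```

Before moving either policy out of report-only mode, exclude at least one emergency-access (break-glass) account from both of them; a policy that blocks "All" applications for a group will otherwise lock out anyone whose device fails to reach WVD, including the administrator who needs to fix it.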
How Does Azure NAT Gateway Work With Other Microsoft Security Tools?
Azure has many components you can layer on top of this. You can insert Azure Firewall into the outbound path for filtering. Within the virtual network you can set up network security groups with their own restrictions, and stack further layers on top if you choose to. Azure Firewall logs can feed into Azure Sentinel or any other Security Information and Event Management (SIEM) system.
Will You Have to be Concerned With Download or Upload Capacity?
No more than you usually would. All of Microsoft's network traffic handling is software-defined, so going out through the gateway works the same as before, except that the shared IP address is now fixed. One thing to keep an eye on is SNAT port usage: each public IP address attached to the gateway gives it roughly 64,000 source ports to share among all the session hosts, so a busy host pool that opens many concurrent connections to the same destination can run short; if that happens, you can attach additional public IP addresses to the gateway.
In short, Azure NAT Gateway removes one security concern, especially when external contractors access your resources. As working remotely becomes more important, Azure NAT Gateway can help support a stronger virtual office environment. The shift from office to remote work isn't going anywhere, so you'll want as many tools as you can get to support that adjustment. Azure NAT Gateway is one of those tools.