Part 4: Connecting the Dots — Azure Networking & Security

Building CloudVault’s Secure Infrastructure


The Security Audit

Week four. The compliance team schedules a security audit. Marcus realizes they need to think seriously about network security, secrets management, and access control.

“Right now, everything is accessible from the internet,” says the security lead. “That’s a problem. We need to segment our network, control access, and manage secrets properly.”

Marcus nods. This is critical infrastructure work. One misconfiguration could expose customer data. He needs to design a secure, multi-tier architecture.


Azure Virtual Networks (VNets)

A Virtual Network (VNet) is your private network in Azure. It’s isolated from the public internet and other VNets (unless you explicitly connect them).

Creating a VNet

# Create the VNet with a /16 address space
az network vnet create \
  --resource-group rg-cloudvault-prod \
  --name vnet-cloudvault \
  --address-prefix 10.0.0.0/16
# Web tier subnet
az network vnet subnet create \
  --resource-group rg-cloudvault-prod \
  --vnet-name vnet-cloudvault \
  --name subnet-web \
  --address-prefix 10.0.1.0/24
# Data tier subnet
az network vnet subnet create \
  --resource-group rg-cloudvault-prod \
  --vnet-name vnet-cloudvault \
  --name subnet-data \
  --address-prefix 10.0.2.0/24

Network Security Groups (NSGs)

An NSG is a firewall that controls inbound and outbound traffic.

Creating NSGs

# Create an NSG for the web tier
az network nsg create \
  --resource-group rg-cloudvault-prod \
  --name nsg-web
# Allow HTTPS from the internet
az network nsg rule create \
  --resource-group rg-cloudvault-prod \
  --nsg-name nsg-web \
  --name AllowHTTPS \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes "*" \
  --destination-port-ranges 443
# Create an NSG for the data tier
az network nsg create \
  --resource-group rg-cloudvault-prod \
  --name nsg-data
# Allow SQL traffic only from the web tier (the subnet-web address range)
az network nsg rule create \
  --resource-group rg-cloudvault-prod \
  --nsg-name nsg-data \
  --name AllowSQLFromWeb \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes "10.0.1.0/24" \
  --destination-port-ranges 1433
# Attach each NSG to its subnet; a rule set has no effect until it is attached
az network vnet subnet update \
  --resource-group rg-cloudvault-prod \
  --vnet-name vnet-cloudvault \
  --name subnet-web \
  --network-security-group nsg-web
az network vnet subnet update \
  --resource-group rg-cloudvault-prod \
  --vnet-name vnet-cloudvault \
  --name subnet-data \
  --network-security-group nsg-data
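Before the audit, it is worth verifying that the rules actually enforce the two-tier design rather than trusting the commands ran as intended. The following Python check is an added example, not code from the CloudVault series: it runs over a constructed sample in the shape of `az network nsg rule list -o json` (keyed here by NSG name, with one deliberately bad rule) and flags inbound Allow rules that open admin or database ports to any source, or that let anything other than subnet-web reach the data tier.

```python
import json

# Constructed sample in the shape of `az network nsg rule list -o json`, keyed by NSG name.
SAMPLE_RULES = json.dumps({
    "nsg-web": [
        {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp",
         "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    ],
    "nsg-data": [
        {"name": "AllowSQLFromWeb", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp",
         "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "1433"},
        {"name": "AllowRDPAny", "priority": 110, "direction": "Inbound",  # the bad rule
         "access": "Allow", "protocol": "Tcp",
         "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    ],
})

ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}      # prefixes meaning "from anywhere"
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}   # admin and database listeners
WEB_SUBNET = "10.0.1.0/24"                       # subnet-web, the only allowed data-tier source

def port_bounds(spec):
    """'443' -> (443, 443); '1000-2000' -> (1000, 2000); '*' -> (0, 65535)."""
    if spec == "*":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def opens_sensitive_port_to_any(rule):
    """True if the rule's source is 'anywhere' and its port range covers a sensitive port."""
    if rule["sourceAddressPrefix"] not in ANY_SOURCE:
        return False
    lo, hi = port_bounds(rule["destinationPortRange"])
    return any(lo <= p <= hi for p in SENSITIVE_PORTS)

def audit(rules_json, data_tier_nsg="nsg-data"):
    """Return one finding string per inbound Allow rule that breaks the tiering design."""
    findings = []
    for nsg, rules in json.loads(rules_json).items():
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if rule["access"] != "Allow" or rule["direction"] != "Inbound":
                continue  # Deny and outbound rules do not widen inbound exposure
            src = rule["sourceAddressPrefix"]
            if opens_sensitive_port_to_any(rule):
                findings.append(f"{nsg}/{rule['name']}: sensitive port open to any source")
            elif nsg == data_tier_nsg and src != WEB_SUBNET:
                findings.append(f"{nsg}/{rule['name']}: data tier reachable from {src}")
    return findings
```

Feed it the real output of `az network nsg rule list --nsg-name nsg-data -o json` (wrapped under the NSG name) and an empty findings list is the result you want before the compliance team arrives.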

Azure Key Vault

Azure Key Vault is a secure store for secrets, keys, and certificates. Instead of hardcoding passwords, store them in Key Vault.

Creating a Key Vault

# Create the vault; enabling RBAC authorization is what makes the
# "Key Vault Secrets User" role assignment below actually take effect
az keyvault create \
  --resource-group rg-cloudvault-prod \
  --name kv-cloudvault \
  --location eastus \
  --enable-rbac-authorization true
# Store a secret
az keyvault secret set \
  --vault-name kv-cloudvault \
  --name "db-password" \
  --value "ComplexPassword123!"
# Retrieve a secret (prints only the value)
az keyvault secret show \
  --vault-name kv-cloudvault \
  --name "db-password" \
  --query value -o tsv

Accessing Key Vault from Java

Add dependencies:

<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-security-keyvault-secrets</artifactId>
  <version>4.7.0</version>
</dependency>
<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-identity</artifactId>
  <version>1.10.0</version>
</dependency>

Configure:

import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeyVaultConfig {

    // DefaultAzureCredential uses the App Service Managed Identity in Azure
    // and the developer's az login or environment variables locally.
    @Bean
    public SecretClient secretClient() {
        return new SecretClientBuilder()
            .vaultUrl("https://kv-cloudvault.vault.azure.net/")
            .credential(new DefaultAzureCredentialBuilder().build())
            .buildClient();
    }
}

Use in your application:

import com.azure.security.keyvault.secrets.SecretClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
public class SecretsService {

    @Autowired
    private SecretClient secretClient;

    // Fetches the latest version of the named secret from Key Vault
    public String getSecret(String secretName) {
        return secretClient.getSecret(secretName).getValue();
    }

    public String getDatabasePassword() {
        return getSecret("db-password");
    }
}

Azure AD & Role-Based Access Control (RBAC)

Azure Active Directory (AD) manages user identities and access. RBAC controls what authenticated users can do.

Creating Service Principals

A service principal is an identity for your application.

# Creates the service principal and prints its appId, tenant and a client secret
az ad sp create-for-rbac \
  --name "cloudvault-app" \
  --role "Contributor" \
  --scopes "/subscriptions/{subscription-id}/resourceGroups/rg-cloudvault-prod"

Assigning RBAC Roles

# Grant the app access to Key Vault (secrets read only, scoped to this one vault).
# If the display name does not resolve, pass the appId or object id printed by
# create-for-rbac as --assignee instead.
az role assignment create \
  --assignee "cloudvault-app" \
  --role "Key Vault Secrets User" \
  --scope "/subscriptions/{subscription-id}/resourceGroups/rg-cloudvault-prod/providers/Microsoft.KeyVault/vaults/kv-cloudvault"

Managed Identity

In App Service, use Managed Identity to authenticate without storing credentials:

# Enable a system-assigned Managed Identity on your App Service
az webapp identity assign \
  --resource-group rg-cloudvault-prod \
  --name api-cloudvault-prod
# The command prints the identity's principalId; grant that identity
# "Key Vault Secrets User" on kv-cloudvault (as in the RBAC step above)
# so DefaultAzureCredential can read secrets with no stored credential.

Encryption

Always encrypt data in transit and at rest.

Encryption in Transit

Use HTTPS/TLS for all communication:

# Create a certificate in Key Vault
az keyvault certificate create \
  --vault-name kv-cloudvault \
  --name "cloudvault-cert" \
  --policy @cert-policy.json
# Import the Key Vault certificate into App Service, then bind it with SNI
az webapp config ssl import \
  --resource-group rg-cloudvault-prod \
  --name api-cloudvault-prod \
  --key-vault kv-cloudvault \
  --key-vault-certificate-name "cloudvault-cert"
az webapp config ssl bind \
  --resource-group rg-cloudvault-prod \
  --name api-cloudvault-prod \
  --certificate-thumbprint "<thumbprint>" \
  --ssl-type SNI

Encryption at Rest

Azure encrypts data at rest by default using Microsoft-managed keys. For sensitive data, use customer-managed keys.


Marcus’s Security Architecture

After designing the network and security layers, Marcus implements:

  1. VNet with subnets — Web tier and data tier separated
  2. NSGs — Strict firewall rules, principle of least privilege
  3. Key Vault — All secrets stored securely
  4. Managed Identity — App Service authenticates without credentials
  5. RBAC — Each service has minimal required permissions
  6. Encryption — HTTPS for transit, encryption at rest

“This architecture protects CloudVault’s data while keeping operations manageable,” Marcus explains. “We’ve implemented defense in depth.”


Key Takeaways

  • VNets provide network isolation; use subnets to segment by tier
  • NSGs enforce firewall rules; follow the principle of least privilege
  • Key Vault stores secrets securely; never hardcode credentials
  • Managed Identity authenticates without storing credentials
  • RBAC controls what services can access
  • Encryption protects data in transit and at rest

What’s Next?

Marcus has built a secure infrastructure. Now CloudVault wants to add intelligent features. In the next chapter, we’ll explore Azure’s AI services and integrate AI capabilities into CloudVault’s backend.

The fortress is built. Now let’s add intelligence.


This is Part 4 of a 6-part series: “The Azure Ascent: A Backend Engineer’s Journey to Cloud Mastery.”