Network Security - Deep Technical Explanation
Network security is the practice of protecting computer networks from unauthorized access, misuse, modification, or disruption.
For microservices on Azure VMs, Docker, Kubernetes, Redis, Kafka, and Keycloak, this is one of the most critical layers in the entire architecture.
First: What Is a Network Really?
A network consists of:
- Devices (servers, laptops, routers)
- IP addresses
- Ports
- Protocols (TCP/UDP)
- Switches and routers
- Firewalls
- DNS
- Public and private interfaces
If an attacker gains access at the network layer, application security will not matter.
Core Objectives of Network Security
- Confidentiality -> Prevent packet sniffing
- Integrity -> Prevent packet tampering
- Availability -> Prevent DDoS and flooding
Network Security Layers (Defense in Depth)
Internet -> Perimeter Firewall -> DMZ (Public Services) -> Internal Network -> Private Subnets -> Application Layer
1) Perimeter Security (Edge Protection)
This is the first line of defense.
Firewalls
Filter by source IP, destination IP, port, and protocol.
- Allow 443 (HTTPS)
- Block 22 (SSH) from public
- Allow SSH only from trusted IPs
Azure implementation: Network Security Groups (NSG).
Web Application Firewall (WAF)
Protects against SQL injection, XSS, and malicious payloads.
- For CRM, HRMS, and workflow services, place WAF in front.
- Use Nginx + WAF or Azure Application Gateway + WAF.
2) Network Segmentation (Very Important)
Segmentation means splitting the network into isolated zones so that a compromise in one zone does not give direct reach into the others.
Public Subnet
- Nginx
- Load Balancer
Private App Subnet
- NestJS services
- API Gateway
Private Data Subnet
- PostgreSQL
- Redis
- Kafka
If Redis is exposed publicly, an attacker can dump its in-memory data.
3) Port Security and Service Exposure
Every open port is an attack surface.
22 -> SSH
80 -> HTTP
443 -> HTTPS
5432 -> PostgreSQL
6379 -> Redis
9092 -> Kafka
8080 -> Keycloak
- Never expose DB ports publicly.
- Never expose Redis publicly.
- Never expose Kafka publicly.
- Only allow internal communication.
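An added example, not code from the original page: it models a simplified subset of Azure NSG inbound rules (priority order, first match wins, default DenyAllInBound when nothing matches) and reports which of the sensitive ports above an arbitrary public source could reach. Field names and both rule sets are constructed for illustration.

```python
from dataclasses import dataclass

# Ports the page says must never be reachable from the public internet.
SENSITIVE_PORTS = {22: "SSH", 5432: "PostgreSQL", 6379: "Redis", 9092: "Kafka", 8080: "Keycloak"}
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # prefixes that admit any public IP

@dataclass
class Rule:  # constructed subset of an Azure NSG inbound security rule
    name: str
    priority: int     # lower number is evaluated first; first match wins
    access: str       # "Allow" or "Deny"
    source: str       # address prefix, e.g. "*", "Internet", "10.0.1.0/24"
    dest_ports: str   # "443", "3000-6500", "*", or a comma-separated list

def port_in_range(port: int, spec: str) -> bool:
    """True if `port` falls inside an NSG destination-port spec."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def public_exposure(rules: list[Rule]) -> dict[int, str]:
    """Return {port: rule_name} for each sensitive port that any public IP can reach.
    A rule scoped to one public /32 is not counted as general exposure."""
    exposed = {}
    for port in SENSITIVE_PORTS:
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.source in PUBLIC_SOURCES and port_in_range(port, rule.dest_ports):
                if rule.access == "Allow":
                    exposed[port] = rule.name
                break  # first matching rule decides; a Deny ends the search
    return exposed

# Constructed rule sets: a broad app-port range that silently swallows the
# PostgreSQL and Redis ports, and a Kafka Allow shadowed by an earlier Deny.
BAD_RULES = [
    Rule("allow-https", 100, "Allow", "Internet", "443"),
    Rule("allow-app-range", 200, "Allow", "*", "3000-6500"),
    Rule("deny-kafka", 300, "Deny", "Internet", "9092"),
    Rule("allow-kafka-later", 310, "Allow", "Internet", "9092"),  # never reached
]
GOOD_RULES = [
    Rule("allow-https", 100, "Allow", "Internet", "443"),
    Rule("allow-ssh-bastion", 110, "Allow", "10.0.0.4/32", "22"),  # trusted IP only
]

if __name__ == "__main__":
    for port, rule in sorted(public_exposure(BAD_RULES).items()):
        print(f"EXPOSED {SENSITIVE_PORTS[port]} ({port}) via rule {rule}")
```

Run against BAD_RULES it flags PostgreSQL and Redis as exposed through the broad range rule; GOOD_RULES produces no findings.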
4) Encryption in Transit
Without encryption, packets can be sniffed (for example via Wireshark).
- TLS/SSL for Browser <-> Server, API <-> API, Service <-> DB.
- In Kubernetes, use mTLS and service mesh (Istio or Linkerd).
5) Intrusion Detection and Prevention
- IDS detects suspicious traffic.
- IPS blocks malicious traffic automatically.
- Examples: Snort, Suricata, cloud-native monitoring.
6) DDoS Protection
A Distributed Denial of Service attack floods a service with massive volumes of requests from many sources in order to exhaust its resources.
- Rate limiting
- Load balancers
- Auto scaling
- CDN (Cloudflare)
- Azure DDoS Protection
7) Secure Routing and VPN
- Use a VPN for Azure VM, cluster, and DB access.
- Use a bastion host.
- Disable public SSH.
8) Zero Trust Network Model (Modern)
- Old model: Inside network = safe.
- Modern model: Trust nothing, verify everything.
- Every service must authenticate, authorize, and encrypt communication, even internal traffic.
9) Network Attacks Explained
- Man-in-the-Middle: attacker intercepts traffic.
- ARP Spoofing: attacker impersonates gateway.
- Packet Sniffing: captures unencrypted traffic.
- Port Scanning: finds open ports (for example with nmap).
- DNS Spoofing: redirects traffic to fake servers.
Real Example (Based on Your Stack)
Suppose NestJS on 3000, Redis on 6379, and PostgreSQL on 5432 are all publicly open.
An attacker can dump Redis, brute-force the database, inject payloads, and crash the infrastructure even without an application-level vulnerability.
Ideal Secure Architecture for Your SaaS
Internet -> Cloudflare (DDoS + WAF) -> Azure Load Balancer -> Nginx Reverse Proxy (443 only) -> Private Kubernetes Cluster -> Internal Services -> Private DB + Redis (No public IP)