惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Simon Willison's Weblog
Simon Willison's Weblog
T
Troy Hunt's Blog
L
Lohrmann on Cybersecurity
S
Schneier on Security
Spread Privacy
Spread Privacy
WordPress大学
WordPress大学
阮一峰的网络日志
阮一峰的网络日志
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
G
GRAHAM CLULEY
博客园 - 【当耐特】
有赞技术团队
有赞技术团队
SecWiki News
SecWiki News
博客园 - 叶小钗
博客园 - Franky
V
Vulnerabilities – Threatpost
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
O
OpenAI News
小众软件
小众软件
V
V2EX
N
News and Events Feed by Topic
T
The Exploit Database - CXSecurity.com
博客园 - 三生石上(FineUI控件)
The Hacker News
The Hacker News
Project Zero
Project Zero
The Last Watchdog
The Last Watchdog
雷峰网
雷峰网
Google Online Security Blog
Google Online Security Blog
T
Tailwind CSS Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
量子位
D
Docker
Recent Announcements
Recent Announcements
T
Threat Research - Cisco Blogs
P
Privacy International News Feed
爱范儿
爱范儿
PCI Perspectives
PCI Perspectives
Jina AI
Jina AI
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
大猫的无限游戏
大猫的无限游戏
V2EX - 技术
V2EX - 技术
H
Hackread – Cybersecurity News, Data Breaches, AI and More
The Register - Security
The Register - Security
T
The Blog of Author Tim Ferriss
博客园 - 聂微东
Cloudbric
Cloudbric
S
Security Affairs
F
Fortinet All Blogs

Megaport Blog

A Guide to NAT Gateway A Guide to Cloud Storage How the Data Center Is Evolving in 2026 What to Expect When Attending Your First Network Operator Group (NOG) Nine Ways to Connect to Cloud Using Private Connectivity Migrate Your On-premises to the Cloud: A Step-by-Step Guide How to Lower Your Egress Fees in 2026 How to Achieve Data Sovereignty in Europe Cisco and Megaport: Redefining the Edge of Modern Networking How to Reduce Latency in Your Multicloud Environment Introducing Megaport High-Speed Cross-Cloud Encryption Are Businesses Leaving the Cloud? Using Meraki and Megaport Virtual Edge for Multicloud Networking Equinix Metal® is Going Away: Here’s What You Can Do Introducing Megaport On-ramp as a Service Megaport’s Full Solution Portfolio Is Coming to India New Bare-metal GPU Instance Now Available with NVIDIA RTX Pro 6000 A Look Back at 2025: Megaport's Biggest Updates Megaport Expands Into India With Strategic Acquisition of Extreme IX Your 2026 Predictions From AWS re:Invent 2025 What’s Next for NaaS? Top Trends for 2026 What is IPsec? When to Move From Public Internet to Private Connectivity Megaport and Latitude.sh: Bringing Compute and Connectivity Together How to Improve Your Microsoft ExpressRoute Resilience with Megaport Connectivity Comparing Ways to Connect to AWS What is API-First Networking? The Hidden Cost of Running Cloud-Hosted SD-WAN for IaaS How to Overcome NaaS Integration Challenges Introducing SCION with Anapaya and Megaport How You Can Use Network as a Service (NaaS) to Future-Proof Your Network Introducing 400G Ports All the As-a-services, Compared Introducing Megaport IPsec Tunnels High Score: Megaport Hits 1,000 Locations A Guide to Colocation Data Centers Maximizing Peering Through Flow Analysis How to Build Resilient Networks for AI Production Workloads Introducing Packet Filtering on Megaport Cloud Router Building Resilient Government IT: Strategies for Secure, Compliant, and Scalable Connectivity Future-Proofing Government IT: Balancing Innovation, Security, and Sovereignty in a Changing World Telstra Programmable Network Is Being Discontinued. Here’s How to Migrate The Future of WAN Design Depends on Network as a Service (NaaS) Cisco Webex Edge Connect Launches on Megaport Voice and Video Exchange How to Prepare for APRA CPS 230 Regulations Comparing the SD-WAN Licensing Needs of Major Vendors A Guide to Improving Network Performance How Latitude.sh, Wasabi, and Megaport Unlock Cost-Effective Multicloud Four Ways to Connect Your Clouds SD-WAN and MPLS: Weighing the Similarities, Differences, and Benefits What is Network as a Service (NaaS)? How to Arrange Bilateral Peering Sessions Comparing Major SD-WAN Vendors Software Defined Networking in the Healthcare Industry Deploying A Global Network in Minutes With Megaport AWS Direct Connect Gateway (DGW) Data Transfer Outbound Rules Bilateral and Multilateral Peering: What’s the Difference? Multi-Region SD-WAN: Why Megaport SDCI is the Right Choice Building Production-Ready AI Infrastructure: How Megaport and Vultr Are Solving the Enterprise Challenge Introducing Megaport NAT Gateway A Guide to AWS Security Tools How to Deploy Amazon Bedrock Using AWS Direct Connect and Megaport Azure Private Link, Explained Introducing 100G MCRs Your Questions Answered on Simplifying Hybrid and Multicloud Network Connectivity How to Fix Poor AWS Latency A Look Back at 2024: Megaport’s Biggest Updates Your 2025 Predictions From AWS re:Invent 2024 Six Ways to Get a More Resilient Network in 2025 Multicloud Security: Challenges and Solutions The Real Cost of High Network Latency Why Brazil is Your Key to Unlocking Business Growth in Latin America Why You Need Integrated Network Security Six Key Differences Between Major Cloud Providers How to Automate Your Megaport Infrastructure With APIs Why Italy is Europe’s Next Cloud Expansion Hotspot How to Lower Your Cloud Costs Peering: How Local Is Local? Introducing Megaport AI Exchange Two Scenarios for Hybrid Multicloud Deployment With IBM Cloud and Microsoft Azure How to Connect Equinix and Digital Realty Megaport Enables Microsoft Azure ExpressRoute Metro for More Resilient Network Connectivity Executives, Here’s What Your Network Team Wants You to Know Easy Ways to Interconnect Your Network The Role of the Data Center in Your Network 100G VXC Expansion: Now Available From 597 Data Centers Worldwide Top 10 How-To Guides To Improve Your Network Comparing Encryption in Transit Options A Sustainable Business Strategy Starts With Your Network Solutions to Common API Issues With Megaport Transforming Financial Connectivity: Introducing Megaport Financial Services Exchange (FSX) Megaport Enhancing Connectivity in Adelaide Megaport’s Latest Portal Features and Functionalities Automate Your Network Deployments With The New Megaport Terraform Provider A Recap of the Megaport World Tour 2024 Top 5 Cloud and Networking Announcements From Cisco Live 2024 Megaport Enhancing Connectivity in Canberra AWS PrivateLink, Explained How Megaport and Wasabi Are Simplifying Cloud Storage Megaport Launches First AWS Direct Connect Network Service Offering on AWS Marketplace
Microsoft Azure is Going Secure by Default. Are You Ready?
Jason Bordujenko · 2025-02-19 · via Megaport Blog

By Jason Bordujenko, Global Head of Solutions Architects

Developers aren't lazy – but sometimes cloud service defaults can be. Here’s what to look out for, and how Azure is changing the game.

Let’s face it: Developers can sometimes be labeled as “laissez faire” when it comes to security. But is that really fair?

In reality, it’s not about being lax or lazy; it’s about the default configurations of many cloud services setting the security bar too low on initial deployment. When racing against the clock, it’s tempting to rely on these defaults, which can inadvertently open doors for malicious actors.

But as network attack surfaces grow wider from global expansions, edge integrations, and AI/ML, using these defaults puts more and more at stake.

In this blog, we’ll tell you what to look out for when it comes to cloud service defaults, how major players like Microsoft Azure are stepping up their security, and how you can keep up.

The problem with default security configurations

In the realm of cybersecurity, default configurations often prioritize ease of getting started over security, inadvertently creating vulnerabilities that can persist if left unmodified. Here are some notable examples of such “bar set too low” security defaults:

1. Unnecessarily opened ports: Sure, you can hit the web interface for the service, but what about the database ports? Do they really need to be world readable/writable?

2. Excessively lax permissions: Default settings might grant broader access than necessary, violating the principle of least privilege.

3. Revision fatigue: Failing to apply the latest security patches leaves these systems susceptible to exploits.

4. Disabled security features: Certain security features might be turned off by default to enhance performance or user experience. Worse yet, the dreaded line: “that might need a different license”.

And last, but not least:

5. Default credentials, default permissions, or default configuration settings: What’s the first userID/password combination you think of? Is it admin/admin? Services also may often run with elevated privileges or have overly permissive configurations, increasing the risk of an environment being exploited.

Azure’s secure-by-default networking: Don’t get caught out

Recognizing these challenges, Microsoft Azure is making some major changes to move towards what they are terming a secure-by-default deployment model, particularly in its networking components.

With a currently advertised commencement date of September 30, 2025, this shift will bring a major change to Azure networking with Microsoft removing default outbound internet access for newly deployed virtual machines.

That’s big news for those deploying on cloud. And it doesn’t stop there, with the additional announcement that legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies will also be deprecated on September 30. This means cloud engineers must migrate any legacy policies to a new converged authentication methods policy for Microsoft Entra ID. Thankfully, the deprecation for the IP addressing is slightly less onerous than the above.

Here’s the exact wording on the scope of the change:

“On September 30, 2025, Basic SKU public IPs will be retired. If you are currently using Basic SKU public IPs, make sure to upgrade to Standard SKU public IPs prior to the retirement date."

It’s not that scary, but there could certainly be implications for the scenario of “rolling over” any existing addressing under the Basic SKU, as well as the non-availability of the Basic SKU in favour of the Standard SKU going forward past that date.

In the following section of this blog, we’ll dive into the key logical drivers behind these substantial changes and what they might mean for you.

What makes a secure-by-default model?

Beyond the buzzwords, a secure-by-default model ensures that services and resources are provisioned with security configurations already in place, reducing the risk of misconfigurations.

Key aspects include:

  • Default security posture: Services are secure upon provisioning, minimizing the chance of misconfigurations.
  • Minimized attack surface: By disabling unnecessary features and enforcing strong authentication, network segmentation, and data protection, the potential entry points for attackers are reduced.
  • Ground up compliance: Default security settings often align with regulatory standards like ISO 27001 and PCI-DSS, simplifying compliance efforts.

The building blocks for secure by default on Azure

  1. Network Security Groups (NSGs): By default, NSGs are configured in a “deny all” manner with regards to inbound traffic, allowing only outbound communications unless address(es) are specifically added to an allow group. This minimizes exposure to potential threats in the out-of-box experience (OOBE).
  2. Azure Firewall: This managed, cloud-based network service built to protect Azure Virtual Network (or VNet) resources allows for centralized creation, enforcement, and logging of application and network connectivity policies across subscriptions and virtual networks. Azure Firewall operates at OSI layers 3, 4 and 7 – that is the network, transport and application layers.
  3. DDoS protection: Azure provides built-in Distributed Denial of Service (DDoS) protection to safeguard applications from overwhelming traffic flows, ensuring availability and resilience. There are three main types of attacks that the DDoS mitigation strategies defend against: Volumetric Attacks (e.g. UDP floods, amplification attacks), Protocol Attacks (e.g. SYN floors and reflection attacks) and Resource (or Application) Layer Attacks, which commonly compromise the upper layer protocols such as HTTP or SQL.

Diving deeper into default outbound access

In Azure, virtual machines (VMs) created in a virtual network without explicit outbound connectivity are assigned a default outbound public IP address. This IP address enables outbound internet connectivity, but can be subject to change and is not recommended for production workloads.

If you have existing VMs using default outbound access, they will continue to work after the scheduled change date and you will retain your Basic SKU IP addresses. However, it is strongly recommended to transition to an explicit method to avoid potential disruptions.

Let’s say you’re using a cloud-based security appliance that reaches out to the internet for threat intelligence feeds and other system updates. Unless you’re aware of the change and make an explicit connectivity configuration change, it’s likely your detection pipeline will stall and potentially leave your organization open to zero-day threats.

In order to ensure a smooth transition, Microsoft recommends using explicit outbound connectivity methods such as:

  • Azure NAT Gateway
  • Azure Load Balancer outbound rules
  • Enhanced Azure Firewall support
  • Directly attached Azure public IP addresses
  • Zone-redundant and zonal front ends for both inbound and outbound traffic.

Here’s a table that details the major changes, and availability of features between Basic and Standard SKU:

Public IP Address

Standard

Basic

Allocation method

Static

For IPv4: Dynamic or Static; For IPv6: Dynamic.

Idle Timeout

Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.

Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.

Security

Secure by default model and be closed to inbound traffic when used as a frontend. Allow traffic with network security group (NSG) is required (for example, on the NIC of a virtual machine with a Standard SKU Public IP attached).

Open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.

Availability zones

Supported. Standard IPs can be nonzonal, zonal, or zone-redundant. Zone redundant IPs can only be created in regions where 3 availability zones are live. IPs created before availability zones aren't zone redundant.

Not supported.

Routing preference

Supported to enable more granular control of how traffic is routed between Azure and the internet.

Not supported.

Global tier

Supported via cross-region load balancers.

Not supported.

The specific configuration of these Microsoft items is beyond the scope of this blog, but our Solutions team is more than happy to assist in advising the best path forward for your requirement.

The role of Megaport in enhancing network security

At Megaport, we understand the critical importance of secure network connectivity. Our Network as a Service (NaaS) platform offers private, scalable, and on-demand connectivity, enabling businesses to establish secure connections to Azure and other cloud providers in just a few clicks.

By leveraging Megaport services, organizations can further enhance their network security posture, ensuring that data traverses through secure, dedicated connections rather than the public internet.

Megaport NAT Gateway

If your business is running high-volume data migration/ingest pipelines, managing enterprise-scale cloud infrastructure, or otherwise dealing with large volumes (petabytes-per-month scale) of Network Address Translation (NAT) traffic, using Megaport NAT Gateway may well be worthy of your consideration. Consider the following potential benefits:

  • Scalable cost savings: The larger your NAT requirements, the greater the potential savings to be made. For example, a business currently using a cloud managed NAT gateway processing 1 petabyte of data a month can potentially save over $78,000, or 76% of its NAT bill, each month – translating to nearly $1 million in annual savings.
  • Reduce ingress and egress charges: Utilize Megaport’s cost-effective network backbone instead of paying hyperscaler rates.
  • High availability and scalability: Our solution is built to handle enterprise-scale workloads while maintaining network resilience, with 1,100 global locations and available bandwidth of up to 100G.
  • Flexibility to grow with you: With our vendor-neutral, scalable network underlay, you’re never locked into a single provider’s pricing and your network can simply grow right alongside your business needs.

For the most accurate savings estimate for your business, reach out through our NAT Gateway product page to get a personalized cost analysis. We can guide you through pricing and integration, and once you’ve decided on the perfect resilient design, we can deploy it within minutes.

Discover NAT Gateway