
Some quick background. We are a small company (13 employees, 6 of whom are IT/developers). Everyone works remotely and there is no central office. Our datacenter is only used for development and production environments. We do not use it for any internal company functions (e.g. only IT has VPN access to it currently, and we use things like Office365/OneDrive rather than a file server on our network). We develop, host, and sell a SaaS solution. We deal a bit with medical data (e.g. HIPAA and PHI), so we have gone through the process of getting HIPAA and NIST certified, which is very important to our customers.

Current Infrastructure

We have a half rack at a datacenter with clustered Hyper-V environment (3 physical servers connected to a Nimble SAN). Our environment consists of:

  1. pfSense perimeter firewall (OpenVPN configured as well as Snort for IDS/IPS)
  2. Redundant HAProxy using keepalived with SSL termination
  3. Two Windows 2008R2 VMs running IIS for our main application (Note: currently using Cloudflare Business which has a WAF)
  4. Two Windows 2012R2 VMs running SQL 2014 in an active/passive failover cluster.
  5. We also have a separate Dev VM, 2 AD VMs, and a DPM VM for backups, but I am not really concerned about those for this post; I just wanted to mention they exist.

We already use Azure storage for housing client documents as well as offsite backups. We also have a cold DR site configured in Azure consisting of three VMs (AD, Web, and DB) that, while minimal, would allow us to spin up our main infrastructure on Azure within a couple of hours.

Plan Forward

Our goal (ideally by the end of 2019) is to move out of the datacenter and into Azure. Our current hardware is aging and while showing no signs of failure (knock on wood), we want to get out of the datacenter arena of having to worry about physical equipment when a company like Microsoft (or Amazon/Google/etc) is far more capable of doing so. I have a decent idea in my head on how to make this work and have been playing with Azure over the last month to familiarize myself with the options.

From a high level standpoint, I am looking at something as simple as this deployment (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/basic-web-app) for our application. We considered a lift and shift approach of recreating our existing VMs directly in Azure but moving to PaaS is much more appealing from a maintenance standpoint. The main difference would be that we would be using the SQL Managed Instance for our database instead of a SQL Database. This architecture would be for our production environment only. For our development/QA environment, we would most likely deploy the same or a similar architecture in a separate Resource Group and vNet.

My biggest questions revolve around how/if a firewall fits in here. We get IT questionnaires and have to go through a full IT security audit with most of our clients. Here are a sample of the questions we get:

  • Are firewalls in use for all internal connections?
  • Are firewalls in use for all external connections?
  • Are firewalls used to segment internal networks?
  • Does the organization employ an intrusion detection (IDS) or intrusion prevention (IPS) system?

In basically all of the examples I have found so far, the recommended Azure deployments do not include anything firewall or IDS/IPS related. Is this pretty standard? I know that Azure Firewall exists, but at $900/month it doesn't seem worth it for the limited protection it provides on top of NSGs. I have started to look at the option of an NVA (specifically the Netgate pfSense one, because I am very familiar with pfSense), but I don't know if that is going to be overkill?

So, if you are still reading after the long-winded plan, I guess what I am asking is:

  1. Does it at least seem like I am on the right path forward? Or am I way off base?
  2. If we were to go forward with a deployment like the one mentioned above, how would you handle questions from clients regarding firewall and IDS/IPS?

KevinN

1 Answer

Security and compliance requirements for protected personally identifiable information (PII) are different than in less regulated industries (and especially compared to beginner tutorials with minimal security design). In addition to a breach betraying patient trust with very personal information, some jurisdictions impose penalties. In the USA, people tend to cite the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its rules on protected health information (PHI). Penalties can be assessed per record affected, and are worse if caused by neglect.


Firewall questions can start a conversation about your security controls. But they are not a complete security program.

Of course layer 4 firewalls should be in place to control by IP (in Azure, Application Security Group) and port. Also consider segmenting the network. There should be only authorized access to databases that contain PHI, and isolate test from production. Concepts of zero trust may be useful as inspiration. Have a way to prove the firewall rules implement your intent.

You also need ways to prevent and detect breaches. Say you have an API that is unthrottled and unaudited. Network level firewalls do not help when data is sucked out over port 443, which is open by design for authorized use.

Controls you can put on this include strong auditing capability in your application, and possibly IDS/IPS to inspect for bad behavior. The question is not just whether Azure Firewall is for you; it is how quickly you can show evidence of unauthorized access, how much data was exfiltrated, and who did it. If neither your applications nor Azure does this, consider third party products.

Oh, and email. How are you going to prevent users from sending patient IDs via email?

Physical security for the datacenter is taken care of by Azure. But do you enforce disk encryption for employee laptops? Those could get lost with PHI on them.


All this and more calls for a security program with a comprehensive risk management plan, strong processes that don't forget the basics, and leadership involvement. As an example of this defense in depth approach, have a look at SecurityMetrics' Guide to HIPAA Compliance.

Be honest with your clients and auditors. Admitting any gaps and offering alternative controls is more believable than claiming to do everything.

John Mahowald
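The answer's advice to "have a way to prove the firewall rules implement your intent" can be made concrete for NSGs. The following is an added example, not code from the question, the answer or Microsoft: it models Azure NSG evaluation (priority order, first match wins, plus the default `AllowVnetInBound` / `AllowAzureLoadBalancerInBound` / `DenyAllInBound` rules) and runs a list of intended flows against two candidate rule sets for the database subnet. The subnet ranges, rule names, the assumption that the dev VNet is peered to production (so the `VirtualNetwork` tag covers it), and the flows themselves are all assumptions made up for the example.

```python
"""Check Azure NSG rules against segmentation intent (added example; addresses,
rule names and peering are assumptions, not the poster's real environment)."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first, as in Azure
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", "Internet", "VirtualNetwork", "AzureLoadBalancer"
    dest: str          # CIDR, "*" or "VirtualNetwork"
    dest_port: str     # "443", "1433-1434" or "*"

PROD_VNET = "10.0.0.0/16"          # assumed production VNet
WEB_SUBNET = "10.0.1.0/24"         # assumed web tier
DB_SUBNET = "10.0.2.0/24"          # assumed database tier
DEV_VNET = "10.1.0.0/16"           # assumed dev/QA VNet, peered to prod
# The VirtualNetwork service tag covers the VNet and every peered VNet.
VIRTUAL_NETWORK = [PROD_VNET, DEV_VNET]
AZURE_LB_IP = "168.63.129.16"      # Azure load balancer / health probe address

def _addr_match(token, ip):
    addr = ipaddress.ip_address(ip)
    if token == "*":
        return True
    if token == "Internet":
        return not addr.is_private
    if token == "VirtualNetwork":
        return any(addr in ipaddress.ip_network(n) for n in VIRTUAL_NETWORK)
    if token == "AzureLoadBalancer":
        return ip == AZURE_LB_IP
    return addr in ipaddress.ip_network(token)

def _port_match(token, port):
    if token == "*":
        return True
    lo, _, hi = token.partition("-")
    return int(lo) <= port <= int(hi or lo)

# Default rules Azure appends to every NSG (simplified to inbound only).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

def evaluate(rules, direction, proto, src, dst, port):
    """Return 'Allow' or 'Deny' for one flow through a single NSG.
    Simplification: Azure also evaluates a NIC-level NSG if one is attached."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol != proto:
            continue
        if _addr_match(r.source, src) and _addr_match(r.dest, dst) and _port_match(r.dest_port, port):
            return r.access
    return "Deny"

# Intent for the DB subnet: only the web tier reaches SQL; nothing else gets in.
INTENT = [
    ("internet -> db sql", ("Inbound", "Tcp", "203.0.113.10", "10.0.2.4", 1433), "Deny"),
    ("web -> db sql",      ("Inbound", "Tcp", "10.0.1.4", "10.0.2.4", 1433), "Allow"),
    ("web -> db rdp",      ("Inbound", "Tcp", "10.0.1.4", "10.0.2.4", 3389), "Deny"),
    ("dev -> prod db sql", ("Inbound", "Tcp", "10.1.0.4", "10.0.2.4", 1433), "Deny"),
]

def check_intent(rules, intent=INTENT):
    """Return [(label, expected, actual)] for every flow whose outcome differs from intent."""
    return [(label, want, evaluate(rules, *flow))
            for label, flow, want in intent if evaluate(rules, *flow) != want]

# Naive DB NSG: one allow rule, relying on the defaults for everything else.
NAIVE_DB_NSG = [
    Rule("AllowWebToSql", 100, "Inbound", "Allow", "Tcp", WEB_SUBNET, DB_SUBNET, "1433"),
] + DEFAULT_RULES

# Hardened DB NSG: an explicit deny ahead of AllowVnetInBound closes the gap.
HARDENED_DB_NSG = [
    Rule("AllowWebToSql", 100, "Inbound", "Allow", "Tcp", WEB_SUBNET, DB_SUBNET, "1433"),
    Rule("DenyVnetInBound", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "*", "*"),
] + DEFAULT_RULES

if __name__ == "__main__":
    for name, nsg in (("naive", NAIVE_DB_NSG), ("hardened", HARDENED_DB_NSG)):
        print(name, "violations:", check_intent(nsg))
```

The naive rule set fails two of the four intended flows: the default `AllowVnetInBound` rule admits RDP from the web tier and SQL from the peered dev VNet, which is exactly the "isolate test from production" gap the answer warns about. Running a table like `INTENT` against every NSG, for instance from a deployment pipeline, is also something you can show an auditor when asked how you know the firewalls segment the network.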
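The answer's other point, that the firewall cannot tell you who pulled PHI over port 443, how much, or when, is what application-level audit logging answers. As an added illustration, not code from the post or from the poster's application, the block below processes constructed JSON-lines audit records (one line per API call, listing the patient IDs the call returned) and flags any user whose distinct-patient count inside a sliding window exceeds a threshold. The log format, the field names, the ten-minute window and the 100-patient limit are all assumptions for the example.

```python
"""Sliding-window bulk-access detection over application audit logs (added
example; the log format and thresholds are assumptions, not the OP's app)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed audit lines: alice does routine single-patient lookups,
    bob pulls 50 patients per call from a search route three minutes running."""
    lines = []
    for i in range(10):
        lines.append(json.dumps({
            "ts": f"2019-03-04T09:{i:02d}:01Z", "user": "alice",
            "src_ip": "198.51.100.7", "route": "GET /api/patients/{id}",
            "patient_ids": [f"p-{i}"]}))
    for m in range(5, 8):
        ids = [f"p-{1000 + (m - 5) * 50 + k}" for k in range(50)]
        lines.append(json.dumps({
            "ts": f"2019-03-04T09:{m:02d}:30Z", "user": "bob",
            "src_ip": "203.0.113.44", "route": "GET /api/patients/search",
            "patient_ids": ids}))
    return "\n".join(lines)

def find_bulk_access(lines, window_minutes=10, max_patients=100):
    """Return {user: summary} for users who touched more than max_patients
    distinct patients within any window_minutes span. The summary records
    who, how many records, from where, and the first/last timestamp."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[rec["user"]].append(rec)

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()                      # events inside the current window
        for rec in recs:
            recent.append(rec)
            while rec["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            seen = set().union(*(r["patient_ids"] for r in recent))
            if len(seen) > max_patients:
                summary = flagged.setdefault(user, {
                    "patients": set(), "src_ips": set(),
                    "first": recent[0]["ts"], "last": rec["ts"]})
                summary["patients"] |= seen
                summary["src_ips"] |= {r["src_ip"] for r in recent}
                summary["last"] = rec["ts"]
    return flagged

def report(flagged):
    """Render the evidence lines an incident responder or auditor would want."""
    return [f"{user}: {len(s['patients'])} patients from {sorted(s['src_ips'])} "
            f"between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}"
            for user, s in sorted(flagged.items())]

if __name__ == "__main__":
    for line in report(find_bulk_access(make_sample_log().splitlines())):
        print(line)
```

The detection itself is deliberately simple; the part that matters for the compliance questions is that the application emits a record per access with the patient identifiers involved, because without that field no amount of network inspection reconstructs "how much data was exfiltrated." Keeping the log output in a write-once store separate from the application's own database is what lets you trust it after a breach.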