📄️ Overview Network Pillar
Implementation Effort: High
📄️ Stop buying or building Active Directory dependent apps
Implementation Effort: Low
📄️ 002: Enable QuickAccess and Deploy Connectors
Implementation Effort: Medium
📄️ 003: Migrate key remote apps to QuickAccess & enable private DNS
Implementation Effort: Medium
📄️ 004: Secure remote app access with modern security controls (MFA/Device Trust)
Implementation Effort: Low
📄️ 005: Bring all legacy apps under full governance lifecycle
Implementation Effort: High
📄️ 006: Complete migration of apps to Private Access/App Proxy
Implementation Effort: Medium
📄️ 007: Header Decommission VPN infrastructure
Implementation Effort: Low
📄️ Design and Implement SDWAN capabilities
Implementation Effort: High
📄️ Roll out GSA client to all managed devices
Implementation Effort: Low
📄️ Discover App Usage and plan for App Segmentation
Implementation Effort: Medium
📄️ Define Segmentation Strategy
Implementation Effort: Medium
📄️ Rollout App Segments for Macro Segmentation
Implementation Effort: Medium
📄️ Secure sensitive legacy AppAccess with PIM
Implementation Effort: Low
📄️ Rollout / Implement Application Segments for Macro-segmentation based on business needs
Overview
📄️ Implement process level Microsegmentation
Overview
📄️ Implement DC Agent for Microsoft Entra Private Access
Overview
📄️ Define legacy protection and enforcement
Overview
📄️ Implement intelligent Local Access
Overview
📄️ Monitoring: Leverage and monitor Traffic Logging
Implementation Effort: Low
📄️ Monitoring: Review GSA Audit Logs
Implementation Effort: Medium
📄️ Monitoring: Export Traffic and Audit logs to external SIEM solution
Implementation Effort: Medium
📄️ Monitoring: Leverage GSA Azure Workbooks
Implementation Effort: Low
📄️ Monitoring: Leverage GSA Sentinel integration (MS Roadmap)
Overview
📄️ Monitoring: Monitor and scale out
Implementation Effort: Medium
📄️ Define your SaaS app and Internet Access protection policy
Implementation Effort: Medium
📄️ Base SWG: Onboard M365 traffic
Implementation Effort: Low
📄️ Base SWG: Update Conditional Access policies to leverage Compliant Network controls
Implementation Effort: Low
📄️ Base SWG: Review and Redesign existing Internet Access filtering policies
Implementation Effort: Medium
📄️ Base SWG: Onboard Internet Access Secure Web Gateway capabilities
Overview
📄️ Base SWG: Enable and configure URL Filtering capabilities (MS Roadmap)
Overview
📄️ Base SWG: Rollout advanced filtering and inspection (MS Roadmap)
Overview
📄️ Roll out GSA client to all managed devices
Implementation Effort: Low
📄️ Protect M365: Implement Universal Tenant Restrictions to protect Auth and Data Plane for M365
Implementation Effort: Medium
📄️ Protect M365: Enable GSA Signaling for Conditional Access
Implementation Effort: Low
📄️ Protect M365: Implement for Guest Access in AVD and W365 (MS Roadmap)
Overview
📄️ Advanced SWG: Enable and Configure TLS inspection
Overview
📄️ Advanced SWG: Enable and configure Network DLP capabilities (MS Roadmap)
Overview
📄️ Advanced SWG: Implement Threat Intelligence filtering (MS Roadmap)
Overview
📄️ Advanced SWG: Configure 3rd Party inspection capabilities - Advanced Threat Protection (ATP)
Implementation Effort: Medium
📄️ Advanced SWG: Implement Cloud Firewall capabilities (MS Roadmap)
Overview
📄️ Advanced SWG: Design and Implement SDWAN capabilities
Implementation Effort: High
📄️ Agentless SWG: Onboard M365 traffic remote or agentless network segments
Implementation Effort: Medium
📄️ Agentless SWG: Update CA policies to leverage Compliant Network controls
Implementation Effort: Low
📄️ Agentless SWG: Enable and configure Internet Access for Remote Networks (MS Roadmap)
Overview
📄️ Monitoring: Leverage and monitor Traffic Logging
Implementation Effort: Low
📄️ Monitoring: Review GSA Audit Logs
Implementation Effort: Medium
📄️ Monitoring: Export Traffic and Audit logs to external SIEM solution
Implementation Effort: Medium
📄️ Monitoring: Leverage GSA Azure Workbooks
Implementation Effort: Low
📄️ Monitoring: Review remote network health logs
Implementation Effort: Low
📄️ Monitoring: Leverage GSA Sentinel integration (MS Roadmap)
Overview
📄️ Monitoring: Monitor and scale out
Implementation Effort: Medium
📄️ Discover and Assess Public Network Endpoints/Resources
Implementation Effort: Medium
📄️ Create an Azure DDoS Protection Plan for VNETs / Enable Azure DDoS Protection for Public IPs
Implementation Effort: Low
📄️ Simulate DDoS Attacks to ensure readiness
Implementation Effort: Low
📄️ Automate Governance, Monitoring, and Response for Azure DDoS Protection
Implementation Effort: Medium
📄️ Evaluate Network Traffic Flows
Implementation Effort: Medium
📄️ Deploy Azure Firewall and route all outbound and inbound traffic through it
Implementation Effort: High
📄️ Enable and use Azure Firewall Network rules to explicitly allow traffic from specific sources/to specific destinations.
Implementation Effort: Medium
📄️ Enable and use Azure Firewall Application Rules to manage outbound and east-west application layer traffic
Implementation Effort: Medium
📄️ Automate Azure Firewall Governance, Monitoring, and Response
Implementation Effort: Medium
📄️ Evaluate Network Segmentation Strategy
Implementation Effort: Medium
📄️ Centralize Azure Firewall deployment for inter-VNet traffic inspection.
Implementation Effort: Medium
📄️ Enable and use Azure Firewall Network Rules to segment internal Azure or On-Prem sources and destinations
Implementation Effort: Medium
📄️ Enable and use Azure Firewall Application Rules to segment internal Azure or On-Prem sources and destinations
Implementation Effort: Medium
📄️ Automate Segmentation Policy Enforcement and Compliance
Implementation Effort: Medium
📄️ Evaluate Network Threat Protection Strategy
Implementation Effort: Medium
📄️ Deploy Azure Firewall for Network Threat Protection
Implementation Effort: Medium
📄️ Enable Threat Intelligence based filtering in Azure Firewall Policy
Implementation Effort: Medium
📄️ Enable IDPS to inspect all inbound and outbound traffic on Azure Firewall
Implementation Effort: Medium
📄️ Enable IDPS to inspect all east-west traffic on Azure Firewall
Implementation Effort: Medium
📄️ Automate Governance and Response for Firewall Threat Protection
Implementation Effort: Medium
📄️ Discover and evaluate encrypted network traffic
Implementation Effort: High
📄️ Deploy and enable Azure Firewall for TLS Inspection
Implementation Effort: High
📄️ Enable and configure TLS inspection on Azure Firewall policy to Inspect all east-west TLS traffic to allow/deny with IDPS and Application rules
Implementation Effort: High
📄️ Enable and configure TLS inspection on Azure Firewall policy to Inspect all outbound TLS traffic to allow/deny with IDPS and Application rules
Implementation Effort: High
📄️ Enable TLS inspection to Inspect inbound TLS traffic from Azure Application Gateway to allow/deny with IDPS and Application rules
Implementation Effort: High
📄️ Automate TLS Inspection Governance and Compliance
Implementation Effort: Medium
📄️ Assess and Discover Global Regional and Internal Web Applications
Implementation Effort: Medium
📄️ Enable Azure WAF on Azure Front Door to protect global applications
Implementation Effort: Medium
📄️ Azure WAF on Azure Application Gateway to protect regional and internal applications
Implementation Effort: Medium
📄️ Enable and use the latest Default Ruleset and Bot Manager Ruleset
Implementation Effort: Medium
📄️ Enable and configure Custom Rules for Rate Limit, JS Challenge(preview) and CAPTCHA(preview)
Implementation Effort: Medium
📄️ Enable and configure Layer 7 DDoS Ruleset
Overview
📄️ Enable and configure Custom Rules for Rate Limit, JS Challenge(preview) and CAPTCHA(preview)
Implementation Effort: Medium
📄️ Leverage and monitor Traffic Logging
Implementation Effort: Medium
📄️ Enable and configure DDoS Alerting, Logging and Metrics
Implementation Effort: Medium
📄️ Enable and configure diagnostic logging and metrics for the Azure Firewall
Implementation Effort: Medium
📄️ Enable and configure diagnostic logging and metrics for WAF on Azure Front Door and Azure Application Gateway
Implementation Effort: Medium
📄️ Leverage Workbooks for visibility and tracking - DDoS Workbook, WAF Workbook, Firewall Workbook
Implementation Effort: Medium
📄️ Integrate and export diagnostic logs into SIEM
Implementation Effort: Medium
📄️ Automate response to alerts and leverage AI for investigations
Implementation Effort: Medium