Network security controls are the foundational measures used to protect enterprise and cloud networks. This guide explains the essential controls, how they fit together into a layered defense, and how Microsoft Defender for Cloud and the Microsoft Cloud Security Benchmark (MCSB) use these controls and service baselines to produce prioritized security recommendations for on‑premises, cloud, and hybrid deployments. Core objectives:
  • Reduce the attack surface
  • Contain lateral movement
  • Protect workloads (VMs, PaaS services, containers)
  • Enforce consistent, auditable configurations
Key network security controls
Each control below is listed with its purpose and a typical implementation:
  • Network segmentation. Purpose: reduce the attack surface and contain lateral movement. Implementation: use subnets, VLANs, NSGs, and Azure Firewall to separate zones (web, app, DB).
  • Cloud network controls. Purpose: enforce least-privilege connectivity and secure access to cloud resources. Implementation: Network Security Groups (NSGs), Azure Firewall, Private Endpoints.
  • Edge firewalls. Purpose: filter and inspect inbound/outbound traffic at network boundaries. Implementation: perimeter firewall clusters (stateful inspection, application rules).
  • IDS/IPS. Purpose: detect and (optionally) block suspicious traffic. Implementation: deploy IDS/IPS appliances or hosted services to alert on and block threats.
  • DDoS defenses. Purpose: protect against volumetric and application-layer attacks. Implementation: cloud DDoS protection plans and rate limiting.
  • Web Application Firewall (WAF). Purpose: block common web exploits and protect the application layer. Implementation: a WAF in front of web apps and API gateways to stop SQLi, XSS, etc.
  • Policy and tooling. Purpose: standardize configurations and enable automated enforcement. Implementation: Azure Policy, security automation, and centralized logging.
  • Vulnerability hygiene. Purpose: remove or patch unnecessary services and reduce attack vectors. Implementation: vulnerability scanning, a patching cadence, and hardening baselines.
  • Private connectivity. Purpose: protect sensitive traffic and avoid the public internet. Implementation: ExpressRoute, VPN, and encrypted tunnels for private peering and transit.
[Slide: "Network Security Controls", listing nine items (NS-1 to NS-9): network segmentation, cloud security controls, firewalls/IDS/IPS, DDoS and web application protection, and private network connections.]
When you enable Microsoft Defender for Cloud, it continuously evaluates these network and platform controls across your subscriptions and workloads and maps them to built-in security recommendations. The result is a prioritized list of compliance and security recommendations, which helps you find gaps and plan remediation in order of business impact.
Microsoft Cloud Security Benchmark (MCSB)
Next, consider the Microsoft Cloud Security Benchmark (MCSB). MCSB defines a set of high-impact security controls intended to help you secure cloud services consistently across single- and multi-cloud environments. It sets expectations for what to protect, who should be involved, and how to prioritize security work.
[Slide: "Microsoft Cloud Security Benchmark". MCSB provides high-impact security recommendations for securing cloud services in single- and multi-cloud environments.]
MCSB organizes guidance into security controls — broad, high-level requirements that apply across workloads — and describes stakeholders and the general objective for each control.
[Slide: "Microsoft Cloud Security Benchmark – Security Controls", two panels: "Definition" (security recommendations for cloud workloads) and "Purpose" (Planning, Approval, Implementation, with the stakeholders involved in each). © KodeKloud.]
Service baselines
Service baselines translate an MCSB control into concrete, actionable configuration guidance for a specific cloud service. In other words:
  • Control = the high-level requirement (for example, Data Protection).
  • Baseline = the exact configuration checks and settings for a service (for example, Azure SQL Security Baseline).
Service baselines make it possible to consistently assess and automate compliance checks for each cloud service you use.
[Slide: "Microsoft Cloud Security Benchmark – Service Baselines". Service baselines apply security controls to individual cloud services to guide secure configuration.]
To summarize the relationship:
  • Control: A high-level security requirement (what to protect).
  • Baseline: The service-specific implementation and checks that satisfy the control (how to configure).
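The control-to-baseline step is easiest to see with the network segmentation control from the table above. A baseline check turns "contain lateral movement" into concrete questions about a resource's configuration: are management ports reachable from the internet, and can the web tier talk to the database tier directly? The following script is an added example, not code from the page, from KodeKloud, or from Microsoft; it models Azure NSG rule evaluation (rules processed in ascending priority order, first match wins, plus the default AllowVnetInBound and DenyAllInBound rules) and runs two such checks over constructed sample rules. The VNet range 10.0.0.0/16, the subnet layout, the rule names, and the simplified treatment of the Internet and VirtualNetwork service tags are all assumptions made for the sample.

```python
"""Baseline-style checks over Azure-shaped NSG inbound rules (added example).

Rule fields mirror the shape of NSG securityRules objects (name, priority,
direction, access, protocol, sourceAddressPrefix, destinationPortRange), but
every rule below is constructed sample data, not a real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

VNET = ipaddress.ip_network("10.0.0.0/16")   # assumed VNet range for the sample
WEB_TIER_IP = "10.0.1.10"                    # assumed address in the web subnet
MANAGEMENT_PORTS = (22, 3389, 5985, 5986)    # SSH, RDP, WinRM


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first, as in Azure NSGs
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, single IP, or service tag
    dest_ports: str    # "22", "1024-65535", "80,443" or "*"


# Default inbound rules every NSG carries (AzureLoadBalancer tag matched exactly).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def port_in_range(port: int, spec: str) -> bool:
    """True if `port` falls inside a destinationPortRange spec."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def source_matches(rule_source: str, flow_source: str) -> bool:
    """Simplified sourceAddressPrefix matching: tags are resolved against the
    assumed VNet range, anything else is CIDR containment."""
    if rule_source == "*" or rule_source == flow_source:
        return True
    try:
        ip = ipaddress.ip_address(flow_source)
    except ValueError:
        return False  # flow identified by a tag; only an exact tag match counts
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":
        return ip not in VNET  # sample approximation of the Internet service tag
    try:
        return ip in ipaddress.ip_network(rule_source, strict=False)
    except ValueError:
        return False


def effective_access(rules: Iterable[Rule], flow_source: str, port: int,
                     protocol: str = "Tcp") -> Tuple[str, str]:
    """Return (access, rule name) for an inbound flow: the first matching rule
    in ascending priority decides, default rules included."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.direction != "Inbound" or r.protocol not in ("*", protocol):
            continue
        if source_matches(r.source, flow_source) and port_in_range(port, r.dest_ports):
            return r.access, r.name
    return "Deny", "implicit"


def baseline_findings(rules: Iterable[Rule], internet_probe: str = "198.51.100.7") -> List[str]:
    """Two baseline checks derived from the segmentation control: no management
    port reachable from the internet, and no direct web-tier access to SQL."""
    rules = list(rules)
    findings = []
    for port in MANAGEMENT_PORTS:
        access, name = effective_access(rules, internet_probe, port)
        if access == "Allow":
            findings.append(f"management port {port} reachable from the internet via rule {name}")
    access, name = effective_access(rules, WEB_TIER_IP, 1433)
    if access == "Allow":
        findings.append(f"web tier can reach SQL port 1433 directly via rule {name}")
    return findings


# Constructed DB-tier NSG: one correct rule, one misconfiguration, one explicit deny.
DB_TIER_RULES = [
    Rule("AllowAppToSql", 100, "Inbound", "Allow", "Tcp", "10.0.2.0/24", "1433"),
    Rule("AllowSshFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "22"),
    Rule("DenyWebToSql", 300, "Inbound", "Deny", "Tcp", "10.0.1.0/24", "1433"),
]

if __name__ == "__main__":
    for f in baseline_findings(DB_TIER_RULES):
        print("FINDING:", f)
```

The second check is the one people miss: because every NSG ends with AllowVnetInBound at priority 65000, dropping the explicit DenyWebToSql rule silently re-opens the path from the web subnet to port 1433, so segmentation inside a VNet needs explicit deny rules (or a firewall between subnets), not just the absence of an allow. Running the script as-is reports only the exposed SSH port; removing the deny rule reports both findings.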
[Slide: "Microsoft Cloud Security Benchmark", a three-column table (Term, Description, Example) with rows for "Control" (example: Data Protection) and "Baseline" (example: Azure SQL Security Baseline).]
Why this matters for Defender for Cloud
Microsoft Defender for Cloud evaluates your subscriptions against MCSB controls and service baselines, then surfaces prioritized recommendations that map to those baselines. Understanding the control → baseline relationship helps you:
  • Interpret recommendations in a business context
  • Identify responsible stakeholders for remediation
  • Implement consistent, repeatable configurations across services
Start by mapping high-impact MCSB controls to your most critical services (e.g., databases, web apps, identity systems). Then use Defender for Cloud recommendations and service baselines to implement and automate those controls.