- Establish network segmentation boundaries — divide your network into smaller segments (subnets, VNets, virtual networks, or security zones) to limit lateral movement and contain incidents.
- Secure cloud services with network controls — use access restrictions, Network Security Groups (NSGs) or ACLs, private endpoints, and service-level controls to reduce exposure and restrict who can reach resources.
- Deploy perimeter and internal firewalls — inspect and filter traffic at the edge and between segments; enforce consistent policy across zones.
- Use IDS and IPS — intrusion detection systems (IDS) identify suspicious activity; intrusion prevention systems (IPS) can block or mitigate malicious traffic before workloads are impacted.
- Defend against large-scale availability attacks — use DDoS protection services to absorb or mitigate volumetric attacks that aim to overwhelm your applications.
- Deploy a Web Application Firewall (WAF) — place a WAF in front of web-facing applications to block application-layer threats like SQL injection and cross-site scripting.
- Use policy and guardrails — implement built-in security policies, role-based access control (RBAC), and automation to apply controls consistently across subscriptions and tenants.
- Continuously discover and remediate — perform regular scans and inventory to find weak, misconfigured, or out-of-date services and either remediate or decommission them.
- Use secure private connectivity — when handling sensitive traffic, prefer Private Link, ExpressRoute, or dedicated circuits; use VPNs for encrypted transit when private circuits are unavailable.

These mappings help you choose the right Azure features when implementing each control.
These controls are not just best practices — they are the elements that Microsoft Defender for Cloud evaluates to produce security and compliance recommendations and reports.
Microsoft Defender for Cloud assesses these network controls and provides prioritized recommendations, continuous posture monitoring, and compliance insights.



- Control = high-level security requirement (for example, protect data-in-transit).
- Baseline = specific implementation for a given service (for example, Azure SQL baseline listing network and configuration requirements).