Cisco Secure Remote Worker Architecture for Azure

Today companies are investing in empowering their workforce to have a secure connection to the resources hosted in the cloud. Cisco offers a secure remote worker solution that uses the Cisco AnyConnect Secure Mobility Client, Cisco Duo, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP) for Endpoints.

  • Cisco AnyConnect Secure Mobility Client: Cisco AnyConnect Secure Mobility Client empowers remote employees with frictionless, highly secure access to the enterprise network from any device, at any time, in any location, while protecting the business. It provides a consistent user experience across devices, both on and off premises, without creating a headache for IT teams. Simplify management with a single agent.
  • Cisco Duo: Cisco Duo is a user-friendly, scalable solution that keeps the business ahead of ever-changing security threats by implementing the Zero Trust security model. Multi-factor authentication from Duo protects the network with a second source of validation, such as a phone or token, to verify user identity before granting access. Cisco Duo is built to provide a simple, streamlined login experience for every remote user. As a cloud-based solution, it integrates easily with your existing technology and provides administrative visibility and monitoring.
  • Cisco Umbrella Roaming Security Module: The Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, at any time, both on and off your corporate VPN. The Roaming Security module enforces security at the DNS layer to block malware, phishing, and command-and-control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname, both on and off your VPN or network.
  • Cisco Advanced Malware Protection (AMP) Enabler: The Cisco AnyConnect AMP Enabler module is used as a medium for deploying Advanced Malware Protection (AMP) for Endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs AMP services on its existing user base. This approach gives AnyConnect user base administrators an additional security agent that detects potential malware threats in the network, removes those threats, and protects the enterprise from compromise. It saves the time and bandwidth taken to download, requires no changes on the portal side, and can be done without authentication credentials being sent to the endpoint. AnyConnect AMP Enabler protects the user both on and off the VPN or network.

Figure 1 – Components of the Cisco secure remote worker solution

Cisco Secure Remote Worker Architecture for Azure

Today organizations are consuming services, workloads, and applications hosted in Azure (public cloud). Azure offers a wide variety of services that provide easy usability, orchestration, and management. Customers are embracing these services, but this resource consumption model opens another attack surface. Using Cisco Security controls, customers can provide a secure connection to the Azure cloud infrastructure. This remote access VPN architecture protects multi-VNet, multi-AZ (availability zone) deployments by extending the Cisco Secure Remote Worker solution. The architecture combines Cisco Security with Azure Infrastructure-as-a-Service (IaaS) and extends remote access VPN capabilities with Duo, Umbrella, and AMP Enabler.

Figure 2 – Secure Remote Worker architecture for multi-VNet, multi-AZ

The network design above has the following components and solutions:

  • Cisco ASAv or Cisco NGFWv for remote access VPN termination (TLS or DTLS)
  • Cisco AnyConnect Secure Mobility Client on the endpoints
  • Microsoft Windows 2019 Active Directory for LDAP
  • Cisco Duo for multi-factor authentication
  • Umbrella Security Roaming Module for DNS-layer security
  • AMP Enabler for protection against malware

This architecture is built on the hub-and-spoke model: the hub VNet hosts the firewalls for VPN termination. The hub VNet is connected to the spoke VNets using VNet peering. VNet peering uses the Azure backbone network, which provides high throughput.

  • Remote access VPN sessions are load balanced by Azure Traffic Manager
  • Azure Internal Load Balancer (Standard) is used for non-VPN traffic load balancing (East/West)
  • Azure External/Public Load Balancer is used for non-VPN traffic load balancing (North/South)

Traffic Flow

Remote Access VPN: Azure blocks the layer-2 visibility required for native HA and VPN load balancing to work. To enable resiliency and VPN load balancing, one must rely on native cloud services such as Azure Traffic Manager (ATM), DNS, and UDR. In this architecture, VPN clients send VPN traffic to Azure Traffic Manager. ATM tracks all the firewalls using probes, and it load-balances the VPN connection endpoints (Cisco firewalls).

  • Each firewall has a separate VPN pool
  • An Azure User Defined Route (UDR) forwards traffic back to the correct firewall
  • Azure Traffic Manager load balances the RAVPN traffic

Figure 3 – Secure Remote Worker architecture for multi-VNet, multi-AZ (RA VPN Traffic Flow)

Non-VPN (East/West): Firewalls inside the hub VNet inspect east-west traffic. Every subnet inside a spoke VNet has a route table with a user-defined route (UDR) pointing to the Azure ILB virtual IP address. Traffic lands on the ILB, and the ILB forwards it to a firewall. The firewall inspects the traffic; if the traffic is allowed, it is sent to the destination VNet using VNet peering. Return traffic is forwarded back to the ILB because a similar UDR is also applied on the destination VNet. The ILB maintains state and sends the return traffic to the same firewall that processed the original packet flow.

Figure 4 – Non-VPN East/West Traffic Flow

Non-VPN (North/South)

  • Outbound Traffic Flow: Each spoke subnet has a route table associated with it. The UDR handles traffic routing and contains a default route that points to the ILB's virtual IP (VIP). The hub VNet provides the ILB, and the ILB points to the firewalls for internet connectivity. Internet traffic is load-balanced across the perimeter firewalls, and traffic is SNATed to the outside interface IP address. Outbound traffic does not hit the external load balancer because a public IP is mapped to the outside interface of the firewall and a UDR on the outside subnet is used as the default gateway. The Azure ILB used in this architecture is a Standard SKU, which requires an explicit Azure NSG to allow traffic to the firewalls (backend devices). An Azure NSG is applied on the inside and outside interfaces of the firewalls; the NSG used here has an allow-all rule, but you can restrict traffic according to your Infosec policy.
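As an added example (not code from the original post or from the Cisco design guide), the Bicep route table below implements the UDR behaviour described in the RAVPN flow and in the east/west and outbound flows above: a default route sending spoke traffic to the ILB VIP, plus one return route per firewall VPN pool so replies reach the firewall that owns the session. Every address and name is a placeholder assumption.

```bicep
param location string = resourceGroup().location

// Placeholder addresses (assumptions, not values from the design guide)
param ilbVip string = '10.0.1.100'          // Hub ILB frontend (VIP)
param fw1InsideIp string = '10.0.1.4'       // Firewall 1 inside interface
param fw2InsideIp string = '10.0.1.5'       // Firewall 2 inside interface
param fw1VpnPool string = '192.168.10.0/24' // AnyConnect pool on firewall 1
param fw2VpnPool string = '192.168.20.0/24' // AnyConnect pool on firewall 2

// Route table to associate with every spoke subnet.
resource spokeRt 'Microsoft.Network/routeTables@2021-05-01' = {
  name: 'spoke-subnet-rt'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        // Default route: east/west and internet-bound traffic goes to the
        // ILB VIP, which distributes it across the hub firewalls and keeps
        // the return path on the same firewall.
        name: 'default-via-ilb'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: ilbVip
        }
      }
      {
        // Replies to firewall 1's VPN pool must return to firewall 1; a
        // different firewall holds no session state for that client.
        name: 'fw1-vpn-pool-return'
        properties: {
          addressPrefix: fw1VpnPool
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fw1InsideIp
        }
      }
      {
        // Same for firewall 2's pool: a more specific prefix than the
        // default route, so it wins the longest-prefix match.
        name: 'fw2-vpn-pool-return'
        properties: {
          addressPrefix: fw2VpnPool
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fw2InsideIp
        }
      }
    ]
  }
}
```

Add one return route per firewall as the design grows; a VPN pool with no matching route falls through to the ILB and may reach a firewall that has no session for it.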

Figure 5 – Non-VPN North/South (Outbound Traffic Flow)

  • Inbound Traffic Flow: External users access the frontend IP on the Azure public load balancer (ELB); the ELB has the firewalls' outside interfaces in its backend pool. The ELB is responsible for load balancing incoming non-VPN traffic. The ELB sends traffic to a firewall, and if the traffic is permitted it is SNATed to the inside interface to maintain traffic symmetry.

Figure 6 – Non-VPN North/South (Inbound Traffic Flow)

For detailed information on the Cisco Secure Remote Worker Architecture for Azure, check out our Cisco Validated Design Guide (CVD): https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/srw-azure-design-guide.pdf

Anubhav Swami
Security Solutions Architect
CCIEx2 – 21208
YouTube Channel: Anubhav Swami
