Best practices for network security when integrating ERP with Azure services

We’re integrating our on-premises ERP system with multiple Azure services (Storage, SQL Database, Event Grid, Functions) and need to establish comprehensive network security. Currently considering a combination of private endpoints, Azure Firewall, and network security groups, but want to understand industry best practices.

Our security requirements include preventing data exfiltration, controlling outbound ERP connections, monitoring for threats, and maintaining compliance with financial regulations. What network security patterns have worked well for production ERP integrations? Particularly interested in hearing about threat monitoring approaches and whether private endpoints alone are sufficient or if we need additional layers.

From a compliance perspective, private endpoints are critical but insufficient alone. You need comprehensive logging of all network flows for audit trails. Enable NSG flow logs, Azure Firewall logs, and diagnostic logs on all private endpoints. Feed these into Azure Sentinel for correlation and threat detection. Financial regulations typically require 90-day retention minimum, so plan your Log Analytics workspace sizing accordingly.
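To make the flow-log recommendation above concrete, here is an added example (not code from anyone in this thread) that parses records shaped like NSG flow log v2 and flags two things a financial-data exfiltration rule would care about: allowed outbound flows from the ERP subnet that do not land in an expected range, and source/destination pairs whose outbound byte count crosses a volume threshold. The subnet ranges, the threshold and the sample blob are constructed assumptions; the tuple field order follows the documented v2 layout, and "B" (flow-begin) tuples are handled as carrying no counters.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample shaped like an NSG flow log v2 blob (not real telemetry).
# Tuple layout: ts,src,dst,sport,dport,proto,dir,decision,state,
#               pkts_src_to_dst,bytes_src_to_dst,pkts_dst_to_src,bytes_dst_to_src
# "B" (begin) tuples carry no counters, so the last four fields are empty.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2024-01-15T10:00:00.000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "properties": {
            "Version": 2,
            "flows": [{
                "rule": "DefaultRule_AllowInternetOutBound",
                "flows": [{
                    "mac": "000D3AF87856",
                    "flowTuples": [
                        "1705312800,10.10.1.4,10.10.2.5,49152,1433,T,O,A,E,120,18000,100,25000",
                        "1705312810,10.10.1.4,203.0.113.77,49153,443,T,O,A,E,9000,52428800,300,4000",
                        "1705312820,10.10.1.4,198.51.100.9,49154,443,T,O,D,B,,,,",
                        "1705312830,10.10.1.5,10.10.2.6,49155,443,T,O,A,E,50,7000,40,9000",
                    ],
                }],
            }],
        },
    }],
})

# Assumed topology: the ERP subnet, and the ranges an allowed outbound flow may
# land in (private-endpoint subnet plus the on-premises range behind VPN/ExpressRoute).
ERP_SUBNET = ipaddress.ip_network("10.10.1.0/24")
EXPECTED_DESTINATIONS = [ipaddress.ip_network("10.10.2.0/24"),
                         ipaddress.ip_network("192.168.0.0/16")]
VOLUME_THRESHOLD_BYTES = 10 * 1024 * 1024  # assumed: 10 MiB per src/dst pair per blob


def parse_flow_tuples(raw_json):
    """Yield one dict per v2 flow tuple found in an NSG flow log blob."""
    doc = json.loads(raw_json)
    for record in doc["records"]:
        for rule_block in record["properties"]["flows"]:
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    yield {
                        "ts": int(f[0]),
                        "src": ipaddress.ip_address(f[1]),
                        "dst": ipaddress.ip_address(f[2]),
                        "dport": int(f[4]),
                        "direction": f[6],   # I = inbound, O = outbound
                        "decision": f[7],    # A = allowed, D = denied
                        "bytes_out": int(f[10]) if len(f) > 10 and f[10] else 0,
                        "rule": rule_block["rule"],
                    }


def find_suspicious_flows(raw_json):
    """Return findings for allowed outbound ERP flows that leave the expected ranges,
    and for src/dst pairs whose outbound byte count crosses the volume threshold."""
    findings = []
    bytes_by_pair = defaultdict(int)
    for fl in parse_flow_tuples(raw_json):
        if fl["src"] not in ERP_SUBNET or fl["direction"] != "O" or fl["decision"] != "A":
            continue  # denied flows were already blocked; inbound is a separate rule
        pair = (str(fl["src"]), str(fl["dst"]))
        bytes_by_pair[pair] += fl["bytes_out"]
        if not any(fl["dst"] in net for net in EXPECTED_DESTINATIONS):
            findings.append({"kind": "unexpected_destination", "src": pair[0],
                             "dst": pair[1], "dport": fl["dport"], "rule": fl["rule"]})
    for (src, dst), total in bytes_by_pair.items():
        if total >= VOLUME_THRESHOLD_BYTES:
            findings.append({"kind": "volume_threshold", "src": src, "dst": dst,
                             "bytes_out": total})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_flows(SAMPLE_FLOW_LOG):
        print(finding)
```

The same two conditions translate directly into an analytics rule once the flow logs are in a Log Analytics workspace; the point of running the logic offline first is to confirm the allow-list ranges and the threshold before they generate alerts. Note that the rule name is carried into each finding, which is what lets an auditor tie a flagged flow back to the NSG rule that permitted it.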

Don’t forget about Azure Firewall Premium for deep packet inspection if you’re handling sensitive financial data. The TLS inspection capability is crucial for detecting threats in encrypted traffic between ERP and Azure services. Also implement Azure Bastion for any administrative access to VMs - never allow direct RDP/SSH even from your corporate network. Every access path is a potential attack vector.

Private endpoints should be your foundation - they eliminate public internet exposure for Azure services. But don’t stop there. Implement Azure Firewall with threat intelligence enabled to inspect traffic between your ERP environment and Azure services. We also use Azure DDoS Protection Standard even for private connectivity because it provides additional network flow telemetry that’s valuable for threat detection.
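Private endpoints only remove public exposure if the ERP VNet actually resolves each service name to the private endpoint address; a missing private DNS zone link silently sends traffic to the public endpoint while the private endpoint looks healthy. As an added check (not code from anyone in this thread), this example takes resolver results as seen from inside the VNet and reports any service whose addresses fall outside the private endpoint ranges or whose CNAME chain does not pass through a privatelink.* name. The VNet range, the service names and the sample resolutions are constructed assumptions.

```python
import ipaddress

# Assumed VNet range in which private endpoint NICs are allocated.
PRIVATE_ENDPOINT_RANGES = [ipaddress.ip_network("10.10.2.0/24")]

# Constructed resolver results as seen from inside the ERP VNet (not real lookups).
# Each entry: service FQDN -> (CNAME chain, final A records).
SAMPLE_RESOLUTIONS = {
    "erpstorage.blob.core.windows.net": (
        ["erpstorage.privatelink.blob.core.windows.net"], ["10.10.2.5"]),
    "erpsql.database.windows.net": (
        ["erpsql.privatelink.database.windows.net"], ["10.10.2.6"]),
    # Private DNS zone not linked to this VNet: name resolves to the public endpoint.
    "erpevents.eventgrid.azure.net": (
        [], ["203.0.113.20"]),
}


def check_private_endpoint_dns(resolutions, pe_ranges=PRIVATE_ENDPOINT_RANGES):
    """Return one verdict per service: "ok" when every address is inside a private
    endpoint range and the chain passes through a privatelink.* name, else a reason."""
    results = {}
    for fqdn, (cnames, addrs) in resolutions.items():
        ips = [ipaddress.ip_address(a) for a in addrs]
        if not ips:
            results[fqdn] = "no_address"
            continue
        in_pe = all(any(ip in net for net in pe_ranges) for ip in ips)
        via_privatelink = any(".privatelink." in c for c in cnames)
        if in_pe and via_privatelink:
            results[fqdn] = "ok"
        elif not in_pe:
            results[fqdn] = "resolves_outside_private_endpoint_ranges"
        else:
            results[fqdn] = "no_privatelink_cname"
    return results


def failing_services(resolutions, pe_ranges=PRIVATE_ENDPOINT_RANGES):
    """Sorted list of (fqdn, reason) for every service that is not using its private endpoint."""
    verdicts = check_private_endpoint_dns(resolutions, pe_ranges)
    return sorted((fqdn, why) for fqdn, why in verdicts.items() if why != "ok")


if __name__ == "__main__":
    for fqdn, why in failing_services(SAMPLE_RESOLUTIONS):
        print(f"{fqdn}: {why}")
```

Running this from a VM in the ERP VNet (feeding it real resolver output instead of the constructed sample) is a cheap pre-cutover gate, and pairing it with an NSG or firewall rule that denies outbound traffic to the service's public ranges turns a DNS misconfiguration into a visible failure rather than a quiet bypass.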