We are migrating legacy on-prem workloads to Azure but need to maintain a hybrid footprint. I’m confused about the best way to apply Zero Trust principles across both environments. Should I focus on Microsoft Entra ID for identity or prioritize Azure Firewall for network segmentation?
3 answers
Zero Trust is a strategy, not a single tool. For a hybrid setup, your first priority must be Identity. Microsoft Entra ID (formerly Azure AD) acts as your control plane. Use Conditional Access policies to enforce Multi-Factor Authentication based on user location and device health. Once identity is secure, use Azure Arc to manage your on-premise servers as if they were native Azure resources. This allows you to apply Azure Policy and Microsoft Defender for Cloud across the entire estate, ensuring consistent security posture and threat detection regardless of where the workload sits.
Have you looked into Azure Bastion to eliminate public IP exposure for your hybrid VMs, or is your current focus more on internal lateral movement?
Don't choose one over the other; Identity and Network go hand-in-hand. Use Entra ID for the users and Azure Firewall for the traffic packets.
Spot on! It's called "defense in depth." I'd add that Microsoft Sentinel is great for seeing how both layers are interacting in real-time.
We are definitely worried about lateral movement, Nancy. Our on-prem legacy apps aren't naturally segmented. I was considering using Micro-segmentation via NSGs in the cloud, but I'm unsure how to bridge that logic to our local VLANs. Would you recommend looking into Azure Private Link to keep the traffic off the public internet entirely, or is that overkill for a standard site-to-site VPN?