Network
Tier 1 Checks
| # | Check | Service | License |
|---|---|---|---|
| N01 | DDoS Protection is enabled for all public IP addresses in VNets | DDoS Protection | Azure DDoS Protection (Network Protection tier) |
| N02 | Outbound traffic from VNet-integrated workloads is routed through Azure Firewall | Azure Firewall | Azure Firewall (Standard or Premium) |
| N03 | Threat intelligence is enabled in deny mode on Azure Firewall | Azure Firewall | Azure Firewall Standard or Premium (Basic supports Alert mode only) |
| N04 | Application Gateway WAF is enabled in prevention mode | App Gateway WAF | Application Gateway WAF_v2 |
| N05 | Azure Front Door WAF is enabled in prevention mode | Front Door WAF | Azure Front Door Premium (managed rule sets) |
License legend
Each Azure network security service is licensed per-resource and per-SKU tier. Several Tier 1 checks require a specific SKU tier — most notably, Azure Firewall Basic supports threat intelligence in Alert mode only (Standard or Premium is required for Deny), Front Door WAF managed rule sets require Premium (Standard supports custom rules only), and Application Gateway WAF_v2 is the only supported SKU for new deployments (v1 is deprecated). Pricing is documented on the Azure pricing pages.
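As an added example (not part of the original checklist), the Python below evaluates checks N03 to N05 against exported policy JSON and applies the SKU constraints from the license legend. The sample inputs are constructed, the field names (`threatIntelMode`, `policySettings`, `state`, `enabledState`, `sku`) assume the JSON shape of `az network ... show -o json` output, and the WARN status is this example's own convention.

```python
# Added example. SAMPLE is constructed; field names assume the JSON shape
# returned by `az network ... show -o json` (verify against your own export).

def check_n03(fw_policy):
    """N03: Azure Firewall threat intelligence must be in Deny mode."""
    tier = fw_policy.get("sku", {}).get("tier", "Unknown")
    mode = fw_policy.get("threatIntelMode", "Off")
    if mode == "Deny":
        return "PASS", "threat intelligence in Deny mode"
    if tier == "Basic":
        return "FAIL", f"mode={mode}; Basic supports Alert only, needs Standard or Premium"
    return "FAIL", f"mode={mode} on {tier}; switch to Deny"

def _waf_prevention(policy, state_key):
    """Shared WAF test: policy is enabled and its mode is Prevention."""
    settings = policy.get("policySettings", {})
    if settings.get(state_key) != "Enabled":
        return "FAIL", "WAF policy is disabled"
    if settings.get("mode") != "Prevention":
        return "FAIL", f"mode={settings.get('mode')}; Detection only logs"
    return "PASS", "enabled in Prevention mode"

def check_n04(appgw_waf_policy):
    """N04: Application Gateway WAF enabled in Prevention mode."""
    return _waf_prevention(appgw_waf_policy, "state")

def check_n05(afd_waf_policy):
    """N05: Front Door WAF in Prevention mode; flag non-Premium SKUs."""
    status, detail = _waf_prevention(afd_waf_policy, "enabledState")
    sku = afd_waf_policy.get("sku", {}).get("name", "Unknown")
    if status == "PASS" and not sku.startswith("Premium"):
        return "WARN", f"{detail}, but SKU {sku} has no managed rule sets"
    return status, detail

SAMPLE = {  # constructed inputs, not taken from a real tenant
    "N03": {"sku": {"tier": "Basic"}, "threatIntelMode": "Alert"},
    "N04": {"policySettings": {"state": "Enabled", "mode": "Detection"}},
    "N05": {"sku": {"name": "Standard_AzureFrontDoor"},
            "policySettings": {"enabledState": "Enabled", "mode": "Prevention"}},
}
CHECKS = {"N03": check_n03, "N04": check_n04, "N05": check_n05}

def run(resources):
    """Return {check_id: (status, detail)} for every supplied resource."""
    return {cid: CHECKS[cid](res) for cid, res in resources.items()}

if __name__ == "__main__":
    for cid, (status, detail) in run(SAMPLE).items():
        print(f"{cid} {status}: {detail}")
```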
Scope note
Network is omitted from engagements where the client's Microsoft footprint is M365-only (no Azure-hosted workloads, no public IPs, no VNet-integrated apps). For Microsoft 365 identity-perimeter controls (Conditional Access named locations, Microsoft Entra Internet Access / Private Access), see the Identity pillar — Microsoft groups those under "Protect networks" within the Entra surface even though they aren't Azure networking proper.
Tier 2 / Tier 3 coverage
Tier 1 covers the highest-impact configurations of each Azure network security service. Tier 2 and Tier 3 add depth on TLS inspection bypass rules, rate-limiting configuration, bot protection rule sets, IDPS policy tuning, diagnostic logging integration with Sentinel, and the broader Azure Bastion / Private Link / NSG governance surface.