Day 2 Wrap-up — What Is Reachable?
25/05/2026About 1 min
Day 2 Wrap-up — What Is Reachable?
Today we started with a question:
What is reachable, what should be reachable, and what should be private?What we covered
Defense in depth
Each layer adds an independent control. Removing one does not remove the others.
| Layer | Control | Protects against |
|---|---|---|
| Identity (Day 1) | RBAC, managed identity | Unauthorized actions |
| Network (Day 2) | Access restrictions, private endpoints | Unauthorized reachability |
| Network (Day 2) | NSG rules | Lateral movement between subnets |
| Application firewall (optional) | App Gateway WAF | Malicious HTTP requests (OWASP rules) |
| DevSecOps (Day 3) | CI/CD security, API protection | Insecure deployments, API vulnerabilities |
| Monitoring (Day 4) | Log Analytics, alerts | Unnoticed incidents |
What we changed
| Component | Before | After |
|---|---|---|
| Frontend | Public | Public |
| Public Backend API | Public | Public |
| Internal Backend Service | Public | Restricted to public backend only |
| DB Storage Account | Public network access enabled | Private endpoint, public access disabled |
| Key Vault | Public network access enabled | Private endpoint, public access disabled |
| NSGs | No rules | Attached to app integration and private endpoint subnets |
End-of-day checklist
[ ] Internal backend is restricted to public backend only
[ ] DB storage account is accessible only via private endpoint
[ ] Key Vault is accessible only via private endpoint
[ ] NSGs are attached to app integration and private endpoint subnets
[ ] Direct call to internal backend returns 403
[ ] Direct call to DB storage account table endpoint is refusedWe did alot
We started from a limited amount of resources

And by adding our requirements: nsg's, subnets, rules, dns zones, ... we ended with a lot of resources:

Bridge to Day 3
Today we reduced what is reachable. Day 3 focuses on DevSecOps and API security: integrating security into the development pipeline, protecting API endpoints, and implementing secure deployment practices.
Today: reduce the attack surface.
Tomorrow: secure the development lifecycle.Day 2 Challenge
If time allows we have a challenge: Click me!