How DNS-Layer Security Can Improve Cloud Workloads

More organizations are adopting the public cloud for their enterprise workloads. Gartner has forecasted1 that by 2020, less than 5% of enterprise workloads will be running in true on-premises private clouds. As workloads move to public clouds, it is crucial that security architectures evolve to protect those workloads, wherever they are.

Like with on-premises applications, a layered security approach works better than point solutions for cloud workloads. But the security challenges in the cloud are different. Without a physical data center in which you build your security stack to protect your data, it’s difficult to know if you’re fully protected everywhere your enterprise data is exposed.

That’s where DNS-layer security comes in. Since DNS is built into the foundation of the Internet, security at the DNS-layer can be simple to deploy and highly effective, whether your enterprise uses on-premises architecture or the public cloud. Cisco Umbrella provides DNS-based security that blocks requests to malware, phishing, and botnets before a connection is even established. It can prevent cloud workloads from being leveraged for malicious cryptomining by blocking requests to suspicious domains. Content category blocking can also be configured to prevent cloud workloads from being used by employees to circumvent on-premises content filtering rules.

One of the simplest approaches to enable DNS-based security for cloud-native workloads is to point the DNS server used by these workloads to Cisco Umbrella. This enables DNS-level blocking of malicious domains and provides an added layer of security. However, since most cloud workloads tend to access the Internet through an ephemeral public IP address, it is difficult to define policy or to view reporting of DNS activity in the public cloud.

Another approach is to deploy the Cisco Umbrella Virtual Appliance in a Virtual Private Cloud (VPC) in the public cloud. Workloads in that VPC can use the Virtual Appliance as their DNS server. The Virtual Appliance forwards DNS requests for external domains to Umbrella and includes the source IP of the requesting workload in the DNS metadata. Virtual Appliances include a customer identifier in each outgoing DNS request, which enables them to be used for environments with ephemeral public IP addresses. With the Virtual Appliance approach, subnet-based content filtering policies can be defined for cloud workloads. Umbrella can also provide visibility into the source of malicious domain requests, allowing administrators to quickly remediate these workloads.

The Cisco Umbrella Virtual Appliance now supports deployment in the three major public cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). With many organizations now adopting a multi-cloud strategy2, deploying Umbrella Virtual Appliances in the respective public cloud VPCs can provide a highly effective added layer of security for workloads deployed in any of these platforms, as well as improved visibility into activity.

What are you waiting for? Sign up for a free trial of Cisco Umbrella, and start leveraging the power of DNS-layer security to protect your cloud workloads.

  1. Modernize IT infrastructure in a hybrid world, Gartner, Mar 2019. Retrieved from
  2. Why organizations choose a Multicloud strategy, Gartner, May 2019. Retrieved from

Source :