“There is no foolproof firewall on the Internet. The only way to completely protect is to unplug it.”
Yes. And that is why they ran totally separate VPN comm lines, globally, for the Intranet and Internet access and the “bridge” between them, anywhere in the company, comprised 90% of the cyber security effort. Also, having the Intranet and restricted Internet access minimized that traffic as well.
Good. Again, these are services and practice that are always applied to you by the cloud vendor.
We’re not really disagreeing on the actual way the stuff works, just who has the most resources to provide it.
The Air Force doesn’t make its own airplanes, those are contracted out to vendors. Same with all manner of government data and communications systems.
For getting your critical and sensitive communications OFF the internet, you can also use ExpressRoute with Azure.
ExpressRoute enables you to extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. This connection is private. Traffic doesn’t go over the internet. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Microsoft 365, and Dynamics 365.
This is NOT a routed (using TCP/IP) connection. It relies on a third party—through a commercial communications provider—usually fiber from a business’s demarcation point to Microsoft’s physical internal network.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction