Running mishmash io on Azure allows you to fully utilize Azure's built-in security mechanisms and best practices.
All mishmash io cluster nodes use an Azure Managed Identity to access other Microsoft Azure resources (such as storage) and to authenticate each other when communicating internally.
By default, this Managed Identity is limited to accessing only mishmash io's own resources, but because it is an Azure resource you can also apply additional policies to it, audit it, and so on.
Cluster nodes need to communicate with each other and, by default, this happens on the cluster's own dedicated Virtual Network, which isolates it from other networks, including the Internet.
Internal traffic between mishmash io cluster nodes is authenticated (see above) and also encrypted.
During a deployment this network is created automatically for you, and later you can apply additional security policies and use additional Microsoft Azure security services, such as Microsoft Defender for Cloud.
When your apps connect to mishmash io they will go through an Azure Load Balancer. During a deployment, this Load Balancer will be configured as an 'internal' Load Balancer, not accessible from the public internet. This is the recommended approach.
Once the deployment completes, it is up to you to decide (and configure accordingly) which other networks (Azure Virtual Networks, company VPNs, the public Internet) should have access to the Load Balancer's endpoint.
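One way to confirm that the Load Balancer is still internal after later network changes is to inspect its frontend IP configurations. The following is an added example, not mishmash io code: it assumes JSON in the shape printed by `az network lb show -o json`, and the resource names, IDs and addresses in the sample are constructed placeholders.

```python
import json

# Constructed sample shaped like `az network lb show -g <group> -n <name> -o json`.
# Every name, ID and address below is a made-up placeholder.
SAMPLE_LB_JSON = """
{
  "name": "example-lb",
  "frontendIPConfigurations": [
    {"name": "internal-fe", "privateIPAddress": "10.0.0.4",
     "subnet": {"id": "/subscriptions/<sub-id>/example-subnet"},
     "publicIPAddress": null},
    {"name": "added-later-fe", "privateIPAddress": null,
     "publicIPAddress": {"id": "/subscriptions/<sub-id>/example-pip"}}
  ]
}
"""

def classify_frontends(lb):
    """Split a load balancer's frontends into (internal, public) name lists."""
    internal, public = [], []
    for fe in lb.get("frontendIPConfigurations") or []:
        # A frontend bound to a public IP address or public IP prefix is
        # Internet-facing; one bound only to a subnet is internal.
        if fe.get("publicIPAddress") or fe.get("publicIPPrefix"):
            public.append(fe.get("name"))
        else:
            internal.append(fe.get("name"))
    return internal, public

def is_internal_only(lb):
    """True only when at least one frontend exists and none is public."""
    internal, public = classify_frontends(lb)
    # With no frontends nothing could be verified, so report False.
    return bool(internal) and not public

if __name__ == "__main__":
    lb = json.loads(SAMPLE_LB_JSON)
    internal, public = classify_frontends(lb)
    print("internal frontends:", internal)
    print("public frontends:  ", public)
    print("internal only:     ", is_internal_only(lb))
```

Run against the real output on a schedule or in a deployment pipeline, a `False` result flags a frontend that was exposed after the initial deployment.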