Azure-in-bullet-points

Security

Role based access control

• Provides fine-grained access to resources
• AAA
  • A -> Authentication (identity)
  • A -> Authorization (abilities)
  • A -> Accounting (auditing)
• Higher to lower granularity: Subscription -> Resource group -> Resource
• Roles
  • Reader: Observers
  • Resource-specific or custom role, contributor: Users managing resources
  • Owner: Admins
• Custom roles are defined in JSON
• RBAC focuses on user actions at differen scopes.
  • By contrast, Azure Policy focuses on resource properties during deployment
    • Policies e.g. Allowed virtual machine SKUs, Enforce automatic OS upgrade with app health checks on VMSS
• You can manage in Access Control (IAM) blade.

Storage Security

Storage Service Encryption

• Protects data at rest in storage account
• 128-bit AES encryption
• Azure manages encryption keys
  • 💡 You can manage them yourself with Azure Key Vault

Azure Disk Encryption

• BitLocker for Windows Server VMs
• DM-Crypt library for Linux VMs
• Protects OS and data disks
• Azure- or customer- managed disks
• Manage:
  • In VM blade -> Disks -> Add data disk
  • Use powershell
    1. Create key vault and vault key
    2. Create security principal (identity in Azure AD) that can take the key from key vault
    3. You run SetRmVMDiskEncryption to configure encryption

Network-level security

Network Security Group (NSG)

• Stateful firewalls
• Augmented security rules: Have inbound/outbound rules
• Can be bound to public addresses, load balancers, subnets and VMs.
• Traffic streams are identified with 5-tuple hash: Source, destination, port, protocol, IP addresses.
• Source can be service tags
  • In-built e.g. Internet
• Or custom (Application Security Group identifiers)
  • Simplifies NSG’s
  • Logically groups VM’s e.g. by role
    • Association is done through NICs
  • E.g. AppServers, DatabaseServers
  • Flow:
    1. Define ASGs
    2. Include ASGs in NSGs

Host Firewalls

• E.g. Windows Defender Firewall on Windows Server VM’s
• 💡 A range that’s whitelisted in NSG can be blocked by host firewalls.

Jumpbox Architecture

• Jumpbox is a pivot point VM in a VNet
• Good for auditing every administrative action
  • A shared jumpbox makes it easier to administrate the orchestration
• You can e.g. allow access to public IP and make sure it’s locked down to that endpoint.
• Or you can e.g. point to Site-to-Site VPN or point-to-site VPN.

Azure Security Center (ACS)

• Centralizes security policy management
• Continuous security assesment
• Actionable recommendations
• Prioritized alerts and incidents
• Integrated security solutions
  • E.g. recommends to deploy WAF

Just-in-Time (JIT) VM Access

• Normaly to access a VM, you need 3389 for RDP protocol, or 22 to SSH for linux, you open those ports 7/24.
  • Not so secure as they’re publically accesible if IP is public.
• JIT locks down inbound administrative port access
• Time-restricted access to specific IP address(es)
• Requires Azure Security Center standard

This site is open source. Improve this page.