Skip to content

Latest commit

 

History

History
102 lines (80 loc) · 3.51 KB

5.4. Compute - Virtual machines (VMs) - Security.md

File metadata and controls

102 lines (80 loc) · 3.51 KB
Raw

Security

Role based access control

  • Provides fine-grained access to resources
  • AAA
    • A: Authentication (identity)
    • A: Authorization (abilities)
    • A: Accounting (auditing)
  • Higher to lower granularity
    • Management groups → Subscription → Resource group → Resource
  • Roles
    • Reader: Observers
    • Resource-specific or custom role, contributor: Users managing resources
    • Owner: Admins
  • Custom roles are defined in JSON
  • RBAC focuses on user actions at different scopes.
    • By contrast, Azure Policy focuses on resource properties during deployment
      • Policies e.g. Allowed virtual machine SKUs, Enforce automatic OS upgrade with app health checks on VMSS
  • You can manage in Access Control (IAM) blade.

Storage Security

Storage Service Encryption

  • Protects data at rest in storage account
  • 128-bit AES encryption
  • Azure manages encryption keys
    • 💡 You can manage them yourself with Azure Key Vault

Azure Disk Encryption

  • BitLocker for Windows Server VMs
  • DM-Crypt library for Linux VMs
  • Protects OS and data disks
  • Azure- or customer- managed disks
  • Manage:
    • In VM blade -> Disks -> Add data disk
    • Use PowerShell
      1. Create key vault and vault key
      2. Create security principal (identity in Azure AD) that can take the key from key vault
      3. You run SetRmVMDiskEncryption to configure encryption

Network-level security

Network Security Group (NSG)

  • Stateful firewalls
  • Augmented security rules: Have inbound/outbound rules
  • Can be bound to public addresses, load balancers, subnets and VMs.
  • Traffic streams are identified with 5-tuple hash: Source, destination, port, protocol, IP addresses.
  • Source can be service tags
    • In-built e.g. Internet
  • Or custom (Application Security Group identifiers)
    • Simplifies NSGs
    • Logically groups VMs e.g. by role
      • Association is done through NICs
    • E.g. AppServers, DatabaseServers
    • Flow:
      1. Define ASGs
      2. Include ASGs in NSGs

Host Firewalls

  • E.g. Windows Defender Firewall on Windows Server VMs
  • 💡 A range that's whitelisted in NSG can be blocked by host firewalls.

Jumpbox Architecture

  • Jumpbox is a pivot point VM in a VNet
  • Good for auditing every administrative action
    • A shared jumpbox makes it easier to administrate the orchestration
  • You can e.g. allow access to public IP and make sure it's locked down to that endpoint.
  • Or you can e.g. point to Site-to-Site VPN or point-to-site VPN.

Azure Security Center (ACS)

Azure Security Center Free Tier

  • Continuous security assessment
  • Actionable recommendations
  • Prioritized alerts and incidents
  • Integrated security solutions
    • E.g. recommends to deploy WAF

Azure Defender

  • Just-in-time VM Access
  • Threat protection for Azure VMs and non-Azure servers
  • Threat protection for PaaS services
  • Regulatory compliance dashboard and reports

Just-in-Time (JIT) VM Access

  • Allowed by Azure Defender for servers (formerly known as Azure Security Center Standard tier)
  • Normally to access a VM, you need 3389 for RDP protocol, or 22 to SSH for linux, you open those ports 7/24.
    • Not so secure as they're publicly accessible if IP is public.
  • JIT locks down inbound administrative port access
  • Time-restricted access to specific IP address(es)