Microsoft Azure IaaS, Virtual Machine security improvement.


Introduction

In this post I'd like to summarize what you can do to make your Azure virtual machines more secure. The factors to consider are:

  1. Secure privilege management
  2. Virtual machine update management
  3. Azure Firewall, NSG, Network Virtual Appliance
  4. Bastion and Just in Time access
  5. Adaptive application control
  6. Disk encryption
  7. File change monitoring
  8. Other

Secure privilege management

Enable MFA on your portal. The Azure portal is very versatile and lets you configure and perform a wide variety of operations. That is convenient during verification, but for production operation its security should be tightened. So, in production, enable multi-factor authentication (MFA) for every account that accesses the Azure portal (through Azure AD Conditional Access or Security Defaults), and grant those accounts only the roles they actually need.

Virtual machine update management

Leverage the Update Management feature. Azure provides a feature called Update Management (part of Azure Automation) that manages security patches; there is no good reason not to use it. Updates that have not yet been applied are shown on a dashboard, and you can define which updates to apply and schedule when to apply them. It can also manage security patches for machines running outside Azure, on-premises or in other clouds, once they are connected through the Log Analytics agent. Microsoft has since introduced Azure Update Manager as the successor to this feature, so check which one applies to your subscription.

Azure Firewall, NSG, Network Virtual Appliance

Access between the Internet, the internal network, and the individual virtual networks must be properly controlled. The Azure services that provide this are Network Security Groups (NSGs), which are stateful layer 3/4 allow or deny rules evaluated in priority order and attached to subnets or network interfaces; Azure Firewall, a managed stateful firewall that adds FQDN and application rules and threat-intelligence based filtering; and Network Virtual Appliances (NVAs), third-party firewalls from the Azure Marketplace for cases where you need features Azure Firewall does not offer.

Bastion and Just in Time access

There are several ways to access a virtual machine securely. For example, you can connect over a private network with ExpressRoute or a VPN. Circuit costs are high, though, and the alternative of opening a management port to the Internet raises the risk of being attacked, so that is usually not acceptable. The traditional answer to this problem has been a bastion (jump) server. However, if you run your own bastion server you have to operate and patch it yourself. Azure Bastion therefore provides the bastion server as a managed service: you open an RDP or SSH session to the virtual machine from the portal screen via a browser, and the target virtual machine does not need a public IP address. Since the Bastion host is managed by Azure, there is nothing for you to maintain, and the virtual machine's own NSG needs no inbound rule for RDP or SSH from the Internet. Just in Time (JIT) VM access in Security Center complements this: the management ports stay blocked by an NSG deny rule, and when an authorized user requests access, an allow rule for that user's source IP address is added for a limited time and removed again when it expires.

Adaptive application control

One of the features of Azure Security Center is adaptive application control. It uses machine learning to analyze the applications running on your virtual machines and proposes an allowlist of the executables that should be running there. Note that it works in audit mode: it raises an alert when something outside the allowlist runs, rather than blocking it, so treat it as a detection control and review the alerts.

Disk encryption

Encrypt the Azure virtual machine's disks. By encrypting the virtual disk, you prevent the data on it from being read even if the disk (VHD) is copied or leaked. Azure Disk Encryption uses BitLocker on Windows and dm-crypt on Linux, with the encryption keys kept in Azure Key Vault; this is in addition to the server-side encryption at rest that Azure applies to managed disks by default, and it means a downloaded VHD is unreadable without the key from your Key Vault.

File change monitoring

You can track changes made to the virtual machine's OS and software: files, registry keys, services and daemons, and installed packages. Azure's Change Tracking and Inventory feature (part of Azure Automation) does this. Whether a change is intentional or not, it is important to detect and review it, because an unexpected change to a binary or a configuration file is often the first visible sign of a compromise.
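The mechanism behind file change monitoring is a hashed baseline that is compared against a later scan. The following is an added example written for this post, not code from the original article or from Azure's Change Tracking service: it baselines a directory tree (SHA-256, size and permission bits, skipping symlinks), saves the baseline as JSON, and reports added, removed and modified files. The scratch files in demo() are constructed for illustration, and the permission-change case assumes a POSIX host.

```python
"""File-integrity baseline and comparison: hash a directory tree, save the baseline,
re-scan later and report added, removed and modified files (content or permission bits).
Added example for this post; the scratch files in demo() are constructed for illustration."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) to its hash, size and permission bits.
    Symlinks are skipped so a link pointed at a legitimate file cannot mask a change."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid/sticky bits
        }
    return baseline


def diff_baseline(old, new):
    """Compare two baselines; a file counts as modified if any recorded attribute differs,
    so a permission-only change (e.g. a newly set setuid bit) is reported too."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def save_baseline(baseline, path):
    """Persist the baseline; in practice store it somewhere the monitored host cannot alter."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario (POSIX assumed for the chmod): baseline a scratch tree, then
    tamper with a config file, delete a file, drop a new binary and set a setuid bit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "vm"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF original")
        save_baseline(build_baseline(root), Path(tmp) / "baseline.json")

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # config tampered
        (root / "etc" / "hosts").unlink()                                   # file removed
        (root / "bin" / "dropper").write_bytes(b"\x7fELF new")              # binary dropped
        (root / "bin" / "tool").chmod(0o4755)                               # setuid added, content unchanged

        return diff_baseline(load_baseline(Path(tmp) / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once to create the baseline for the paths you care about (for example /etc, /usr/bin, or C:\Windows\System32) and re-run the comparison on a schedule; the report for the constructed scenario lists the dropped binary as added, the deleted hosts file as removed, and both the edited sshd_config and the setuid-flagged tool as modified.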

Other

Evaluate the Secure Score in Security Center

Use the Security Center functions to evaluate your environment continuously, not limited to IaaS. It can also evaluate on-premises machines that are connected to it.

Backup

Take backups for unforeseen circumstances. Azure Backup is recommended because it is easy to implement and has many functions, such as taking backups of running virtual machines online and restoring on a file-by-file or VM-by-VM basis. Test a restore periodically; a backup you have never restored from is not yet a backup.

Use the latest virtual machine image as much as possible

Older images lack the patches released since they were built and are therefore vulnerable from the moment they boot, so use the latest image whenever possible and let update management handle whatever has been released since.

Adaptive Network

It is tempting to open NSG ports a little wider than needed, just in case. Adaptive network hardening in Security Center compares the traffic actually observed with the NSG rules in place, and where the rules are wider than the traffic warrants, its machine learning algorithm recommends a narrower rule.
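The NSG section, the Just in Time access discussion and the adaptive network hardening recommendation all come down to the same question: for a given port, which rule actually fires for a connection from an arbitrary Internet address? NSG rules are evaluated in ascending priority order, first match wins, and if no custom rule matches, the platform default DenyAllInBound (priority 65500) applies. The following is an added example for this post, not code from the original article or from Azure: it simulates that evaluation over rules in the JSON shape produced by `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` and reports management ports that end up open to the Internet. The rule set embedded in it is constructed, the rule names are hypothetical, and the set of prefixes treated as "any Internet host" is this example's own heuristic.

```python
"""Audit NSG rules for management ports reachable from any Internet address, by simulating
NSG evaluation (ascending priority, first match wins, default deny). Added example for this
post; SAMPLE_RULES is constructed and its rule names are hypothetical."""
import json
import sys

MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over HTTPS"}
# Source prefixes that admit an arbitrary Internet host (heuristic chosen for this example).
ANY_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def rule_ports(rule):
    """Return the set of destination ports a rule covers, or None for the wildcard '*'.
    Handles both the single destinationPortRange field and the destinationPortRanges list."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
    ports = set()
    for item in ranges:
        item = str(item).strip()
        if item == "*":
            return None
        if "-" in item:
            low, high = (int(part) for part in item.split("-", 1))
            ports.update(range(low, high + 1))
        else:
            ports.add(int(item))
    return ports


def source_is_any(rule):
    """True if the rule's source admits any Internet host (wildcard or the Internet service tag)."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or "*"]
    return any(str(prefix).strip().lower() in ANY_SOURCES for prefix in prefixes)


def effective_access(rules, port, protocol="Tcp"):
    """Which (access, rule name) applies to inbound <protocol>/<port> from an arbitrary Internet
    address: lowest priority number first, first match wins, platform default deny otherwise."""
    for rule in sorted(rules, key=lambda r: int(r["priority"])):
        if str(rule.get("direction", "Inbound")).lower() != "inbound":
            continue
        if str(rule.get("protocol", "*")).lower() not in ("*", protocol.lower()):
            continue
        ports = rule_ports(rule)
        if ports is not None and port not in ports:
            continue
        if not source_is_any(rule):
            continue  # e.g. a JIT allow rule scoped to one requester's IP does not expose the port
        return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound (platform default, priority 65500)"


def audit(rules):
    """List the management ports that are effectively allowed from the Internet."""
    findings = []
    for port, service in MGMT_PORTS.items():
        access, name = effective_access(rules, port)
        if access.lower() == "allow":
            findings.append({"port": port, "service": service, "rule": name})
    return findings


# Constructed rule set: a JIT-style pair for SSH (narrow allow above a broad deny),
# an RDP rule left open to the world, and a legitimate HTTPS rule.
SAMPLE_RULES = [
    {"name": "JIT-Allow-SSH-Admin", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.7/32", "destinationPortRange": "22"},
    {"name": "JIT-Deny-SSH", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "AllowRDPFromAnywhere", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowHTTPS", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]


if __name__ == "__main__":
    # Usage: python nsg_audit.py rules.json   (falls back to SAMPLE_RULES without an argument)
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    for finding in audit(rules):
        print(f"{finding['service']} ({finding['port']}/tcp) is open to the Internet "
              f"via rule '{finding['rule']}'")
```

On the constructed rules the audit flags only RDP: SSH is denied for an arbitrary Internet host because the JIT deny rule fires before anything else that could match, while the narrow allow above it only matches the one requester address, which is exactly the state JIT leaves an NSG in between access requests. WinRM falls through to the platform default deny. The same evaluation run over your real export shows what adaptive network hardening would recommend tightening.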

Conclusion

Azure has a lot of security features to protect virtual machines, so please make good use of these features to ensure security.

DevOps Consultant. I’m strongly focused on automation, security, and reliability.