Microsoft Azure IaaS, Virtual Machine security improvement.

Photo by Algi on Unsplash

Introduction

In this post , I’d like to summarize what you need to do to make your Azure virtual machine more secure. Below there are some factors to consider to make your Azure virtual machines more secure:

  1. Secure privilege management
  2. Virtual machine update management
  3. AzureFirewall, NSG, Network Virtual Appliance
  4. Bastion and Just in Time access
  5. Adaptive application control
  6. Disk encryption
  7. File change monitoring
  8. Other

Secure privilege management

Enable MFA on your portal The Azure portal is very versatile and allows you to configure and perform a variety of operations. It’s good at the time of verification, but I would like to improve security when performing production operation. So, in production production cases, enable MFA to improve security when accessing the Azure portal.

Properly control permissions using RBAC (Role Based Access Control). Properly deploy virtual machines by leveraging resource groups (RGs) and subscriptions. In Azure, where only the virtual machine administrator is given permission to access virtual machines in the first place, there are units called subscriptions and resource groups as units for managing resources. Access control can be applied to each unit. This is what we call RBAC. Give proper access to the right resources.

Virtual machine update management

Leverage the Update Management feature Azure provides a feature called Update Management that manages security patches. There is no way not to use this. Updates that have not been applied are displayed on the dashboard, and you can set what rules and when to apply updates. In addition, you can manage security patches for virtual machines that run outside of Azure.

AzureFirewall, NSG, Network Virtual Appliance

It is necessary to properly control access between the external network, the internal network, and multiple networks. The Azure services that realize these are as follows.

  • NSG (Network Security Group): Simple and versatile port filtering. You can set which port to pass or not to pass between the source and the destination.
  • Azure Firewall: This is firewall service that offers even more advanced processing than NSG. It has L7 functionality, so you can filter traffic by FQDN.
  • WE have also option to deploy NVA on Azure provided by NVA (Network Virtual Appliance) 3rd Party. You can purchase from the marketplace.

Bastion and Just in Time access

There are many possible ways to access a virtual machine securely. For example, you can use Express Route or VPN to connect with a private network. That said, line costs are high, but opening a port accessible from the Internet increases the risk of being attacked, which is usually not possible. In response to such problems, the actual solution so far has been to use a bastion server . However, if you use a bastion server, you will need to manage the operation of that server. Therefore, Azure Bastion provides the bastion server in a managed manner. You can access virtual machines that do not have a Bastion public IP address via Bastion. The route at this time is to access the virtual machine from the portal screen via a browser. Since the Bastion server is managed by Azure, there is no need for the user to manage it, and there is no need to set up NSG.

Just in Time this is service that opens a port for access to a virtual machine that has a public IP address for a limited time.

Adaptive application control

One of the features of Azure Security Center is adaptive application control. This feature allows you to use machine learning to analyze applications running in virtual machines and create application authorization lists.

Disk encryption

Encrypt the Azure virtual machine disk. By encrypting the virtual disk, even if the virtual disk is leaked, the data inside is prevented from being accessed.

File change monitoring

You can track changes made to the virtual machine’s OS and software. Whether it’s intentional or not, it’s important to check for changes.

Other

Evaluation of security score by Security Center

Let’s evaluate continuously by using the function of Security Center, not limited to IaaS. You can also evaluate the on-premise environment.

Backup

Make a backup in case of unforeseen circumstances. Azure Backup is recommended because it is easy and has many functions such as online backup acquisition and restore on a file-by-file or VM-by-VM basis, and it is easy to implement.

Use the latest virtual machine image as much as possible

Since the latest image is often updated and vulnerable, use the latest image as much as possible.

Adaptive Network

Would you like to open the NSG port in a slightly wider range just in case? If the security center function is different from the actual traffic used and the NSG rule, the machine learning algorithm will suggest a narrower rule.

Conclusion

Azure has a lot of security features to protect virtual machines, so please make good use of these features to ensure security.

 by the author.

--

--

--

DevOps Consultant. I’m strongly focused on automation, security, and reliability.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Chapter 17 Poor Man’s Search Engine

SDBS #10 | Essential qPoS RPC Commands and Their Implementation

How to construct a new payload using the existing payload?

Hacktoberfest: An opportunity for Data Science Beginners

Stop Wasting Your Time and Money on Programming Certifications

HARMAN Off Campus Drive 2022 | Freshers | Associate Engineer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Maciej

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.

More from Medium

Deploying your app using Shipa and Azure Pipelines

Connect to Azure Kubernetes Service from your local

Grafana with Azure AD Authentication

Foundations in Azure DevOps YAML pipelines