Microsoft Azure IaaS, Virtual Machine security improvement.

Photo by Algi on Unsplash

Introduction

In this post , I’d like to summarize what you need to do to make your Azure virtual machine more secure. Below there are some factors to consider to make your Azure virtual machines more secure:

1. Secure privilege management
2. Virtual machine update management
3. AzureFirewall, NSG, Network Virtual Appliance
4. Bastion and Just in Time access
5. Adaptive application control
6. Disk encryption
7. File change monitoring
8. Other

Secure privilege management

Enable MFA on your portal The Azure portal is very versatile and allows you to configure and perform a variety of operations. It’s good at the time of verification, but I would like to improve security when performing production operation. So, in production production cases, enable MFA to improve security when accessing the Azure portal.

Enable Azure AD Multi-Factor Authentication

Properly control permissions using RBAC (Role Based Access Control). Properly deploy virtual machines by leveraging resource groups (RGs) and subscriptions. In Azure, where only the virtual machine administrator is given permission to access virtual machines in the first place, there are units called subscriptions and resource groups as units for managing resources. Access control can be applied to each unit. This is what we call RBAC. Give proper access to the right resources.

Virtual machine update management

Leverage the Update Management feature Azure provides a feature called Update Management that manages security patches. There is no way not to use this. Updates that have not been applied are displayed on the dashboard, and you can set what rules and when to apply updates. In addition, you can manage security patches for virtual machines that run outside of Azure.

Manage updates and patches for your VMs in Azure Automation

AzureFirewall, NSG, Network Virtual Appliance

It is necessary to properly control access between the external network, the internal network, and multiple networks. The Azure services that realize these are as follows.

• NSG (Network Security Group): Simple and versatile port filtering. You can set which port to pass or not to pass between the source and the destination.

Azure network security groups overview

• Azure Firewall: This is firewall service that offers even more advanced processing than NSG. It has L7 functionality, so you can filter traffic by FQDN.

What is Azure Firewall?

• WE have also option to deploy NVA on Azure provided by NVA (Network Virtual Appliance) 3rd Party. You can purchase from the marketplace.

Hybrid connection with 2-tier application

Bastion and Just in Time access

There are many possible ways to access a virtual machine securely. For example, you can use Express Route or VPN to connect with a private network. That said, line costs are high, but opening a port accessible from the Internet increases the risk of being attacked, which is usually not possible. In response to such problems, the actual solution so far has been to use a bastion server . However, if you use a bastion server, you will need to manage the operation of that server. Therefore, Azure Bastion provides the bastion server in a managed manner. You can access virtual machines that do not have a Bastion public IP address via Bastion. The route at this time is to access the virtual machine from the portal screen via a browser. Since the Bastion server is managed by Azure, there is no need for the user to manage it, and there is no need to set up NSG.

Tutorial: Create an Azure Bastion host: Windows VM: portal

Just in Time this is service that opens a port for access to a virtual machine that has a public IP address for a limited time.

Just-in-time virtual machine access in Azure Security Center

Adaptive application control

One of the features of Azure Security Center is adaptive application control. This feature allows you to use machine learning to analyze applications running in virtual machines and create application authorization lists.

Adaptive application controls in Azure Security Center

Disk encryption

Encrypt the Azure virtual machine disk. By encrypting the virtual disk, even if the virtual disk is leaked, the data inside is prevented from being accessed.

Enable Azure Disk Encryption for Linux VMs - Azure Virtual Machines

Enable Azure Disk Encryption for Windows VMs - Azure Virtual Machines

File change monitoring

You can track changes made to the virtual machine’s OS and software. Whether it’s intentional or not, it’s important to check for changes.

File integrity monitoring in Azure Security Center

Other

Evaluation of security score by Security Center

Let’s evaluate continuously by using the function of Security Center, not limited to IaaS. You can also evaluate the on-premise environment.

Backup

Make a backup in case of unforeseen circumstances. Azure Backup is recommended because it is easy and has many functions such as online backup acquisition and restore on a file-by-file or VM-by-VM basis, and it is easy to implement.

Use the latest virtual machine image as much as possible

Since the latest image is often updated and vulnerable, use the latest image as much as possible.

Adaptive Network

Would you like to open the NSG port in a slightly wider range just in case? If the security center function is different from the actual traffic used and the NSG rule, the machine learning algorithm will suggest a narrower rule.

Conclusion

Azure has a lot of security features to protect virtual machines, so please make good use of these features to ensure security.