Compute, storage, and network resources are key to the infrastructure of any cloud environment—and Azure is no different. Understanding these distinct but interrelated elements allows you to construct a solid and reliable base infrastructure. It can be difficult to secure these resources, but Azure’s native security offerings, combined with security best practices, will set your environment up for success.
In Cloud Security and Azure, Part 1, we gave an overview of security on Microsoft’s platform. Although web security in Microsoft Azure can be automated using Reblaze, there are still important issues that must be carefully considered when using Azure cloud services.
Securing Compute Resources
While there are a number of Azure compute offerings, Azure virtual machines (VMs) are perhaps the most familiar type of compute resource. They provide on-demand, scalable virtualized computers with usage-based pricing, sized for specific types of computing scenarios. Burstable VMs are the most economical choice, but VMs optimized for raw CPU, memory performance, and general-purpose workloads are also available, running a wide variety of Windows and Linux operating systems and versions.
Best practices for securing virtual machines generally fall into the following categories:
- Role-based access control involves scoping just the right amount of access to an individual or group, and is essential for controlling who and what has access to your resources. Azure Resource Manager allows you to script the appropriate permissions for each group to the resources as needed to ensure appropriate access.
- Azure policies are defined configurations that are applied to your Windows or Linux VMs. They allow you to control both settings inside the guest operating system and restrictions on the Azure resource configuration itself.
- Disk encryption for Windows and Linux VMs is also available. Windows is encrypted using BitLocker, while Linux uses dm-crypt. Cryptographic keys are then stored in Azure Key Vault.
- Microsoft Antimalware for Azure is a free solution provided for Azure’s cloud services and VMs. It is built on the same platform as Microsoft Security Essentials and offers a comprehensive set of scanning and remediation services.
- Azure Key Vault is available for storing certificates, keys, and other credentials. Additionally, policies may be used to further limit and restrict user access to specific resources.
Containers
Azure has several containerization offerings, including Azure Kubernetes Service (AKS), Azure Service Fabric, and Azure Container Instances (ACI). All of these options offer the same core container functionality, but with varying degrees of integration, portability, and ease of management.
- Azure Kubernetes Service is Azure’s managed Kubernetes service. Kubernetes is a container orchestration framework that assists in the end-to-end management of containerized services.
- Azure Service Fabric is similar to Kubernetes, but it’s a Microsoft-created orchestration system. With tighter integration with Azure services, it offers additional benefits, but they come with an increased reliance on Microsoft and decreased portability to other container orchestration systems.
- Azure Container Instances is a basic container hosting service that allows for quick deployment of containers. If you don’t need a full orchestration system, but you don’t want to manage a container environment yourself, this is a great option.
When securing containers, it is extremely important to validate the source of your container images. To that end, Azure Container Registry allows you to create a private image registry of validated and tested images. However, you’ll still need to continuously scan your images for new vulnerabilities and issues. Using Container Monitoring in Log Analytics, you can take a comprehensive look at the commands that are being run within your containers, as well as their effects.
Storage and Security
As in any cloud, storage underpins the infrastructure. Azure offers a comprehensive set of solutions for your storage needs. However, you’ll still need to secure your data.
One of the most commonly used storage services is Azure Blob storage. This is Azure’s equivalent of Amazon S3: REST-based object storage. Instead of being block based, like attached virtual disks, Blob storage is an API-accessible data-storage medium. Policies can be set on “buckets” (blob containers) as a whole, or on individual files themselves.
A mistake many people make when working with Azure Blob storage is misconfiguring access policies, which leads to a publicly accessible bucket or a set of files that may contain privileged or protected information. Once your bucket is private, you have a few options for granting access to its contents securely.
For example, using a storage account key, you can grant and share access to a resource. However, as Microsoft points out, this is essentially giving out the “keys to the kingdom,” since an account key grants wide-ranging access. An alternative is a shared access signature (SAS). An SAS is a generated token appended to a Blob storage object URI that grants limited-time access to a specific resource. Using these methods will allow you to properly secure access to your Blob storage.
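To make the difference between an account key and a scoped SAS concrete, here is an added example (not from the original post or from Azure’s SDK) that audits a blob URL’s SAS query fields for over-broad grants: modifying permissions, container listing, a lifetime longer than a chosen limit, no HTTPS restriction and no source IP range. The sample account, paths and signatures are constructed placeholders; the field names (sp, st, se, spr, sip, sr, sig) are the standard SAS query parameters.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MODIFY_PERMS = set("acdw")  # SAS permission letters: add, create, delete, write
SAS_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d")  # timestamp forms used in st/se

def parse_sas_time(value):
    """Parse the UTC timestamp carried in the st (start) or se (expiry) field."""
    for fmt in SAS_TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS time: {value}")

def audit_sas_url(url, now, max_lifetime=timedelta(hours=1)):
    """Return findings for a blob URL carrying a SAS token; [] means least privilege."""
    query = parse_qs(urlsplit(url).query)
    field = lambda key: query.get(key, [""])[0]
    if not field("sig"):
        return ["no SAS signature (sig): URL relies on the account key or public access"]
    findings = []
    perms = set(field("sp"))
    if perms & MODIFY_PERMS:  # anything beyond read/list lets the holder change data
        findings.append("grants modifying permissions (sp): " + "".join(sorted(perms & MODIFY_PERMS)))
    if "l" in perms and field("sr") == "c":  # container-scoped token that can enumerate blobs
        findings.append("allows listing every blob in the container (sp=l, sr=c)")
    if not field("se"):  # expiry then has to come from a stored access policy
        findings.append("no expiry (se) in the token; it depends on the stored access policy (si)")
    else:
        expiry = parse_sas_time(field("se"))
        start = parse_sas_time(field("st")) if field("st") else now
        if expiry <= now:
            findings.append("token already expired (se)")
        elif expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime} (st/se)")
    if field("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    if not field("sip"):
        findings.append("no source IP range restriction (sip)")
    return findings

# Constructed sample URLs: the account, paths and signatures are placeholders.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
BROAD_SAS = ("https://examplestore.blob.core.windows.net/reports?sv=2022-11-02&sr=c"
             "&sp=racwdl&st=2024-05-01T00:00:00Z&se=2025-05-01T00:00:00Z&sig=PLACEHOLDER")
NARROW_SAS = ("https://examplestore.blob.core.windows.net/reports/q1.pdf?sv=2022-11-02&sr=b"
              "&sp=r&st=2024-05-01T11:55:00Z&se=2024-05-01T12:30:00Z&spr=https"
              "&sip=203.0.113.10-203.0.113.20&sig=PLACEHOLDER")
```

Running `audit_sas_url(BROAD_SAS, NOW)` reports five findings (read/write/delete/list on a whole container for a year, over plain HTTP, from anywhere), while the narrow read-only token reports none.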
Although we have talked about Azure Blob storage, block storage is most commonly used within VMs—and it’s what the operating systems themselves reside on. Azure enables you to encrypt disks at rest within Windows or Linux. Many security standards rely on this ability, and, in general, it’s a well-advised best practice to follow if you can.
Network Security and Connecting It All
The need to connect all of these services together and to the outside world underpins both storage and VMs. Azure uses the concept of an Azure Virtual Network (VNet), along with network security groups (NSGs), to protect and segment traffic as necessary.
When creating VNets, it’s recommended to:
- Create fewer large VNets, rather than many small ones, to avoid management overhead. This also decreases the possibility of management mistakes.
- Secure VNets using NSGs to define inbound and outbound traffic rules.
Utilizing NSGs, which are essentially groups of firewall rules, you can properly secure and segment traffic. You can even extend these rules with application security groups, which group your VMs by workload and let rules reference the group, so you don’t need to track each and every IP address to describe your actual services.
For Internet-facing services, utilizing Azure DDoS Protection, Traffic Manager, and Load Balancer can help further protect and secure your applications from unexpected or malicious traffic spikes. With Azure Bastion, you will be able to manage RDP and SSH access to your machines through the Azure portal without any external exposure.
Setting up proper networking within your environment is crucial to making sure that the resources you want to talk to each other are the only ones that do so. Furthermore, utilizing network security groups to limit the available ports and the access they provide is an extremely effective way to protect your various resources (such as virtual machines).
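As an added example (not code from the original post or from Azure), the following models how an NSG decides an inbound connection: your rules plus Azure’s three default inbound rules are evaluated by priority, and the first match wins. It checks whether RDP or SSH is reachable from the Internet service tag, contrasting a rule open to any source with one scoped to a Bastion subnet range; 10.0.1.0/26 is a placeholder, the rule field names follow the NSG rule resource, and because service-tag membership is resolved by Azure, the probe names the tag directly.

```python
import ipaddress

def nsg_rule(name, priority, access, source, ports, protocol="*"):
    return {"name": name, "priority": priority, "access": access, "protocol": protocol,
            "sourceAddressPrefix": source, "destinationPortRange": ports}

# Azure's built-in inbound defaults; a custom rule needs a lower number to take precedence.
DEFAULT_INBOUND = [nsg_rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
                   nsg_rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
                   nsg_rule("DenyAllInBound", 65500, "Deny", "*", "*")]
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

def source_matches(prefix, source):
    """A rule's source prefix matches a probe if it is '*', the same service tag, or a CIDR holding the IP."""
    if prefix == "*" or prefix == source:
        return True
    try:
        return ipaddress.ip_address(source) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # prefix is a service tag, or the probe source is a tag rather than an IP
        return False

def port_matches(rule, port):
    """Match destinationPortRange ('*', '22', '1000-2000') or the destinationPortRanges list."""
    for item in rule.get("destinationPortRanges") or [rule["destinationPortRange"]]:
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def evaluate_inbound(rules, source, port, protocol="Tcp"):
    """Return the first matching inbound rule by priority (lowest number wins), as Azure does."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (rule["protocol"].lower() in ("*", protocol.lower())
                and source_matches(rule["sourceAddressPrefix"], source)
                and port_matches(rule, port)):
            return rule
    raise AssertionError("DenyAllInBound matches everything")

def internet_exposed_management_ports(rules):
    """Management ports an Internet source can reach, mapped to the rule that allows them."""
    decisions = {name: evaluate_inbound(rules, "Internet", port) for port, name in MANAGEMENT_PORTS.items()}
    return {name: rule["name"] for name, rule in decisions.items() if rule["access"] == "Allow"}

# Constructed rule sets; 10.0.1.0/26 stands in for the AzureBastionSubnet address range.
OPEN_RDP = [nsg_rule("allow-rdp", 100, "Allow", "*", "3389", "Tcp")]
BASTION_ONLY = [nsg_rule("allow-rdp-from-bastion", 100, "Allow", "10.0.1.0/26", "3389", "Tcp")]
```

`internet_exposed_management_ports(OPEN_RDP)` names the offending rule, while with `BASTION_ONLY` the Internet probe falls through to DenyAllInBound and only a source inside the Bastion range reaches port 3389.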
Conclusion
Compute, storage, and network resources form the backbone of most cloud infrastructures. Making sure that you properly protect and secure them will ensure that your resources, and your customers’ resources, are well protected too.
In the final article in this series, we will explore what it takes to secure your web applications and keep your environment up to date with the comprehensive management tools that Azure offers.