In the cloud, provisioning a basic service so that it is ready to use can be quick and simple. However, there is a series of practices that can be used, alone or in combination, to provide additional security for your various resources.
The goal of this blog post is to give you some advice on security services you can put in place to add trust to the services you use in the cloud, helping you follow and implement the best practices and rules you want to apply across your company.
Azure Virtual Network
What are virtual networks?
Azure virtual networks enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers.
You can think of an Azure virtual network as an extension of your on-premises network, with resources that link to other Azure resources. Azure virtual networks also allow you to create multiple isolated virtual networks.
When you set up a virtual network, you define a private IP address space using either public or private IP address ranges. A public range used this way only exists within the virtual network and is not internet routable. You can divide that address space into subnets and allocate part of it to each named subnet.
For name resolution, you can use the name resolution service that is built into Azure. You can also configure the virtual network to use an internal or an external DNS server.
Azure virtual networks provide the following key networking capabilities:
- Isolation and segmentation
- Internet communications
- Communication between Azure resources
- Communication with on-premises resources
- Route network traffic
- Filter network traffic
- Connect virtual networks
Communicate between Azure resources
Azure resources communicate securely with each other in one of the following ways:
- Virtual network: You can deploy several types of Azure resources into a virtual network.
- Virtual network service endpoint: Extend your virtual network's private address space and identity to Azure service resources over a direct connection. Service endpoints allow you to restrict access to your critical Azure service resources to only your virtual network.
- VNet Peering: You can link virtual networks together by using virtual network peering. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, which allows you to create a global interconnected network through Azure.
Communicate with your network via VPN Gateway
Once you have a virtual network, you can establish an encrypted connection to it through a VPN gateway, so the resources inside do not need a public IP address to be reachable.
VPNs use an encrypted tunnel within another network. They are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet). Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.
A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:
- Connect on-premises datacentres to virtual networks through a site-to-site connection.
- Connect individual devices to virtual networks through a point-to-site connection.
- Connect virtual networks to other virtual networks through a network-to-network connection.
Our advice about networking
From the development phase onwards, you can set up virtual networks to separate your different resources from each other. Adding a VPN further limits the possibility of external access, and it can be configured easily on one or more machines thanks to point-to-site configurations, which do not require dedicated hardware infrastructure.
The disadvantage of the VPN gateway is that it generates a daily cost as soon as it is set up and cannot be turned off like a virtual machine; however, the basic offer, largely sufficient for development, is very affordable.
The second element to consider is that some basic service tiers do not offer the option of being connected to a virtual network, so it is then necessary to subscribe to a higher-level tier to restrict network access in this way.
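The networking setup described above, written as an ARM template, as an added example (not code from the original post). It assumes the resource group scope, the names vnet-dev, snet-app, snet-db and nsg-app, and the 10.10.0.0/16 address space; it creates a private address space split into isolated subnets, filters inbound traffic from the internet with a network security group, enables a Storage service endpoint on the application subnet, and reserves the GatewaySubnet a VPN gateway requires.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": { "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-app')]" },
  "resources": [
    {
      // Network security group: filters traffic reaching the application subnet.
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2023-04-01",
      "name": "nsg-app",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [ {
          "name": "DenyInternetInbound",
          "properties": {
            "priority": 100, "direction": "Inbound", "access": "Deny", "protocol": "*",
            "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "*"
          }
        } ]
      }
    },
    {
      // Virtual network: private address space (assumed value) split into isolated subnets.
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2023-04-01",
      "name": "vnet-dev",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('nsgId')]" ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.10.0.0/16" ] },
        "subnets": [
          {
            "name": "snet-app",
            "properties": {
              "addressPrefix": "10.10.1.0/24",
              "networkSecurityGroup": { "id": "[variables('nsgId')]" },
              // Service endpoint: a storage account can then restrict access to this subnet only.
              "serviceEndpoints": [ { "service": "Microsoft.Storage" } ]
            }
          },
          { "name": "snet-db", "properties": { "addressPrefix": "10.10.2.0/24" } },
          // A VPN gateway must be deployed into a subnet named exactly GatewaySubnet.
          { "name": "GatewaySubnet", "properties": { "addressPrefix": "10.10.255.0/27" } }
        ]
      }
    }
  ]
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file vnet.json`; the VPN gateway itself is a separate resource placed into GatewaySubnet afterwards.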
Azure Policy
Azure Policy is a service that enables you to create, assign, and manage policies to control or audit your resources. These policies enforce different rules over your resource configurations, so the configurations stay compliant with corporate standards.
Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity.
It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management.
Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.
Our advice on Azure Policy
Defining a set of rules takes some time, since you need to think through and specify all the possibilities.
On the other hand, this can be done progressively, and it brings the advantage of strictly controlling which services are deployed and how they are used in the cloud, acting as safeguards against mistakes. For example: leave the way open to create virtual machines, but only allow them in certain regions for legal reasons and/or in a limited range of sizes to avoid additional costs.
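The virtual machine safeguard described above, as an added example of a custom Azure Policy definition (not from the original post), in the shape the portal's policy-definition editor accepts. The region and size lists are assumed values; the rule denies any virtual machine whose location or SKU is outside the allowed lists, and the `Microsoft.Compute/virtualMachines/sku.name` alias is the same one the built-in "Allowed virtual machine size SKUs" policy uses.

```json
{
  "mode": "Indexed",
  "parameters": {
    "allowedLocations": {
      "type": "Array",
      "metadata": { "description": "Regions where virtual machines may be created (assumed example values)." },
      "defaultValue": [ "westeurope", "northeurope" ]
    },
    "allowedSkus": {
      "type": "Array",
      "metadata": { "description": "Virtual machine sizes that may be used, to keep costs bounded (assumed example values)." },
      "defaultValue": [ "Standard_B1s", "Standard_B2s", "Standard_D2s_v3" ]
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
        {
          "anyOf": [
            { "field": "location", "notIn": "[parameters('allowedLocations')]" },
            { "field": "Microsoft.Compute/virtualMachines/sku.name", "notIn": "[parameters('allowedSkus')]" }
          ]
        }
      ]
    },
    "then": { "effect": "deny" }
  }
}
```

Assign it first with the effect changed to `audit` to see on the compliance dashboard which existing resources would be blocked, then switch to `deny` once the lists are confirmed.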
Azure Blueprints
Azure Blueprints lets you define a repeatable set of governance tools and standard Azure resources that your organization requires.
A blueprint is a package related to the implementation of Azure cloud services, security, and design.
As a declarative way to orchestrate the deployment of various resource templates and other artifacts, a blueprint can be reused to maintain consistency and compliance. It makes it possible for development teams to rapidly build and start up new environments, trusting that they are building within organizational compliance, with a set of built-in components to speed up development and delivery.
Some of the features of Azure Blueprints:
- Can be used to scale governance practices across an organization.
- Orchestrates the deployment of various resource templates and other artifacts (Role Assignments, Policy Assignments, ARM Templates, Resource Groups, …).
- The relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved.
- Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments.
How it's different from ARM templates
Nearly everything that you want to include for deployment in Azure Blueprints can be accomplished with an ARM template.
However, an ARM template is a document that does not exist natively in Azure: each one is stored either locally, in source control, or in Templates.
The template gets used for deployments of one or more Azure resources, but once those resources deploy there is no active connection or relationship to the template.
Integration of Azure Blueprints with Azure Policy
Azure Policy is a default allow and explicit deny system focused on resource properties for deployment and for already existing resources. Azure Policy supports cloud governance by validating that resources within a subscription adhere to requirements and standards.
You can include an Azure policy as an artifact in a blueprint definition. A policy in a blueprint enables the creation of the correct pattern or design during assignment of the blueprint. You can ensure that only approved or expected changes can be made to the environment and protect ongoing compliance according to the intent of the blueprint.
More information: https://learn.microsoft.com/en-us/azure/governance/blueprints/overview.
Our advice about Azure Blueprints
Here too, a certain amount of planning must be thought out and done. The advantage of this service, which can bring together several concepts (ARM templates, Policy, ...), is to give a complete view of the parameters of the services that will be put in place, as an architect does when submitting plans for a future building. Unlike ARM templates, which are a point-in-time definition model, Blueprints provide a declarative, repeatable method to orchestrate deployments of your resources in the cloud.
Want to know more?
Let's talk about it!