The best practices are based on a consensus of opinion, and they work with current Azure
platform capabilities and feature sets. Because opinions and technologies can change over time,
this article will be updated to reflect those changes.
In most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) are the main
workload for organizations that use cloud computing. This fact is evident in hybrid scenarios
where organizations want to slowly migrate workloads to the cloud. In such scenarios, follow the
general security considerations for IaaS, and apply security best practices to all your VMs.
Protect VMs by using authentication and access control:
The first step in protecting your VMs is to ensure that only authorized users can set up new VMs
and access VMs.
Best practice: Control VM access.
Detail: Use Azure Policy to establish conventions for resources in your organization and to create
customized policies. Assign these policies at a scope such as a resource group; VMs that belong
to a resource group inherit the policies assigned to it.
If your organization has many subscriptions, you might need a way to efficiently manage access,
policies, and compliance for those subscriptions. Azure management groups provide a level of
scope above subscriptions. You organize subscriptions into management groups (containers) and
apply your governance conditions to those groups. All subscriptions within a management group
automatically inherit the conditions applied to the group. Management groups give you
enterprise-grade management at a large scale no matter what type of subscriptions you might
Best practice: Reduce variability in your setup and deployment of VMs.
Detail: Use Azure Resource Manager templates to strengthen your deployment choices and
make it easier to understand and inventory the VMs in your environment.
Best practice: Secure privileged access.
Detail: Use a least privilege approach and built-in Azure roles to enable users to access and set
up VMs:
Virtual Machine Contributor: Can manage VMs, but not the virtual network or storage
account to which they are connected.
Classic Virtual Machine Contributor: Can manage VMs created by using the classic
deployment model, but not the virtual network or storage account to which the VMs are
Security Admin: In Security Center only: Can view security policies, view security states,
edit security policies, view alerts and recommendations, dismiss alerts and
DevTest Labs User: Can view everything and connect, start, restart, and shut down VMs.
Subscription admins and coadmins can change these role assignments, making themselves
administrators of all the VMs in a subscription. Be sure that you trust all of your subscription
admins and coadmins to log in to any of your machines, and keep that group as small as possible.
We recommend that you consolidate VMs with the same lifecycle into the same resource group.
By using resource groups, you can deploy, monitor, and roll up billing costs for your resources.
Organizations that control VM access and setup improve their overall VM security.
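The two controls above, a built-in role granted at the narrowest scope that still lets operators do their job, and a policy assigned once at management-group scope so every subscription beneath it inherits it, look like this in the Az PowerShell module. This is an added example, not code from the original article; it assumes the Az.Accounts and Az.Resources modules, a session already signed in with Connect-AzAccount, and placeholder names (the resource group, the operator group's object ID, the management group and the allowed regions) that you replace with your own.

```powershell
# Added example (not from the original article): least-privilege VM access with a
# built-in role scoped to one resource group, plus a built-in Azure Policy assigned
# at management-group scope so every subscription beneath it inherits it.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has run.

$resourceGroup   = 'rg-app-prod'                              # assumption: VMs with one lifecycle live here
$operatorGroupId = '00000000-0000-0000-0000-000000000000'     # assumption: object ID of the Azure AD group of VM operators
$managementGroup = 'mg-corp'                                  # assumption: management group that holds the subscriptions
$allowedRegions  = @('westeurope', 'northeurope')             # assumption: the regions your organization approves

# 1. Grant operators "Virtual Machine Contributor" on the resource group only.
#    They can manage VMs there, but not the virtual network or storage account the
#    VMs use, and nothing outside this resource group.
$existing = Get-AzRoleAssignment -ObjectId $operatorGroupId `
    -ResourceGroupName $resourceGroup -RoleDefinitionName 'Virtual Machine Contributor'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $operatorGroupId `
        -RoleDefinitionName 'Virtual Machine Contributor' `
        -ResourceGroupName $resourceGroup | Out-Null
}

# 2. Review who holds Owner or Contributor at subscription scope or above: these
#    identities can reach every VM in the subscription, so the list should be short
#    and every entry should be known to you.
$subscriptionId = (Get-AzContext).Subscription.Id
Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" |
    Where-Object {
        $_.RoleDefinitionName -in 'Owner', 'Contributor' -and
        $_.Scope -notlike '*/resourceGroups/*'
    } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope

# 3. Assign a built-in policy at management-group scope. The definition is looked up
#    by display name (checked in both the older and newer output shapes of
#    Get-AzPolicyDefinition) so no GUID is hard-coded. "Allowed locations" limits
#    where VMs and other resources may be created.
$definition = Get-AzPolicyDefinition -Builtin | Where-Object {
    $_.Properties.DisplayName -eq 'Allowed locations' -or $_.DisplayName -eq 'Allowed locations'
} | Select-Object -First 1
$scope = (Get-AzManagementGroup -GroupName $managementGroup).Id
New-AzPolicyAssignment -Name 'allowed-locations' `
    -DisplayName 'Restrict resource locations' `
    -PolicyDefinition $definition `
    -Scope $scope `
    -PolicyParameterObject @{ listOfAllowedLocations = $allowedRegions } | Out-Null
```

Step 2 is the check the paragraph above asks for: anyone it lists can log in to any VM in the subscription, whatever resource-group-level roles you have set. The policy assignment needs a Management Group Contributor (or Owner) role at the management-group scope, which is itself a privileged assignment to keep under review.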
Use multiple VMs for better availability
If your VM runs critical applications that need to have high availability, we strongly recommend
that you use multiple VMs. For better availability, use an availability set or availability zones.
An availability set is a logical grouping that you can use in Azure to ensure that the VM
resources you place within it are isolated from each other when they’re deployed in an Azure
datacenter. Azure ensures that the VMs you place in an availability set run across multiple
physical servers, compute racks, storage units, and network switches. If a hardware or Azure
software failure occurs, only a subset of your VMs are affected, and your overall application
continues to be available to your customers. Availability zones go a step further: each zone is a
physically separate location within a region, so spreading VMs across zones protects the
application against the loss of an entire datacenter. Availability sets and zones are an essential
capability when you want to build reliable cloud solutions.
Protect against malware
You should install antimalware protection to help identify and remove viruses, spyware, and
other malicious software. You can install Microsoft Antimalware, Windows Defender, or System
Center Endpoint Protection, or a Microsoft partner’s endpoint protection solution (for example
Trend Micro, Broadcom, or McAfee).
Microsoft Antimalware includes features like real-time protection, scheduled scanning, malware
remediation, signature updates, engine updates, samples reporting, and exclusion event
collection. For environments that are hosted separately from your production environment, you
can use an antimalware extension to help protect your VMs and cloud services.
You can integrate Microsoft Antimalware and partner solutions with Azure Security Center for
ease of deployment and built-in detections (alerts and incidents).
Best practice: Install an antimalware solution to protect against malware.
Detail: Install Microsoft Antimalware or a Microsoft partner solution.
Best practice: Integrate your antimalware solution with Security Center to monitor the status of
your protection.
Detail: Manage endpoint protection issues with Security Center.
Manage your VM updates
Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push
Windows updates to them. You need to manage your VM updates.
Best practice: Keep your VMs current.
Detail: Use the Update Management solution in Azure Automation to manage operating system
updates for your Windows and Linux computers that are deployed in Azure, in on-premises
environments, or in other cloud providers. You can quickly assess the status of available updates
on all agent computers and manage the process of installing required updates for servers.
Computers that are managed by Update Management use the following configurations to
perform assessment and update deployments:
Microsoft Monitoring Agent (MMA) for Windows or Linux
PowerShell Desired State Configuration (DSC) for Linux
Automation Hybrid Runbook Worker
Microsoft Update or Windows Server Update Services (WSUS) for Windows computers
If you use Windows Update, leave the automatic Windows Update setting enabled.
Best practice: Ensure at deployment that images you built include the most recent round of
Windows updates.
Detail: Check for and install all Windows updates as a first step of every deployment. This
measure is especially important when you deploy custom images that you built yourself or that
come from your own image library. Although images from the Azure Marketplace are updated
automatically by default, there can be a lag time (up to a few weeks) after a public release, so a
freshly deployed Marketplace image can also be behind on patches.
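The "check first, then install" step above can be scripted with the Windows Update Agent COM API that ships with Windows, so no extra module is needed on the image. This is an added example, not code from the original article; it assumes it runs elevated on the VM (interactively or through the Custom Script Extension), that the VM can reach Microsoft Update or your WSUS server, and the filter on security and critical updates is this example's choice.

```powershell
# Added example (not from the original article): fail a deployment step unless the
# running image has no missing security/critical updates, installing them if needed.
# Uses the built-in Windows Update Agent COM API (Microsoft.Update.Session), so it
# needs no extra module. Assumes an elevated session on the VM with update access.

function Get-MissingUpdates {
    param([switch]$SecurityOnly)
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that are neither installed nor hidden by an administrator
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $updates  = @($result.Updates)
    if ($SecurityOnly) {
        # Each update carries its categories; keep the security and critical ones
        $updates = $updates | Where-Object {
            ($_.Categories | ForEach-Object { $_.Name }) -match 'Security Updates|Critical Updates'
        }
    }
    return $updates
}

function Install-MissingUpdates {
    param([object[]]$Updates)
    if (-not $Updates -or $Updates.Count -eq 0) { return $null }
    $session    = New-Object -ComObject 'Microsoft.Update.Session'
    $collection = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($u in $Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }   # unaccepted EULAs block installation
        [void]$collection.Add($u)
    }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $collection
    $downloader.Download() | Out-Null
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $collection
    # Returns an IInstallationResult: ResultCode 2 means succeeded, RebootRequired
    # tells the caller whether a reboot is still pending.
    return $installer.Install()
}

$missing = Get-MissingUpdates -SecurityOnly
if ($missing.Count -eq 0) {
    Write-Output 'No missing security updates; image is current.'
} else {
    $missing | ForEach-Object {
        $kbs = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Write-Output ("Missing: {0} ({1})" -f $_.Title, $kbs)
    }
    $result = Install-MissingUpdates -Updates $missing
    if ($result -and $result.RebootRequired) {
        Write-Warning 'Reboot required before continuing the deployment.'
    }
    # Gate the rest of the deployment on a clean re-scan
    if ((Get-MissingUpdates -SecurityOnly).Count -gt 0) { exit 1 }
}
```

Running the same scan against a candidate image before you publish it to your library is the cheapest place to catch a stale build; the post-install re-scan at the end is what turns the script into a gate rather than a report.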
Best practice: Periodically redeploy your VMs to force a fresh version of the OS.
Detail: Define your VM with an Azure Resource Manager template so you can easily redeploy
it. Using a template gives you a patched and secure VM when you need it.
Best practice: Rapidly apply security updates to VMs.
Detail: Enable Azure Security Center (Free tier or Standard tier) to identify missing security
updates and apply them.
Best practice: Install the latest security updates.
Detail: Some of the first workloads that customers move to Azure are labs and external-facing
systems. If your Azure VMs host applications or services that need to be accessible to the
internet, be vigilant about patching. Patch beyond the operating system. Unpatched
vulnerabilities in third-party (partner) applications can also lead to problems that can be avoided
if good patch management is in place.
Best practice: Deploy and test a backup solution.
Detail: A backup needs to be handled the same way that you handle any other operation. This is
true of systems that are part of your production environment extending to the cloud.
Test and dev systems must follow backup strategies that provide restore capabilities that are
similar to what users have grown accustomed to, based on their experience with on-premises
environments. Production workloads moved to Azure should integrate with existing backup
solutions when possible. Or, you can use Azure Backup to help address your backup
Organizations that don't enforce software-update policies are more exposed to threats that exploit
known, previously fixed vulnerabilities. To comply with industry regulations, companies must
prove that they are diligent and using correct security controls to help ensure the security of their
workloads located in the cloud.
Software-update best practices for a traditional datacenter and Azure IaaS have many
similarities. We recommend that you evaluate your current software update policies to include
VMs located in Azure.
Manage your VM security posture
Cyberthreats are evolving. Safeguarding your VMs requires a monitoring capability that can
quickly detect threats, prevent unauthorized access to your resources, trigger alerts, and reduce
false positives.
To monitor the security posture of your Windows and Linux VMs, use Azure Security Center. In
Security Center, safeguard your VMs by taking advantage of the following capabilities:
Apply OS security settings with recommended configuration rules.
Identify and download system security and critical updates that might be missing.
Deploy recommendations for endpoint antimalware protection.
Validate disk encryption.
Assess and remediate vulnerabilities.
Detect threats.
Security Center can actively monitor for threats, and potential threats are exposed in security
alerts. Correlated threats are aggregated in a single view called a security incident.
Security Center stores data in Azure Monitor logs. Azure Monitor logs provides a query
language and analytics engine that gives you insights into the operation of your applications and
resources. Data is also collected from Azure Monitor, management solutions, and agents
installed on virtual machines in the cloud or on-premises. This shared functionality helps you
form a complete picture of your environment.
Organizations that don't enforce strong security for their VMs remain unaware of potential
attempts by unauthorized users to circumvent security controls.
Monitor VM performance
Resource abuse can be a problem when VM processes consume more resources than they should.
Performance issues with a VM can lead to service disruption, which violates the security
principle of availability. This is particularly important for VMs that are hosting IIS or other web
servers, because high CPU or memory usage might indicate a denial of service (DoS) attack. It’s
imperative to monitor VM resource usage not only reactively while an issue is occurring, but also
proactively against a baseline of performance measured during normal operation.
We recommend that you use Azure Monitor to gain visibility into your resource’s health. Azure
Monitor features:
Resource diagnostic log files: Monitors your VM resources and identifies potential issues
that might compromise performance and availability.
Azure Diagnostics extension: Provides monitoring and diagnostics capabilities on
Windows VMs. You can enable these capabilities by including the extension as part of
the Azure Resource Manager template.
Organizations that don't monitor VM performance can’t determine whether certain changes in
performance patterns are normal or abnormal. A VM that’s consuming more resources than
normal might indicate an attack from an external resource or a compromised process running in
the VM.
Encrypt your virtual hard disk files
We recommend that you encrypt your virtual hard disks (VHDs) to help protect your boot
volume and data volumes at rest in storage, along with your encryption keys and secrets.
Azure Disk Encryption helps you encrypt your Windows and Linux IaaS virtual machine disks.
Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the
dm-crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution
is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and
secrets in your key vault subscription. The solution also ensures that all data on the virtual
machine disks is encrypted at rest in Azure Storage.
Following are best practices for using Azure Disk Encryption:
Best practice: Enable encryption on VMs.
Detail: Azure Disk Encryption generates the encryption keys and secrets and writes them to your
key vault, so the vault must be enabled for disk encryption to let the platform do so. The original
release of Azure Disk Encryption also required an Azure AD application, authenticated with either
a client secret or a client certificate, to manage the keys in the vault. Current versions of the
extension work without an Azure AD application; that step is only needed if you are still on the
older deployment path.
Best practice: Use a key encryption key (KEK) for an additional layer of security for encryption
keys. Add a KEK to your key vault.
Detail: Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault.
You can also import a KEK from your on-premises hardware security module (HSM) for key
management. For more information, see the Key Vault documentation. When a key encryption
key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before
writing to Key Vault. Keeping an escrow copy of this key in an on-premises key management
HSM offers additional protection against accidental deletion of keys.
Best practice: Take a snapshot and/or backup before disks are encrypted. Backups provide a
recovery option if an unexpected failure happens during encryption.
Detail: VMs with managed disks require a backup before encryption occurs, and Azure Disk
Encryption does not create one for you. After you have made a backup or snapshot, use the
Set-AzVMDiskEncryptionExtension cmdlet with the -SkipVmBackup parameter to encrypt the
managed disks. The parameter is a statement that you have handled the backup yourself, not an
instruction to do without one. For more information about how to back up and restore encrypted
VMs, see the Azure Backup article.
Best practice: To make sure the encryption secrets don’t cross regional boundaries, Azure Disk
Encryption needs the key vault and the VMs to be located in the same region.
Detail: Create and use a key vault that is in the same region as the VM to be encrypted.
When you apply Azure Disk Encryption, you can satisfy the following business needs:
IaaS VMs are secured at rest through industry-standard encryption technology to address
organizational security and compliance requirements.
IaaS VMs start under customer-controlled keys and policies, and you can audit their
usage in your key vault.
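The three Azure Disk Encryption best practices above (a KEK in the vault, your own backup before encrypting a managed-disk VM, and vault and VM in the same region) fit together into one run of the Az cmdlets the article names. This is an added example, not code from the original article; it assumes the Az.Compute and Az.KeyVault modules, a signed-in session, a key vault that uses the access-policy permission model and the Premium SKU (needed for an HSM-backed key), and placeholder resource names. It uses the current extension flow that needs no Azure AD application.

```powershell
# Added example (not from the original article): enable Azure Disk Encryption on a
# managed-disk VM with a key encryption key, after snapshotting the OS disk yourself.
# Assumes Az.Compute and Az.KeyVault, an authenticated session, an access-policy
# Key Vault with the Premium SKU, and the placeholder names below.

$rg        = 'rg-app-prod'    # assumption
$vmName    = 'vm-web-01'      # assumption
$vaultName = 'kv-ade-prod'    # assumption: a vault reserved for disk-encryption material
$kekName   = 'ade-kek'        # assumption

$vm    = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vault = Get-AzKeyVault -VaultName $vaultName

# ADE requires the vault and the VM to be in the same region; fail before touching anything.
if ($vault.Location -ne $vm.Location) {
    throw "Key vault is in $($vault.Location) but VM is in $($vm.Location); ADE requires the same region."
}

# Let the platform write the volume encryption secrets into the vault.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDiskEncryption

# Create the KEK (HSM-backed) unless it already exists. Reusing the existing key
# keeps already-encrypted VMs decryptable with the same wrapping key.
$kek = Get-AzKeyVaultKey -VaultName $vaultName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination 'HSM'
}

# Snapshot the OS disk first. -SkipVmBackup below tells ADE that you have handled
# the backup yourself; it is required for managed disks, not a way to avoid a backup.
$osDiskId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
$snapCfg  = New-AzSnapshotConfig -SourceUri $osDiskId -Location $vm.Location -CreateOption Copy
$snapName = "$vmName-os-pre-ade-$(Get-Date -Format 'yyyyMMddHHmm')"
New-AzSnapshot -ResourceGroupName $rg -SnapshotName $snapName -Snapshot $snapCfg | Out-Null

# Encrypt OS and data volumes; the volume secrets are wrapped with the KEK before
# they are written to the vault. $kek.Id is the versioned key URL ADE expects.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Id `
    -KeyEncryptionKeyVaultId   $vault.ResourceId `
    -VolumeType 'All' -SkipVmBackup -Force

# Verify: both volumes should report Encrypted once the extension finishes.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

Keep the snapshot until the status check reports both volumes encrypted and the VM has rebooted cleanly; on Linux, data disks must be mounted and listed in /etc/fstab for the extension to encrypt them, so check DataVolumesEncrypted rather than assuming it. If you escrow the KEK in an on-premises HSM as the article suggests, import it with Add-AzKeyVaultKey -KeyFilePath instead of generating it in the vault.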
Restrict direct internet connectivity
Monitor and restrict VM direct internet connectivity. Attackers constantly scan public cloud IP
ranges for open management ports and attempt “easy” attacks like common passwords and
known unpatched vulnerabilities. The following best practices help protect against these
attacks:
Best practice: Prevent inadvertent exposure through changes to network routing and security.
Detail: Use Azure RBAC to ensure that only the central networking group has permissions on
networking resources (virtual networks, network security groups, route tables, and public IP
addresses).
Best practice: Identify and remediate exposed VMs that allow access from “any” source IP
Detail: Use Azure Security Center. Security Center will recommend that you restrict access
through internet-facing endpoints if any of your network security groups has one or more
inbound rules that allow access from “any” source IP address. Security Center will recommend
that you edit these inbound rules to restrict access to source IP addresses that actually need
Best practice: Restrict management ports (RDP, SSH).
Detail: Just-in-time (JIT) VM access can be used to lock down inbound traffic to your Azure
VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
When JIT is enabled, Security Center locks down inbound traffic to your Azure VMs by creating
a network security group rule. You select the ports on the VM to which inbound traffic will be
locked down. These ports are controlled by the JIT solution: they stay closed until an authorized
user requests access, and an approved request opens the port only for the requester’s source
address and only for a limited time, after which the deny rule is restored.
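The condition Security Center reports, an inbound allow rule from “any” source that reaches a management port, is easy to check yourself. This is an added example, not code from the original article: the audit function works on plain objects shaped like the SecurityRules that Az.Network returns, so the constructed sample rules at the end run offline in any PowerShell session; the commented block that applies it to real network security groups assumes Az.Network, a signed-in session, and a placeholder bastion or VPN address range. WinRM (5985/5986) is included in the port list as this example's own addition.

```powershell
# Added example (not from the original article): find inbound NSG rules that allow
# RDP/SSH (and, as an assumption, WinRM) from any source, the condition Security
# Center flags, and show the rule change that closes them. Works on objects shaped
# like Az.Network's PSSecurityRule, so the constructed sample below runs offline.

$managementPorts = @(22, 3389, 5985, 5986)       # SSH, RDP, WinRM (WinRM is this example's assumption)
$anySources      = @('*', 'Internet', '0.0.0.0/0')

function Test-PortRangeIncludes {
    # NSG port ranges are '*', a single port, or 'low-high'
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return ([int]$Range -eq $Port)
}

function Find-ExposedManagementRules {
    param([object[]]$Rules)
    foreach ($r in $Rules) {
        if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
        # Az populates either the singular or the plural property; merge both shapes
        $sources = @($r.SourceAddressPrefix) + @($r.SourceAddressPrefixes) | Where-Object { $_ }
        $ports   = @($r.DestinationPortRange) + @($r.DestinationPortRanges) | Where-Object { $_ }
        $openToAny = $sources | Where-Object { $anySources -contains $_ }
        if (-not $openToAny) { continue }
        $hit = foreach ($p in $managementPorts) {
            foreach ($range in $ports) { if (Test-PortRangeIncludes -Range $range -Port $p) { $p } }
        }
        if ($hit) {
            [pscustomobject]@{
                Rule         = $r.Name
                Priority     = $r.Priority
                ExposedPorts = ($hit | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Constructed sample rules (not real NSG output)
$sampleRules = @(
    [pscustomobject]@{ Name='allow-rdp-any';     Priority=100; Direction='Inbound'; Access='Allow'; SourceAddressPrefix='*';            SourceAddressPrefixes=@();            DestinationPortRange='3389';      DestinationPortRanges=@() }
    [pscustomobject]@{ Name='allow-ssh-bastion'; Priority=110; Direction='Inbound'; Access='Allow'; SourceAddressPrefix='10.10.0.0/24'; SourceAddressPrefixes=@();            DestinationPortRange='22';        DestinationPortRanges=@() }
    [pscustomobject]@{ Name='allow-web-any';     Priority=120; Direction='Inbound'; Access='Allow'; SourceAddressPrefix='Internet';     SourceAddressPrefixes=@();            DestinationPortRange=$null;       DestinationPortRanges=@('80','443') }
    [pscustomobject]@{ Name='allow-wide-range';  Priority=130; Direction='Inbound'; Access='Allow'; SourceAddressPrefix=$null;          SourceAddressPrefixes=@('0.0.0.0/0'); DestinationPortRange='3000-4000'; DestinationPortRanges=@() }
    [pscustomobject]@{ Name='deny-rdp-any';      Priority=140; Direction='Inbound'; Access='Deny';  SourceAddressPrefix='*';            SourceAddressPrefixes=@();            DestinationPortRange='3389';      DestinationPortRanges=@() }
)
Find-ExposedManagementRules -Rules $sampleRules | Format-Table
# Reports allow-rdp-any (3389) and allow-wide-range (3389 lies inside 3000-4000);
# the bastion-scoped SSH rule, the web rule and the deny rule are not reported.

# Against real NSGs, with the fix: narrow the source to the range that needs it.
# Set-AzNetworkSecurityRuleConfig replaces the whole rule, so the other fields are
# copied from the existing rule. '203.0.113.0/24' is a placeholder bastion/VPN range.
# Get-AzNetworkSecurityGroup | ForEach-Object {
#     $nsg = $_
#     Find-ExposedManagementRules -Rules $nsg.SecurityRules | ForEach-Object {
#         $rule = $nsg.SecurityRules | Where-Object Name -eq $_.Rule
#         Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name `
#             -Protocol $rule.Protocol -Access Allow -Direction Inbound -Priority $rule.Priority `
#             -SourcePortRange $rule.SourcePortRange -DestinationPortRange $rule.DestinationPortRange `
#             -DestinationAddressPrefix $rule.DestinationAddressPrefix `
#             -SourceAddressPrefix '203.0.113.0/24' | Out-Null
#     }
#     $nsg | Set-AzNetworkSecurityGroup | Out-Null
# }
```

The audit deliberately ignores rule ordering: a higher-priority deny can shadow an allow it reports, so treat a hit as something to review rather than as proof of exposure, and confirm with an actual connection test from outside. Just-in-time access is the better end state for RDP and SSH, because it removes the standing allow rule altogether instead of narrowing it.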
How Azure can benefit the company:
We touched on some basic benefits at the start, but it’s worth exploring them further as the Azure
ecosystem is rich in functionality of how it can benefit your business directly.
First, you want to consider cost. Microsoft will let you try out the service for free so you can
decide if you wish to adopt the platform. After your free trial account has expired, you can
choose a PAYG (pay as you go) plan or opt-in to an enterprise agreement. The free plan is a
good place to start to get a feel for the interface and features that ship with Azure.
You can also keep an eye on the cost from your dashboard and experiment with the online
calculators to predict how much adding new CPUs, RAM, databases, instances, and so on would
cost per month.
Visual Studio and Continuous Integration
If you run a software development team or business, as you’d expect, Azure integrates nicely
with Microsoft Visual Studio. Adopting continuous integration in your software process can
help you build and ship more quickly, which can boost profits.
With Azure, you can quickly set up build servers that integrate with Visual Studio and create
processes that automatically initiate a build, test, and release of your application when
developers check in code.
With Visual Studio and Azure, you can easily add or remove build artifacts that complement your
unique software delivery processes.
Scale on demand
Business requirements can change quickly, and so you need a platform that makes it easy to
adapt to your business needs as they evolve.
Receiving alerts that your database server is running out of disk space? Or how about an
increased spike on your corporate intranet due to a recent business acquisition?
With just a few mouse clicks, you can have a server set up in minutes with the configuration of
your choice. Azure also ships with predefined server templates to help get you started. Your
server can be accessed just like a traditional server by supplying its IP address and credentials in
a Remote Desktop session, although, as the section on restricting direct internet connectivity
explains, that RDP port should be reachable only from your own network or through just-in-time
access, never from the whole internet.
The IT landscape is continually shifting and to help your business keep abreast of technological
developments you need a platform that makes adapting easy. Microsoft Azure lets you do this
from a centralized dashboard with the click of a mouse.
With Azure, you can provision various Windows or Linux instances which gives your business
real flexibility regarding the applications it can run and support.
IoT (Internet of Things)
The IoT industry is growing exponentially. Mobile devices and watches all connect to and
exchange data with the cloud. Azure ships with support for the IoT and includes features that
allow you to build and deploy predictive analytics solutions as well as process data in real-time
from millions of IoT devices.
No Server Maintenance
One of the most significant advantages you gain by migrating your infrastructure to a cloud
provider such as Microsoft Azure is that you effectively outsource all hardware and platform
maintenance to Microsoft. It frees you up to focus on solving real business problems. In the rare
event that you need to debug or examine log files, you can do it all from the Microsoft Azure
Yes, it makes sense to use Azure.
Azure is recommended not only because it is popular, but because it makes sense for your
business. It has better security features and offers greater speed, reliability and scalability
compared to on-premises solutions. Not only that, but it can be cheaper as well.
You don’t have to worry about the upkeep of the platform itself. Microsoft handles the Azure
infrastructure: the physical servers, the hypervisor, the network, datacenter security, redundancy
and the patching of the platform. As the section on managing VM updates points out, though,
patching the guest operating system inside your own IaaS VMs remains your responsibility.
Yes, this is the best solution.
As a global technology leader, Microsoft knows it represents an attractive target for cyber
criminals and hackers. If they can exploit a weakness, they will. Keeping customers secure is a
top priority for Microsoft, which is why they invest $1 billion every year into security, which
includes protecting the Azure infrastructure.
Here are a few of the security precautions Microsoft takes to protect Azure customers:
Encryption by default. Traffic that Azure carries between its own datacenters is encrypted at the
network layer, and Azure Storage encrypts data at rest by default; traffic inside your own virtual
networks or between your services and the internet still relies on the TLS or IPsec that your
applications use. The Azure network has always-on detection and mitigation for distributed
denial-of-service (DDoS) attacks, the same protection used by some of the largest services on the
Internet, such as Xbox and Microsoft’s Office 365.
Other safeguards include automated smart traffic monitoring and profiling. It is easier
to detect and deflect threats when systems know when something looks out of the
ordinary, reducing the risk any threats pose that may have breached external security
Smart access control. Management (admin) accounts are run over separate networks
than most team members. Managers can also control and restrict access to a limited time
period, device, or even a specific document.
Microsoft goes to great lengths to protect hardware and firmware, constantly
reviewing and revising code, even creating hardware that can automatically detect threats
before software is loaded and active. If anything malicious is detected, it can pause
software activity until the threat is removed.
Azure is the first cloud platform to support both software and hardware-based Trusted
Execution Environments (TEEs). A TEE protects data while it is in use, that is, while it is being
processed in memory, which complements the encryption of data at rest and in transit: code and
data inside the enclave are shielded from the host operating system, the hypervisor and the cloud
operator.
Operational security is serious business. Microsoft employs 3,500 cybersecurity
experts, including 200 who continually look for weaknesses. Any that are found are
input into the operational security procedures Azure uses to improve against potential
external threats.
You don’t need to worry if you are working off-site and need secure access. Azure VPN
Gateway gives individual users a point-to-site connection, and whole offices a site-to-site IPsec
tunnel, over the internet from wherever you are in the world. ExpressRoute is a different product:
a private, dedicated circuit between your network and Azure that bypasses the public internet and
is not encrypted by default, so it suits sites rather than travelling users.
Provided you are always sensible about password use and storage, Azure is one of the most
secure working environments that organisations could use for software, data storage and
numerous other uses. In fact, it may be more secure than your current on-premise IT
Yes, it is cost-effective.
Azure is the most cost-effective cloud for Windows Server workloads. If you are a Windows
Server customer with Software Assurance, you can combine Azure Reserved Instances (RIs)
with Azure Hybrid Benefit and save up to 82% compared to pay-as-you-go prices, and up to
67% compared to AWS RIs for Windows VMs. In addition, with Azure Hybrid Benefit for SQL
Server, customers with Software Assurance can save even more.
