Untitled

a guest
Oct 16th, 2019
Subscription with dev/test

Consider primarily using burstable VMs

Virtual network per environment - separate networks for store/corp?

Use Network Security Groups to restrict access to ports (https://docs.microsoft.com/en-us/azure/virtual-network/security-overview)
- NSGs can be shared between NICs on the same virtual network
- Use as few NSGs as possible (don't create duplicates)
- Carefully consider which NSGs a VM needs.
- For instance, have an NSG that allows all HTTPS traffic, and then a second NSG to restrict HTTPS traffic for the internal services server

Consider using Azure Front Door for external-facing sites (https://azure.microsoft.com/en-us/services/frontdoor/)
- Allows use of Web Application Firewalls
- Better security and performance

For remote access, consider implementing one of the following concepts:
- Jump box (an intermediary server that you log on to first and then jump from to the other machines on the remote network, so those machines never need direct inbound access - this works for both RDP and SSMS)
- Azure Bastion/Terminal Services Gateway (https://azure.microsoft.com/en-us/services/azure-bastion/)
- Just-in-time access (https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time)

Make a template for each machine that we deploy, or at the very least a base image (https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates)
- Easy recreation and deployment to new environments, spinning up a new store, etc.

Consider using Update Management in Azure Automation to keep patching up to date (https://docs.microsoft.com/en-us/azure/automation/automation-update-management)

Consider using Azure Backup as the backup solution for VMs (https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm)

Make extensive use of Azure Security Center (https://docs.microsoft.com/en-us/azure/security-center/security-center-intro)
- Provides a huge amount of insight into the status of your VMs and makes recommendations

Make extensive use of Azure Monitor (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform)

Implement Azure Disk Encryption (https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview) for all disks, ideally using key encryption keys (KEKs) and storing them in Key Vault.

The only port that should ever have unrestricted access from anywhere on the internet ("Source: ANY") is 443 (HTTPS)
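
A way to check the two NSG points above (only 443 open to "Source: ANY", and no duplicate NSGs) against what is actually deployed. This is an added example, not part of the original paste and not Microsoft's tooling; it assumes the rule JSON has the camelCase keys that `az network nsg rule list -o json` emits (name, priority, direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges), and the sample rules and NSG names below are constructed for illustration.

```python
"""Audit exported Azure NSG rules for inbound internet exposure and duplicate NSGs.

Added example (not from the original checklist). Input shape assumed to match
`az network nsg rule list -o json` output; sample data below is constructed.
"""
import json

# Source prefixes that mean "anywhere on the internet" in an NSG rule.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}
# Per the checklist, 443 is the only port that may be open to Source: ANY.
PUBLIC_PORTS_ALLOWED = {443}


def rule_ports(rule):
    """Destination ports a rule matches as a set, or None when the rule says '*' (all ports)."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for item in ranges:
        item = str(item).strip()
        if item == "*":
            return None
        if "-" in item:  # e.g. "8000-8002"
            low, high = item.split("-", 1)
            ports.update(range(int(low), int(high) + 1))
        else:
            ports.add(int(item))
    return ports


def rule_sources(rule):
    """All source prefixes of a rule, lower-cased (handles both singular and plural keys)."""
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return {s.lower() for s in sources}


def is_internet_sourced(rule):
    return bool(rule_sources(rule) & INTERNET_SOURCES)


def covers(deny, allow):
    """True if a higher-priority internet-sourced Deny rule fully shadows an Allow rule."""
    if deny["protocol"].lower() not in ("*", allow["protocol"].lower()):
        return False
    deny_ports, allow_ports = rule_ports(deny), rule_ports(allow)
    if deny_ports is None:
        return True
    return allow_ports is not None and allow_ports <= deny_ports


def internet_exposure(rules):
    """Map each effective inbound Allow rule reachable from the internet to the ports it
    opens beyond PUBLIC_PORTS_ALLOWED (None means every port). Rules are evaluated in
    priority order so an Allow shadowed by an earlier internet-sourced Deny is skipped."""
    inbound = sorted(
        (r for r in rules if r["direction"].lower() == "inbound" and is_internet_sourced(r)),
        key=lambda r: r["priority"],
    )
    findings, denies = {}, []
    for rule in inbound:
        if rule["access"].lower() == "deny":
            denies.append(rule)
            continue
        if any(covers(d, rule) for d in denies):
            continue
        ports = rule_ports(rule)
        if ports is None:
            findings[rule["name"]] = None
        elif ports - PUBLIC_PORTS_ALLOWED:
            findings[rule["name"]] = ports - PUBLIC_PORTS_ALLOWED
    return findings


def nsg_fingerprint(rules):
    """Canonical form of a rule set (direction, priority, access, protocol, sources, ports)
    so NSGs with identical rules can be spotted and consolidated instead of duplicated."""
    canon = []
    for r in sorted(rules, key=lambda r: (r["direction"].lower(), r["priority"])):
        ports = rule_ports(r)
        canon.append((r["direction"].lower(), r["priority"], r["access"].lower(),
                      r["protocol"].lower(), tuple(sorted(rule_sources(r))),
                      "*" if ports is None else tuple(sorted(ports))))
    return tuple(canon)


def duplicate_nsgs(nsgs):
    """nsgs: {nsg_name: [rules]} -> sorted name groups that carry identical rule sets."""
    groups = {}
    for name, rules in nsgs.items():
        groups.setdefault(nsg_fingerprint(rules), []).append(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]


# Constructed sample: what a small store-front NSG might look like.
SAMPLE_RULES = [
    {"name": "AllowHttpsInbound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "DenyRdpInbound", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowRdpInbound", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},  # shadowed
    {"name": "AllowMgmtInbound", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["0.0.0.0/0"],
     "destinationPortRanges": ["22", "8000-8002"]},  # the real finding
    {"name": "AllowCorpSsh", "priority": 140, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"},
    {"name": "AllowAnyOut", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
SAMPLE_NSGS = {"nsg-store-web": SAMPLE_RULES, "nsg-store-web-copy": list(SAMPLE_RULES),
               "nsg-corp-web": SAMPLE_RULES[:1]}

if __name__ == "__main__":
    exposure = {k: (None if v is None else sorted(v)) for k, v in internet_exposure(SAMPLE_RULES).items()}
    print(json.dumps({"internet_exposure": exposure, "duplicate_nsgs": duplicate_nsgs(SAMPLE_NSGS)}, indent=2))
```

Feed it the output of `az network nsg rule list` for each NSG; anything reported under internet_exposure is a rule that lets the whole internet reach a port other than 443, and the duplicate groups are candidates for sharing one NSG across NICs rather than keeping copies.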

Anything else covered in:
- https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas
- https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
- https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz