- Use a subscription with dev/test
- Consider primarily using burstable VMs
- Virtual network per environment - separate networks for store/corp?
- Use Network Security Groups to restrict access to ports (https://docs.microsoft.com/en-us/azure/virtual-network/security-overview)
  - NSGs can be shared between NICs on the same virtual network
  - Use as few NSGs as possible (don't create duplicates)
  - Carefully consider which NSGs a VM needs
  - For instance, have one NSG that allows all HTTPS traffic, and a second NSG that restricts HTTPS traffic for the internal services server
- Consider using Azure Front Door for external-facing sites (https://azure.microsoft.com/en-us/services/frontdoor/)
  - Allows use of Web Application Firewalls
  - Better security and performance
- For remote access, consider implementing one of the following concepts:
  - Jump Box (an intermediary server that you connect to first and then jump from to other machines on the remote network, so that direct access to them can be blocked - this works for both RDP and SSMS)
  - Azure Bastion/Terminal Services Gateway (https://azure.microsoft.com/en-us/services/azure-bastion/)
  - Just-in-time access (https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time)
- Make a template for each machine that we deploy, or at the very least a base image (https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates)
  - Easy recreation and deployment to new environments, spinning up a new store, etc.
- Consider using Update Management in Azure Automation to keep patching up to date (https://docs.microsoft.com/en-us/azure/automation/automation-update-management)
- Consider using Azure Backup as the backup solution for VMs (https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm)
- Make extensive use of Azure Security Center (https://docs.microsoft.com/en-us/azure/security-center/security-center-intro)
  - Provides a huge amount of insight into the status of your VMs and makes recommendations
- Make extensive use of Azure Monitor (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform)
- Implement Azure Disk Encryption (https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview) for all disks, ideally using key encryption keys and storing them in Key Vault.
- The only port that should ever have unrestricted access from anywhere on the internet ("Source: ANY") is 443 (HTTPS)
- Anything else is covered in:
  - https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas
  - https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
  - https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz
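As an added example (not part of the original list), the following script audits NSG inbound rules against the "only 443 from Source: ANY" rule above. The rule dicts use the field names emitted by `az network nsg rule list -o json`; the sample rules are constructed here for illustration.

```python
"""Audit NSG inbound rules: the only port that may be open to "Source: ANY"
is 443/HTTPS.  Rule dicts mirror `az network nsg rule list -o json` fields."""

# Sources that mean "anywhere on the internet" (wildcard, CIDR, service tag).
ANY_SOURCES = {"*", "0.0.0.0/0", "internet"}
ALLOWED_FROM_ANY = {443}

def expand_ports(spec):
    """Expand one destination port spec ('443', '80-443', '*') into a set of ints."""
    spec = str(spec).strip()
    if spec == "*":
        return set(range(65536))
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}

def rule_port_specs(rule):
    # az emits both keys; the plural list is empty when the singular form is used.
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]

def rule_sources(rule):
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return {str(p).strip().lower() for p in prefixes}

def find_violations(rules):
    """Return (rule name, port spec) for every inbound Allow rule that opens
    something other than 443 to an unrestricted source.  Caveat: a higher-priority
    Deny rule can override such an Allow, so review findings in priority order."""
    findings = []
    for r in sorted(rules, key=lambda x: x.get("priority", 0)):
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        if not rule_sources(r) & ANY_SOURCES:
            continue
        for spec in rule_port_specs(r):
            if expand_ports(spec) - ALLOWED_FROM_ANY:
                findings.append((r["name"], str(spec)))
    return findings

SAMPLE_RULES = [  # constructed sample input, not real NSG output
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "allow-rdp-internet", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-web-range", "priority": 120, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRanges": ["80-443"]},
    {"name": "allow-ssh-jumpbox", "priority": 130, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.1.4/32", "destinationPortRange": "22"},
]
```

Run `find_violations(SAMPLE_RULES)` to list the two offending rules; feeding it the JSON from the real `az` command audits a live NSG the same way.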