Azure Virtual Machine Recommendations and best practices – This article describes security best practices for Azure VMs and their operating systems. These recommendations are not limited to Azure; most of them also apply to other cloud platforms such as AWS or GCP.
The best practices are based on Azure recommendations as well as my own experience with Azure. Because technologies change over time, further recommendations will be added, and I will try to keep this KB updated to reflect those changes. Azure provides a set of best practices designed to help protect your workloads, including virtual machines, from constantly evolving threats. This blog shares the most important security best practices to help protect your virtual machines.

Recommendations:
• Turn on diagnostic logging – Enable diagnostic settings so that all logs, including Azure Storage account logs, are sent to a Log Analytics workspace.
• No public IP on the NIC – Disable public access to the VM over a public IP so that all ingress and egress traffic to and from the VM passes through the firewall.
• Use domain-join functionality to apply all organization-specific group policies.
• Use an organization-specific custom image to create VMs with pre-installed security tools and agents (monitoring, patching, antivirus).
• Disable public RDP/SSH on all VMs (or use Azure Bastion where interactive access is required).
• Use NSGs/ASGs to allow only the specific ports the application actually requires.
• Select the "delete data disk and NIC with VM" option so that all associated resources are deleted together with the VM.
• Use auto-shutdown or automation to stop dev/test VMs outside business hours to save cost.
• Apply appropriate tags to identify owner, application, environment, BU, chargeback, requester, creation date, etc.
• Azure Backup supports backing up virtual machines and managed disks; enabling it is recommended for all production VMs.
• Encryption – Enable encryption at host with a customer-managed key (CMK), and create the disk encryption set in a BU- or application-specific Key Vault.
• Managed disk redundancy – Locally redundant storage (LRS, the default) replicates your data three times within a single datacenter, whereas zone-redundant storage (ZRS) creates three copies across Azure availability zones in the region. Note: ZRS is not supported in all regions.
• Disaster recovery – An Azure Recovery Services vault can be used to protect VMs and bring them up in the DR region in the event of a disaster. Recommended for all critical production VMs.
• Patching/updates – Use Azure native Update Management or a traditional patching tool to keep all Azure VMs updated.
• Use Azure Security Center as a guide for applying additional security and performance recommendations.
• Use antimalware/antivirus protection to help identify and remove viruses, spyware, and other malicious software.
• Enable Microsoft Defender for Servers.
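As an added example (not part of the original article), the following Python audit applies the "no public RDP/SSH" and "NSG allows only required ports" recommendations to NSG rules in the shape returned by `az network nsg rule list`. Both rule sets are constructed for the example, and the Bastion subnet range 10.0.1.0/26 is an assumption.

```python
# Added example: audit Azure NSG inbound rules for RDP (3389) and SSH (22) reachable
# from an Internet-wide source. Field names follow `az network nsg rule list` output.
MGMT_PORTS = {"22": "SSH", "3389": "RDP"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}

def port_matches(port_range, port):
    """True if `port` is covered by an NSG port spec: '*', '3389' or '1000-2000'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-"))
        return lo <= int(port) <= hi
    return port_range == port

def exposed_mgmt_ports(rules):
    """Return {port: rule_name} for each management port whose effective inbound rule
    allows an arbitrary Internet source. NSG semantics: rules are evaluated by ascending
    priority and the first match wins; narrower sources (e.g. a Bastion subnet) are skipped."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    findings = {}
    for port in MGMT_PORTS:
        for r in inbound:
            if r["protocol"] not in ("Tcp", "*"):
                continue
            if not port_matches(r["destinationPortRange"], port):
                continue
            if r["sourceAddressPrefix"] in INTERNET_SOURCES:
                if r["access"] == "Allow":
                    findings[port] = r["name"]
                break  # first matching rule decides for this port
    return findings

DEFAULT_DENY = {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
                "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
                "destinationPortRange": "*"}
# Weak configuration (constructed): RDP allowed from any source.
WEAK_RULES = [
    {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    DEFAULT_DENY,
]
# Hardened configuration (constructed): RDP only from an assumed Bastion subnet
# 10.0.1.0/26; everything else falls through to the platform default deny.
HARDENED_RULES = [
    {"name": "allow-rdp-bastion", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "3389"},
    DEFAULT_DENY,
]
```

Running `exposed_mgmt_ports(WEAK_RULES)` reports the RDP rule, while the hardened set produces no findings; real rules may also carry a `destinationPortRanges` list, which this check does not read.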