
Building a secure and flexible infrastructure with Microsoft Azure






Presentation Transcript


  1. Building a secure and flexible infrastructure with Microsoft Azure
     Jesper Fütterer Jensen, Consultant, solvo it, @jefutte, Cloudpuzzles.net
     BRK3262

  2. Learnings from customer projects
     • Identity
     • Networking
     • Virtual Machines
     • Backup

  3. Identity

  4. Tools
     • Role Based Access Control
       • Define specific roles
     • Privileged Identity Management
       • Control access in an easy way
     • MFA
       • Because there is no reason not to!
       • Not just Azure access: Office 365, RDP, VPN etc.

  5. Custom RBAC role
     {
       "Name": "Virtual Machine Operator",
       "Id": "88888888-8888-8888-8888-888888888888",
       "IsCustom": true,
       "Description": "Can monitor and restart virtual machines.",
       "Actions": [
         "Microsoft.Storage/*/read",
         "Microsoft.Network/*/read",
         "Microsoft.Compute/*/read",
         "Microsoft.Compute/virtualMachines/start/action",
         "Microsoft.Compute/virtualMachines/restart/action",
         "Microsoft.Authorization/*/read",
         "Microsoft.Resources/subscriptions/resourceGroups/read"
       ],
       "AssignableScopes": [
         "/subscriptions/{subscriptionId1}",
         "/subscriptions/{subscriptionId2}",
         "/subscriptions/{subscriptionId3}/resourceGroups/{resourceGroup1}"
       ]
     }
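As an added example (not part of the talk and not Microsoft code), here is a small Python linter that reads a custom role definition in the JSON shape shown on slide 5 and reports what a reviewer checks before the role is created: the JSON must parse (the slide's original has a trailing comma after the last action, which is not valid JSON), every action that is not a plain read has to be justified, a wildcard action such as `Microsoft.Compute/*` grants far more than read, and `AssignableScopes` must be filled in rather than left as template placeholders. The sample role is the slide's with the comma removed; the function names `lint_role`, `lint_role_text` and `non_read_actions` are this example's own.

```python
import json

# Constructed sample: the slide's "Virtual Machine Operator" role, with the
# trailing comma after the last action removed so that it is valid JSON.
ROLE_JSON = """{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}/resourceGroups/{resourceGroup1}"
  ]
}"""


def action_is_read_only(action: str) -> bool:
    """An action string is read-only when its last segment is 'read'."""
    return action.rsplit("/", 1)[-1] == "read"


def action_is_wildcard_write(action: str) -> bool:
    """'*' or 'Provider/*' grants every operation, not just read."""
    return action.rsplit("/", 1)[-1] == "*"


def lint_role(role: dict) -> list[str]:
    """Return human-readable findings for a parsed role definition."""
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role definition")
    actions = role.get("Actions", [])
    if not actions:
        findings.append("role grants no Actions")
    for action in actions:
        if action_is_wildcard_write(action):
            findings.append(
                f"wildcard action {action!r} grants write/delete, not only read")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty; the role cannot be assigned anywhere")
    for scope in scopes:
        if "{" in scope or "}" in scope:
            findings.append(f"scope {scope!r} still contains a template placeholder")
        elif scope == "/":
            findings.append("root scope '/' makes the role assignable in every subscription")
    return findings


def lint_role_text(text: str) -> list[str]:
    """Parse first: a definition that is not valid JSON never reaches Azure."""
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    return lint_role(role)


def non_read_actions(role: dict) -> list[str]:
    """The actions a reviewer must justify: everything that is not a plain read."""
    return [a for a in role.get("Actions", []) if not action_is_read_only(a)]


if __name__ == "__main__":
    for finding in lint_role_text(ROLE_JSON):
        print("-", finding)
    print("non-read actions:", non_read_actions(json.loads(ROLE_JSON)))
```

Run against the slide's role, the only findings are the three unfilled `{subscriptionId}` placeholders, and the two actions that need justification are the start and restart actions, which is what "Can monitor and restart virtual machines" promises.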

  6. Azure AD Privileged Identity Management: Who, What, Why, When
     • Who needs access?
       • Users
       • Groups
       • External consultants
     • What do they need access to?
       • Subscription
       • Resource Group
       • Resource
     • What are they doing?
       • Create/change
       • Read information
       • Delete
     • Why do they need access?
       • Project XYZ
       • Troubleshooting
       • Support Case #123456
       • Change Request
       • Etc.
     • For how long do they need access?
       • 1 hour
       • 8 hours
       • 12 hours
       • 24 hours
       • Find your own limits
         • 8 hours = work day
         • 24 hours = critical issue

  7. Demo: Privileged Identity Management

  8. Multi Factor Authentication
     • Where to use?
       • Everywhere!
       • At least for your admins!
       • It's free for Global Admins
     • NPS Extension opens up a lot of doors!
       • RDS
       • Client VPN
       • Anything RADIUS

  9. AAD MFA NPS Extension

  10. Azure AD: Global Admins
     • They can do everything!
       • Azure AD
       • Office 365
       • Azure subscriptions – without subscription owner knowledge!

  11. Network Security

  12. Just in time VM Access
     • Azure Security Center feature
     • Time limited access to a specific port on a specific VM
     • RBAC enabled

  13. Network and Application Security Groups
     • NSG + ASG = Secure infrastructure
     • ASGs are just a logical group of servers
     • NSG rules are applied to all servers in an ASG

  14. ARM: Create ASG
     {
       "comments": "Application Security Group",
       "name": "[variables('asgName')]",
       "type": "Microsoft.Network/applicationSecurityGroups",
       "apiVersion": "2018-02-01",
       "location": "[parameters('location')]",
       "properties": {}
     }

  15. ARM: Attach ASG to NIC
     {
       "name": "[concat(parameters('vmName'),'-NIC')]",
       "type": "Microsoft.Network/networkInterfaces",
       "location": "[parameters('location')]",
       "apiVersion": "2017-09-01",
       "properties": {
         "ipConfigurations": [
           {
             "name": "ipconfig1",
             "properties": {
               "privateIPAllocationMethod": "Dynamic",
               "subnet": { "id": "[variables('subnet2Id')]" },
               "applicationSecurityGroups": [
                 { "id": "[variables('asg1Id')]" },
                 { "id": "[variables('asg2Id')]" }
               ]
             }
           }
         ]
       }
     }

  16. ARM: NSG rules
     {
       "name": "AllowRDP",
       "properties": {
         "description": "Allow RDP traffic",
         "sourceAddressPrefix": "*",
         "sourcePortRange": "*",
         "direction": "Inbound",
         "access": "Allow",
         "priority": 200,
         "protocol": "Tcp",
         "destinationPortRange": "3389",
         "destinationApplicationSecurityGroups": [
           { "id": "[variables('asgId')]" }
         ]
       }
     }
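NSG rules are evaluated by ascending priority and the first match wins; a rule whose destination is a set of application security groups only applies to NICs that are members of one of them. As an added example (not from the talk), the Python below models that evaluation over a constructed rule set containing the slide's AllowRDP rule verbatim, a tighter variant restricted to a constructed jump-host range, and an explicit catch-all deny, then lints the set for inbound Allow rules that open RDP or SSH to any source, which is what the slide's `"sourceAddressPrefix": "*"` does; those are the rules to replace with Just in time VM Access (slide 12) or a narrow source prefix. Service tags and the platform's default rules are simplified here: `*` and `Internet` are treated as matching every source, and no match falls through to deny. The function names and the sample addresses are assumptions of this example.

```python
import ipaddress

ASG_ID = "[variables('asgId')]"

# Constructed rule set in the ARM shape used on the slide. "AllowRDP" is the
# slide's rule verbatim; the two others are added for the walkthrough.
NSG_RULES = [
    {"name": "AllowRDP", "properties": {
        "description": "Allow RDP traffic",
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "direction": "Inbound", "access": "Allow", "priority": 200,
        "protocol": "Tcp", "destinationPortRange": "3389",
        "destinationApplicationSecurityGroups": [{"id": ASG_ID}]}},
    {"name": "AllowRdpFromJumpHosts", "properties": {
        "sourceAddressPrefix": "10.10.0.0/24",  # constructed jump-host range
        "sourcePortRange": "*",
        "direction": "Inbound", "access": "Allow", "priority": 100,
        "protocol": "Tcp", "destinationPortRange": "3389",
        "destinationApplicationSecurityGroups": [{"id": ASG_ID}]}},
    {"name": "DenyAllInbound", "properties": {
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "direction": "Inbound", "access": "Deny", "priority": 4000,
        "protocol": "*", "destinationPortRange": "*",
        "destinationAddressPrefix": "*"}},
]

ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}
MANAGEMENT_PORTS = {22, 3389}


def port_matches(port: int, spec: str) -> bool:
    """Match a port against '*', a single port or a 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)


def source_matches(src_ip: str, prefix: str) -> bool:
    """'*'/'Internet' match everything in this model; otherwise a CIDR test."""
    if prefix in ANY_SOURCE:
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)


def destination_matches(props: dict, dst_asgs: set[str]) -> bool:
    """A rule with destination ASGs only hits NICs that belong to one of them."""
    asgs = props.get("destinationApplicationSecurityGroups")
    if asgs:
        return any(a["id"] in dst_asgs for a in asgs)
    return props.get("destinationAddressPrefix", "*") == "*"  # simplification


def evaluate_inbound(rules, src_ip: str, dst_asgs: set[str], dst_port: int,
                     protocol: str = "Tcp") -> str:
    """First matching rule by ascending priority wins; no match means the
    platform's DenyAllInbound applies (the default VNet and load-balancer
    allow rules are left out of this model)."""
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["protocol"] not in ("*", protocol):
            continue
        if (port_matches(dst_port, p["destinationPortRange"])
                and source_matches(src_ip, p["sourceAddressPrefix"])
                and destination_matches(p, dst_asgs)):
            return p["access"]
    return "Deny"


def exposed_management_rules(rules) -> list[str]:
    """Inbound Allow rules that open SSH or RDP to any source."""
    names = []
    for rule in rules:
        p = rule["properties"]
        if (p["direction"] == "Inbound" and p["access"] == "Allow"
                and p["sourceAddressPrefix"] in ANY_SOURCE
                and any(port_matches(port, p["destinationPortRange"])
                        for port in MANAGEMENT_PORTS)):
            names.append(rule["name"])
    return names


if __name__ == "__main__":
    print("RDP from 203.0.113.5 to the ASG:",
          evaluate_inbound(NSG_RULES, "203.0.113.5", {ASG_ID}, 3389))
    print("exposed management rules:", exposed_management_rules(NSG_RULES))
```

With the slide's rule in place, RDP from any address reaches every NIC in the ASG and the linter names AllowRDP; remove it and only the jump-host range still gets through, while everything else falls to the catch-all deny.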

  17. Demo: Application Security Groups Jesper Fütterer Jensen

  18. Virtual Machine Security

  19. Disk Encryption
     • Supported for
       • Windows Server 2008 R2 and later
       • Windows 8 & 10
       • Ubuntu, RHEL, CentOS, openSUSE, SLES
     • Easy to get started with Azure PowerShell
       • ADEPrereqScript.ps1
       • Set-AzureRmVmDiskEncryptionExtension -ResourceGroupName "RG" -VMName "VM" `
             -DiskEncryptionKeyVaultId "KeyVaultID" -DiskEncryptionKeyVaultUrl "KeyVaultUrl"

  20. VM Extensions
     • Extensions can do stuff inside VMs - privileged
     • Would you trust everyone with this access?
     • At least use PIM with approval
     • Example: Azure Automation DSC
       • Apply config to create new user (local or domain)
       • Change security settings (firewalls etc)
       • Traceable through audit logs

  21. DSC – Create User
     # What a DSC configuration pushed through the VM extension can do:
     # create a domain user and make it a member of Domain Admins.
     xADUser MadAdmin
     {
         DomainName       = 'company.com'
         UserName         = 'MadAdmin'
         Password         = 'SecurePw123'
         Ensure           = 'Present'
     }
     xADGroup DomainAdmins
     {
         GroupName        = 'Domain Admins'
         MembersToInclude = 'MadAdmin'
     }

  22. Secure Backups

  23. Azure Backup Security features
     • These features are enabled by default on new vaults
     • Works with MARS agent, MABS & DPM
     • Extra Authentication
       • PIN required for critical actions
     • Alerting
       • Subscription owners are alerted through email
     • Recovery
       • Deleted data is kept for 14 days

  24. Secure Backups Jesper Fütterer Jensen

  25. Please evaluate this session
     Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website.
     Download the app: https://aka.ms/ignite.mobileApp
     Go to the website: https://myignite.techcommunity.microsoft.com/evaluations
