Azure Virtual Machine Security
There are many services available to secure our virtual machine.
Azure Active Directory
- By using Azure Active Directory, we can control the access that different users or groups of users have to our virtual machines. When we create a virtual machine, we can assign a user to it, and while assigning the user we also associate a particular role with them. That role defines the level of access the user will have on our virtual machine.
- Users, groups, and applications from that directory can manage resources in the Azure subscription.
- It grants access by assigning the appropriate RBAC role to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.
- Azure RBAC has three essential roles that apply to all resource types:
  - Owner: They have full access to all resources, including the right to delegate access to others.
  - Contributor: They can create and manage all types of Azure resources but can't grant access to others.
  - Reader: They can only view existing Azure resources.
Azure Security Center
Azure Security Center identifies potential virtual machine (VM) configuration issues and targeted security threats. These might include VMs that are missing network security groups, unencrypted disks, and brute-force Remote Desktop Protocol (RDP) attacks.
We can customize the recommendations we would like to see from Security Center by using security policies. The typical workflow is:
- Set up data collection
- Set up security policies
- View VM configuration health
- Remediate configuration issues
- View detected threats
Managed Service Identity
It is newly introduced in Azure. Previously, whenever we deployed an application to a virtual machine, we generally kept a user ID and password in a configuration file inside the application's folder. If someone gained access to that virtual machine, they could open the configuration file and read those credentials. To further increase the security of our application code and of the services that the application code accesses, we can use Managed Service Identity.
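To show how the Managed Service Identity approach removes the credential from the application's folder, here is an added Python example (not from the original page): the weak config-file pattern beside the token request a VM-hosted app makes to Azure's local instance metadata service. The endpoint, header and query parameters are Azure's documented ones; the config text and the token response are constructed samples.

```python
"""Managed Service Identity token flow vs. a credential stored in a config file.

Example code added for illustration (not from the original page). The metadata
endpoint, header and query parameters are Azure's documented IMDS values; the
config file and token response used here are constructed samples.
"""
import configparser
import json
import time
import urllib.parse
import urllib.request

# The weak pattern: a user id and password sitting in a file inside the application
# folder. Anyone who can read that file on the VM has the credential.
SAMPLE_CONFIG = "[database]\nuser = appuser\npassword = S3cr3t!\n"  # constructed sample

def load_credential_from_config(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg["database"]["user"], cfg["database"]["password"]

# The MSI pattern: nothing secret is stored on disk. The app asks the VM-local
# instance metadata service (IMDS) for a short-lived token for the target resource.
# Any process on the VM can make this call, so the identity itself should be granted
# only the minimum role or Key Vault permissions it needs.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def build_token_request(resource, api_version="2018-02-01"):
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    # IMDS rejects requests that lack this header, which blocks cross-origin browser calls.
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})

def parse_token_response(body):
    """Return (access_token, expires_on as int epoch seconds) from the IMDS JSON reply."""
    data = json.loads(body)
    return data["access_token"], int(data["expires_on"])

def token_is_fresh(expires_on, now=None, skew=300):
    """Treat a token as stale five minutes early so callers refresh before it lapses."""
    now = time.time() if now is None else now
    return expires_on - skew > now

def get_token(resource):
    """Live call; only succeeds on an Azure VM that has a managed identity assigned."""
    with urllib.request.urlopen(build_token_request(resource), timeout=5) as resp:
        return parse_token_response(resp.read())

if __name__ == "__main__":
    print(load_credential_from_config(SAMPLE_CONFIG))  # the secret is right there
    try:
        print(get_token("https://vault.azure.net"))
    except OSError as exc:  # no IMDS when run outside Azure
        print("IMDS not reachable (not on an Azure VM):", exc)
```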
Other Security Features
- Network security group: To filter the traffic in and out of the virtual machine.
- Microsoft Antimalware for Azure: We can install it on our Azure virtual machines to protect them against malware.
- Encryption: We can enable Azure Disk Encryption.
- Key Vault and SSH Keys: We can use Key Vault to store certificates or any other sensitive keys.
- Policies: We can apply all security-related policies with it.