Best Practices for IaaS Workloads in Azure
The best practices are based on a consensus, and they work with current Azure platform capabilities and feature sets. Because opinions and technologies can change over time, this article will be updated to reflect those changes.
In most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) are the main workload for organizations that use cloud computing. This fact is evident in hybrid scenarios where organizations want to slowly migrate workloads to the cloud. In such scenarios, follow the general security considerations for IaaS, and apply security best practices to all your VMs.
Protect VMs by using authentication and access control
- The first step in protecting your VMs is to ensure that only authorized users can set up new VMs and access VMs.
- Best practice: Control VM access.
Protect against malware
- You should install antimalware protection to help identify and remove viruses, spyware, and other malicious software. You can install Microsoft Antimalware or a Microsoft partner's endpoint protection solution (Trend Micro, Broadcom, McAfee, Windows Defender, and System Center Endpoint Protection).
- Microsoft Antimalware includes features like real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, and exclusion event collection. For environments that are hosted separately from your production environment, you can use an antimalware extension to help protect your VMs and cloud services.
- You can integrate Microsoft Antimalware and partner solutions with Microsoft Defender for Cloud for ease of deployment and built-in detections (alerts and incidents).
- Best practice: Install an antimalware solution to protect against malware.
Manage your VM updates
- Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. You need to manage your VM updates.
- Best practice: Keep your VMs current.
Manage your VM security posture
- Cyberthreats are evolving. Safeguarding your VMs requires a monitoring capability that can quickly detect threats, prevent unauthorized access to your resources, trigger alerts, and reduce false positives.
- To monitor the security posture of your Windows and Linux VMs, use Microsoft Defender for Cloud. In Defender for Cloud, safeguard your VMs by taking advantage of the following capabilities:
  - Apply OS security settings with recommended configuration rules.
  - Identify and download system security and critical updates that might be missing.
  - Deploy recommendations for endpoint antimalware protection.
  - Validate disk encryption.
  - Assess and remediate vulnerabilities.
  - Detect threats.
Monitor VM performance
- Resource abuse can be a problem when VM processes consume more resources than they should.
Encrypt your virtual hard disk files
- We recommend that you encrypt your virtual hard disks (VHDs) to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.
- Azure Disk Encryption for Linux VMs and Azure Disk Encryption for Windows VMs help you encrypt your Linux and Windows IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard DM-Crypt feature of Linux and the BitLocker feature of Windows to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage.
- Best practice: Enable encryption on VMs.
- Best practice: Use a key encryption key (KEK) for an additional layer of security for encryption keys. Add a KEK to your key vault.
- Best practice: Take a snapshot and/or backup before disks are encrypted. Backups provide a recovery option if an unexpected failure happens during encryption.
- Best practice: To make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the key vault and the VMs to be located in the same region.
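The four disk-encryption best practices above form one procedure. The following Az PowerShell script is an added example, not code from the original article or from Microsoft: it checks that the key vault and VM share a region, snapshots the OS disk first, adds a KEK to the vault, enables Azure Disk Encryption with that KEK, and reports the resulting status. It assumes the Az module, an authenticated session (Connect-AzAccount), a managed-disk VM, and a key vault that uses access policies; the resource group, VM, vault and key names are placeholders.

```powershell
# Added example (not from the original article): enable Azure Disk Encryption on a
# managed-disk VM following the best practices above. Requires the Az PowerShell
# module and an authenticated session (Connect-AzAccount). Names are placeholders.
$rg      = 'rg-workloads'        # assumed resource group
$vmName  = 'vm-app01'            # assumed VM name
$kvName  = 'kv-workloads-ade'    # assumed key vault name (access-policy model)
$kekName = 'ade-kek'             # assumed key encryption key name

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# Best practice: key vault and VM must be in the same region. Stop early rather than
# let the extension fail after the snapshot and KEK have been created.
if ($kv.Location -ne $vm.Location) {
    throw "Key vault '$kvName' ($($kv.Location)) is not in the VM's region ($($vm.Location))."
}

# Best practice: snapshot the OS disk before encrypting so there is a recovery
# point if the encryption extension fails part-way through.
$osDiskId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
$snapCfg  = New-AzSnapshotConfig -SourceUri $osDiskId -Location $vm.Location -CreateOption Copy
$snapName = "$vmName-osdisk-pre-ade-$(Get-Date -Format yyyyMMddHHmm)"
New-AzSnapshot -ResourceGroupName $rg -SnapshotName $snapName -Snapshot $snapCfg | Out-Null

# Let the Azure platform read disk-encryption secrets from this vault.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption

# Best practice: add a KEK that wraps the per-disk encryption secrets.
$kek = Get-AzKeyVaultKey -VaultName $kvName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination Software
}

# Encrypt OS and data volumes; secrets are stored in the vault and wrapped by the KEK.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Verify: both volume types should report Encrypted once the extension completes.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

The region check comes first deliberately: the snapshot and KEK steps have side effects, so the one precondition that would make the whole run fail is tested before anything is created. Delete the pre-encryption snapshot only after the status check shows both volumes encrypted.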
Restrict direct internet connectivity
- Monitor and restrict VM direct internet connectivity. Attackers constantly scan public cloud IP ranges for open management ports and attempt "easy" attacks like common passwords and known unpatched vulnerabilities. The following best practice helps protect against these attacks:
- Best practice: Prevent inadvertent exposure to network routing and security.
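One concrete way to monitor for the inadvertent exposure described above is to audit the network security groups in a subscription for inbound Allow rules that open management ports to the whole Internet. The script below is an added example, not code from the original article or from Microsoft. It assumes the Az module and an authenticated session; the list of management ports and the set of "open to the Internet" source prefixes are assumptions that you should adapt to your environment.

```powershell
# Added example (not from the original article): list NSG rules that allow inbound
# traffic from any Internet source to common management ports. Requires the Az
# module and an authenticated session (Connect-AzAccount).
$managementPorts = @(22, 3389, 5985, 5986)          # assumed: SSH, RDP, WinRM
$openSources     = @('*', 'Internet', '0.0.0.0/0', '::/0')   # assumed "anywhere" prefixes

function Test-PortRangeHit {
    # NSG destination port entries are '*', a single port, or 'low-high'.
    param([string]$Range, [int[]]$Ports)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        $low = [int]$Matches[1]; $high = [int]$Matches[2]
        return [bool]($Ports | Where-Object { $_ -ge $low -and $_ -le $high })
    }
    return $Ports -contains [int]$Range
}

$findings = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        # In the Az model SourceAddressPrefix and DestinationPortRange are collections.
        $openSrc = @($rule.SourceAddressPrefix) | Where-Object { $openSources -contains $_ }
        $hitPort = @($rule.DestinationPortRange) |
            Where-Object { $_ -and (Test-PortRangeHit -Range $_ -Ports $managementPorts) }
        if ($openSrc -and $hitPort) {
            [pscustomobject]@{
                ResourceGroup = $nsg.ResourceGroupName
                Nsg           = $nsg.Name
                Rule          = $rule.Name
                Priority      = $rule.Priority
                Source        = ($openSrc -join ',')
                Ports         = ($hitPort -join ',')
            }
        }
    }
}

$findings | Sort-Object ResourceGroup, Nsg, Priority | Format-Table -AutoSize
```

The report lists each offending rule with its priority so you can judge whether a higher-priority Deny rule already shadows it; the script itself does not evaluate rule precedence or the effective routes of a VM's NIC, so treat each finding as a candidate for review rather than a confirmed exposure. Running it on a schedule and diffing the output is a cheap way to catch rules added outside change control.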