loading...

Create an Azure VM baseline

cheahengsoon profile image Eng Soon Cheah ・3 min read

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance.

Azure networking security recommendations
Here are the security recommendations you should follow to set Virtual Machine (VM) policies on your Azure subscription. Included with each recommendation are the basic steps to follow in the Azure portal. You should perform these steps on your own subscription with your own resources to validate the security for each. Keep in mind that Level 2 options might restrict some features or activity, so carefully consider which security options you decide to enforce.

Ensure that OS disk are encrypted

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs). It is also integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets, and ensures that all data on the VM disks are encrypted at rest while in Azure storage. Azure Disk Encryption for Windows and Linux VMs is in General Availability in all Azure public regions and Azure Government regions for Standard VMs and VMs with Azure Premium Storage.

If you use Azure Security Center (recommended), you're alerted if you have VMs that aren't encrypted.

  1. In the Azure portal search for KeyVault.
  2. Select Key Vault and click Create.
  3. Enter the following details:

    • Resource Group: myResourceGroup
    • Key vault name: Enter something unique
    • Region: EastUS Alt Text
  4. Select the Access policy tab and select Azure Disk Encryption for volume encryption.
    Alt Text

  5. Click Review + create then click Create.

  6. Wait for the deployment to complete before continuing.

  7. In the Azure portal select Virtual machines.

  8. Select myVM virtual machine.

  9. Under the Settings section select Disks.

  10. Notice the disk is not encrypted.
    Alt Text

  11. Click Encryption.
    Alt Text

  12. Select OS & data disks to be encrypted.

  13. Click Select a key vault and key for encryption and select your vault and click Select.

  14. Click Save and click Yes to confirm.

Ensure only approved extensions are installed

Azure virtual machine (VM) extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. For example, if a virtual machine requires software installation, anti-virus protection, or to run a script inside of it, a VM extension can be used. Azure VM extensions can be run with the Azure CLI, PowerShell, Azure Resource Manager templates, and the Azure portal. Extensions can be bundled with a new VM deployment, or run against any existing system.

  1. In the Azure portal select Virtual machines.
  2. Select myVM and then in the Settings section click Extensions.
  3. Ensure that the listed extensions are approved for use. Alt Text

Posted on by:

cheahengsoon profile

Eng Soon Cheah

@cheahengsoon

Pursuit my dreams working in U.S.

Discussion

pic
Editor guide