In this azure tutorial, we will discuss about Azure best practices. Apart from this, we will also discuss on below topics
- Azure security best practices
- Azure Key Vault best practices
- Azure DevOps best practices
- Azure resource group best practices
- Azure monitoring best practices
- Azure Ad connect best practices
- Azure subscription best practices
- Azure RBAC best practices
Table of Contents
- Azure best practices
- Azure security best practices
- Use multi-factor authentication
- Dedicated workstations
- Minimize administrator access and admin accounts
- Disable RDP/SSH Access to VM
- Use Azure virtual network appliances
- Minimize the use of password-based authentication
- Separation of Duties
- Manage with secure workstations
- Implement a centralized security management system
- Virtual disks and disk storage Encryption
- Azure Key Vault best practices
- Azure DevOps best practices
- Azure resource group best practices
- Azure monitoring best practices
- Azure Ad connect best practices
- Azure subscription best practices
- Azure rbac best practices
Azure best practices
Here, we will discuss what are the best practices we need to follow in case of each Azure component like in case of Security, key vault, resource group, architecture, monitoring, ad connect, RBAC, subscription, Blob Storage, etc.
One more important thing to note down here is Azure Advisor is one free service from Microsoft that helps you in the following ways
- Azure Advisor is an excellent service from Microsoft that analyzes your configurations and usage and guides you for the best practices.
- Recommends you the way to optimize your Azure resources for high availability after the analysis of your configurations at free of cost.
Azure security best practices
There are some Microsoft Azure security best practices that need to be followed in case of Azure security while designing, deploying, and managing your cloud applications.
Use multi-factor authentication
- It is always recommended to use multi-factor authentication. This provides strong authentication with several checks phone calls, SMS, mobile application notification.
- Since this multi-factor authentication mechanism undergoes multiple stages of security aspect so the risk of a cyber attack will be less always.
- Also, multi-factor authentication requires the users to present a minimum of two separate forms of authentication before he or she gets the access.
Dedicated workstations
- It is recommended to use dedicated workstations.
- Dedicated workstations provide an operating system that dedicates to sensitive tasks and which protects against external attacks. Using separate workstations provides a high protection against phishing attacks, operating system vulnerabilities.
Minimize administrator access and admin accounts
Better to minimize the number of admin accounts and administrator access. That helps you for the confidentiality and integrity of your data.
The more the number of admin accounts and administrator access, the risk of cyberattacks, phishing attacks is more.
Disable RDP/SSH Access to VM
You can connect your virtual machines using Remote Desktop Protocol (RDP) and secure shell (SSH) protocol. This way you can able to manage your virtual machines from remote locations.
The risk of using these protocols over the internet will help the attackers to access your virtual machines and the other machines in your network.
Use Azure virtual network appliances
You should deploy Azure virtual network appliances in your network that provide you with Application Control, Vulnerability management, Antivirus, Firewalling, Network-based anomaly detection, Intrusion detection, etc.
Azure network security appliances can deliver you better security.
Minimize the use of password-based authentication
It is always better to minimize the use of password-based authentication. Password-based authentications are a very weak way of authentication. There is a chance that by mistake you will share your credentials with others which will create a huge risk for you and for the Organization.
Instead, you can use Azure AD integrated authentication. You can use single sign-on authentication using Windows credentials. Federate AD domain with Azure AD and you can use Integrated Windows authentication.
There are some cases where you might not able to avoid the usage of passwords in that case store user passwords and application secrets in Azure Key Vault and manage access through the Key Vault access policies.
Below are a few best practices for using Key Vault.
- You should give access to users, groups, and applications at a particular scope.
- You should store your certificates in the Key Vault. You can set appropriate access policies for the key vault so that you will come to know who is accessing the certificate.
Separation of Duties
You should implement separation of duties, For example
- You should use different accounts for the development environment, test environment, and production environment.
- Instead of assigning permission to individual users, it’s better to create roles. Roles can be database roles or server roles.
- You should always make sure to have an Audit trail for all security-related stuffs and you should always encrypt the data while storing in the database which will restrict the DBA and DB owners from viewing the actual data.
Manage with secure workstations
- When you have sensitive data, accounts, and tasks, you should keep those in a secure workstations (Privileged Access Workstations).
- Privileged Access Workstations are the workstations that provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and locked down workstation designed to provide high security for sensitive accounts and tasks.
- You should enforce security policies across all devices that are used to consume data.
- If You want to secure email, documents, and sensitive data that you want to share outside from your organization, you can use Azure Information protection which is a cloud-based solution that helps the organization to secure email, documents, and sensitive data.
Implement a centralized security management system
- You can use Azure Security Center which is a centralized security management system that continuously monitors the security status of your Azure resources.
- This also provides an analysis of the configuration of the infrastructure, such as the network configuration and the use of virtual appliances.
- It helps configuring network security groups (NSG) and the set of rules to control traffic to the virtual machines (VM).
- This system will check if any system updates is missing, It will deploy those updates.
- One more important thing is, this system will fix the issue of the operating system if in case it will find any.
Virtual disks and disk storage Encryption
- You can use Azure Disk Encryption that helps Administrators to encrypt the windows and Linux VM disks. This helps to eliminate the risks of data theft by moving the disk.
- Azure Disk Encryption is integrated internally with Key Vault to manage encryption keys.
- You can protect the data at rest with the help of the Azure storage services encryption.
Azure Key Vault best practices
- Azure Key Vault is a cloud service that provides encryption keys and secrets like certificates, connection strings, and passwords, etc. There are some best practices need to be followed
- It is recommended to enable soft delete that helps to recover the deleted vault objects.
- You should limit the number of users who have contribute access because they can access to the data pane and can miss utilize the data. So it is suggested to limit the number of users for those you are going to give the contribute access.
- You should enable the Diagnostics logs in Key Vault that help you to investigate easily in case of any service incidents.
- It is recommended to restrict who can access to your key vault logs, because they can miss utilize or delete the logs while investigating any of the service incidents.
- You should give limited access to the virtual networks that are used by all the solutions requiring the vault access.
- You should ensure that you should able to recover the Azure key Vault instances at the time of need.
Azure DevOps best practices
- You should ensure Application development teams using version control
- It is suggested that all the Stakeholders should actively participate in the development of process
- Automation testing should be implemented to test any of the applications developed by the team.
- The services used for developing the applications should be reusable.
- One of the key practices for DevOps is Continuous integration. It is basically referred to the building a project and validate it regularly.
- Application monitoring is one of the Azure DevOps best practices. You should optimize the application performance that is deployed on the local data center or the cloud platform with the help of Application monitoring which is one of the best practices of the Azure DevOps.
- Continuous Deployment is another best practice of the DevOps which is the extension of the Continuous integration that comes with many sub-processes, including creation, versioning, testing, deployment, etc. This process helps the developers to reduce the time between the identification of the new features and its deployment in production.
Azure resource group best practices
A resource group acts as a logical container into which Azure resources like web apps, storage accounts, and databases are deployed and managed. Below are a few best practices you need to consider while creating a resource group.
- It is recommended to create an Azure resource group per region where the resources will be located. In case of any issues, it will have a less impact on your overall Azure deployment
- There is a built-in policy that will report when the resource location doesn’t match the resource group location. As per the policy, the resource location and the resource group location should be the same and that is a great best practice.
Azure monitoring best practices
Monitoring all your Azure resources is an important factor that needs to be considered while you are using Azure as a service. Below are a few best practices that need to be followed in the case of Azure monitoring.
- You should make sure to enable monitoring for all your apps. This ensures that all your applications are working as expected. You can use Azure Monitor Application Insights SDKs in your code if you are working with code.
- Ensure to enable monitoring for your entire infrastructure. This will help you to observe the issue quickly in case of any potential failures.
- You should ensure to set up actionable alerts for all possible failure states. The alerts can be SMS, email, voice calls, or push notifications, etc.
Azure Ad connect best practices
There are a few best practices that need to be followed while using the Azure Ad connect.
- You should always make sure to install and upgrade to the latest Azure AD Connect version. Better you can configure the auto-upgrade.
- Ensure to encrypt the disks where ever possible.
- Minimize the number of admin access or admin accounts that are having access to Azure AD Connect.
- Make sure to update the latest security updates each month.
- The account password must be changed to a complex password.
Azure subscription best practices
It is recommended to follow some best practices while using the Azure subscriptions.
- You should make sure to keep subscriptions to a minimum to reduce the complexity.
- Do not create a subscription for each environment i.e Dev, Test, Prod.
- Avoid creating unnecessary multiple subscriptions if it is not really needed.
- Better to avoid creating additional subscriptions beyond your current resource limits.
Azure rbac best practices
Let’s discuss some best practices for using Azure role-based access control (Azure RBAC).
- You can grant only the amount of access to users that they need to perform their jobs. Do not give any extra access.
- You should limit the subscription owner maximum to 3. This can be monitored in Azure Security Center.
- You should use Azure Active Directory Privileged Identity Management (PIM) to protect privileged accounts from different cyber-attacks.
You may like the following Azure tutorials:
Conclusion
In this tutorial, we learned the below things:
- Azure best practices
- Azure security best practices
- Azure Key Vault best practices
- Azure DevOps best practices
- Azure resource group best practices
- Azure monitoring best practices
- Azure Ad connect best practices
- Azure subscription best practices
- Azure RBAC best practices