Azure Service guides are intended to help you in decision-making for individual Azure components within a workload. Each guide highlights the core features and capabilities essential for achieving a state of excellence. They are not configuration guides or exhaustive lists of all features and capabilities, but rather emphasize the usefulness of features from the perspective of the Well-Architected pillars.
This post collects best practices not only from the Well-Architected Framework (WAF) service guides, but also from other Microsoft security resources.
Note: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/?product=popular
Azure Firewall
Note: see also the Microsoft Security Service Map and the Microsoft Cloud Security Benchmark.
- Reliability
- Deploy Azure Firewall in hub virtual networks or as part of Azure Virtual WAN hubs.
- Use Availability Zones for resiliency.
- Create Azure Firewall Policy structure.
- Review the Known Issue list.
- Monitor Azure Firewall health state.
- Security
- Determine if you need Forced Tunneling.
- Create rules for Policies based on least privilege access criteria.
- Enable threat intelligence-based filtering.
- Enable Azure Firewall DNS proxy.
- Direct network traffic through Azure Firewall.
- Determine if you want to use third-party security as a service (SECaaS) providers.
- Protect your Azure Firewall public IP addresses with DDoS.
- Cost optimization
- Select the Azure Firewall SKU to deploy.
- Determine if some instances don’t need permanent 24×7 allocation.
- Determine where you can optimize firewall use across workloads.
- Monitor and optimize firewall instances usage to determine cost-effectiveness.
- Review and optimize the number of public IP addresses required and Policies used.
- Review logging requirements, estimate cost and control over time.
- Operational excellence
- Maintain inventory and backup of Azure Firewall configuration and Policies.
- Leverage diagnostic logs for firewall monitoring and troubleshooting.
- Leverage Azure Firewall Monitoring workbook.
- Regularly review your Policy insights and analytics.
- Integrate Azure Firewall with Microsoft Defender for Cloud and Microsoft Sentinel.
- Performance efficiency
- Regularly review and optimize firewall rules.
- Review policy requirements and opportunities to summarize IP ranges and URLs list.
- Assess your SNAT port requirements.
- Plan load tests to test auto-scale performance in your environment.
- Do not enable diagnostic tools and logging if not required.
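The "least privilege access criteria" and "DNS proxy" items above are easy to state and easy to violate in a large policy. The following added example (not from the service guide or any Microsoft tool) is an offline linter over the ARM shape of a firewall policy and one of its rule collection groups. It flags Allow rules that are wildcard on two or more of source, destination and port (or on the target FQDN), and network rules that use `destinationFqdns` while the policy's DNS proxy is off, since FQDN-based network rules depend on the proxy. The policy and group objects are constructed for the example; property names follow the `Microsoft.Network/firewallPolicies` resource schema.

```python
"""Offline linter for Azure Firewall policy rule collection groups (added example).

Reads the ARM property shape of Microsoft.Network/firewallPolicies and its
ruleCollectionGroups and reports Allow rules that violate least privilege, plus
network rules that name FQDNs while the policy's DNS proxy is disabled.
The sample objects at the bottom are constructed, not exported from a deployment.
"""

WILDCARDS = {"*", "0.0.0.0/0", "any"}


def _is_wild(values) -> bool:
    """True when any entry in a source/destination/port list is a catch-all."""
    return any(str(v).strip().lower() in WILDCARDS for v in values or [])


def lint_rule_collection_group(policy: dict, group: dict) -> list:
    """Return human-readable findings; an empty list means the group is clean."""
    findings = []
    dns_proxy = bool(policy["properties"].get("dnsSettings", {}).get("enableProxy", False))

    for coll in group["properties"]["ruleCollections"]:
        # NAT collections have a different shape; this linter covers filter collections only.
        if coll.get("ruleCollectionType") != "FirewallPolicyFilterRuleCollection":
            continue
        is_allow = coll.get("action", {}).get("type", "").lower() == "allow"

        for rule in coll.get("rules", []):
            where = f"{coll['name']}/{rule['name']}"
            wild = []  # dimensions of this rule that are unscoped

            if rule.get("ruleType") == "NetworkRule":
                if rule.get("destinationFqdns") and not dns_proxy:
                    findings.append(f"{where}: destinationFqdns used but DNS proxy is disabled on the policy")
                if _is_wild(rule.get("sourceAddresses")) and not rule.get("sourceIpGroups"):
                    wild.append("source")
                if _is_wild(rule.get("destinationAddresses")) and not (
                        rule.get("destinationIpGroups") or rule.get("destinationFqdns")):
                    wild.append("destination")
                if _is_wild(rule.get("destinationPorts")):
                    wild.append("port")
            elif rule.get("ruleType") == "ApplicationRule":
                if _is_wild(rule.get("sourceAddresses")) and not rule.get("sourceIpGroups"):
                    wild.append("source")
                if _is_wild(rule.get("targetFqdns")):
                    wild.append("fqdn")

            # Deny rules may legitimately be any/any; only Allow rules must be scoped.
            if is_allow and (len(wild) >= 2 or "fqdn" in wild):
                findings.append(f"{where}: Allow rule is unscoped on {', '.join(wild)}")
    return findings


SAMPLE_POLICY = {  # constructed
    "name": "hub-policy",
    "properties": {"dnsSettings": {"enableProxy": False}},
}

SAMPLE_GROUP = {  # constructed
    "name": "DefaultNetworkRuleCollectionGroup",
    "properties": {
        "priority": 200,
        "ruleCollections": [
            {
                "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                "name": "allow-workload", "priority": 100, "action": {"type": "Allow"},
                "rules": [
                    {"ruleType": "NetworkRule", "name": "any-any", "ipProtocols": ["Any"],
                     "sourceAddresses": ["*"], "destinationAddresses": ["*"], "destinationPorts": ["*"]},
                    {"ruleType": "NetworkRule", "name": "kms", "ipProtocols": ["TCP"],
                     "sourceAddresses": ["10.0.0.0/8"], "destinationFqdns": ["kms.core.windows.net"],
                     "destinationPorts": ["1688"]},
                    {"ruleType": "ApplicationRule", "name": "web", "sourceAddresses": ["*"],
                     "protocols": [{"protocolType": "Https", "port": 443}], "targetFqdns": ["*"]},
                ],
            },
            {
                "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                "name": "deny-all", "priority": 65000, "action": {"type": "Deny"},
                "rules": [
                    {"ruleType": "NetworkRule", "name": "catch-all", "ipProtocols": ["Any"],
                     "sourceAddresses": ["*"], "destinationAddresses": ["*"], "destinationPorts": ["*"]},
                ],
            },
        ],
    },
}

if __name__ == "__main__":
    for finding in lint_rule_collection_group(SAMPLE_POLICY, SAMPLE_GROUP):
        print(finding)
```

Run it against the JSON you get from an ARM export of the policy and each rule collection group. The catch-all Deny collection produces no finding, which is the intended shape: explicit deny last, narrowly scoped allows in front of it.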
Azure SQL Database
- Azure SQL Database and reliability
- Use Active Geo-Replication to create a readable secondary in a different region.
- Use Auto Failover Groups that can include one or multiple databases, typically used by the same application.
- Use a Zone-Redundant database.
- Monitor your Azure SQL Database in near-real time to detect reliability incidents.
- Implement Retry Logic.
- Back up your keys.
- Azure SQL Database and security
- Understand logical servers and how you can administer logins for multiple databases when appropriate.
- Enable Microsoft Entra authentication with Azure SQL. Microsoft Entra authentication enables simplified permission management and centralized identity management.
- Azure SQL logical servers should have a Microsoft Entra administrator provisioned.
- Verify that the contact email addresses for your Azure subscription's service administrator and co-administrators reach the correct parties inside your enterprise. You don't want to miss or ignore important security notifications from Azure.
- Review the Azure SQL Database connectivity architecture. Choose the Redirect or Proxy connection policy as appropriate.
- Review Azure SQL Database firewall rules.
- Use virtual network rules to control communication from particular subnets in virtual networks.
- If using the Azure Firewall, configure Azure Firewall application rules with SQL FQDNs.
- Azure SQL Database and cost optimization
- Optimize queries.
- Evaluate resource usage.
- Fine-tune backup storage consumption.
- Evaluate Azure SQL Database serverless.
- Consider reserved capacity for Azure SQL Database.
- Consider elastic pools for managing and scaling multiple databases.
- Azure SQL Database and operational excellence
- Use Active Geo-Replication to create a readable secondary in a different region.
- Use Auto Failover Groups that can include one or multiple databases, typically used by the same application.
- Use a Zone-Redundant database.
- Monitor your Azure SQL Database in near-real time to detect reliability incidents.
- Implement retry logic.
- Back up your keys.
- Azure SQL Database and performance efficiency
- Review resource limits. For specific resource limits per pricing tier (also known as service objective) for single databases, refer to either DTU-based single database resource limits or vCore-based single database resource limits. For elastic pool resource limits, refer to either DTU-based elastic pool resource limits or vCore-based elastic pool resource limits.
- Choose the right deployment model for your workload, vCore or DTU. Compare the vCore and DTU-based purchasing models.
- Microsoft recommends the latest vCore database standard-series or premium-series hardware. Older Gen4 hardware has been retired.
- When using elastic pools, familiarize yourself with resource governance.
- Review the default max degree of parallelism (MAXDOP) and configure as needed based on a migrated or expected workload.
- Consider using read-only replicas of critical database to offload read-only query workloads.
- Review the Performance Center for SQL Server Database Engine and Azure SQL Database.
- Applications connecting to Azure SQL Database should use the latest connection providers, for example the latest OLE DB Driver or ODBC Driver.
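The reliability checklist above says "Implement retry logic" without showing what a correct implementation looks like. The following added example (not from the service guide or any Microsoft SDK) retries only the error numbers Azure SQL documents as transient, with exponential backoff and jitter and a bounded attempt budget, and re-raises anything else immediately so that a real authorization failure is never masked by retries. `SqlError` and `make_flaky_connect` are constructed stand-ins for a driver exception and a driver call; the list of transient error numbers is a subset of the documented set.

```python
"""Retry wrapper for transient Azure SQL Database errors (added example).

Azure SQL returns specific error numbers for transient conditions such as
reconfiguration, throttling and failover. The wrapper retries only those, with
exponential backoff and jitter, and gives up after a bounded number of attempts.
SqlError and make_flaky_connect are constructed stand-ins for a real driver.
"""
import random
import re
import time

# Subset of the error numbers Microsoft documents as transient for Azure SQL Database,
# plus 1205 (deadlock victim), which is also safe to retry for idempotent work.
TRANSIENT_ERRORS = {4060, 40197, 40501, 40613, 49918, 49919, 49920, 4221, 615, 1205}


class SqlError(Exception):
    """Minimal stand-in for a driver exception; real drivers expose the number differently."""
    def __init__(self, number: int, message: str):
        super().__init__(f"({number}) {message}")
        self.number = number


def error_number(exc: Exception):
    """Extract the SQL Server error number from an exception, if it carries one."""
    num = getattr(exc, "number", None)
    if num is None:  # pyodbc-style: the number appears as "(40613)" inside the message text
        m = re.search(r"\((\d+)\)", str(exc))
        num = int(m.group(1)) if m else None
    return num


def is_transient(exc: Exception) -> bool:
    return error_number(exc) in TRANSIENT_ERRORS


def retry_transient(op, *, max_attempts=5, base_delay=0.5, max_delay=8.0,
                    sleep=time.sleep, rand=random.random):
    """Call op() until it succeeds, a non-transient error occurs, or the budget is spent.

    Wrap only idempotent operations: an INSERT that committed just before the
    connection dropped would otherwise run twice on retry.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            return op()
        except Exception as exc:
            if not is_transient(exc) or attempts >= max_attempts:
                raise
            delay = min(max_delay, base_delay * 2 ** (attempts - 1))
            sleep(delay * (0.5 + rand() / 2))  # jitter: 50-100% of the backoff slot


def run_and_report(op, **kwargs):
    """Return ("ok", result) or ("error", number) instead of raising; used for the demo."""
    try:
        return "ok", retry_transient(op, **kwargs)
    except SqlError as exc:
        return "error", exc.number


def make_flaky_connect(failures_before_success: int, number: int = 40613):
    """Constructed driver stand-in: raise `number` N times, then succeed."""
    state = {"calls": 0}

    def connect():
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise SqlError(number, "Database on server is not currently available.")
        return "connection"
    return connect, state


if __name__ == "__main__":
    connect, state = make_flaky_connect(2)
    print(run_and_report(connect, sleep=lambda s: None), "after", state["calls"], "attempts")
```

With a real driver, replace `op` with the connect-and-execute call and keep `sleep` at its default; the injected `sleep` and `rand` exist only so the behaviour can be tested without waiting.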
Blob Storage
Note: https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations
To see how Storage completely maps to the Microsoft cloud security benchmark, see the full Storage security baseline mapping file.
Data protection
Recommendation | Comments | Defender for Cloud |
---|---|---|
Use the Azure Resource Manager deployment model | Create new storage accounts using the Azure Resource Manager deployment model for important security enhancements, including superior Azure role-based access control (Azure RBAC) and auditing, Resource Manager-based deployment and governance, access to managed identities, access to Azure Key Vault for secrets, and Microsoft Entra authentication and authorization for access to Azure Storage data and resources. If possible, migrate existing storage accounts that use the classic deployment model to use Azure Resource Manager. For more information about Azure Resource Manager, see Azure Resource Manager overview. | – |
Enable Microsoft Defender for all of your storage accounts | Microsoft Defender for Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. Security alerts are triggered in Microsoft Defender for Cloud when anomalies in activity occur and are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and remediate threats. For more information, see Configure Microsoft Defender for Storage. | Yes |
Turn on soft delete for blobs | Soft delete for blobs enables you to recover blob data after it has been deleted. For more information on soft delete for blobs, see Soft delete for Azure Storage blobs. | – |
Turn on soft delete for containers | Soft delete for containers enables you to recover a container after it has been deleted. For more information on soft delete for containers, see Soft delete for containers. | – |
Lock storage account to prevent accidental or malicious deletion or configuration changes | Apply an Azure Resource Manager lock to your storage account to protect the account from accidental or malicious deletion or configuration change. Locking a storage account does not prevent data within that account from being deleted. It only prevents the account itself from being deleted. For more information, see Apply an Azure Resource Manager lock to a storage account. | – |
Store business-critical data in immutable blobs | Configure legal holds and time-based retention policies to store blob data in a WORM (Write Once, Read Many) state. Blobs stored immutably can be read, but cannot be modified or deleted for the duration of the retention interval. For more information, see Store business-critical blob data with immutable storage. | – |
Require secure transfer (HTTPS) to the storage account | When you require secure transfer for a storage account, all requests to the storage account must be made over HTTPS. Any requests made over HTTP are rejected. Microsoft recommends that you always require secure transfer for all of your storage accounts. For more information, see Require secure transfer to ensure secure connections. | – |
Limit shared access signature (SAS) tokens to HTTPS connections only | Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of eavesdropping. For more information, see Grant limited access to Azure Storage resources using shared access signatures (SAS). | – |
Disallow cross-tenant object replication | By default, an authorized user is permitted to configure an object replication policy where the source account is in one Microsoft Entra tenant and the destination account is in a different tenant. Disallow cross-tenant object replication to require that the source and destination accounts participating in an object replication policy are in the same tenant. For more information, see Prevent object replication across Microsoft Entra tenants. | – |
Identity and access management
Recommendation | Comments | Defender for Cloud |
---|---|---|
Use Microsoft Entra ID to authorize access to blob data | Microsoft Entra ID provides superior security and ease of use over Shared Key for authorizing requests to Blob storage. For more information, see Authorize access to data in Azure Storage. | – |
Keep in mind the principle of least privilege when assigning permissions to a Microsoft Entra security principal via Azure RBAC | When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. | – |
Use a user delegation SAS to grant limited access to blob data to clients | A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. For more information, see Grant limited access to Azure Storage resources using shared access signatures (SAS). | – |
Secure your account access keys with Azure Key Vault | Microsoft recommends using Microsoft Entra ID to authorize requests to Azure Storage. However, if you must use Shared Key authorization, then secure your account keys with Azure Key Vault. You can retrieve the keys from the key vault at runtime, instead of saving them with your application. For more information about Azure Key Vault, see Azure Key Vault overview. | – |
Regenerate your account keys periodically | Rotating the account keys periodically reduces the risk of exposing your data to malicious actors. | – |
Disallow Shared Key authorization | When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. For more information, see Prevent Shared Key authorization for an Azure Storage account. | – |
Keep in mind the principle of least privilege when assigning permissions to a SAS | When creating a SAS, specify only those permissions that are required by the client to perform its function. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. | – |
Have a revocation plan in place for any SAS that you issue to clients | If a SAS is compromised, you will want to revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past. For more information, see Grant limited access to Azure Storage resources using shared access signatures (SAS). | – |
If a service SAS is not associated with a stored access policy, then set the expiry time to one hour or less | A service SAS that is not associated with a stored access policy cannot be revoked. For this reason, limiting the expiry time so that the SAS is valid for one hour or less is recommended. | – |
Disable anonymous read access to containers and blobs | Anonymous read access to a container and its blobs grants read-only access to those resources to any client. Avoid enabling anonymous read access unless your scenario requires it. To learn how to disable anonymous access for a storage account, see Overview: Remediating anonymous read access for blob data. | – |
Networking
Recommendation | Comments | Defender for Cloud |
---|---|---|
Configure the minimum required version of Transport Layer Security (TLS) for a storage account | Require that clients use a more secure version of TLS to make requests against an Azure Storage account by configuring the minimum version of TLS for that account. For more information, see Configure minimum required version of Transport Layer Security (TLS) for a storage account. | – |
Enable the Secure transfer required option on all of your storage accounts | When you enable the Secure transfer required option, all requests made against the storage account must take place over secure connections. Any requests made over HTTP will fail. For more information, see Require secure transfer in Azure Storage. | Yes |
Enable firewall rules | Configure firewall rules to limit access to your storage account to requests that originate from specified IP addresses or ranges, or from a list of subnets in an Azure Virtual Network (VNet). For more information about configuring firewall rules, see Configure Azure Storage firewalls and virtual networks. | – |
Allow trusted Microsoft services to access the storage account | Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on. You can permit requests from other Azure services by adding an exception to allow trusted Microsoft services to access the storage account. For more information about adding an exception for trusted Microsoft services, see Configure Azure Storage firewalls and virtual networks. | – |
Use private endpoints | A private endpoint assigns a private IP address from your Azure Virtual Network (VNet) to the storage account. It secures all traffic between your VNet and the storage account over a private link. For more information about private endpoints, see Connect privately to a storage account using Azure Private Endpoint. | – |
Use VNet service tags | A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. For more information about service tags supported by Azure Storage, see Azure service tags overview. For a tutorial that shows how to use service tags to create outbound network rules, see Restrict access to PaaS resources. | – |
Limit network access to specific networks | Limiting network access to networks hosting clients requiring access reduces the exposure of your resources to network attacks. | Yes |
Configure network routing preference | You can configure network routing preference for your Azure storage account to specify how network traffic is routed to your account from clients over the Internet using the Microsoft global network or Internet routing. For more information, see Configure network routing preference for Azure Storage. | – |
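Most rows of the three tables above map to a single property on the storage account resource, so they can be audited mechanically. The following added example (not a Microsoft tool) reads the ARM JSON of a `Microsoft.Storage/storageAccounts` resource (the shape produced by `az resource show` or a template export, with settings under `properties`), optionally the `blobServices/default` resource for soft-delete settings, and reports the rows that are not satisfied. The two sample accounts are constructed. Missing properties are treated as the permissive value, which is the safe assumption for an audit even though newer accounts default some of them to the secure value.

```python
"""Posture audit of an Azure Storage account against the recommendations above (added example).

Input is the ARM resource JSON of Microsoft.Storage/storageAccounts (settings under
"properties"), optionally plus the blobServices/default resource. Sample accounts
are constructed. Absent properties are assumed permissive on purpose.
"""
from typing import Optional

ACCEPTED_TLS = {"TLS1_2", "TLS1_3"}


def audit_storage_account(account: dict, blob_service: Optional[dict] = None) -> list:
    """Return (severity, finding) pairs; severity is 'high', 'medium' or 'info'."""
    out = []
    p = account.get("properties", {})

    if account.get("type", "").lower() == "microsoft.classicstorage/storageaccounts":
        out.append(("high", "classic deployment model: no Azure RBAC, Entra auth or managed identities; migrate to Resource Manager"))
        return out  # the remaining properties do not exist on classic accounts

    if not p.get("supportsHttpsTrafficOnly", False):
        out.append(("high", "secure transfer not required: plain HTTP requests are accepted"))
    tls = p.get("minimumTlsVersion", "TLS1_0")
    if tls not in ACCEPTED_TLS:
        out.append(("medium", f"minimum TLS version is {tls}; require TLS1_2 or later"))
    if p.get("allowBlobPublicAccess", True):
        out.append(("high", "anonymous (public) blob access allowed at account level"))
    if p.get("allowSharedKeyAccess", True):
        out.append(("medium", "Shared Key authorization allowed; account keys bypass Entra ID and RBAC"))
    if p.get("allowCrossTenantReplication", True):
        out.append(("medium", "cross-tenant object replication allowed"))

    acls = p.get("networkAcls", {})
    public = p.get("publicNetworkAccess", "Enabled")
    if public != "Disabled" and acls.get("defaultAction", "Allow") != "Deny":
        out.append(("high", "network default action is Allow: reachable from any public IP"))
    # bypass is a comma-separated string such as "AzureServices, Logging, Metrics"
    if acls.get("defaultAction") == "Deny" and "AzureServices" not in acls.get("bypass", ""):
        out.append(("info", "firewall on but trusted Microsoft services not bypassed; portal, logging and Defender may be blocked"))
    if public != "Disabled" and not p.get("privateEndpointConnections"):
        out.append(("info", "no private endpoint; VNet clients reach the account over its public endpoint"))

    if blob_service is not None:
        bp = blob_service.get("properties", {})
        if not bp.get("deleteRetentionPolicy", {}).get("enabled", False):
            out.append(("medium", "blob soft delete disabled"))
        if not bp.get("containerDeleteRetentionPolicy", {}).get("enabled", False):
            out.append(("medium", "container soft delete disabled"))
    return out


WEAK_ACCOUNT = {  # constructed
    "name": "stweak", "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
        "allowBlobPublicAccess": True, "allowSharedKeyAccess": True,
        "allowCrossTenantReplication": True, "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                        "ipRules": [], "virtualNetworkRules": []},
    },
}

HARDENED_ACCOUNT = {  # constructed
    "name": "sthardened", "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False, "allowSharedKeyAccess": False,
        "allowCrossTenantReplication": False, "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                        "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                        "virtualNetworkRules": []},
        "privateEndpointConnections": [{"id": "pe-connection-1"}],
    },
}

if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"], audit_storage_account(acct) or "clean")
```

Feed it the output of `az resource show --ids <account-id> -o json` per account; note that `az storage account show` flattens and renames some of these properties, so the ARM shape is the one to use.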
Logging/Monitoring
Recommendation | Comments | Defender for Cloud |
---|---|---|
Track how requests are authorized | Enable logging for Azure Storage to track how requests to the service are authorized. The logs indicate whether a request was made anonymously, by using an OAuth 2.0 token, by using Shared Key, or by using a shared access signature (SAS). For more information, see Monitoring Azure Blob Storage with Azure Monitor or Azure Storage analytics logging with Classic Monitoring. | – |
Set up alerts in Azure Monitor | Configure log alerts to evaluate resources logs at a set frequency and fire an alert based on the results. For more information, see Log alerts in Azure Monitor. | – |
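"Track how requests are authorized" is the control that tells you whether disallowing Shared Key and anonymous access is safe to turn on, and afterwards whether anything still tries. The following added example (not a Microsoft query or tool) triages the JSON-lines resource logs that a diagnostic setting delivers: it counts requests by authorization method (`identity.type` in the raw log, the same value Log Analytics exposes as `AuthenticationType`), lists every AccountKey or Anonymous request with its source, and flags source IPs with repeated 401/403 responses. The log lines are constructed for the example.

```python
"""Triage Azure Storage resource logs by authorization method (added example).

Works on the JSON-lines shape produced by a diagnostic setting: one object per
request, with the method in identity.type (Log Analytics column AuthenticationType,
which is also accepted). Reports AccountKey and Anonymous requests, which should
disappear once Shared Key and anonymous access are disallowed, and source IPs with
repeated authorization failures. The log lines below are constructed.
"""
import json
from collections import Counter, defaultdict


def auth_type(entry: dict) -> str:
    """Authorization method: OAuth, SAS, AccountKey or Anonymous."""
    return entry.get("AuthenticationType") or entry.get("identity", {}).get("type", "Unknown")


def caller_ip(entry: dict) -> str:
    """callerIpAddress carries a port suffix ("203.0.113.5:52310"); keep only the address."""
    raw = entry.get("callerIpAddress") or entry.get("CallerIpAddress") or "?"
    return raw.rsplit(":", 1)[0]


def triage(lines, failed_threshold: int = 3) -> dict:
    by_type = Counter()
    unwanted = []               # (method, ip, operation, uri) for AccountKey / Anonymous
    failures = defaultdict(int)  # 401/403 count per source IP
    for raw in lines:
        if not raw.strip():
            continue
        e = json.loads(raw)
        kind = auth_type(e)
        by_type[kind] += 1
        ip = caller_ip(e)
        if kind in ("AccountKey", "Anonymous"):
            unwanted.append((kind, ip, e.get("operationName"), e.get("uri")))
        if int(e.get("statusCode", 0)) in (401, 403):
            failures[ip] += 1
    return {
        "by_type": dict(by_type),
        "unwanted": unwanted,
        "suspicious_ips": sorted(ip for ip, n in failures.items() if n >= failed_threshold),
    }


SAMPLE_LOG = """
{"time":"2024-06-01T12:00:01Z","category":"StorageRead","operationName":"GetBlob","statusCode":200,"callerIpAddress":"10.1.2.3:51000","identity":{"type":"OAuth"},"uri":"https://stweak.blob.core.windows.net/data/report.csv"}
{"time":"2024-06-01T12:00:02Z","category":"StorageRead","operationName":"GetBlob","statusCode":200,"callerIpAddress":"198.51.100.7:44321","identity":{"type":"Anonymous"},"uri":"https://stweak.blob.core.windows.net/public/export.txt"}
{"time":"2024-06-01T12:00:03Z","category":"StorageWrite","operationName":"PutBlob","statusCode":201,"callerIpAddress":"10.1.2.9:51001","identity":{"type":"AccountKey"},"uri":"https://stweak.blob.core.windows.net/data/upload.bin"}
{"time":"2024-06-01T12:00:04Z","category":"StorageRead","operationName":"ListBlobs","statusCode":403,"callerIpAddress":"203.0.113.50:40001","identity":{"type":"SAS"},"uri":"https://stweak.blob.core.windows.net/data?restype=container&comp=list"}
{"time":"2024-06-01T12:00:05Z","category":"StorageRead","operationName":"ListBlobs","statusCode":403,"callerIpAddress":"203.0.113.50:40002","identity":{"type":"SAS"},"uri":"https://stweak.blob.core.windows.net/backup?restype=container&comp=list"}
{"time":"2024-06-01T12:00:06Z","category":"StorageRead","operationName":"GetBlob","statusCode":403,"callerIpAddress":"203.0.113.50:40003","identity":{"type":"AccountKey"},"uri":"https://stweak.blob.core.windows.net/data/secrets.json"}
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print("requests by authorization method:", result["by_type"])
    for item in result["unwanted"]:
        print("unwanted:", item)
    print("IPs with repeated 401/403:", result["suspicious_ips"])
```

The same logic translates directly into a KQL log alert over `StorageBlobLogs` summarizing by `AuthenticationType` and `CallerIpAddress`; the script is useful when you have the raw export but no workspace yet.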
Storage Account design consideration based on WAF
Note: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/storage-accounts/reliability
- Reliability
- Turn on soft delete for blob data.
- Use Microsoft Entra ID to authorize access to blob data.
- Consider the principle of least privilege when you assign permissions to a Microsoft Entra security principal through Azure RBAC.
- Use managed identities to access blob and queue data.
- Use blob versioning or immutable blobs to store business-critical data.
- Restrict default internet access for storage accounts.
- Enable firewall rules.
- Limit network access to specific networks.
- Allow trusted Microsoft services to access the storage account.
- Enable the Secure transfer required option on all your storage accounts.
- Limit shared access signature (SAS) tokens to HTTPS connections only.
- Avoid and prevent using Shared Key authorization to access storage accounts.
- Regenerate your account keys periodically.
- Create a revocation plan and have it in place for any SAS that you issue to clients.
- Use near-term expiration times on an ad hoc SAS, service SAS, or account SAS.
- Security
- Enable Microsoft Defender for Storage for all your storage accounts.
- Turn on soft delete for blob data.
- Use Microsoft Entra ID to authorize access to blob data.
- Consider the principle of least privilege when you assign permissions to a Microsoft Entra security principal through Azure RBAC.
- Use managed identities to access blob and queue data.
- Use blob versioning or immutable blobs to store business-critical data.
- Restrict default internet access for storage accounts.
- Enable firewall rules.
- Limit network access to specific networks.
- Allow trusted Microsoft services to access the storage account.
- Enable the Secure transfer required option on all your storage accounts.
- Limit shared access signature (SAS) tokens to HTTPS connections only.
- Avoid and prevent using Shared Key authorization to access storage accounts.
- Regenerate your account keys periodically.
- Create a revocation plan and have it in place for any SAS that you issue to clients.
- Use near-term expiration times on an ad hoc SAS, service SAS, or account SAS.
- Cost optimization
- Consider cost savings by reserving data capacity for block blob storage.
- Organize data into access tiers.
- Use lifecycle policy to move data between access tiers.
- Operational excellence
- Enable Microsoft Defender for Storage for all your storage accounts.
- Turn on soft delete for blob data.
- Use Microsoft Entra ID to authorize access to blob data.
- Consider the principle of least privilege when you assign permissions to a Microsoft Entra security principal through Azure RBAC.
- Use managed identities to access blob and queue data.
- Use blob versioning or immutable blobs to store business-critical data.
- Restrict default internet access for storage accounts.
- Enable firewall rules.
- Limit network access to specific networks.
- Allow trusted Microsoft services to access the storage account.
- Enable the Secure transfer required option on all your storage accounts.
- Limit shared access signature (SAS) tokens to HTTPS connections only.
- Avoid and prevent using Shared Key authorization to access storage accounts.
- Regenerate your account keys periodically.
- Create a revocation plan and have it in place for any SAS that you issue to clients.
- Use near-term expiration times on an ad hoc SAS, service SAS, or account SAS.
Virtual Machines
Azure Virtual Machines is an on-demand, scalable computing resource that gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it.
- Reliability
- Review the SLAs for virtual machines.
- VMs should be deployed in a scale set using the Flexible orchestration mode.
- Deploy VMs across Availability Zones.
- Package and publish application artifacts with VM Applications and Azure Compute Gallery.
- Install applications on Ephemeral OS disks.
- Use Maintenance Configurations to control and manage updates for VMs.
- Security
- Review the Linux security baseline.
- Review the Windows security baseline.
- Manage authentication and access control by ensuring strong passwords, multi-factor authentication, and role-based access control are in place for your VMs.
- Protect against malicious actor scenarios: implement security best practices such as firewalls, anti-malware software, and intrusion detection systems to protect against malware and DoS attacks.
- Plan and implement managed updates: Test updates in a non-production environment before deploying them to production, and consider using Azure Update Management to automate the update process.
- Classify data by sensitivity and configure encryption accordingly, including Encryption at Host for data at rest and TLS for data in transit.
- Cost optimization
- Shut down VM instances which aren’t in use.
- Use Spot VMs when appropriate.
- Choose the right VM size for your workload.
- Use Azure Bastion to secure operational access to the workload VMs.
- Use a Premium SSD v2 disk and, based on your workload patterns, programmatically adjust its performance to account for either higher or lower demand.
- For other disk types, size your disks to achieve your desired performance without over-provisioning. Account for fluctuating workload patterns and minimize unused provisioned capacity.
- Use Zone to Zone disaster recovery for virtual machines.
- Prepay with reserved instances or an Azure savings plan for compute for significant savings.
- Use hybrid benefit licensing.
- Deploy Azure Monitor Agent (AMA) to collect monitoring data from the guest operating system.
- Operational excellence
- Monitor and measure health.
- Set up Azure Monitor alerts for detecting configuration changes in your environment.
- Use the Application Insights extension to proactively understand how an application is performing and reactively review application execution data to determine the cause of an incident.
- Automate tasks like provisioning and updating.
- Build a robust testing environment by having a separate testing environment that closely mirrors your production environment and test updates and changes before deploying to production.
- Manage your quota: monitor resource usage and adjust your quota as needed to ensure that you have enough resources to meet your needs.
- Optimize with managed disks for better scalability, availability, performance.
- Consider using Automatic VM Guest patching to keep your OS patched.
- Performance efficiency
- Reduce latency by deploying VMs closer together in proximity placement groups.
- Use premium SSD to improve the performance of your virtual machines, especially for I/O-intensive workloads.
- Consider Premium SSD v2, a newer generation of Premium SSD that offers better performance and scalability.
- Optimize with managed disks to improve scalability, availability, and performance, and simplify disk management tasks such as backup and restore.
- Consider locally attached NVMe or similar devices for high-performance use cases such as big data analytics, machine learning, and high-performance computing.
- Enable Accelerated Networking to improve network performance and latency.
- Right size your VMs by choosing the appropriate VM size based on your workload requirements and monitor resource utilization to ensure optimal performance and cost.
- Autoscale your Flexible scale sets to automatically increase or decrease the number of VM instances that run your application based on demand or a set schedule.
Identity
Note: https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices
Azure Security
Azure RBAC
- Centralized identity and access management
- Risk-based access policies
- Privileged access control
Policy management
- Management hierarchy: management group > subscription > resource group > resources
- Built-in policies: enforce your organizational standards and evaluate your compliance status.
- Custom policies: if you have a niche security requirement that cannot be met by the built-in policies, you can create a custom policy. For example, you may need to enforce HTTPS-only access for storage accounts.
Network protection
- Network segmentation and groups: segregate resources into different VNets. Network security groups (NSGs) control ingress and egress traffic to resources connected to a VNet.
- Zero trust security: explicitly deny all traffic and allow only required traffic using rules with higher priority (in an NSG, the rule with the lower priority number wins); permit only required traffic between tiers even if the traffic is internal.
- NSG flow logs: for visibility into network traffic that flows in and out of your VNet, enable NSG flow logs to capture this information.
Data encryption
- Key management: Azure Key Vault or Azure Dedicated Hardware Security Module (HSM). For services where encryption keys are managed via Azure Key Vault, implement a key rotation policy for all keys; Microsoft recommends that keys be rotated at least every two years.
- Encryption of data at rest
- Encryption of data in transit
Operational security
- Multi-factor authentication
- Password management: to let users reset their own passwords, use self-service password reset in Microsoft Entra ID. Review usage through the built-in reporting features of Microsoft Entra Password Protection; these reports give you a view of the number of people registering for password resets, the frequency of password resets, and any associated suspicious activities.
- You can enable Just-in-Time (JIT) access for your VMs as well, especially for admin accounts.
- IaC adoption
- Azure Resource Manager (ARM) templates: written in a declarative format to deploy multiple resources and their dependencies.
- Azure DevOps: IaC pipelines in Azure DevOps streamline the build and deploy process and help avoid misconfigurations and security gaps.
- Terraform: HashiCorp Terraform is a popular open-source IaC tool you can use across hybrid and multi-cloud environments. Azure supports the configuration of Azure resources, Azure AD, and APIs, plus integration with Azure DevOps, through Terraform.
Application layer security
- Endpoint application security
- WAF
- Azure Firewall
Cloud Security Posture Management
- Microsoft Defender for Cloud
- Secure Score
Compliance
- Built-in benchmark assessment & dashboards
Optimize and correct security policies with configuration analyzer
Compare settings and apply recommendations
- Navigate to https://security.microsoft.com/configurationAnalyzer.
- Pick either Standard recommendations or Strict recommendations from the top menu, depending on which side-by-side comparison you'd like to make.
- Recommendations for policy changes will be displayed. (If applicable)
- You can then select a recommendation, note the recommended action, policy which the recommendation is applicable to, setting name & current configuration etc.
- With a recommendation selected, you can press Apply recommendation and then OK on the confirmation message that appears.
- If you wish to manually edit a policy, or confirm settings directly within the policy, you can press View policy instead of Apply recommendation which will load a new tab and take you directly to the affected policy for ease.