With hundreds of products and cloud services, Microsoft Azure Cloud offers significant capabilities, but it can be a formidable task to keep them all configured properly. However, there are a few things you can do right now to ensure the health and safety of your infrastructure.
As with most things cloud native, not everything is created equal. So, we evaluated configuration issues based on multiple factors, including the popularity of a service, security exposure risk, interactions with other controls and services, and our experience drawn from performing hundreds of thousands of configuration audits.
Since knowing about possible problems ahead of time provides organizations a strategic advantage, we believe that understanding Azure settings and how to govern them properly is a distinct advantage. We’ve prepared the following list of common configuration issues to help you better manage and secure your infrastructure.
For the full list of configurations across Azure services, you can download the entire white paper The 10 Most Common Azure Configuration Challenges.
Network Security Groups (NSGs)
NSGs are one of the most fundamental security resources on Azure. A network security group filters network traffic to and from resources in an Azure virtual network. Most Azure services, such as Redis Cache, Azure Functions, and Azure Container Instances, can be deployed into a virtual network service. The security groups that are created contain the security rules that determine what inbound traffic is allowed or denied to and from several types of Azure resources.
Default security group: This ensures that default security groups, which are launched without a defined security group, block all traffic by default. Setting the default rules to block all traffic will prevent accidental exposure.
| Configuration quick fix: Update the rules for the default security group to deny all traffic by default. |
Azure Kubernetes Service (AKS)
AKS is designed to provide a highly available, secure, and fully managed Kubernetes service. With AKS, Azure provides its users a way to deploy faster and manage containerized applications easier. In addition to serverless Kubernetes, Azure AKS integrates with popular CI/CD, security, and governance tools. The service provides one platform for your development and operations teams to help smooth out and accelerate the build and deployment of your applications.
Kubernetes RBAC enabled: RBAC in AKS can be based on roles in Azure AD and turning it on will ensure that the right teams and users have the right access to each part of AKS.
| Configuration quick fix: Allow RBAC authentication for all Azure Kubernetes clusters. |
Azure Blob Storage
Blob storage from Azure provides scalable, secure object storage for unstructured data, allowing data consistency and access flexibility without the need to deploy different database systems. Blob storage is useful alongside a host of other Azure cloud-native, platform as a service (PaaS), and other services. It uses Azure AD roles, allowing consistent user permissions across all relevant services.
- Blob container private access: Enable this configuration to ensure that blob containers require authentication. Blob containers set with public access enable anonymous users to read blobs in a publicly accessible container without authentication.
| Configuration quick fix: Configure each blob container to restrict anonymous access. |
Conclusion
If you’d like to learn more about how to properly configure your infrastructure, we’ve compiled a list of 10 of the most common configuration issues — including detailed remediation steps.