msidnam asked:
Proper Azure Network Security for VM(s).

I'm a little overwhelmed with all the security features to help secure an Azure environment and VMs.

Our developers are creating a web app that, currently, will live on a single VM and we may have a few VMs. In the future as the application grows we will separate the services.

So far I have enabled the security center and I was thinking of enabling JIT Access. I found a PS script that will create an RBAC role where I can put specific users in, and then another PS script so that they can enable ports for a specific time, but our developers use Linux and I don't know if that script will work even with PowerShell Core installed on Ubuntu.

They have Rapid7 and Qualys endpoints for vulnerability scanning but I'm not sure if that is needed. I was trying to look for an IPS/IDS endpoint but I am not familiar with what's on Azure nor whether it will be expensive.

I'm looking for practical solutions. I've read the Azure docs and they can get a little confusing.

Thank you,
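On the point raised above about whether a PowerShell JIT script is usable by developers on Linux: the Az PowerShell modules run on PowerShell 7 (pwsh) on Ubuntu, so the same cmdlets work there. What follows is an added example, not code from this thread or from the script the asker found. It creates a narrowly scoped custom role for JIT requesters, assigns it to a group, configures a JIT policy that keeps port 22 closed unless a request is approved, and shows the request a developer would make. The subscription ID, resource group, region, VM name, group object ID and source IP are placeholders, and the role's action list is the one Microsoft documents as the minimum for requesting JIT access (check it against the current Defender for Cloud docs before relying on it).

```powershell
# Added example (not from the original thread): JIT requester role + JIT policy
# with the Az modules, which run in pwsh on Ubuntu as well as on Windows.
# All IDs, names and the IP address below are placeholders.

# One-time, in pwsh on the Ubuntu box (pwsh itself assumed already installed):
#   Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
Connect-AzAccount   # device-code / browser login works from Linux

$subId  = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
$rg     = "web-rg"                                  # placeholder resource group
$loc    = "eastus"                                  # placeholder region
$vmName = "web-vm-01"                               # placeholder VM name
$vmId   = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Custom role: only what is needed to request a JIT port, nothing that lets the
#    holder edit the NSG or the VM. Action list per Microsoft's JIT docs (verify).
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.Name = "JIT VM Access Requester"
$role.Description = "Can request just-in-time network access to VMs in this resource group"
$role.Actions.Clear()
@(
  "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
  "Microsoft.Security/locations/jitNetworkAccessPolicies/*/read",
  "Microsoft.Compute/virtualMachines/read",
  "Microsoft.Network/networkInterfaces/*/read",
  "Microsoft.Network/publicIPAddresses/read"
) | ForEach-Object { $role.Actions.Add($_) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId/resourceGroups/$rg")
New-AzRoleDefinition -Role $role

# Assign it to the developers' Azure AD group, scoped to the resource group only.
New-AzRoleAssignment -ObjectId "<developers-group-object-id>" `   # placeholder
  -RoleDefinitionName "JIT VM Access Requester" `
  -Scope "/subscriptions/$subId/resourceGroups/$rg"

# 2. JIT policy (needs Security Admin / Contributor on the VM to set): port 22
#    stays closed by default and can be opened for at most 3 hours per request.
$jitPolicy = @{
  id    = $vmId
  ports = @(
    @{
      number                     = 22
      protocol                   = "TCP"
      allowedSourceAddressPrefix = @("*")   # requesters still have to name a source
      maxRequestAccessDuration   = "PT3H"   # ISO 8601 duration
    }
  )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $loc -Name "default" `
  -ResourceGroupName $rg -VirtualMachine @($jitPolicy)

# 3. What a developer with the custom role runs (same cmdlet in pwsh on Linux)
#    to open SSH to their own public IP for one hour.
$myIp = "203.0.113.10"   # placeholder, TEST-NET-3 address
$request = @{
  id    = $vmId
  ports = @(
    @{
      number                     = 22
      endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
      allowedSourceAddressPrefix = @($myIp)
    }
  )
}
Start-AzJitNetworkAccessPolicy `
  -ResourceId "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$loc/jitNetworkAccessPolicies/default" `
  -VirtualMachine @($request)
```

Two things worth knowing before handing this to developers: a newly created custom role can take a few minutes to become assignable, and the request step fails (by design) if the source prefix is wider than what the policy's allowedSourceAddressPrefix permits, so keep the policy at "*" only if you want requesters to choose their own IP each time.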
SOLUTION by David Favor
This solution is only available to members.
msidnam (asker):
Thank you David. We are using the CIS Hardened Ubuntu 18.04 LTS VM Image from Azure. The VM is pretty secure and we are using SSL on port 443 and blocking port 80.

My main concern is whether I should be doing anything else on the network side besides NSGs. I was thinking of doing the Qualys/Rapid7 vuln scanner and an IPS/IDS, but I am not sure if that is overkill for our small implementation. Also need to consider cost. I did not create the Azure firewall as it doesn't seem to do anything other than stop outgoing FQDNs (for $1.25 an hour plus I think $0.003 a GB).

As mentioned earlier I did enable the security center for around $14 a month a server. This gives me the JIT Access so I can block access to port 22 and only allow it when needed.
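As an added example (not from this thread) of the NSG side of the setup described in the post above, again in pwsh with the Az modules: one inbound allow for 443 from the Internet, everything else left to the built-in DenyAllInBound default rule (so port 80 is blocked without a rule of its own), the NSG attached to the VM's NIC, and a check of the rules that are actually in effect on that NIC. One caveat on mixing this with JIT: once a JIT policy covers port 22, Defender for Cloud manages the deny rule for that port and inserts a temporary allow rule for approved requests, and NSG rules are evaluated strictly by priority number, so a deny rule of your own for 22 with a lower number than the JIT rules would override the temporary allow and block approved requests. Resource group, region and NIC name are placeholders.

```powershell
# Added example (not from the original thread): minimal inbound NSG for a single
# web VM behind JIT, plus a check of the effective rules. Names are placeholders.

$rg      = "web-rg"         # placeholder resource group
$loc     = "eastus"         # placeholder region
$nicName = "web-vm-01-nic"  # placeholder NIC of the web VM

# The only inbound hole we open ourselves: HTTPS from the Internet service tag.
# No rule for 80, so it falls through to DenyAllInBound (priority 65500).
# No rule for 22 either: the JIT policy adds and manages that port's rules.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name "allow-https-in" `
  -Description "Public HTTPS to the web app" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 443

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
  -Name "web-nsg" -SecurityRules $allowHttps

# Attach to the NIC. With several VMs later, attaching one NSG to the subnet is
# easier to keep consistent than one per NIC.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface

# Check: effective rules merge NIC-level and subnet-level NSGs with the defaults.
# Every inbound Allow listed here that is not 443 (or a live JIT rule on 22,
# named by Defender for Cloud) is something to explain or remove. Note that
# AllowVnetInBound (65000) is a default: anything else in the VNet can reach
# this VM unless you add a deny above it.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName $nicName |
  ForEach-Object { $_.EffectiveSecurityRules } |
  Where-Object { $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" } |
  Select-Object Name, Priority, Protocol, SourceAddressPrefix, DestinationPortRange |
  Format-Table -AutoSize
```

Run the last pipeline again while a JIT request is active: the temporary allow rule for 22 should appear with the requester's source IP and disappear after the end time, which is a quick way to confirm the JIT policy and the NSG are not fighting each other.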
ASKER CERTIFIED SOLUTION
This solution is only available to members.
msidnam (asker):
Shaun,
We are using a CIS Hardened Ubuntu 18.04 VM from the marketplace as the server. Our developers log in and configure the server for their application and only allow ports 22 and 443. On my side (the Azure side) I am using NSGs and just-in-time access to help with network security.

But I am not sure if I need to install a vuln scanner and/or an IPS/IDS as well. Maybe that's all overkill for what we are doing?
IPS/IDS maybe, vulnerability scanner periodically.