Azure
Table of contents
- Automate compliance in Azure using OpenAI
- Logical Storage Isolation
- Enable encryption at rest
- Encryption in transit
- Customer-Managed Keys
Automate compliance in Azure using OpenAI
- Azure Policy
Azure Policy is a service that enables you to create, assign, and enforce policies across your Azure environment. It helps you maintain compliance by defining and enforcing rules and regulations.
az policy assignment create --name <assignment-name> --scope <scope> --policy <policy-definition-id>
- Azure Security Center
Azure Security Center provides a unified view of security across your Azure resources. It offers recommendations and security alerts to help you identify and address security vulnerabilities and compliance issues.
az security assessment create --name <assessment-name> --resource-group <resource-group> --scopes <scopes> --standard-name <standard-name>
- Azure DevOps Pipelines
Azure DevOps Pipelines is a CI/CD platform that allows you to automate the build, test, and deployment processes of your applications and infrastructure.
- task: AzureCLI@2
displayName: 'Run compliance check'
inputs:
azureSubscription: '<subscription>'
scriptLocation: 'inlineScript'
inlineScript: |
# Run compliance check command here
Logical Storage Isolation
- Azure Storage Accounts
Azure Storage Accounts provide a scalable and secure storage solution in Azure. You can create multiple storage accounts to achieve logical isolation of your data.
az storage account create --name <storage-account-name> --resource-group <resource-group> --location <location> --kind StorageV2 --sku Standard_LRS
- Azure Virtual Networks
Azure Virtual Networks allow you to create isolated network environments within Azure. You can associate your storage accounts with specific virtual networks to achieve logical network isolation.
az network vnet create --name <virtual-network-name> --resource-group <resource-group> --location <location> --address-prefixes 10.0.0.0/16
- Azure RBAC (Role-Based Access Control)
Azure RBAC enables you to manage access to Azure resources. By assigning appropriate roles and permissions, you can control who has access to your storage accounts and enforce logical access controls.
az role assignment create --assignee <user-or-group-id> --role <role-name> --scope <scope>
Enable encryption at rest
- Azure Storage Service Encryption
Azure Storage Service Encryption automatically encrypts your data at rest in Azure Storage Accounts. It uses Microsoft-managed keys to provide seamless encryption without any additional configuration.
az storage account update --name <storage-account-name> --resource-group <resource-group> --encryption-services blob --encryption-key-type Account --encryption-key-source Microsoft
- Azure Disk Encryption
Azure Disk Encryption enables you to encrypt the OS and data disks of Azure Virtual Machines. It uses Azure Key Vault to securely store and manage the encryption keys.
az vm encryption enable --name <vm-name> --resource-group <resource-group> --disk-encryption-keyvault <key-vault-name> --volume-type all
- Azure Key Vault
Azure Key Vault is a centralized cloud service for managing and safeguarding cryptographic keys, certificates, and secrets. You can use Key Vault to manage encryption keys used for encryption at rest in Azure.
az keyvault create --name <key-vault-name> --resource-group <resource-group> --location <location>
Encryption in transit
- Azure Application Gateway
Azure Application Gateway is a web traffic load balancer that enables SSL termination at the gateway to ensure secure communication between clients and the backend servers.
az network application-gateway create --name <app-gateway-name> --resource-group <resource-group> --frontend-ip-name <frontend-ip-name> --http-settings-cookie-based-affinity Disabled --http-settings-protocol Https --frontend-port 443 --http-settings-port 443 --ssl-cert <ssl-cert-name> --servers <backend-server-ips> --sku Standard_v2 --public-ip-address <public-ip-name> --subnet <subnet-name> --vnet-name <vnet-name>
- Azure Load Balancer
Azure Load Balancer distributes incoming network traffic across multiple resources to improve availability and scale applications. You can configure a Load Balancer with SSL/TLS termination to enable encryption in transit.
az network lb create --name <load-balancer-name> --resource-group <resource-group> --frontend-ip-name <frontend-ip-name> --backend-pool-name <backend-pool-name> --public-ip-address <public-ip-name> --protocol Tcp --frontend-port 443 --backend-port 443 --enable-tcp-reset --sku Standard
- Azure Traffic Manager
Azure Traffic Manager enables you to distribute incoming traffic across multiple endpoints in different regions or Azure Availability Zones. It supports SSL/TLS termination at the Traffic Manager level to ensure secure communication.
az network traffic-manager profile create --name <tm-profile-name> --resource-group <resource-group> --routing-method Priority --unique-dns-name <unique-dns-name> --protocol Https --port 443 --path /
Customer-Managed Keys
- Azure Key Vault
Azure Key Vault is a cloud service that enables you to safeguard and control cryptographic keys, secrets, and certificates used by your applications and services.
az keyvault create --name <key-vault-name> --resource-group <resource-group> --location <location>
- Azure Disk Encryption
Azure Disk Encryption provides encryption at rest for virtual machine disks by using keys and secrets stored in Azure Key Vault.
az vm encryption enable --name <vm-name> --resource-group <resource-group> --disk-encryption-keyvault <key-vault-url> --volume-type [OS|Data] --volume-encryption-keyvault <key-vault-url>
- Azure Disk Encryption Set
Azure Disk Encryption Set is a grouping of Azure managed disks that share the same encryption settings and policies.
az disk encryption-set create --name <encryption-set-name> --resource-group <resource-group> --source-vault <key-vault-url> --encryption-key <encryption-key-url> --key-encryption-key <key-encryption-key-url>