Securing your Azure Environment Part II / Hub n Spoke

So in my previous post I covered the basic concepts of securing your cloud environment. In this post I want to dive a bit deeper into how we start implementing this process. First I would like to point out that this is a default starter template. Every environment is different and requires specific tailoring to fit the needs of the client.

So to begin with I would like to introduce you to a concept called Hub n Spoke. This concept is nearly always used in enterprise cloud environments. The basic idea is that the network is segmented into multiple VNets: a single Hub VNet and multiple Spoke VNets. So what’s a hub VNet, you ask? A Hub VNet is a central VNet that holds all shared resources, mainly, but not only, from a networking perspective. In most cases the Hub will contain corporate firewalls, WAFs (Web Application Firewalls), DDoS protection, proxies and so on. In many cases the Hub will also contain Domain Controllers, anti-virus servers, SIEM collectors and so on. The spokes hold the actual workloads; these could range from a standard VM setup to AKS (Kubernetes) and even a mix of PaaS based services such as web apps, Azure SQL and so on. The reasoning behind this is fairly simple.

  1. On the one hand we want to allow different departments access to the cloud, and we would like to offer them a high degree of independence when using it. However we still need to govern and secure these environments. Centralizing and isolating all security and shared resources in the hub therefore allows us to keep controls in place while still delegating the spoke environments to the required departments.
  2. Many companies are approaching the cloud from a hybrid perspective. They already have on-prem solutions in place such as firewalls, anti-virus solutions etc., and they have personnel with a high level of expertise on these solutions. It wouldn’t necessarily make sense for them to use native cloud solutions, as this would require them to manage multiple technologies (both on-prem and cloud). Therefore using Marketplace offerings to deploy their existing 3rd party solutions into the cloud makes more sense to these companies.

So, how does it work? Let’s take a look at the following diagram.

On the left we have the Hub-VNet. The hub here contains firewalls, WAFs and some virtual machines, each deployed to its own subnet, so we also have segmentation within the VNet itself. All of this is managed by IT staff. On the right we have the Spoke-VNet, or in other words the actual workload, which in this scenario is an AKS cluster. Between the two VNets you can see that we have peering and a UDR. The peering connects the VNets together to allow network traffic to flow between them. The UDR (user defined route) routes all outbound traffic from the spoke VNet to the firewalls in the hub, so we now have full control of all traffic leaving the VNet, similar to what we would expect in an on-prem environment. We then implement an Azure Policy to force the use of both the peering and the UDR. Finally we also make use of Private Endpoints. Private Endpoints allow us to use PaaS based services as if they were part of our VNet. While these services usually have only public endpoints, the use of a private link assigns them a private IP from our VNet range, allowing us to restrict access to internal resources only. Once all of this is in place we can delegate control of the spoke VNet to the required department, knowing that all traffic is flowing through our hub and that we have control and governance of the environment.
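As an added example (not from the original post), here is an Azure Policy definition that audits the UDR half of the enforcement described above: any route table that lacks a 0.0.0.0/0 route whose next hop is the hub firewall is flagged. The firewall private IP and the effect are assumed to be supplied as assignment parameters; the description field in the definition restates that this is an example.

```json
{
  "properties": {
    "displayName": "Route tables must send default traffic to the hub firewall",
    "description": "Example definition for the hub-and-spoke UDR control; the firewall IP is an assignment parameter.",
    "mode": "All",
    "parameters": {
      "firewallPrivateIp": {
        "type": "String",
        "metadata": { "description": "Private IP of the hub firewall used as the UDR next hop" }
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Audit",
        "metadata": { "description": "Audit first, switch to Deny once spokes are compliant" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/routeTables" },
          {
            "count": {
              "field": "Microsoft.Network/routeTables/routes[*]",
              "where": {
                "allOf": [
                  { "field": "Microsoft.Network/routeTables/routes[*].addressPrefix", "equals": "0.0.0.0/0" },
                  { "field": "Microsoft.Network/routeTables/routes[*].nextHopType", "equals": "VirtualAppliance" },
                  { "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress", "equals": "[parameters('firewallPrivateIp')]" }
                ]
              }
            },
            "equals": 0
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assign it at the management group or subscription that holds the spokes. Note that it only checks the contents of route tables; whether every spoke subnet actually has a route table associated, and whether the peering to the hub exists, need separate definitions.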

This is what I like to call a well-architected approach.

Stay tuned for the next post where we will discuss the use of Microsoft Defender for Cloud.

Azure Automanage

So we’ve all been there: we’ve set up a new Azure environment based on Windows Server and started configuring everything: Backup, Monitor, Log Analytics, Security Center, Updates…

Now, to be honest, configuring each of these services separately is a bit of a pain and also requires onboarding each VM to each service. To make it worse, you may in the future add an additional VM and forget to configure one of the required services.

This is where the new Azure Automanage comes into play. Azure Automanage allows you to onboard your VM automatically to these services.

Azure Automanage will allow you to:

  • Intelligently onboard virtual machines to selected best-practice Azure services
  • Automatically configure each service per Azure best practices
  • Monitor for drift and correct it when detected
  • Provide a simple experience (point, click, set, forget)

Once onboarded, VMs are automatically configured based on best practices from the Microsoft Cloud Adoption Framework. These include:

  • VM Insights Monitoring
    Azure Monitor for VMs monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources.
  • Backup
    Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Charges are based on the number and size of VMs being protected.
  • Azure Security Center
    Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud. Automanage will configure the subscription where your VM resides to the free-tier offering of Azure Security Center. If your subscription is already onboarded to Azure Security Center, Automanage will not reconfigure it.
  • Microsoft Antimalware
    Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems.
  • Update Management
    You can use Update Management in Azure Automation to manage operating system updates for your virtual machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers.
  • Change Tracking & Inventory
    Change Tracking and Inventory combines change tracking and inventory functions to allow you to track virtual machine and server infrastructure changes. The service supports change tracking across services, daemons, software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items.
  • Azure Automation Account
    Azure Automation supports management throughout the lifecycle of your infrastructure and applications.
  • Log Analytics Workspace
    Azure Monitor stores log data in a Log Analytics workspace, an Azure resource and container where data is collected and aggregated, and which serves as an administrative boundary.

The service is currently in preview and only available for Windows; Linux support will be added in the future. While in preview, the service is offered at no additional cost.

Onboarding is pretty straightforward: just navigate to the Automanage blade in the portal.

Click the "Enable on existing VM" button and choose the VMs you wish to onboard. You will also be offered a choice of profiles (currently Production or Dev/Test). You can of course customize the profile with your own preferences, allowing you to choose backup times and change the anti-malware configuration.

If you wish to automate this process for all future VMs, you can use Azure Policy to assist.

Asset inventory experience in Azure Security Center

The new Azure Security Center Asset Inventory allows you to view all resources being monitored by Security Center. So now, rather than just seeing alerts and the resource each alert is associated with, you can see all assets being monitored and the alerts associated with each asset.

As you can see in the screenshot, you can also see whether an asset (resource) is covered by the Standard (paid) tier or only has the partial (free) coverage.

This should make it much easier to:

  • View resources covered by Security Center
  • View the coverage level (free vs paid) of resources
  • Investigate the security status of a specific resource
  • Filter resources that share a specific vulnerability

The service is currently in public preview, so we can expect more features to be added before GA.