Saturday, July 28, 2018

Azure - Tips & Tricks We Should Know


Tip #01 - Enablement Of Ping On Windows VM

Ping is widely used to check connectivity from one VM to another. It uses the Internet Control Message Protocol (ICMP), which the Windows Firewall blocks inbound by default. You can allow ICMP through the Windows Firewall on the target server so that you can ping it from the other server. Below is the PowerShell command to achieve the same:

New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Direction Inbound -Protocol ICMPv4 -Action Allow
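The rule above accepts ICMPv4 from any source. The following added example (not from the original post) narrows it to echo requests from the VNet address range only, and then reads the rule back to confirm what it matches; the 10.0.0.0/16 range is an assumed placeholder for your VNet.

```powershell
# Added example: inbound ICMP echo rule scoped to the VNet, plus a read-back check.
# 10.0.0.0/16 is an assumed placeholder; replace with your VNet address space.
$vnetRange = "10.0.0.0/16"   # assumed
$ruleName  = "Allow ICMPv4 Echo-In (VNet only)"

# IcmpType 8 = echo request; RemoteAddress limits which peers may ping this VM.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $vnetRange -Profile Any -Action Allow | Out-Null

# Check: the rule is enabled, matches only ICMP type 8, and only the VNet range.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Direction, Action
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, IcmpType
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run it in an elevated PowerShell session on the VM that should answer pings. If the read-back shows `RemoteAddress` as `Any`, the scope was not applied and the rule is wider than intended.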

Tip #02 - Deny All To Internet

Most of the time you will hear architects designing their security layers by denying all traffic to the Internet (in Azure, through an NSG). Though this protects your network from data leakage and malware, at times it causes frustration and breaks things that are supposed to function smoothly. Sometimes your VMs do need access to Azure IP addresses (services like Azure Storage, Azure SQL Database, etc.). Since these IPs also fall under the Internet tag, when you block the Internet you unknowingly block access to these services as well. There is a very good solution for this scenario by Microsoft's Keith Mayer; you can refer to his article for a more comprehensive approach.
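One way to keep the deny-all rule without breaking access to Azure services is to place allow rules for the `Storage` and `Sql` service tags at a higher priority than the `Internet` deny. The following is an added example (not from the original post or from Keith Mayer's article) using the Az PowerShell module; the resource group, NSG name, location and ports are assumed placeholders.

```powershell
# Added example: outbound NSG rules that allow the service tags a VM needs
# before a catch-all Deny-Internet rule. Names and location are assumed.
$rg  = "rg-example"       # assumed
$nsg = "nsg-app-subnet"   # assumed
$loc = "westeurope"       # assumed

# Service tags (Storage, Sql) resolve to Microsoft-maintained IP ranges,
# so there is no hand-kept list of datacenter IPs to go stale.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name "Allow-Storage-Out" `
    -Description "VM access to Azure Storage over HTTPS" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Storage -DestinationPortRange 443

$allowSql = New-AzNetworkSecurityRuleConfig -Name "Allow-Sql-Out" `
    -Description "VM access to Azure SQL Database" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 110 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Sql -DestinationPortRange 1433

# Catch-all deny evaluated last (higher number = lower priority). On its own
# this rule would also block Storage and SQL, whose ranges sit inside Internet.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name "Deny-Internet-Out" `
    -Description "Block all other Internet-bound traffic" `
    -Access Deny -Protocol * -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange *

New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name $nsg `
    -SecurityRules $allowStorage, $allowSql, $denyInternet | Out-Null

# Check: print outbound rules in evaluation order; the two Allows must
# appear above the Deny, otherwise the service traffic is still blocked.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsg).SecurityRules |
    Where-Object Direction -eq Outbound |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, DestinationAddressPrefix, DestinationPortRange
```

If the SQL client uses the redirect connection policy it also needs ports 11000-11999 open to the `Sql` tag; the example only covers the proxy port 1433. Regional tags such as `Storage.WestEurope` narrow the allow further when the VM only talks to storage in its own region.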

Tip #03 - Storage Account Key Rotation

Creating a storage account automatically generates a pair of shared access keys, and these keys have proven to be the most commonly used option for accessing the storage account. VNet integration lets you reach a storage account through VNet service endpoints, but that option has an operating radius that is at times limited to the IaaS space. When an Azure Storage Account is accessible over the Internet (PaaS), the shared access key is what grants access.

In such a situation, when an individual possessing these keys leaves the organization, the keys are left vulnerable and exposed. To mitigate this, Azure best practice calls for a robust key rotation policy, which means rotating the keys periodically.

Since shared access keys come in a pair, for an enterprise-grade key rotation solution we integrate the rotation policy with Azure Automation, Log Analytics and Key Vault:
  • Regenerate Key-2 for the given storage account
  • Wait an acceptable time period to ensure Key-2 is active
  • Update the secret in Azure Key Vault with the new value of Key-2
  • Repeat the same steps for Key-1 regeneration
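The four steps above, carried through as an Azure Automation runbook, are shown in the following added example (not from the original post). It uses the Az PowerShell cmdlets and assumes the Automation account signs in with a managed identity; the resource group, storage account, vault and secret names, and the two wait periods are assumed placeholders.

```powershell
# Added example: rotate key2 then key1 of a storage account, verifying each
# new key before publishing it to Key Vault. All names below are assumed.
param(
    [string]$ResourceGroup   = "rg-example",        # assumed
    [string]$StorageAccount  = "stexample001",      # assumed
    [string]$KeyVaultName    = "kv-example",        # assumed
    [string]$SecretName      = "stexample001-key",  # assumed
    [int]$SettleSeconds      = 300,   # wait after regenerating before trusting the key
    [int]$ConsumerSeconds    = 1800   # wait for consumers to pick up the new secret
)

Connect-AzAccount -Identity | Out-Null   # Automation account's managed identity

function Invoke-KeyRotation {
    param([ValidateSet("key1", "key2")][string]$KeyName)

    # Step 1: regenerate only the requested key; the other key keeps working.
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroup `
        -Name $StorageAccount -KeyName $KeyName | Out-Null
    $newValue = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount |
                 Where-Object KeyName -eq $KeyName).Value

    # Step 2: wait, then prove the new key is live by listing containers with it.
    # -ErrorAction Stop makes a failed probe abort before the secret is overwritten.
    Start-Sleep -Seconds $SettleSeconds
    $ctx = New-AzStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $newValue
    Get-AzStorageContainer -Context $ctx -ErrorAction Stop | Out-Null

    # Step 3: publish the value to Key Vault. Consumers read the secret, so the
    # raw key never has to be handed to a person or pasted into config.
    $secure = ConvertTo-SecureString -String $newValue -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName -SecretValue $secure `
        -ContentType "azure-storage-key" `
        -Tag @{ keyName = $KeyName; rotated = (Get-Date).ToString("o") } | Out-Null

    # Runbook output is collected by Automation job logs (and Log Analytics if linked).
    Write-Output "Rotated $KeyName for $StorageAccount; secret $SecretName updated"
}

# Key-2 first, then give consumers time to move onto it before Key-1 changes.
Invoke-KeyRotation -KeyName "key2"
Start-Sleep -Seconds $ConsumerSeconds

# Step 4: repeat for Key-1 so neither key outlives one rotation cycle.
Invoke-KeyRotation -KeyName "key1"
```

The rotation is only safe if every consumer re-reads the Key Vault secret within `$ConsumerSeconds`; anything still holding the old Key-1 value in memory breaks at the second regeneration. The managed identity needs the Storage Account Key Operator role on the storage account and set-secret permission on the vault, and nothing else.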