
Secure Azure Infrastructure

I work in a small startup that is only hosted in Azure and I was wondering the best way to secure everything.

I use the below services

  • Web Apps (public facing)
  • Virtual machines - Running apps and services
  • Sql Server
  • Service Bus
  • Storage Account.

The web apps and the VMs need to communicate with the other three services.

Below is what we are currently doing. Is this correct and if not can you provide any resources to work from?

  1. Service bus - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
  2. Storage Account - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
  3. Sql server - This is currently using the firewall to "Allow access to Azure Services", plus restricting it to the client machines that need to access the DBs through SSMS.
  4. VM - this is restricted using Network Security Groups to only allow client machines to RDP on.

I would appreciate any help that can be provided.

Edit

Things that I am worried about are:

  • Sql Server "allow access to Azure". I can turn this off, but then the website will need to be added to the firewall, and as I understand it the IP address is not static. Is it a security concern to leave this on?
  • Storage accounts: the connection string allows unlimited access to the account. You can lock this down with SAS to IP addresses, but it has the same issues as the SQL server when connecting from the website. Also, the SAS is time-based; how is it renewed?

Sql Server "allow access to Azure". I can turn this off, but then the website will need to be added to the firewall, and as I understand it the IP address is not static. Is it a security concern to leave this on?

By default, "Allow access to Azure services" is turned on; enabling this feature allows any traffic from resources/services hosted in Azure to access the database.

Storage accounts: the connection string allows unlimited access to the account. You can lock this down with SAS to IP addresses, but it has the same issues as the SQL server when connecting from the website. Also, the SAS is time-based; how is it renewed?

A shared access signature can take one of two forms: an ad hoc SAS, and a SAS with a stored access policy. We could re-specify the start time, expiry time, and permissions to get a new ad hoc SAS. When we associate a SAS with a stored access policy, the SAS inherits the constraints (the start time, expiry time, and permissions) defined for the stored access policy; we could modify the stored access policy to revoke the SAS, or get a new SAS based on a new stored access policy.

For more information about Shared Access Signatures (SAS), you could read this article.
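The stored-access-policy workflow described in the answer above, written out as an added Az PowerShell example (not part of the original answer). The resource group, storage account, container and policy name are placeholder assumptions; it needs the Az.Accounts and Az.Storage modules and an existing Connect-AzAccount session.

```powershell
# Added example: issue a revocable, renewable SAS for a container via a stored access policy.
# Placeholder names: replace with your own resource group, storage account and container.
$resourceGroup  = "rg-placeholder"
$storageAccount = "stplaceholder"
$container      = "app-data"
$policyName     = "webapp-read"

# Storage context built from the account (uses the account key under the hood; this script
# runs on an admin workstation, not in the web app).
$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Context

# 1. Create the stored access policy: read + list only, 30-day lifetime.
New-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policyName `
    -Permission "rl" -StartTime (Get-Date) -ExpiryTime (Get-Date).AddDays(30) -Context $ctx

# 2. Issue a SAS that references the policy. No permissions or expiry are given here:
#    the token inherits them from the policy, so they can be changed later without reissuing.
$sas     = New-AzStorageContainerSASToken -Name $container -Policy $policyName -Context $ctx
$blobUri = "https://$storageAccount.blob.core.windows.net/$container$sas"
# Store $blobUri (or just $sas) in the web app / VM App Settings instead of the account connection string.

# 3. Renewal: extend the policy's expiry. Tokens already bound to the policy stay valid
#    for the new window, so nothing has to be redeployed.
Set-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policyName `
    -Permission "rl" -ExpiryTime (Get-Date).AddDays(60) -Context $ctx

# 4. Revocation: delete the policy and every SAS that references it stops working immediately.
Remove-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policyName -Context $ctx
```

Two practical limits to keep in mind: a stored access policy applies to service SAS tokens only (container, queue, table, file share), not to an account SAS, and each container allows at most five policies, so name them per consumer rather than per deployment.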

Regarding access to the SQL server from your web apps: they use up to four outbound IP addresses when connecting to external services. You could limit the SQL server access to those. Read this article to find them.

That won't completely close down foreign access to the SQL server, since other people's web apps use the same four outbound IP addresses.
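An added Az PowerShell example (not part of the original answer) of the firewall change the answer above suggests: read the web app's outbound addresses and replace the blanket "Allow access to Azure services" rule with one rule per address. Resource group, web app and SQL server names are placeholder assumptions; it needs the Az.Websites and Az.Sql modules and a Connect-AzAccount session.

```powershell
# Added example: pin the SQL server firewall to the web app's outbound IPs.
# Placeholder names: replace with your own resource group, web app and SQL server.
$resourceGroup = "rg-placeholder"
$webAppName    = "webapp-placeholder"
$sqlServerName = "sqlserver-placeholder"

# OutboundIpAddresses is the set in use right now; PossibleOutboundIpAddresses is the
# larger set the app can move to after a scale or SKU change. Using the larger set avoids
# an outage the next time the app is rescaled.
$app         = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName
$outboundIps = $app.PossibleOutboundIpAddresses -split "," | ForEach-Object { $_.Trim() }

# One firewall rule per address (start = end = the address).
$i = 0
foreach ($ip in $outboundIps) {
    New-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $sqlServerName `
        -FirewallRuleName ("webapp-outbound-{0:D2}" -f $i) -StartIpAddress $ip -EndIpAddress $ip
    $i++
}

# "Allow access to Azure services" is stored as a rule spanning 0.0.0.0-0.0.0.0; remove it
# only after the per-IP rules above exist.
Get-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $sqlServerName |
    Where-Object { $_.StartIpAddress -eq "0.0.0.0" -and $_.EndIpAddress -eq "0.0.0.0" } |
    ForEach-Object {
        Remove-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $sqlServerName `
            -FirewallRuleName $_.FirewallRuleName -Force
    }
```

Because those addresses are shared with other tenants' apps on the same scale unit, this narrows the exposure but does not isolate the server; the stronger option is to give the web app VNet integration and expose the SQL server only through a service endpoint or private endpoint on that VNet, which also removes the IP-list maintenance.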
