Harden VMs in Azure

Lab Overview:

This hands-on lab provides an Azure administrator with an understanding of how to set up the required resources to establish a minimal security level around your Azure resources, such as a public-facing web server. You will create a virtual network with a network and application security group, a server for hosting a web-site that is only accessible via web ports and has encryption enabled to protect its data. These skills are essential for Azure administrators and cloud-security experts.

Understand the scenario

You are a system administrator for a company that is migrating its primary web apps from its on-premises data center to Microsoft Azure. You need to create and deploy an Azure virtual machine and harden the virtual machine from a security point of view, using best practices. You will test the configuration, as a proof of concept. You are provided with an Azure resource group that initially contains no resources. You will create the necessary resources to complete the challenge.

Create an Azure virtual network using a network security group:

You are provided an empty Azure resource group. Your first task is to set up a virtual network, create a subnet within it, and create and assign that subnet to a network security group. These resources give you the networking capacity to now host a web service.

Deploy an Azure virtual machine for a web app using an application security group:

For this task, you will set up an application security group that can be associated with a web server that you will build. Once your application security group is created, you will learn how to install a virtual machine (Windows server) within your resource group. After the VM is created, you will associate the server with the previously created application security group. This will ensure that the appropriate virtual network rules will apply to your server and its web site.

Enable web connectivity using an application security group:

In this section, you will update your network security group by configuring two rules. One rule will allow access to your web server on ports 80 and 443 (HTTP and HTTPS). The other rule is temporary for remotely administering the server via remote desktop protocol (RDP), so you can initiate the IIS service and confirm configuration settings. When you configure the RDP rule, consider how you could make it very secure. By default, the instructor will guide you to allow any internet IP address to access RDP on your server. How could you make it more secure? (Hint: what’s your IP address?)

Enable Azure Disk Encryption:

Now that your web server is set up, you will learn how to enable disk encryption via the Azure Cloud Shell. You will learn the PowerShell commands required to create an Azure Key Vault, enable disk encryption on a target server, and verify that encryption is enabled. Furthermore, to confirm that the configuration is applied appropriately, you will remotely connect to the server again and use Microsoft Disk Management to review your hard drive configuration. You should see that the drives have been encrypted with BitLocker and that a BitLocker Encryption Key (Bek) volume has been created.

Lab Summary Conclusion:

In this hands-on virtual lab, you will learn how to harden an Azure virtual machine by configuring network and application security groups with rules that limit access to the systems within your virtual network. You will also learn how to use Azure to set up disk encryption on a Windows server VM. These skills are essential for an Azure administrator and cloud-security experts.

Other Challenges in this series

• Guided Challenge - Configure Security Using the Azure Kubernetes Service (AKS)
• Guided Challenge – Create Microsoft Azure Resource Locks on a WebApp