TL;DR
This guide helps you find and fix publicly exposed resources in your Azure subscription to improve your cyber security. We’ll cover using the Azure Portal, Azure CLI, and some key settings to lock things down.
1. Understand Public Exposure
Resources are ‘publicly exposed’ if they can be accessed directly from the internet without needing a VPN or other secure connection. This is usually due to misconfigured network security rules or public IP addresses assigned directly to VMs or services.
2. Identify Exposed Resources using Azure Portal
- Sign in to the Azure portal: Go to https://portal.azure.com and log in with your account.
- Search for ‘Network Security Groups’: In the search bar at the top, type “Network security groups” and select it.
- Review NSG rules: For each Network Security Group (NSG) associated with your VMs or subnets:
- Click on an NSG to view its details.
- Go to ‘Inbound security rules’.
- Look for rules with Source set to “Any” or “*” and a Port range that’s open (e.g., 80, 443, 22). These are potential public access points.
- Check Public IP addresses: Search for ‘Public IP addresses’. Review each one:
- Click on a Public IP address to view its details.
- Note which resource it’s associated with (e.g., VM, Load Balancer). If the resource doesn’t *need* public access, remove the IP address or change it to ‘Standard’ SKU and disable public access.
3. Identify Exposed Resources using Azure CLI
The Azure CLI lets you automate finding exposed resources.
- Install the Azure CLI: If you haven’t already, install it by following Microsoft’s installation instructions for your platform.
- Login to your Azure subscription: Open a terminal or command prompt and run:
az login
- List VMs with Public IPs: Use this command to find VMs directly exposed via public IP addresses (az vm list-ip-addresses reports public IPs under virtualMachine.network.publicIpAddresses, so the query path below reflects that shape):
az vm list-ip-addresses --query "[].virtualMachine.{name:name, publicIps:join(', ', network.publicIpAddresses[].ipAddress)}" -o table
- List NSGs with open ports: This command shows the inbound Allow rules of one NSG whose source is ‘Any’ or the Internet service tag. JMESPath string literals use single quotes, so the whole query is wrapped in double quotes; az network nsg rule list requires the resource group and NSG name, so replace the placeholders with your own values:
az network nsg rule list -g <resource-group> --nsg-name <nsg-name> --query "[?direction=='Inbound' && access=='Allow' && (sourceAddressPrefix=='*' || sourceAddressPrefix=='Internet')].{name:name, priority:priority, ports:destinationPortRange}" -o table
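As an added example (not code from the original guide), the Python script below applies the same check to the JSON output of az network nsg list, so it covers every NSG in the subscription in one pass and also handles rules that use the plural sourceAddressPrefixes and destinationPortRanges fields, which a query on sourceAddressPrefix alone would miss. The embedded sample data is constructed; the field names follow the CLI’s JSON output.

```python
import json
import sys

# Sources an NSG rule can name that mean "anyone on the internet".
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed sample shaped like `az network nsg list -o json`, trimmed to the fields the scan reads.
SAMPLE_NSG_JSON = """[
 {"name": "web-nsg", "resourceGroup": "rg-prod", "securityRules": [
   {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
    "sourceAddressPrefix": "*", "sourceAddressPrefixes": [], "destinationPortRange": "443", "destinationPortRanges": []},
   {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
    "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [], "destinationPortRange": "22", "destinationPortRanges": []},
   {"name": "allow-mgmt", "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "*",
    "sourceAddressPrefix": null, "sourceAddressPrefixes": ["Internet", "10.0.0.0/8"],
    "destinationPortRange": null, "destinationPortRanges": ["3389", "5985-5986"]}]},
 {"name": "db-nsg", "resourceGroup": "rg-prod", "securityRules": [
   {"name": "allow-sql-vnet", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
    "sourceAddressPrefix": "VirtualNetwork", "sourceAddressPrefixes": [], "destinationPortRange": "1433", "destinationPortRanges": []}]}
]"""

def _one_or_many(rule, single, plural):
    # The CLI fills either the singular field or the plural list, never both.
    return [rule[single]] if rule.get(single) else list(rule.get(plural) or [])

def find_internet_exposed_rules(nsgs):
    """Inbound Allow rules whose source includes the internet, sorted by NSG then priority."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
                continue
            sources = _one_or_many(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
            if not INTERNET_SOURCES.intersection(sources):
                continue  # restricted to a CIDR or a service tag such as VirtualNetwork
            findings.append({
                "nsg": nsg["name"], "resourceGroup": nsg.get("resourceGroup"),
                "rule": rule["name"], "priority": rule.get("priority"), "protocol": rule.get("protocol"),
                "ports": _one_or_many(rule, "destinationPortRange", "destinationPortRanges"),
            })
    # A lower-numbered Deny rule in the same NSG would still win over a finding; review those by hand.
    return sorted(findings, key=lambda f: (f["nsg"], f["priority"]))

def scan_nsg_json(text):
    return find_internet_exposed_rules(json.loads(text))

if __name__ == "__main__":
    # Pipe real output in with: az network nsg list -o json | python3 scan_nsg.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_NSG_JSON
    for f in scan_nsg_json(text):
        print(f"{f['nsg']}/{f['rule']} (priority {f['priority']}): {f['protocol']} {','.join(f['ports'])}")
```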
4. Secure Your Resources
- Remove unnecessary Public IP addresses: If a VM doesn’t need direct internet access, delete its public IP address.
- In the Azure portal, go to the Public IP address resource.
- Click ‘Delete’.
- Restrict NSG rules: Limit inbound traffic to only necessary sources and ports:
- Instead of “Any”, specify specific IP addresses or CIDR blocks that need access.
- Only open the ports required for your application (e.g., 80, 443 for web servers).
- Use Service Tags where possible instead of hardcoded IPs.
- Consider Azure Firewall: For more complex network security requirements, use Azure Firewall to control traffic centrally.
- Use Application Security Groups (ASGs): ASGs allow you to group VMs and apply NSG rules based on application roles.
- Disable Public Access where possible: Some services have settings to disable public access directly. Check the documentation for each service you use.
- For example, Storage Accounts can be configured to block public access at the account or container level.
5. Regularly Review and Monitor
Cyber security is ongoing. Schedule regular reviews of your Azure resources and network configurations to identify and address any new potential exposures.

