You're reading from  The Self-Taught Cloud Computing Engineer

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781805123705
Edition: 1st Edition
Author: Dr. Logan Song

Dr. Logan Song is the enterprise cloud director and chief cloud architect at Dito. With 25+ years of professional experience, Dr. Song is highly skilled in enterprise information technologies, specializing in cloud computing and machine learning. He is a Google Cloud-certified professional solution architect and machine learning engineer, an AWS-certified professional solution architect and machine learning specialist, and a Microsoft-certified Azure solution architect expert. Dr. Song holds a Ph.D. in industrial engineering, an MS in computer science, and an ME in management engineering. Currently, he is also an adjunct professor at the University of Texas at Dallas, teaching cloud computing and machine learning courses.

Azure Cloud Security Services

In Chapter 7 of the book, we discussed Amazon cloud security, learned the core cloud security concepts, and looked at a case study about automated threat detection and remediation in the AWS cloud. In Chapter 11 of the book, we explored Google Cloud security measures and practices, highlighting Security Command Center, the most comprehensive security service in Google Cloud. Now, building on our knowledge of cloud security and of the Azure cloud, we will go a level up and discuss some advanced cloud security topics specific to Azure. We will first summarize the best practices in Azure cloud security, then discuss Azure cloud security reference architectures, and finally conduct an Azure security case study.

In this chapter, we will cover the following topics:

  • Azure cloud security best practices, including Azure Security Center, Identity and Access Management (IAM), Virtual Machine (VM) protection, network protection...

Azure cloud security best practices

Azure cloud security follows the shared responsibility model: security of the cloud (the physical data centers, hosts, and the platform itself) is the service provider’s responsibility, and security in the cloud (identities, configuration, network boundaries, and data) is the consumer’s responsibility. We will summarize Azure cloud security best practices, including Azure Security Center, IAM, VM security, virtual network (vNet) security, data security, encryption, and privacy.

Azure Security Center

Azure Security Center (renamed Microsoft Defender for Cloud in late 2021; the Azure CLI commands still live under az security) provides a unified view of Azure cloud resources and offers security recommendations to help you strengthen your security posture. It should be enabled for all Azure subscriptions and resources. We recommend the following Azure Security Center best practices:

  • Regularly review and implement Azure Security Center recommendations, which are based on security industry best practices and, thus, can help you address cloud security vulnerabilities and misconfigurations.
  • Regularly review Security Center alerts and apply the latest patches and updates to Azure...
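The review loop the two practices above describe can be scripted from the Azure CLI. The following is an added example, not code from the book: it turns on the paid Defender plan for a resource type (recommendations alone do not give you threat detection), pulls the recommendations that are currently Unhealthy, and lists active alerts with the highest severity first. It assumes az login has been run and a default subscription is selected; the RUN_REVIEW switch and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the book): review Defender for Cloud (formerly
# Azure Security Center) posture from the Azure CLI and triage active alerts.
# Assumes `az login` has been run and the default subscription is selected.
set -eu

# Turn on the paid Defender plan for a resource type (e.g. VirtualMachines,
# KeyVaults) so the subscription gets vulnerability assessment and threat
# detection, not only configuration recommendations.
enable_defender_plan() {
  az security pricing create --name "$1" --tier standard --output none
}

# Unhealthy assessments are the misconfigurations Security Center wants fixed.
list_unhealthy_recommendations() {
  az security assessment list \
    --query "[?status.code=='Unhealthy'].[displayName, resourceDetails.id]" \
    --output tsv
}

# Active alerts as TSV rows: severity <TAB> title <TAB> affected resource
fetch_active_alerts() {
  az security alert list \
    --query "[?status=='Active'].[severity, alertDisplayName, compromisedEntity]" \
    --output tsv
}

# Order alert rows so High comes before Medium, Low and Informational;
# unknown severities sort last. Pure text processing on stdin, so it also
# works on saved output when the CLI is not available.
rank_alerts() {
  awk -F'\t' 'BEGIN { r["High"]=0; r["Medium"]=1; r["Low"]=2; r["Informational"]=3 }
              { k = ($1 in r) ? r[$1] : 9; print k "\t" $0 }' \
    | sort -n | cut -f2-
}

main() {
  enable_defender_plan VirtualMachines
  enable_defender_plan KeyVaults
  echo "== Unhealthy recommendations =="
  list_unhealthy_recommendations
  echo "== Active alerts, highest severity first =="
  fetch_active_alerts | rank_alerts
}

# Only talk to Azure when the CLI is present and the caller opts in
# (RUN_REVIEW=1); otherwise the functions can be sourced and reused.
if [ "${RUN_REVIEW:-0}" = "1" ] && command -v az >/dev/null 2>&1; then
  main
fi
```

Run it with RUN_REVIEW=1 bash review.sh. Enabling a plan with az security pricing create is billable per resource, so do it per subscription deliberately rather than in a loop over every subscription you can see.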

Azure cloud security reference architectures

A security reference architecture describes a proven way of combining specific technologies to solve a particular class of problem. There are many solution architectures for Azure cloud security; we will focus on two subjects: the Azure hybrid cloud infrastructure, and Azure SIEM and SOAR.

Azure hybrid cloud infrastructure

The Azure hybrid cloud infrastructure architecture is a framework provided by Microsoft to guide organizations in designing and implementing a hybrid cloud environment. It combines the capabilities of on-premises infrastructure with Azure cloud services, enabling seamless integration, scalability, and flexibility. Figure 15.1 shows an Azure hybrid cloud infrastructure:

Figure 15.1 – Azure hybrid cloud infrastructure

The key components and concepts are the following:

  • On-premises infrastructure includes existing data centers, servers, networking equipment, and other resources of an on-premises...

An Azure cloud security case study

Company XYZ currently has a small number of applications in Azure, and they are planning a significant expansion of the Azure cloud to meet their business needs. To support the large-scale environment, they are building a flexible backbone network to support the connectivity between the Azure cloud and on-prem resources, with a robust security solution to partition internet-facing networks from an intranet environment. In this case study of Company XYZ’s cloud deployment project, we will focus on two aspects – cloud infrastructure security and network security.

Organizational infrastructure security

Based on the customer environment, we will architect an organizational hierarchy of Azure management groups and subscriptions.

Management groups

Management groups sit at the top of the Azure resource management hierarchy, above subscriptions, resource groups, and individual resources. RBAC role assignments and Azure Policy assignments applied at a management group will flow to all objects below...
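The inheritance just described is easiest to see by building the hierarchy and then listing what a subscription actually inherits. The following is an added example, not the book's own deployment: it creates a root management group for Company XYZ with an internet-facing branch and an intranet branch, defines a deny-public-IP policy at the root, assigns it only to the intranet branch (so the intranet partition cannot acquire internet-facing addresses), grants a network operations group one role at the root, and then shows the inherited assignments from the subscription's point of view. The management group names (xyz-root, xyz-internet, xyz-intranet), the policy name, and the INTRANET_SUB_ID and NETOPS_GROUP_ID variables are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the book): build Company XYZ's management group
# hierarchy and show that Azure Policy and RBAC assignments made at a
# management group are inherited by the subscriptions beneath it.
# Assumed names: xyz-root, xyz-internet, xyz-intranet. Assumed env vars:
# INTRANET_SUB_ID (subscription GUID), NETOPS_GROUP_ID (group object ID).
set -eu

# Full ARM scope string for a management group; this is what --scope expects.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Resource ID of a policy definition that lives at a management group.
policy_definition_id() {
  printf '%s/providers/Microsoft.Authorization/policyDefinitions/%s' "$(mg_scope "$1")" "$2"
}

# Policy rule: deny creation of public IP addresses. Assigned to the intranet
# branch only, it keeps internet-facing resources out of the intranet partition.
deny_public_ip_rule() {
  cat <<'EOF'
{
  "if": { "field": "type", "equals": "Microsoft.Network/publicIPAddresses" },
  "then": { "effect": "deny" }
}
EOF
}

create_hierarchy() {
  az account management-group create --name xyz-root --display-name "Company XYZ"
  az account management-group create --name xyz-internet --display-name "Internet-facing" --parent xyz-root
  az account management-group create --name xyz-intranet --display-name "Intranet" --parent xyz-root
  az account management-group subscription add --name xyz-intranet --subscription "$INTRANET_SUB_ID"
}

apply_guardrails() {
  # Definition at the root so either branch could assign it; the assignment
  # goes on the intranet branch only and is inherited by its subscriptions.
  az policy definition create --name deny-public-ip --display-name "Deny public IP addresses" \
    --mode All --management-group xyz-root --rules "$(deny_public_ip_rule)"
  az policy assignment create --name deny-public-ip-intranet \
    --policy "$(policy_definition_id xyz-root deny-public-ip)" \
    --scope "$(mg_scope xyz-intranet)"
  # One RBAC assignment at the root covers every subscription under it.
  az role assignment create --assignee-object-id "$NETOPS_GROUP_ID" --assignee-principal-type Group \
    --role "Network Contributor" --scope "$(mg_scope xyz-root)"
}

# Inherited assignments only appear when strict scope matching is disabled
# (policy) or inherited assignments are explicitly included (RBAC).
show_effective_assignments() {
  az policy assignment list --scope "/subscriptions/$INTRANET_SUB_ID" \
    --disable-scope-strict-match --query "[].{name:name, scope:scope}" --output table
  az role assignment list --scope "/subscriptions/$INTRANET_SUB_ID" --include-inherited \
    --query "[].{role:roleDefinitionName, principal:principalName, scope:scope}" --output table
}

# Only talk to Azure when the CLI is present and the caller opts in (RUN_DEPLOY=1).
if [ "${RUN_DEPLOY:-0}" = "1" ] && command -v az >/dev/null 2>&1; then
  : "${INTRANET_SUB_ID:?set INTRANET_SUB_ID}" "${NETOPS_GROUP_ID:?set NETOPS_GROUP_ID}"
  create_hierarchy
  apply_guardrails
  show_effective_assignments
fi
```

Run with RUN_DEPLOY=1 INTRANET_SUB_ID=<guid> NETOPS_GROUP_ID=<object-id> bash hierarchy.sh. The point to verify is the last step: the deny-public-ip-intranet assignment and the Network Contributor role both show a management group scope, not the subscription, which is why a subscription owner cannot remove them. A deny effect inherited from a parent cannot be overridden by an allow below it; if a workload in the intranet branch legitimately needs a public IP, move it to the internet-facing branch or add a narrowly scoped policy exemption rather than weakening the branch-level assignment.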

Summary

In this chapter, we summarized the Azure cloud security best practices to use IAM services and Azure Security Center, manage VMs and vNets, and secure cloud data. We focused on two Azure security reference architectures – the Azure hybrid cloud infrastructure, and the Azure SIEM and SOAR framework. Finally, we conducted a case study where we designed and implemented a VWAN security architecture, with Palo Alto virtual appliances separating the trusted and untrusted traffic.

This chapter ends the third part of the book, Azure Cloud. In this part, we covered the Azure cloud by exploring its foundation services of compute, storage, and network; the data services of databases and big data; the ML services of the Azure ML workspace and cognitive services; and the cloud security services. Since we already discussed the AWS and Google clouds in Part 1 and Part 2 of the book, we discussed more advanced cloud services and complicated case studies in this third part, aiming...

Practice questions

1. What is Azure Security Center primarily designed for?

A. Secure network traffic encryption

B. Data loss prevention

C. Threat detection and security posture management

D. Physical data center security

2. Which service provides secure access management and single sign-on for Azure resources?

A. AAD

B. Azure Security Center

C. Azure Key Vault

D. Azure Information Protection

3. Which Azure service offers managed encryption keys to protect data at rest?

A. Azure Key Vault

B. Azure Security Center

C. Azure Information Protection

D. Azure Monitor

4. The Azure DDoS Protection standard provides protection against which type of attacks?

A. Application-layer attacks

B. Phishing attacks

C. Insider threats

D. Social engineering attacks

5. Which Azure service helps to scan and assess the security vulnerabilities of VMs?

A. Azure Security Center

B. AAD

C. Azure Sentinel

D. Azure Firewall

6. Which Azure...

Answers to the practice questions

1. C

2. A

3. A

4. A

5. A

6. D

7. A

8. D

9. C

10. A
