Security Considerations and Best Practices for Azure Resource Manager

This post comes from George Moore, Principal Program Manager Lead, Azure Compute.

When working with Azure Resource Manager (ARM) and ARM templates for deploying IaaS resources, you want to make sure to bake in enterprise-grade security by considering security best practices. Key security issues to consider when using ARM templates include options and best practices centering around:

• Handling keys and secrets
• Assigning appropriate permissions through Role-Based Access Control (RBAC)
• Defining network access controls for traffic coming into and leaving Azure Virtual Networks

This is where Security Considerations for Azure Resource Manager can help you.

In this white paper, you’ll learn:

• How Azure Key Vault can help protect your keys and secrets
• Why compartmentalizing templates helps division of responsibility to enhance security
• How to use a combination of service principals and RBAC for cross-subscription interactions
• What to consider when configuring network access controls using Network Security Groups
• When to use custom routes and IP forwarding to support virtualized network appliances

This article is a part of a broader series entitled Best practices for designing Azure Resource Manager templates which covers deployment topologies with t-shirt sizing for different workload demands, RBAC, tagging, etc.  Other documents in this series cover more advanced scenarios:

• Contextual examples of best practices for implementing templates
• Sharing state in Azure Resource Manager templates

We hope you enjoy Security Considerations for Azure Resource Manager and find it useful in your planning, design and implementation phases.

George Moore
Principal Program Manager Lead, Azure Compute

==================================================

Thanks George! We’re looking forward to hearing about more great things from you and your team!

I (Tom Shinder) also want to let you know that I’m back in the security community again, after taking off from a 15 year stint in security and then changing focus to work on private cloud and then hybrid cloud architecture. In the coming months you’ll see more posts in the Azure Security Blog about Azure and cloud security. We have a heady lineup in store and we’re looking forward to getting the information you want out to you. If there are any topics in Azure and cloud security that you’re particularly interested in, let me know and we’ll make sure we get those on the list. Just click on my name below.

Thanks!
Tom

Tom Shinder
Program Manager, Azure Security Engineering