Module-2

Follow us on https://kodekloud.com/ to learn more about us.

Defense in depth: provide a layered approach with multiple, independent levels of protection, so that a failure of one control does not expose the workload.

Data: Microsoft Defender for SQL and Microsoft Defender for Storage (both Microsoft Defender for Cloud plans), and Azure Information Protection.
Application: Container Security.
Compute: Host Security.
Network: Network Security Groups, Application Security Groups, Network Micro-Segmentation.
Perimeter: DDoS Protection, Azure Firewall.
Identity and access: Privileged Identity Management, Conditional Access.
Botnets are collections of Internet-connected systems controlled by an attacker without their owners' knowledge, used for spamming, illicit data storage, DDoS attacks, and other malicious activity.
DDoS attacks disrupt the availability of a target, rendering it inaccessible. Typical targets are DNS, web services, email, and any other service reachable from the Internet.
The goal is to exhaust the target's capacity (bandwidth, connection tables, or application resources) so that it can no longer process legitimate traffic.
Forced tunneling redirects all Internet-bound traffic from your Azure virtual machines (VMs) back to your on-premises network for inspection and auditing. It is implemented with a user-defined route (UDR) for 0.0.0.0/0 whose next hop is the virtual network gateway (or, with ExpressRoute, by advertising a default route over BGP), and is required by many enterprise IT policies.
Without forced tunneling, Internet-bound traffic from your Azure VMs exits directly through the Azure network infrastructure via the default system route to the Internet, bypassing your inspection and auditing controls. This lack of control exposes the organization to risks such as information disclosure and undetected command-and-control traffic.
The next hop of a route can be a virtual network gateway, the virtual network, the Internet, a virtual appliance (NVA), or None (the traffic is dropped).
Azure's default system routes enable, without any configuration:
Communication between VMs in the same subnet.
Communication between VMs in different subnets in the same virtual network.
Communication from a VM to the Internet.
Communication over Site-to-Site VPN and ExpressRoute connections through the virtual network gateway.
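To make the route selection concrete, here is an added Python model (written for this page, not Microsoft code) of how Azure picks the next hop for a destination: longest prefix match, with user-defined routes beating BGP routes and BGP beating system routes when prefix lengths tie. The VNet range 10.0.0.0/16, the NVA address 10.0.1.4 and the function names are assumptions for the illustration. It builds the default system routes, adds the forced-tunneling UDR for 0.0.0.0/0 to the virtual network gateway (which overrides the system Internet route only because of the source tie-break), and adds an NVA route that captures intra-VNet traffic for inspection.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop_type: str                  # VirtualNetwork | Internet | None | VirtualNetworkGateway | VirtualAppliance
    source: str                         # system | bgp | user
    next_hop_ip: Optional[str] = None   # only used for VirtualAppliance


# Azure tie-break when several routes carry the same prefix: user-defined > BGP > system.
SOURCE_RANK = {"user": 0, "bgp": 1, "system": 2}


def system_routes(vnet_cidr: str) -> List[Route]:
    """Default system routes Azure creates for every subnet of a virtual network."""
    routes = [
        Route(ipaddress.ip_network(vnet_cidr), "VirtualNetwork", "system"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "Internet", "system"),
    ]
    # RFC 1918 and shared address space are dropped unless the VNet or a UDR covers them.
    for dropped in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"):
        routes.append(Route(ipaddress.ip_network(dropped), "None", "system"))
    return routes


def resolve(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; equal prefix lengths are broken by route source."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in r.prefix]
    if not matching:
        return None
    return min(matching, key=lambda r: (-r.prefix.prefixlen, SOURCE_RANK[r.source]))


def next_hop(routes: List[Route], destination: str) -> str:
    route = resolve(routes, destination)
    return "None" if route is None else route.next_hop_type


def with_forced_tunneling(routes: List[Route]) -> List[Route]:
    """Forced tunneling: a user-defined 0.0.0.0/0 route to the VPN gateway. Same prefix
    length as the system Internet route, so only the source rank makes the UDR win."""
    return routes + [Route(ipaddress.ip_network("0.0.0.0/0"), "VirtualNetworkGateway", "user")]


def with_nva_inspection(routes: List[Route], nva_ip: str, inspected_prefix: str) -> List[Route]:
    """Send traffic for a prefix through a network virtual appliance (firewall) first."""
    return routes + [Route(ipaddress.ip_network(inspected_prefix), "VirtualAppliance", "user", nva_ip)]


if __name__ == "__main__":
    base = system_routes("10.0.0.0/16")                                   # assumed VNet range
    tunneled = with_forced_tunneling(base)
    inspected = with_nva_inspection(tunneled, "10.0.1.4", "10.0.0.0/16")  # assumed NVA address
    for dst in ("8.8.8.8", "10.0.2.5", "10.9.9.9", "192.168.1.1"):
        print(f"{dst:>14}  default={next_hop(base, dst):<22} forced={next_hop(tunneled, dst):<22} "
              f"nva={next_hop(inspected, dst)}")
```

Note the 10.9.9.9 case: it is outside the VNet but inside the 10.0.0.0/8 system route, so it is dropped (next hop None) rather than sent to the Internet or the gateway. In a real forced-tunneling design such on-premises ranges need their own UDR or BGP route to the gateway.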
An NSG filters traffic at layers 3 and 4 (source and destination IP address, source and destination port, and protocol) to and from resources in a virtual network. NSGs are stateful: the response to an allowed flow is permitted automatically, so return traffic needs no rule.
An NSG comprises a set of priority-based rules that allow or deny inbound or outbound traffic.
NSGs can be associated to subnets and network interfaces. One NSG can be associated to many subnets and network interfaces, but each subnet or network interface has at most one NSG.
Rules applied at the subnet and network interface level are evaluated separately. Inbound traffic is checked by the subnet NSG first and then by the NIC NSG; outbound traffic in the reverse order. Traffic must be allowed at both levels to be admitted; a deny at either level drops it.
Rules are evaluated in priority order and the first matching rule wins; later rules are not considered. There is a set of default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound and their outbound counterparts) which cannot be modified or deleted, but can be overridden by custom rules with a higher priority (a lower number). Rules are defined by the following attributes:

Source and destination: an IP address or CIDR range, Any (*), a service tag (VirtualNetwork, Internet, AzureLoadBalancer, Storage, and so on), or an application security group.
Protocol: TCP, UDP, ICMP, or Any.
Service: custom, or a predefined service such as HTTP, HTTPS, RDP or SSH, which fills in the protocol and port.
Port range: a single port or a range of ports.
Priority: the lower the number, the higher the priority. Custom rules use 100-4096; the default rules use 65000, 65001 and 65500.
Action: Allow or Deny.
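The following Python evaluator is an added example (not Microsoft code) that implements the rule semantics above: priority order with first match wins, the immutable default rules, the VirtualNetwork/Internet/AzureLoadBalancer service tags resolved against a constructed VNet (10.0.0.0/16, Bastion subnet 10.0.255.0/27), and the two-level subnet-then-NIC evaluation for inbound traffic. The sample NSGs are constructed: the subnet NSG mistakenly opens SSH to the whole Internet while the NIC NSG only trusts the Bastion subnet, which is enough to show why a permissive subnet rule does not by itself expose the VM, and why an allow at one level is not sufficient.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology: one VNet, with Azure Bastion in 10.0.255.0/27.
# 168.63.129.16 is the fixed Azure platform address used by load-balancer health probes.
VNET = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules; 65000, 65001, 65500 for defaults
    direction: str         # Inbound | Outbound
    access: str            # Allow | Deny
    protocol: str          # Tcp | Udp | Icmp | *
    source: str            # CIDR, "*", or service tag
    source_port: str       # "*", "22", or a range such as "1024-65535"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _addr_matches(spec: str, ip: str) -> bool:
    """Resolve the service tags the default rules use; anything else is a CIDR or '*'."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":          # simplified: everything outside the VNet
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(spec, strict=False)


def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _addr_matches(rule.source, flow.src_ip)
            and _port_matches(rule.source_port, flow.src_port)
            and _addr_matches(rule.destination, flow.dst_ip)
            and _port_matches(rule.destination_port, flow.dst_port))


# Default rules present in every NSG; they cannot be edited, only out-prioritised.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def evaluate(custom_rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """One NSG: lowest priority number first; the first match decides, later rules are ignored."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "implicit"       # unreachable: DenyAll* always matches


def admitted(subnet_nsg: Optional[List[Rule]], nic_nsg: Optional[List[Rule]], flow: Flow) -> Tuple[bool, str]:
    """Both levels must allow. Inbound is checked subnet first then NIC; outbound NIC first
    then subnet. A level without an NSG (None) does no filtering."""
    levels = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if flow.direction == "Outbound":
        levels.reverse()
    for level, nsg in levels:
        if nsg is None:
            continue
        access, name = evaluate(nsg, flow)
        if access == "Deny":
            return False, f"{level}:{name}"
    return True, "allowed at every level"


# Constructed NSGs: the subnet NSG opens SSH to the whole Internet (a common mistake);
# the NIC NSG only trusts the Bastion subnet.
SUBNET_NSG = [
    Rule("Allow-SSH-Any", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "22"),
    Rule("Allow-HTTP-Internet", 110, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "80"),
]
NIC_NSG = [Rule("Allow-SSH-From-Bastion", 100, "Inbound", "Allow", "Tcp", "10.0.255.0/27", "*", "*", "22")]


def inbound(src_ip: str, dst_ip: str, dst_port: int, protocol: str = "Tcp") -> Flow:
    return Flow("Inbound", protocol, src_ip, 40000, dst_ip, dst_port)
```

Calling admitted(SUBNET_NSG, NIC_NSG, inbound("203.0.113.7", "10.0.1.4", 22)) returns (False, "nic:DenyAllInBound"): the subnet NSG allowed the SSH attempt, but the NIC NSG, which never mentions the Internet, denied it through the default rule. The same flow from 10.0.255.4 (Bastion) is admitted at both levels, and a health probe from 168.63.129.16 to port 80 passes the NIC level only because of AllowAzureLoadBalancerInBound, which is why a custom Deny rule on "*" with a priority below 65001 breaks load-balanced VMs.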
Application security groups (ASGs) let you group the network interfaces of VMs by role (for example web, app, db) and reference the group as the source or destination of an NSG rule, so that rules follow workload role instead of IP addresses.
Streamlined Management Experience: a rule such as "allow TCP 1433 from the web ASG to the db ASG" stays correct as VMs are added or removed; membership is changed on the NIC, not in the rule set.
Enhanced Limits and Scalability: one ASG-based rule replaces many per-IP rules, keeping rule counts low as the environment grows.
Simplification of Security Measures: rules read as intent (which tier may talk to which), which makes them easier to review, audit and get right, and reduces the chance of an overly broad allow.
Seamless Integration with Architecture: ASGs work with existing NSGs and subnets and need no change to the address plan; a NIC can belong to several ASGs.
Limits to keep in mind: all NICs in an ASG must be in the same virtual network, and when a rule uses ASGs as both source and destination, both ASGs must be in the same virtual network.
Virtual network service endpoints:
Access Azure services with better security: the service's firewall can be restricted to your subnet, and the source address seen by the service is the VM's private IP instead of a public IP.
Leverages the Microsoft backbone network: traffic stays on the Azure backbone and never traverses the public Internet.
Ease of setup and management: enabled per subnet per service, with no NAT or gateway devices.
Supported services include Azure Storage, Azure SQL Database, Azure Synapse Analytics, Azure Database for PostgreSQL server, Azure Database for MySQL server, Azure Database for MariaDB server, Azure Cosmos DB, Azure Key Vault, Azure Service Bus, Azure Event Hubs, ADLS Gen1, Azure App Service, Azure Cognitive Services, and Azure Container Registry (preview).
Caveat: the service keeps its public IP address; a service endpoint changes the route and the source identity, not the destination. Service endpoint routes take precedence over UDR and BGP routes for the service's prefixes, so forced tunneling does not capture this traffic, and the endpoint covers the whole service, not one resource instance.
Private Link (private endpoints):
Connect to Azure services over a private connection: a network interface with a private IP address from your VNet that maps to one specific resource instance.
Seamless integration with on-premises and peered networks: reachable over VPN, ExpressRoute and VNet peering, with private DNS resolving the service name to the private IP.
Reduces the risk of data exfiltration: because the endpoint maps to a single resource, traffic cannot be redirected to an attacker-owned instance of the same service.
Direct availability in Azure VNets.
Azure Load Balancer is a Layer 4 load balancer which supports Azure Virtual Machines and Azure Virtual Machine Scale Sets as backend.
Load Balancer is offered in two SKUs: Standard and Basic (the Basic SKU is being retired; new deployments should use Standard).
Supports all TCP and UDP protocols.
Security is managed with the help of Network Security Groups. The Standard SKU is secure by default: no inbound traffic reaches the backend until an NSG explicitly allows it. The Basic SKU is open by default.

Public load balancer
Ideal for public-facing workloads.
A public load balancer has a public IP address as its frontend.
The public IP address and port of incoming traffic are mapped to the private IP address and port of the backend servers.
With load balancing rules, traffic is distributed across the backend servers.
Used for any public-facing workload that requires load balancing.

Internal load balancer
Ideal for internal workloads.
An internal load balancer has a private IP address from the virtual network as its frontend, not a public IP.
Incoming traffic from inside the virtual network or from a VPN can be distributed across the backend servers.
This load balancer is never exposed to the Internet, so its IP addresses and port numbers are not visible from the Internet.
Used for internal resources that need to be accessed from Azure or from on-premises via a VPN connection.
Layer 7 load balancer: Application Gateway manages HTTP, HTTPS, HTTP/2 and WebSocket requests and routes them to a backend pool. A Web Application Firewall can be added to Application Gateway as an optional component (the WAF_v2 SKU).

Routing and features: requests can be routed to a backend pool based on the URL path (path-based routing), and multiple sites can be hosted behind one application gateway. Features include URL redirect, TLS termination (with optional end-to-end TLS to the backend), HTTP header rewrite and custom error pages.
Backend pools: the web servers can be hosted in Azure Virtual Machines, Azure Virtual Machine Scale Sets, Azure App Service, or on-premises servers reachable by IP address or FQDN.
Path-based routing: based on the path in the URL, the request is routed to a different backend pool, ideal for backend pools optimized for different paths (for example /images/* to a static pool and /api/* to an API pool).
Multiple-site routing: multiple sites can be hosted behind a single application gateway. Based on the host header (domain), the request is routed to the backend pool hosting that domain.
Layered defense: Azure WAF operates at the application layer (Layer 7), inspecting HTTP and HTTPS requests after TLS termination. By analyzing request content (URI, headers, body), it can identify and block malicious requests, protecting web applications from common exploits.
Built-in security policies: Azure WAF ships managed rule sets based on the OWASP Core Rule Set (CRS), covering injection, cross-site scripting, protocol violations and similar classes of attack. Microsoft updates these rule sets as threats evolve, so applications benefit from current protections without manual rule authoring. A WAF policy runs in Detection mode (log only) or Prevention mode (block); start in Detection mode to tune false positives before switching to Prevention.
Custom rules: in addition to the managed rules, you can define custom rules (match conditions on source IP, geography, request size, headers and so on, with allow, block or log actions) tailored to a specific application, mitigating application-specific weaknesses.
Threat intelligence integration: the bot protection rule set uses Microsoft Threat Intelligence to identify and block traffic from known malicious IP addresses and known bad bots.
Logging and monitoring: Azure WAF logs matched rules and blocked requests to Azure Monitor, giving insight into application traffic, detected threats and security events. This data supports incident response, rule tuning and compliance reporting.
Global load balancing: Front Door distributes incoming traffic across backends (origins) located in different regions. Using Azure's global network and anycast entry points, Front Door ensures performance and availability for web applications.
Content Delivery Network (CDN) integration: Front Door caches content at its edge locations worldwide, reducing latency and origin load.
Web Application Firewall (WAF): Front Door includes built-in WAF capabilities at the edge, providing protection against common web application attacks such as SQL injection and cross-site scripting (XSS) before traffic reaches your origin.
SSL/TLS termination: Front Door terminates TLS at the edge, offloading encryption work from origins and centralizing certificate management. It can re-encrypt to the origin so that traffic is protected end to end.
Traffic routing and URL rewriting: Front Door routes traffic based on criteria such as geographic location, URL path or custom routing rules, and supports URL rewriting without changing backend application logic.
Health monitoring and failover: Front Door continuously probes the health of origins and routes traffic only to healthy ones. If an origin fails, traffic is switched to healthy alternatives, minimizing downtime.
Caveat: Front Door is a reverse proxy, so the origin must be locked down to accept traffic only from Front Door (for example an NSG rule allowing the AzureFrontDoor.Backend service tag, or a Private Link origin) and should validate the X-Azure-FDID header against your Front Door ID; otherwise an attacker can bypass the WAF by connecting to the origin directly.
Private connectivity: ExpressRoute offers private connectivity between on-premises infrastructure and Microsoft datacenters.
Partner network: traffic is carried over a connectivity provider's network; the public Internet is not used. ExpressRoute itself does not encrypt traffic; use MACsec on ExpressRoute Direct or IPsec (VPN over ExpressRoute private peering) if encryption in transit is required.
Features: reliable, secure, low-latency and high-speed connection.
Redundant L3 connectivity: each circuit consists of two BGP links to two Microsoft edge routers; both must be connected to qualify for the availability SLA.
Within a geography, connectivity is available to all regions (Standard SKU); the Local SKU covers only the regions in or near the peering location's metro.
Bandwidth options vary from 50 Mbps to 10 Gbps through a provider, and 10 Gbps or 100 Gbps with ExpressRoute Direct.
ExpressRoute circuits are offered in Local, Standard and Premium SKUs.
The Local SKU is billed only under the Unlimited data plan, in which outbound data transfer is free.
With the Standard and Premium SKUs, you can select either a Metered or an Unlimited data plan. In the Metered plan you are charged for outbound data transfer.
With the Premium add-on, you get global connectivity to Microsoft services in any region, plus higher route limits.
Co-located at a cloud exchange:
If your facility is already co-located with a cloud exchange, virtual cross connections to the Microsoft cloud can be provisioned through the co-location provider's Ethernet exchange. L2 and managed L3 cross connections are supported.
Point-to-point Ethernet connection: using point-to-point Ethernet links, you can connect your on-premises network to the Microsoft cloud. L2 or managed L3 connections are supported.
Any-to-any (IPVPN): by integrating your WAN with the Microsoft cloud, the Microsoft cloud appears as one of your branch offices. Supports managed L3 connectivity.
ExpressRoute Direct: establish connectivity by connecting directly to Microsoft's global network at a nearby peering location.
Antivirus and antimalware: endpoint protection for Azure VMs (the Microsoft Antimalware extension, or Microsoft Defender for Endpoint when onboarded through Defender for Cloud) provides antivirus and antimalware capabilities backed by Microsoft threat intelligence and machine learning. It continuously scans for and detects malware, viruses and other malicious software, protecting endpoints from infection and the unauthorized access that follows it.
Behavioral Analysis: Endpoint Protection employs behavioral analysis techniques to identify suspicious activities and
anomalies on endpoints. By monitoring the behavior of applications and processes, it can detect and mitigate sophisticated
threats that evade traditional signature-based detection methods.
Real-time Threat Intelligence: Azure Endpoint Protection integrates with Microsoft's extensive threat
intelligence network, receiving real-time updates about emerging threats and vulnerabilities. This ensures
that your endpoints are equipped with the latest threat definitions and protection mechanisms, effectively
combating new and evolving cyber threats.
Automated Remediation: Endpoint Protection includes automated remediation capabilities, enabling swift
response to detected threats. It can quarantine and remove malicious files, block suspicious network
connections, and take proactive actions to mitigate the impact of security incidents, minimizing downtime
and reducing the risk of data breaches.
Centralized Management: Azure Endpoint Protection offers centralized management through a unified
console, allowing you to monitor, configure, and enforce security policies across your endpoints. This
streamlines administration, improves operational efficiency, and ensures consistent security posture across
your organization.
Integration with Microsoft Defender for Cloud: Endpoint Protection seamlessly integrates with Microsoft
Defender for Cloud, providing a holistic view of your security posture and enabling advanced threat detection
and response. The integration enhances visibility, simplifies security management, and provides actionable
insights for effective incident response.
Why are privileged access devices important | Microsoft Docs

This guidance is part of a complete privileged access strategy and is implemented as part of the Privileged access
deployment

End to end zero trust security for privileged access requires a strong foundation of device security upon which to build
other security assurances for the session. While security assurances may be enhanced in the session, they will
always be limited by how strong the security assurances are in the originating device. An attacker with control
of this device can impersonate users on it or steal their credentials for future impersonation. This risk
undermines other assurances on the account, intermediaries like jump servers, and on the resources
themselves. For more information, see clean source principle

The article provides an overview of security controls to provide a secure workstation for sensitive users
throughout its lifecycle.

Workflow to acquire and deploy a secure workstation

This solution relies on core security capabilities in the Windows 10 operating system, Microsoft Defender for
Endpoint, Azure Active Directory (now Microsoft Entra ID), and Microsoft Intune.

Who benefits from a secure workstation?


All users and operators benefit from using a secure workstation. An attacker who compromises a PC or device
can impersonate or steal credentials/tokens for all accounts that use it, undermining many or all other
security assurances. For administrators or sensitive accounts, this allows attackers to escalate privileges and
increase the access they have in your organization, often dramatically to domain, global, or enterprise
administrator privileges.

For details on security levels and which users should be assigned to which level, see Privileged access security
levels

Device Security Controls


The successful deployment of a secure workstation requires it to be part of an end to end approach including
devices, accounts, intermediaries, and security policies applied to your application interfaces. All elements of
the stack must be addressed for a complete privileged access security strategy.
Isolated Administrative Environment: PAWs are dedicated workstations specifically designed for performing privileged
tasks. They are isolated from regular user activities and serve as a secure environment for administrative tasks, reducing the
risk of credential theft, lateral movement, and unauthorized access.
Restricted Internet Access: PAWs have limited or no internet connectivity by default. This restriction minimizes exposure to
external threats, such as malicious websites, drive-by downloads, and phishing attacks. It ensures that administrative
activities are performed within a controlled and trusted network environment.
Strong Access Controls: PAWs enforce strict access controls, allowing only authorized personnel to log in and
perform administrative tasks. Multi-factor authentication (MFA), strong password policies, and privileged
identity management (PIM) solutions add layers of security to prevent unauthorized access to privileged
accounts.
Application Control (allow-listing): PAWs run an application control policy (Windows Defender Application
Control or AppLocker) so that only approved, signed applications can execute. Blocking unapproved or
untrusted software mitigates malware infections and prevents the execution of malicious code.
Enhanced Monitoring and Auditability: PAWs enable enhanced monitoring and auditing capabilities, providing
detailed logs and visibility into administrative activities. This ensures accountability, allows for forensic
analysis in case of security incidents, and aids in compliance with regulatory requirements.
Regular Patching and Updates: PAWs are kept up to date with the latest security patches and software
updates to address known vulnerabilities. Regular maintenance ensures that the workstation's operating
system and applications are fortified against emerging threats.
Standardized Deployments: Virtual Machine Templates enable the creation of standardized, pre-configured VM images that
include the operating system, applications, and desired configurations. This ensures consistent deployments across multiple
environments, reducing errors and simplifying management.
Customizable and Repeatable: Templates can be customized to include specific configurations, applications, and security
settings. Once configured, they can be repeatedly deployed to create identical VM instances, eliminating the need for
manual setup and reducing deployment time.
Infrastructure as Code: Virtual Machine Templates follow Infrastructure as Code (IaC) principles.
Templates are defined in a declarative language, such as Azure Resource Manager (ARM) templates, Bicep or
HashiCorp Terraform, allowing for version control, code review, and automation of deployment processes.
Rapid Scalability: By using templates, you can quickly scale your deployments by creating multiple VM
instances based on the same template. This enables efficient provisioning of VMs, whether it's for scaling up
during peak periods or deploying new environments.
Consistent Configuration and Compliance: Virtual Machine Templates help enforce consistent configurations
and compliance requirements. By incorporating desired settings and security configurations into the
template, you can ensure that each deployed VM adheres to organizational policies and regulatory standards.
Versioning and Updates: Templates support versioning, allowing you to manage updates and changes over
time. You can easily modify and update templates to incorporate new patches, security updates, or
application changes, ensuring that new VM instances are always up to date.
Direct RDP and SSH in the Azure portal
No need to install SSH or RDP clients on your computer; you connect over RDP/SSH from the browser (TLS on port 443). Native client support (ssh/mstsc tunnelled through Bastion) is available with the Standard SKU.

Public IP is not required

Since we connect through the Bastion host, there is no need to maintain public IP addresses on the virtual machines.
No need to tweak NSGs on the VMs
Bastion connects to the VM's private IP, so the VM's NSG only has to allow RDP (3389) or SSH (22) from the AzureBastionSubnet (or the VirtualNetwork service tag); no Internet-facing rule is needed. If you place an NSG on AzureBastionSubnet itself, it must allow inbound 443 from the Internet and GatewayManager service tags plus the other data-plane rules Microsoft documents for that subnet.

Port scanning protection

Since the VMs expose no public IPs, they cannot be port scanned from the Internet directly; only the Bastion host's port 443 is reachable.

Hardening
Bastion is a platform-managed service, so hardening is done in one place by Microsoft. Pair it with MFA and Conditional Access on portal sign-in, and audit sessions with Bastion diagnostic logs.

Basic and Standard SKUs

The Basic SKU provides base functionality, that is, direct RDP/SSH access through the portal. The Standard SKU
adds features for larger scale, such as host scaling (more instances), native client support and file transfer over the native client tunnel.
Update Management

The following diagram illustrates how Update Management assesses and applies security updates to all connected Windows
Server and Linux servers.

Update Management integrates with Azure Monitor Logs to store update assessments and deployment results as log data from assigned Azure and non-Azure machines. To collect this data, the Automation account and Log Analytics workspace are linked together, and the Log Analytics agent for Windows or Linux must be installed on the machine and configured to report to that workspace.

Update Management supports collecting information about system updates from agents in a System Center Operations Manager management group connected to the workspace. Having a machine registered for Update Management in more than one Log Analytics workspace (also referred to as multihoming) isn't supported.
Note: Automation Update Management and the Log Analytics agent have since been retired; the successor is Azure Update Manager, which works through the Azure VM agent and Azure Arc rather than a workspace-linked agent.
Encrypt disks
Using ADE, we can encrypt the OS and data disks of Windows and Linux virtual machines. ADE uses BitLocker on Windows and dm-crypt on Linux to encrypt the disks inside the guest. The encryption keys are stored in Azure Key Vault, optionally wrapped with a key encryption key (KEK) that you control.

Restrict access
Because the volume is encrypted inside the guest, only someone who can obtain the key from Key Vault can read the data. If anyone downloads the VHD or attaches the disk to another VM without the keys, they cannot read the data. Key Vault access policies or RBAC therefore become part of the disk's access control and should be audited.

Encrypted backup
When you use Azure Backup, the encryption keys are backed up to the Recovery Services vault along with the disks, so restored VMs remain readable. The backups themselves are also encrypted. ADE uses AES-256.

Considerations
Encrypting both the OS and data disks has a small performance cost from encryption and decryption inside the guest. The impact is minimal, but for CPU-intensive applications one option is to encrypt only the data disks. The OS disk then holds unencrypted swap, logs and temp files, so check that this is acceptable before choosing it; the platform's server-side encryption still protects the disk at rest in storage.
Managed disk encryption options

There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side
Encryption (SSE) and encryption at host.

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance
commitments. ADE provides volume encryption for the OS and data disks of Azure virtual machines (VMs)
through the use of feature DM-Crypt of Linux or the BitLocker feature of Windows. ADE is integrated with
Azure Key Vault to help you control and manage the disk encryption keys and secrets. For full details, see
Azure Disk Encryption for Linux VMs or Azure Disk Encryption for Windows VMs.

Server-Side Encryption (also referred to as encryption-at-rest or Azure Storage encryption) automatically


encrypts data stored on Azure managed disks (OS and data disks) when persisting it to the cloud. For full
details, see Server-side encryption of Azure Disk Storage.

Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the
Storage service. Disks with encryption at host enabled are not encrypted with SSE; instead, the server hosting
your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. Encryption at host cannot be combined with ADE on the same VM, and the EncryptionAtHost feature must be registered on the subscription before it can be enabled.
Key security features included with Windows 10, Windows Server 2016 and Windows Server 2019 are Windows Defender Credential Guard, Device Guard and Windows Defender Application Control.

Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets leads to credential theft attacks such as Pass-the-Hash or Pass-the-Ticket. Windows Defender Credential Guard helps prevent these attacks by protecting NTLM password hashes, Kerberos ticket-granting tickets and credentials that applications store as domain credentials in an isolated LSA process (LSAIso) that neither a local administrator nor kernel-mode code can read.

"Windows Defender Device Guard" was the original umbrella name for two independent features: configurable code integrity (now Windows Defender Application Control) and Hypervisor-protected code integrity (HVCI, now called memory integrity). Neither depends on the other, but the Device Guard lockdown state is reached when they are deployed together: WDAC controls which code may run, and HVCI enforces kernel code integrity from the hypervisor so that a compromised kernel cannot switch the policy off.

Windows Defender Application Control mitigates malware and unauthorized code by restricting the applications that users can run and the code that runs in the system core, or kernel. WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language mode when a policy is enforced.
Protect your machines and applications - https://docs.microsoft.com/en-us/azure/security-center/security-center-virtual-machine-protection
(Azure Security Center has since been renamed Microsoft Defender for Cloud; the concepts below are unchanged.)

A security policy defines the set of controls that are recommended for resources within the specified subscription or resource group. Before enabling a security policy, data collection must be enabled: Security Center collects data from your virtual machines through a monitoring agent in order to assess their security state, provide security recommendations and alert you to threats. In Security Center, you define policies for your Azure subscriptions or resource groups according to your company's security needs and the type of applications or sensitivity of the data in each subscription. Under the hood these policies are Azure Policy definitions assigned to that scope.

Security Center analyzes the security state of your Azure resources. When it identifies potential security vulnerabilities, it creates recommendations that guide you through configuring the needed controls.

After a security policy is set, Security Center analyzes the security state of your resources to identify potential vulnerabilities. Recommendations are shown in a table, one per line, and Security Center keeps monitoring the enabled policies to surface new findings as the environment changes.

Proactive Security Guidance: Microsoft Defender for Cloud continuously analyzes your cloud environment and
generates proactive security recommendations based on industry best practices, compliance standards, and
Microsoft's security expertise. These recommendations help you identify and address potential security risks
and vulnerabilities before they can be exploited.
Customized Security Controls: The recommendations provided by Microsoft Defender for Cloud are tailored
to your specific cloud environment and workload configurations. They take into account factors such as
network architecture, identity management, data protection, and access controls. This ensures that the
security controls align with your unique requirements and provide maximum effectiveness.
Prioritized Risk Mitigation: Microsoft Defender for Cloud assigns each recommendation a severity (High,
Medium, Low) and rolls them up into a Secure Score, enabling you to prioritize and focus on the most critical
security gaps first. This approach helps optimize resource allocation and ensures that you are effectively
mitigating the highest-risk vulnerabilities and threats in your cloud environment.
Automation and Integration: Microsoft Defender for Cloud recommendations integrate with your existing
security tools and workflows. Many recommendations carry a Fix action or an Azure Policy DeployIfNotExists
remediation, and workflow automation can trigger Logic Apps on new findings, allowing continuous monitoring
and enforcement of security controls. Integration with other Azure services and third-party solutions (for
example exporting to a SIEM) enhances overall security visibility and response capabilities.
Compliance and Audit Readiness: Following Microsoft Defender for Cloud recommendations helps
organizations maintain compliance with industry standards and regulatory requirements. By aligning with
recommended security practices, you can demonstrate adherence to security frameworks and ensure audit
readiness.
Continuous Improvement: Microsoft continually updates and expands the recommendations provided by
Defender for Cloud, incorporating insights from threat intelligence, security research, and customer
feedback. This ensures that you stay ahead of emerging threats and benefit from the latest security
measures.
Azure Security Benchmark - Azure Security Benchmark Introduction | Microsoft Docs
The Azure Security Benchmark (ASB, since superseded by the Microsoft cloud security benchmark, MCSB) includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:
Security controls: these recommendations are generally applicable across your Azure tenant and Azure services, and are mapped to the CIS Controls and NIST SP 800-53 (MCSB adds PCI DSS). Each recommendation identifies a list of stakeholders that are typically involved in planning, approval or implementation of the benchmark.
Service baselines: these apply the controls to individual Azure services to provide recommendations on that
service's security configuration. Defender for Cloud assesses resources against the benchmark by default and reports the result in its regulatory compliance dashboard.

Center for Internet Security (CIS) Benchmarks - https://azure.microsoft.com/resources/cis-microsoft-azure-foundations-security-benchmark

Microsoft's cybersecurity group in conjunction with the Center for Internet Security (CIS) developed best
practices to help establish security baselines for the Azure platform.

Microsoft initially partnered with CIS for the development of an off-the-shelf hardened Azure VM. An
initiative then began to use the CIS Benchmarks (their term for best practices) with Azure sec
Level 1:
Ensure that OS disks are encrypted
Ensure only approved extensions are installed
Ensure that the OS patches for the VMs are applied
Faster startup
Unlike virtual machines, containers can start up in seconds.

Host internet-facing applications
ACI supports a public IP and DNS name, which is ideal for exposing your container apps to the internet.

Isolation
Containers are isolated from each other even if they are deployed on the same container host.

Scalability
You can choose custom sizes as per your resource requirements.

Persistent storage
Container storage is ephemeral; using Azure Files, we can create persistent storage for ACI.

OS and VNet
ACI can be deployed directly into virtual networks. Both Windows and Linux containers are supported by ACI.

Privilege Escalation and Repository Validation: Understanding and implementing proper governance for
privilege escalation, repository validation, and image signing are essential in container environments. These
practices mitigate the risks associated with unauthorized access and the use of compromised or untrusted
container images.

Networking Security: Containers have open network traffic across services and share the host's kernel, raising
security concerns. While containers can reduce the attack surface compared to traditional virtual machines
(VMs), it is crucial to address networking security, such as implementing network segmentation, secure
communication channels, and proper access controls, to protect against unauthorized access and potential
data breaches.

Kernel Exploits: Containers share the underlying kernel with the host. It is vital to keep the kernel up to date
with the latest security patches to mitigate the risk of kernel vulnerabilities being exploited. Regular updates
and monitoring for security advisories help maintain a secure container deployment.

Denial-of-Service (DoS) Attacks: Shared kernel resources in container deployments make them susceptible to
DoS attacks. An attacker can monopolize critical resources, leading to performance degradation or complete
unavailability for legitimate users. Implementing resource limits, monitoring for abnormal resource usage,
and implementing rate limiting mechanisms can help mitigate DoS attacks in container deployments.

Container Breakouts: Container breakouts occur when an attacker gains access to a container and then
leverages that access to compromise other containers or the underlying host. Proper container isolation and
security measures, such as utilizing appropriate container runtimes and employing user namespaces, are
crucial to prevent container breakouts and limit the impact of privilege escalation attacks.
Image Trust and Security: Ensuring the integrity and authenticity of container images is critical. Verifying
image sources, regularly updating images to address known vulnerabilities, and utilizing trusted image
registries help protect against the deployment of poisoned or tampered images. Implementing image
scanning tools and adhering to image hygiene best practices further enhance the security of container-based
systems.
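A manifest check that flags the risk classes listed above (privilege escalation, breakouts through shared host namespaces, DoS through missing resource limits, unpinned image tags) before a pod reaches a cluster. This is an added example, not code from the page or from Azure; the two pod specs are constructed, and the field names are standard Kubernetes Pod spec fields.

```python
from typing import Any, Dict, List

# Constructed pod specs in the shape of a Kubernetes Pod manifest (plain dicts,
# so no YAML library is needed); a CI step would load real manifests instead.
RISKY_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "web",
            "image": "marketing/campaign10-18/web:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "marketing/campaign10-18/web:v2",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def lint_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per weakness, prefixed with the risk class it maps to.
    Simplification: pod-level securityContext defaults are not merged in."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    # Breakouts: sharing host namespaces widens what a compromised container reaches.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"breakout: pod shares {ns}")
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        # Privilege escalation: privileged mode, setuid-style escalation, capabilities.
        if sc.get("privileged"):
            findings.append(f"privilege-escalation: {name} runs privileged")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(f"privilege-escalation: {name} allows privilege escalation")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"privilege-escalation: {name} does not drop all capabilities")
        if not sc.get("runAsNonRoot"):
            findings.append(f"breakout: {name} may run as root")
        # DoS: without limits one container can monopolise shared kernel resources.
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"dos: {name} has no {res} limit")
        # Image trust: an unpinned or 'latest' tag gives no assurance of what runs.
        image = c.get("image", "")
        if ":" not in image or image.endswith(":latest"):
            findings.append(f"image-trust: {name} uses a mutable or missing tag")
    return findings
```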
Registry

A container registry is a service that stores and distributes container images and related artifacts. Docker Hub is an example
of a public container registry that serves as a general catalog of Docker container images. Azure Container Registry provides
users with direct control of their container content, with integrated authentication, geo-replication supporting global
distribution and reliability for network-close deployments, virtual network configuration with Private Link, tag locking, and
many other enhanced features.

In addition to Docker-compatible container images, Azure Container Registry supports a range of content
artifacts including Helm charts and Open Container Initiative (OCI) image formats.

Repository

A repository is a collection of container images or other artifacts in a registry that have the same name, but
different tags. For example, the following three images are in the acr-helloworld repository:

acr-helloworld:latest
acr-helloworld:v1
acr-helloworld:v2

Repository names can also include namespaces. Namespaces allow you to identify related repositories and
artifact ownership in your organization by using forward slash-delimited names. However, the registry
manages all repositories independently, not as a hierarchy. For example:

marketing/campaign10-18/web:v2
marketing/campaign10-18/api:v3
marketing/campaign10-18/email-sender:v2
product-returns/web-submission:20180604
product-returns/legacy-integrator:20180715

Repository names can only include lowercase alphanumeric characters, periods, dashes, underscores, and
forward slashes.

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro
Docker overview and About registries, repositories, and images.
Container Registry (cont’d)

Artifact

A container image or other artifact within a registry is associated with one or more tags, has one or more layers, and is
identified by a manifest. Understanding how these components relate to each other can help you manage your registry
effectively.

Tag - The tag for an image or other artifact specifies its version. A single artifact within a repository can be
assigned one or many tags and may also be "untagged." That is, you can delete all tags from an image, while
the image's data (its layers) remain in the registry.

The repository (or repository and namespace) plus a tag defines an image's name. You can push and pull an
image by specifying its name in the push or pull operation. The tag latest is used by default if you don't
provide one in your Docker commands.
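A parser for the repository, namespace and tag naming rules described above (the allowed repository characters, slash-delimited namespaces, and the default tag latest). It is an added example, not code from the page or from Azure Container Registry; the tag character rules it enforces are assumed from Docker's tag grammar and are not stated on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Character set the page gives for repository names: lowercase alphanumerics,
# periods, dashes, underscores and forward slashes.
REPO_NAME_RE = re.compile(r"[a-z0-9._/-]+")
# Tag grammar is assumed from Docker (not stated on the page): up to 128 chars
# of [A-Za-z0-9_.-], not starting with a period or a dash.
TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
DEFAULT_TAG = "latest"   # Docker's default when no tag is given


@dataclass(frozen=True)
class ImageRef:
    namespace: Optional[str]   # e.g. "marketing/campaign10-18", or None
    repository: str            # last path segment, e.g. "web"
    tag: str                   # e.g. "v2", or "latest" when none was given

    @property
    def full_repository(self) -> str:
        # The registry stores the whole slash-delimited name as one repository;
        # the namespace/repository split is only for the caller's bookkeeping.
        return f"{self.namespace}/{self.repository}" if self.namespace else self.repository

    def __str__(self) -> str:
        return f"{self.full_repository}:{self.tag}"


def parse_image_ref(ref: str) -> ImageRef:
    """Parse a registry-scoped '<namespace>/<repo>:<tag>' name.

    The registry host (e.g. myregistry.azurecr.io/) must already be stripped;
    digest references ('@sha256:...') are outside the naming rules discussed
    here and are rejected.
    """
    if "@" in ref:
        raise ValueError(f"digest references are not handled: {ref!r}")
    if ":" in ref:
        name, tag = ref.rsplit(":", 1)
    else:
        name, tag = ref, DEFAULT_TAG
    if not REPO_NAME_RE.fullmatch(name):
        raise ValueError(f"repository name has disallowed characters: {name!r}")
    segments = name.split("/")
    if any(seg == "" for seg in segments):
        raise ValueError(f"empty path segment in repository name: {name!r}")
    if not TAG_RE.fullmatch(tag):
        raise ValueError(f"invalid tag: {tag!r}")
    namespace = "/".join(segments[:-1]) or None
    return ImageRef(namespace=namespace, repository=segments[-1], tag=tag)
```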

How you tag container images is guided by your scenarios to develop or deploy them. For example, stable
tags are recommended for maintaining your base images, and unique tags for deploying images. For more
information, see Recommendations for tagging and versioning container images.

Layer - Container images and artifacts are made up of one or more layers. Different artifact types define
layers differently. For example, in a Docker container image, each layer corresponds to a line in the Dockerfile
that defines the image:

Artifacts in a registry share common layers, increasing storage efficiency. For example, several images in
different repositories might have a common ASP.NET Core base layer, but only one copy of that layer is
stored in the registry. Layer sharing also optimizes layer distribution to nodes, with multiple artifacts sharing
common layers. If an image already on a node includes the ASP.NET Core layer as its base, the subsequent pull
of a different image referencing the same layer doesn't transfer the layer to the node. Instead, it references
the layer already existing on the node.

To provide secure isolation and protection from potential layer manipulation, layers are not shared across
registries.

Manifest - Each container image or artifact pushed to a container registry is associated with a manifest. The
manifest, generated by the registry when the content is pushed, uniquely identifies the artifacts and specifies
the layers.
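A constructed model of the tag, layer and manifest relationships described above, added here as an example (not code from the page or from Azure Container Registry): layers are content-addressed by sha256 digest as Docker and OCI do, stored once per registry, kept when a tag is deleted, never shared between registries, and a node pull transfers only the layers it does not already have.

```python
import hashlib
import json
from typing import Dict, List, Set


def digest(data: bytes) -> str:
    """Content address for layers and manifests (sha256, as Docker and OCI use)."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


class Registry:
    """One registry: layer blobs keyed by digest (stored once per registry),
    manifests listing layer digests, and per-repository tags pointing at
    manifests. Separate Registry instances never share layers."""

    def __init__(self) -> None:
        self.layers: Dict[str, bytes] = {}          # layer digest -> blob
        self.manifests: Dict[str, dict] = {}        # manifest digest -> manifest
        self.tags: Dict[str, Dict[str, str]] = {}   # repository -> {tag: manifest digest}

    def push(self, repository: str, tag: str, layer_blobs: List[bytes]) -> str:
        """Store only layers not already present, then record the manifest."""
        layer_digests = []
        for blob in layer_blobs:
            d = digest(blob)
            self.layers.setdefault(d, blob)   # shared layer: one copy per registry
            layer_digests.append(d)
        manifest = {"layers": layer_digests}   # the manifest specifies the layers
        m_digest = digest(json.dumps(manifest, sort_keys=True).encode())
        self.manifests[m_digest] = manifest
        self.tags.setdefault(repository, {})[tag] = m_digest
        return m_digest

    def untag(self, repository: str, tag: str) -> None:
        """Delete a tag; the manifest and its layers remain in the registry."""
        del self.tags[repository][tag]

    def layers_for(self, repository: str, tag: str) -> List[str]:
        return self.manifests[self.tags[repository][tag]]["layers"]

    def stored_bytes(self) -> int:
        return sum(len(b) for b in self.layers.values())


class Node:
    """A cluster node's local layer cache: a pull transfers only missing layers."""

    def __init__(self) -> None:
        self.cached: Set[str] = set()

    def pull(self, registry: Registry, repository: str, tag: str) -> int:
        """Pull an image; returns the number of layer bytes actually transferred."""
        transferred = 0
        for d in registry.layers_for(repository, tag):
            if d not in self.cached:
                transferred += len(registry.layers[d])
                self.cached.add(d)
        return transferred


# Constructed sample blobs: two images in different repositories share a base layer.
BASE_LAYER = b"aspnet-core-runtime" * 100   # 1900 bytes, common to both images
WEB_APP_LAYER = b"web-app-code" * 10        # 120 bytes
API_APP_LAYER = b"api-app-code" * 10        # 120 bytes
```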

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro

Docker overview and About registries, repositories, and images.


Centralized Container Image Management:
Azure Container Registry serves as a centralized repository for storing and managing container images. It provides a secure
and scalable solution to store, organize, and version control your container images, making them readily available for
deployment across your infrastructure.

Secure Image Storage and Access Control:
Container images stored in Azure Container Registry are protected with industry-standard encryption,
ensuring the confidentiality and integrity of your images. Access to the registry can be controlled using Azure
Active Directory (Azure AD) authentication, role-based access control (RBAC), and fine-grained permissions,
providing robust security for your images.

High Availability and Scalability:
Azure Container Registry offers high availability and scalability, ensuring that your container images are
accessible and performant. It leverages Azure's global infrastructure to replicate images across multiple
regions, reducing latency and enabling fast image retrieval for deployment in various locations.

Integration with Azure Services:
Azure Container Registry seamlessly integrates with other Azure services, such as Azure Kubernetes Service
(AKS) and Azure DevOps. This integration simplifies the deployment and management of containerized
applications, enabling efficient CI/CD pipelines and seamless integration into your existing workflows.

Container Image Lifecycle Management:
Azure Container Registry provides tools and capabilities for managing the lifecycle of container images. This
includes versioning, image promotion between different environments, image scanning for vulnerabilities,
and automated image builds using tasks, allowing you to maintain a streamlined and secure image
management process.

Geo-replication and Content Delivery:
Azure Container Registry supports geo-replication of container images, enabling you to replicate images to
different Azure regions for enhanced redundancy and disaster recovery. Additionally, it integrates with Azure
Content Delivery Network (CDN) to accelerate image distribution and improve image retrieval performance
globally.
Azure Container Registry - Service Tiers

Azure Container Registry is available in multiple service tiers (also known as SKUs). These tiers provide predictable pricing
and several options for aligning to the capacity and usage patterns of your private Docker registry in Azure.

The Basic, Standard, and Premium tiers all provide the same programmatic capabilities. They also all benefit from image
storage managed entirely by Azure. Choosing a higher-level tier provides more performance and scale. With
multiple service tiers, you can get started with Basic, then convert to Standard and Premium as your registry
usage increases.

BASIC: A cost-optimized entry point for developers learning about Azure Container Registry. Basic registries
have the same programmatic capabilities as Standard and Premium (such as Azure Active Directory
authentication integration, image deletion, and webhooks). However, the included storage and image
throughput are most appropriate for lower usage scenarios.

STANDARD: Standard registries offer the same capabilities as Basic, with increased included storage and
image throughput. Standard registries should satisfy the needs of most production scenarios.

PREMIUM: Premium registries provide the highest amount of included storage and concurrent operations,
enabling high-volume scenarios. In addition to higher image throughput, Premium adds features such as geo-
replication for managing a single registry across multiple regions, content trust for image tag signing, private
link with private endpoints to restrict access to the registry.
Scalability and Flexibility: AKS allows you to scale your applications seamlessly to meet changing demands. It automates the
provisioning and management of Kubernetes clusters, enabling effortless scaling of containerized workloads across a
dynamic and elastic infrastructure.
Simplified Management: AKS eliminates the need for manual cluster setup and management tasks. It handles critical
components such as Kubernetes control plane, node scaling, and load balancing, freeing up your time to focus on
application development and deployment.
High Availability and Resilience: AKS provides built-in high availability and fault tolerance for your
applications. It ensures that your workloads are distributed across multiple nodes and availability zones,
minimizing disruptions and providing resilience against failures.
Integrated DevOps Experience: AKS seamlessly integrates with other Azure DevOps services, enabling end-
to-end DevOps workflows for containerized applications. You can leverage tools like Azure DevOps, Azure
Container Registry, and Azure Pipelines to automate CI/CD pipelines and streamline application delivery.
Security and Compliance: AKS prioritizes security and offers robust features to protect your applications and
data. It integrates with Azure Active Directory for authentication and access control, supports encryption at
rest and in transit, and allows for network policies and firewall rules to enforce granular security controls.
Monitoring and Insights: AKS integrates with Azure Monitor and Azure Log Analytics, providing
comprehensive monitoring, logging, and diagnostics capabilities. You can gain insights into cluster health,
performance metrics, and application logs to troubleshoot issues, optimize performance, and ensure optimal
resource utilization.
Azure managed node
This node is created automatically when we create an AKS cluster. It is not visible to the end user and runs the
Kubernetes master (control plane) components.

Customer managed nodes
These nodes run your containerized applications and services. You only pay for the number of nodes.

kubelet
Receives requests from the Azure managed node (control plane) to schedule containers on the node.

kube-proxy
Routes traffic and manages IP addresses of pods and services.

Container Runtime
Allows containers to be created and to interact with networking and storage components.
ClusterIP
Facilitates internal communication with other apps in your cluster; there is no external access. ClusterIP is the default
Kubernetes service type.

NodePort
Opens a specific port on every node and forwards traffic to the pod via the service. You can choose port numbers in the
range 30000-32767, and each port can be used by only one service.

LoadBalancer
Creates an Azure Load Balancer that routes external traffic to the service. This is the standard
way to expose your applications to the internet.
Volumes - Volumes can be used to store, retrieve, and persist data. Local storage is fast and easy to use; on the other hand,
Kubernetes treats pods as ephemeral, so their local storage is lost with them. If needed, we can create persistent volumes
using Azure Files or Azure Managed Disks.

Persistent Volumes - A volume created along with a pod is deleted when the pod is deleted. With the help of a persistent
volume (PV) we can keep the storage even after deleting the pod.

Storage Class - While creating storage, we can use StorageClasses to define the tier of the storage required.
You can select Premium or Standard. With the reclaimPolicy parameter, we can define whether the underlying storage
is retained or deleted when it is no longer claimed.

Persistent Volume Claims - Using a PVC, we can request an Azure Managed Disk or Azure Files share of a specific tier (via
StorageClass), access mode and size.
Integrate Azure Active Directory with Azure Kubernetes Service - https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration
Service principals with Azure Kubernetes Service (AKS) - https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal
Use managed identities in Azure Kubernetes Service - https://docs.microsoft.com/en-us/azure/aks/use-managed-identity
There are different ways to authenticate with and secure Kubernetes clusters. Using role-based access
controls (RBAC), you can grant users or groups access to only the resources they need. With Azure
Kubernetes Service (AKS), you can further enhance the security and permissions structure by using Azure
Active Directory. These approaches help you secure your application workloads and customer data.

Kubernetes service accounts

One of the primary user types in Kubernetes is a service account. A service account exists in, and is managed
by, the Kubernetes API. The credentials for service accounts are stored as Kubernetes secrets, which allows
them to be used by authorized pods to communicate with the API Server. Most API requests provide an
authentication token for a service account or a normal user account.
Normal user accounts allow more traditional access for human administrators or developers, not just services
and processes. Kubernetes itself doesn't provide an identity management solution where regular user
accounts and passwords are stored. Instead, external identity solutions can be integrated into Kubernetes.
For AKS clusters, this integrated identity solution is Azure Active Directory.

Azure Active Directory integration

The security of AKS clusters can be enhanced with the integration of Azure Active Directory (AD). Built on
decades of enterprise identity management, Azure AD is a multi-tenant, cloud-based directory, and identity
management service that combines core directory services, application access management, and identity
protection. With Azure AD, you can integrate on-premises identities into AKS clusters to provide a single
source for account management and security.

With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within
a namespace or across the cluster. To obtain a kubectl configuration context, a user can run the
az aks get-credentials command. When a user then interacts with the AKS cluster with kubectl, they are prompted to
sign in with their Azure AD credentials. This approach provides a single source for user account management
and password credentials. The user can only access the resources as defined by the cluster administrator.
Azure AD authentication in AKS clusters uses OpenID Connect, an identity layer built on top of the OAuth 2.0
protocol. OAuth 2.0 defines mechanisms to obtain and use access tokens to access protected resources, and
OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process.