This repository contains a Terraform configuration that deploys an Azure Zero Trust security architecture following Microsoft's recommended practices for secure cloud infrastructure.
## Architecture Overview
This infrastructure implements a **Hub-and-Spoke network topology** with multiple security layers designed around Zero Trust principles:
- **Never trust, always verify**: All network traffic is inspected and authenticated
- **Least privilege access**: Resources are granted minimal required permissions
- **Assume breach**: Security controls are designed assuming potential compromise
### Key Components
#### Hub Network (Central Security)
- **Azure Virtual WAN**: Centralized connectivity and routing
- **Azure Firewall**: Network-level traffic filtering and inspection
- **Azure Bastion**: Secure RDP/SSH access without public IPs
- **VPN Gateway**: Secure site-to-site and point-to-site connectivity
#### Spoke Network (Workload Isolation)
- **Virtual Machines**: Isolated Linux (Ubuntu 22.04 LTS) and Windows Server 2022 instances
- **Network Security Groups**: Micro-segmentation and traffic control
- **Application Security Groups**: Application-centric security grouping
- **DDoS Protection**: Standard DDoS protection for network resources
#### Security & Compliance
- **Azure Key Vault**: Centralized secrets and certificate management
- **Monitor Workspace**: Comprehensive logging and monitoring
- **Secure Storage**: Encrypted storage accounts with controlled access
## Infrastructure Components
### Network Architecture
```
Hub VNet (Central Security)
├── Azure Bastion Subnet
├── Azure Firewall Subnet
└── Virtual Hub (Virtual WAN)
Spoke VNet (Workloads)
├── VM Subnet
│ ├── Linux VMs (2x Ubuntu 22.04)
│ └── Windows VMs (2x Server 2022)
└── Network Security Groups
```
### Security Controls
| Component | Purpose | Zero Trust Principle |
|-----------|---------|---------------------|
| Azure Firewall | Network traffic inspection | Verify explicitly |
| Network Security Groups | Micro-segmentation | Least privileged access |
| Application Security Groups | Application-level grouping | Assume breach |
| Azure Bastion | Secure remote access | Never trust, always verify |
| Key Vault | Secrets management | Least privileged access |
| DDoS Protection | Network attack mitigation | Assume breach |
## Prerequisites
- **Terraform**: Version 1.0 or higher
- **Azure Subscription**: With appropriate permissions
- **Service Principal**: With Contributor access (or equivalent)
### Variable Descriptions
| Variable | Type | Description | Default |
|----------|------|-------------|---------|
| `app_name` | string | Application name prefix | Required |
| `env` | string | Environment identifier | Required |
| `location` | string | Azure region | Required |
| `hub_vnet_addr_space` | string | Hub VNet CIDR block | Required |
| `spoke_vnet_addr_space` | string | Spoke VNet CIDR block | Required |
| `vm_size` | string | Virtual machine SKU | Required |
| `admin_username` | string | VM administrator username | Required |
| `vms` | number | Number of VM password pairs | Required |
| `tags` | map(string) | Resource tags | Required |
## Deployment Instructions
### 1. Initialize Terraform
```bash
terraform init
```
### 2. Plan Deployment
```bash
terraform plan -var-file="terraform.tfvars"
```
### 3. Deploy Infrastructure
```bash
terraform apply -var-file="terraform.tfvars"
```
### 4. Verify Deployment
```bash
# Check resource groups
az group list --query "[?contains(name, 'zerotrust')]" --output table
# Verify Key Vault secrets
az keyvault secret list --vault-name kv-zerotrust-prod-spoke --output table
```
## Security Features
### Network Security
- **Micro-segmentation**: Each workload tier has dedicated subnets and NSGs
- **Traffic Inspection**: All traffic routed through Azure Firewall
- **Secure Access**: No direct public IP access to VMs (Bastion only)
- **DDoS Protection**: Standard protection for all public-facing resources
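As an added example (not part of this project's code) of how the Bastion-only access above is enforced at the NSG level: an NSG for the spoke VM subnet that admits SSH/RDP solely from the hub's AzureBastionSubnet and explicitly denies every other inbound flow, overriding the default allow-from-VirtualNetwork rule. It assumes the variables from the table above, existing `azurerm_resource_group.spoke` and `azurerm_subnet.vm` resources, and a hypothetical `bastion_subnet_prefix` variable holding the Bastion subnet's CIDR.

```hcl
# Added example, not the project's own code. Assumes the variables in the table
# above, existing azurerm_resource_group.spoke / azurerm_subnet.vm resources,
# and a hypothetical bastion_subnet_prefix variable (AzureBastionSubnet CIDR).
variable "bastion_subnet_prefix" {
  type        = string
  description = "CIDR of AzureBastionSubnet in the hub VNet (assumed, e.g. 10.0.1.0/26)"
}

resource "azurerm_network_security_group" "vm" {
  name                = "nsg-${var.app_name}-${var.env}-spoke-1"
  location            = var.location
  resource_group_name = azurerm_resource_group.spoke.name
  tags                = var.tags

  # Management ports are reachable only from the Bastion subnet, never from
  # the Internet or from other workloads in the VNet.
  security_rule {
    name                       = "AllowBastionSshRdpInbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["22", "3389"]
    source_address_prefix      = var.bastion_subnet_prefix
    destination_address_prefix = var.spoke_vnet_addr_space
  }

  # The built-in AllowVnetInBound rule (priority 65000) would otherwise permit
  # lateral traffic between subnets; this explicit deny at 4096 overrides it,
  # so anything not allowed by a higher-priority rule is dropped.
  security_rule {
    name                       = "DenyAllInbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "vm" {
  subnet_id                 = azurerm_subnet.vm.id
  network_security_group_id = azurerm_network_security_group.vm.id
}
```

Note that the explicit deny also overrides the default AllowAzureLoadBalancerInBound rule, so add a higher-priority allow for the AzureLoadBalancer service tag if a load balancer is ever placed in front of these VMs.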
### Identity & Access Management
- **Key Vault Integration**: VM passwords stored securely in Key Vault
- **Managed Identities**: Service-to-service authentication without credentials
- **RBAC**: Role-based access control for all resources
- **Access Policies**: Granular permissions for Key Vault access
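As an added example (not the project's own code) of the Key Vault integration and access-policy bullets above: a vault with purge protection, an access policy granting the deploying identity secret rights only, and one generated admin password per VM written to the vault. It assumes the `vms`, `admin_username`, `app_name`, `env`, `location` and `tags` variables from the table above and an existing `azurerm_resource_group.spoke`.

```hcl
# Added example, not the project's own code. Assumes the variables in the table
# above and an existing azurerm_resource_group.spoke. Key Vault names must be
# 3-24 characters, so keep app_name short.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "spoke" {
  name                       = "kv-${var.app_name}-${var.env}-spoke"
  location                   = var.location
  resource_group_name        = azurerm_resource_group.spoke.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true # a deleted vault or secret cannot be force-purged
  tags                       = var.tags

  # Least privilege: the deploying identity gets secret rights only, no key or
  # certificate permissions. VMs and operators get their own, narrower policies.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Get", "List", "Set", "Delete", "Recover"]
  }
}

# One generated password per VM. The min_* settings satisfy the Windows Server
# complexity policy, which otherwise rejects the VM create.
resource "random_password" "vm_admin" {
  count       = var.vms
  length      = 24
  min_upper   = 2
  min_lower   = 2
  min_numeric = 2
  min_special = 2
}

# Each password is written to the vault; the matching VM resource reads
# random_password.vm_admin[count.index].result for its admin_password, so the
# secret never appears in tfvars. It does still land in Terraform state, so
# the state backend must be encrypted and access-controlled.
resource "azurerm_key_vault_secret" "vm_admin" {
  count        = var.vms
  name         = "${var.admin_username}-vm-${count.index + 1}" # letters, digits, hyphens only
  value        = random_password.vm_admin[count.index].result
  key_vault_id = azurerm_key_vault.spoke.id
  content_type = "text/plain"
  tags         = var.tags
}
```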
### Monitoring & Compliance
- **Azure Monitor**: Centralized logging and metrics collection
- **Security Baselines**: Following Azure Security Benchmark
- **Audit Logging**: All administrative actions logged
- **Compliance Tags**: Consistent tagging for governance
## Post-Deployment Configuration
### 1. Configure Firewall Rules
```bash
# Create a rule collection group in the hub firewall policy. This creates only
# the (empty) group; the HTTP/HTTPS allow rules are then added to it as a rule
# collection. The az network firewall commands come from the azure-firewall
# CLI extension.
az network firewall policy rule-collection-group create \
  --resource-group rg-zerotrust-prod-hub \
  --policy-name fw-policy-zerotrust-prod-hub \
  --name "WebTrafficRules" \
  --priority 100
```
### 2. Set Up Monitoring Alerts
```bash
# Alert when average CPU across the spoke VMs exceeds 80%. Because the scope is a
# resource group rather than a single VM, --target-resource-type and
# --target-resource-region are required (region shown for East US; use the
# region the VMs are deployed in).
az monitor metrics alert create \
  --name "VM-Availability-Alert" \
  --resource-group rg-zerotrust-prod-spoke \
  --scopes /subscriptions/{subscription-id}/resourceGroups/rg-zerotrust-prod-spoke \
  --target-resource-type Microsoft.Compute/virtualMachines \
  --target-resource-region eastus \
  --condition "avg Percentage CPU > 80"
```
### 3. Configure Backup
```bash
# Enable backup for a VM. --policy-name is required; DefaultPolicy exists in
# every Recovery Services vault, or substitute a custom policy.
az backup protection enable-for-vm \
  --resource-group rg-zerotrust-prod-spoke \
  --vault-name BackupVault \
  --vm vm-zerotrust-prod-spoke-lin-1 \
  --policy-name DefaultPolicy
```
## Maintenance and Operations
### Regular Tasks
1. **Security Updates**: Apply OS patches monthly
2. **Key Rotation**: Rotate Key Vault secrets quarterly
3. **Access Reviews**: Review RBAC assignments monthly
4. **Backup Verification**: Test backup restores quarterly
5. **Firewall Rules**: Review and audit rules monthly
### Monitoring Checklist
- [ ] VM health and performance metrics
- [ ] Network traffic patterns
- [ ] Key Vault access logs
- [ ] Firewall rule effectiveness
- [ ] DDoS attack patterns
- [ ] Storage account access patterns
## Troubleshooting
### Common Issues
#### VM Access Problems
```bash
# Check Bastion connectivity
az network bastion show \
  --resource-group rg-zerotrust-prod-hub \
  --name bastion-zerotrust-prod-hub

# Verify NSG rules
az network nsg rule list \
  --resource-group rg-zerotrust-prod-spoke \
  --nsg-name nsg-zerotrust-prod-spoke-1
```
#### Key Vault Access Issues
```bash
# Check access policies (an empty list with properties.enableRbacAuthorization
# set to true means the vault uses RBAC instead of access policies)
az keyvault show \
  --name kv-zerotrust-prod-spoke \
  --query "properties.accessPolicies"

# Verify permissions
az keyvault secret list \
  --vault-name kv-zerotrust-prod-spoke
```
### Log Locations
- **Activity Logs**: Azure Monitor → Activity Log
- **NSG Flow Logs**: Storage Account → Containers
- **Firewall Logs**: Monitor Workspace → Logs
- **Key Vault Logs**: Monitor Workspace → KeyVault Logs
## Cost Optimization
### Estimated Monthly Costs (East US)
| Component | Quantity | Est. Cost |
|-----------|----------|-----------|
| Virtual Machines (B2s) | 4 | $120 |
| Azure Firewall | 1 | $80 |
| Azure Bastion | 1 | $140 |
| Key Vault | 2 | $2 |
| Storage Account | 1 | $5 |
| **Total** | | **~$347/month** |
### Cost Optimization Tips
1. Use **Azure Hybrid Benefit** for Windows VMs
2. Schedule VM **auto-shutdown** for non-production environments
3. Monitor **unused resources** with Azure Advisor
4. Use **reserved instances** for long-term workloads
## Security Best Practices
### Implemented Controls
✅ **Network Segmentation**: Hub-spoke topology with NSGs
✅ **Privileged Access**: Azure Bastion for secure remote access
✅ **Secrets Management**: Key Vault for password storage
✅ **Traffic Inspection**: Azure Firewall for all traffic
✅ **DDoS Protection**: Standard protection enabled
✅ **Monitoring**: Comprehensive logging and alerting
### Recommended Next Steps
- [ ] Implement **Azure Sentinel** for SIEM capabilities
- [ ] Configure **Conditional Access** policies
- [ ] Enable **Just-In-Time** VM access
- [ ] Set up **Azure Policy** for compliance enforcement
- [ ] Implement **Azure Security Center** recommendations
## Support and Documentation
### Microsoft Documentation
- [Azure Zero Trust Architecture](https://docs.microsoft.com/azure/security/fundamentals/zero-trust)
- [Hub-Spoke Network Topology](https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)
- [Azure Firewall Documentation](https://docs.microsoft.com/azure/firewall/)
- [Azure Bastion Documentation](https://docs.microsoft.com/azure/bastion/)
### Terraform Documentation
- [Azure Provider Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)
- [Terraform Best Practices](https://www.terraform.io/docs/cloud/guides/recommended-practices/index.html)
## Maintainer(s)
- Brainboard team.