Azure security baseline for VPN Gateway

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to VPN Gateway. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to VPN Gateway.

You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud dashboard.

When a section has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance to the Azure Security Benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.

Note

Controls not applicable to VPN Gateway, and those for which the global guidance is recommended verbatim, have been excluded. To see how VPN Gateway completely maps to the Azure Security Benchmark, see the full VPN Gateway security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: Create or use an existing virtual network to deploy Azure VPN Gateway resources. Make sure all Azure virtual networks follow an enterprise segmentation principle that aligns with business risks. Isolate any high-risk system within its own virtual network.

Secure the virtual network with a network security group (NSG) and/or Azure Firewall. Recommend NSG configurations based on external network traffic rules. Use Microsoft Defender for Cloud adaptive network hardening to limit ports and source IPs.

Use NSG rules to restrict or allow traffic between internal resources. Base the rules on your applications and enterprise segmentation strategy. For specific, well-defined applications like three-tier apps, these rules can be a highly secure deny by default.

Azure infrastructure communication requires certain ports, which aren't published. Azure certificates protect and lock down those ports: without the proper certificates, external entities, including the gateway's customers, can't affect those endpoints.
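As an added example (not code from the baseline page or from Microsoft), the following Az PowerShell script builds the deny-by-default NSG the guidance describes for a workload subnet that is reached through the VPN gateway: two narrow allow rules for the on-premises range and the point-to-site client pool, then an explicit deny that overrides the default AllowVnetInBound rule. Resource names, address ranges, region and the application port are placeholders. The NSG is attached to the workload subnet, not to the GatewaySubnet, because Azure does not support an NSG on the gateway's own subnet.

```powershell
# Added example: deny-by-default NSG for a workload subnet behind a VPN gateway.
# All names, ranges and the port below are hypothetical values.
$rgName      = "rg-hub-example"          # assumed resource group
$location    = "westeurope"              # assumed region
$vnetName    = "vnet-hub-example"        # assumed virtual network
$subnetName  = "snet-app"                # assumed workload subnet (never the GatewaySubnet)
$onPremRange = "10.10.0.0/16"            # assumed on-premises range reached over site-to-site VPN
$p2sPool     = "172.16.201.0/24"         # assumed point-to-site client address pool
$appPort     = 8443                      # assumed application port

$rules = @(
    # Only the application port, only from the two VPN-sourced ranges.
    New-AzNetworkSecurityRuleConfig -Name "allow-app-from-onprem" -Direction Inbound -Access Allow `
        -Priority 100 -Protocol Tcp -SourceAddressPrefix $onPremRange -SourcePortRange "*" `
        -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange $appPort `
        -Description "Application traffic from on-premises over site-to-site VPN"
    New-AzNetworkSecurityRuleConfig -Name "allow-app-from-p2s" -Direction Inbound -Access Allow `
        -Priority 110 -Protocol Tcp -SourceAddressPrefix $p2sPool -SourcePortRange "*" `
        -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange $appPort `
        -Description "Application traffic from point-to-site VPN clients"
    # Explicit deny below the allows but above the platform default AllowVnetInBound (65000),
    # so peered networks and other subnets cannot reach this subnet freely.
    New-AzNetworkSecurityRuleConfig -Name "deny-all-other-inbound" -Direction Inbound -Access Deny `
        -Priority 4000 -Protocol "*" -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "*" `
        -Description "Deny by default"
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name "nsg-$subnetName" -SecurityRules $rules

# Associate the NSG with the workload subnet and persist the virtual network change.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify: rules in evaluation order (lowest priority number first).
(Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsg.Name).SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

The deny rule is the part that makes the subnet "deny by default": without it, the platform's AllowVnetInBound rule admits any traffic from the virtual network address space, including peered networks.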

Responsibility: Shared

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name (Azure portal): All Internet traffic should be routed via your deployed Azure Firewall
Description: Microsoft Defender for Cloud has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0-preview

Name (Azure portal): Subnets should be associated with a Network Security Group
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

NS-2: Connect private networks together

Guidance: Use Azure ExpressRoute or Azure VPN to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections don't go over the public internet. ExpressRoute offers more reliability, faster speeds, and lower latencies than typical internet connections.

For point-to-site and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.

To connect two or more virtual networks in Azure, use virtual network peering. Network traffic between peered virtual networks is private and stays on the Azure backbone network.

Responsibility: Shared

NS-3: Establish private network access to Azure services

Guidance: Azure VPN supports standard IPsec/IKE protocols:

  • UDP ports 500 and 4500
  • ESP protocol

Point-to-site VPN uses TCP port 443 for secure TLS-based connections.

VPN Gateway doesn't support securing its management endpoints to a private network with Private Link.

VPN Gateway doesn't support Azure Virtual Network service endpoints.

Responsibility: Shared

NS-4: Protect applications and services from external network attacks

Guidance: Protect your VPN Gateway resources against attacks from external networks. External attacks can include distributed denial of service (DDoS), application-specific attacks, and unsolicited and potentially malicious internet traffic.

Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your assets against DDoS attacks by enabling Azure DDoS Standard protection on your Azure virtual networks. Use Microsoft Defender for Cloud to detect misconfiguration risks to your network resources.

VPN Gateway doesn't run web applications, so you don't need to configure any settings or deploy any network services to protect from external attacks that target web applications.

Responsibility: Shared

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name (Azure portal): All Internet traffic should be routed via your deployed Azure Firewall
Description: Microsoft Defender for Cloud has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0-preview

Name (Azure portal): Azure DDoS Protection Standard should be enabled
Description: DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Subnets should be associated with a Network Security Group
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

Name (Azure portal): Web Application Firewall (WAF) should be enabled for Application Gateway
Description: Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.
Effect(s): Audit, Deny, Disabled
Version (GitHub): 1.0.1

Name (Azure portal): Web Application Firewall (WAF) should be enabled for Azure Front Door Service service
Description: Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.
Effect(s): Audit, Deny, Disabled
Version (GitHub): 1.0.1

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure VPN uses Azure Active Directory (Azure AD) as its default identity and access management service. Standardize Azure AD to govern your organization's identity and access management in:

  • Microsoft Cloud resources. Resources include:

    • The Azure portal

    • Azure Storage

    • Azure Linux and Windows virtual machines

    • Azure Key Vault

    • Platform-as-a-service (PaaS)

    • Software-as-a-service (SaaS) applications

  • Your organization's resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority for your organization's cloud security practice. Azure AD provides an identity secure score to help you compare your identity security posture to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Note: Azure AD supports external identities that allow users without a Microsoft account to sign in to their applications and resources.

Azure Point-to-Site (P2S) VPN supports Azure AD authentication. Customers can also configure P2S VPN to use either native, certificate-based authentication, or RADIUS-based authentication.
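As an added example (not code from the baseline page or from Microsoft), the following Az PowerShell script switches an existing gateway's point-to-site configuration to Azure AD authentication, which is only available with the OpenVPN tunnel type, and then reads the resulting client configuration back. The resource names, tenant ID, client address pool and the audience value (the application ID of the Azure VPN enterprise application in your tenant) are placeholders.

```powershell
# Added example: configure point-to-site VPN with Azure AD authentication.
# Names, tenant ID, audience and address pool are placeholders.
$rgName   = "rg-hub-example"                 # assumed resource group
$gwName   = "vpngw-hub-example"              # assumed existing VPN gateway
$tenantId = "<your-azure-ad-tenant-id>"      # placeholder: Azure AD tenant GUID
$audience = "<azure-vpn-application-id>"     # placeholder: app ID of the Azure VPN enterprise application

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName

# Azure AD authentication requires OpenVPN. No root certificate or RADIUS settings are
# passed, so only Azure AD identities can authenticate to this gateway.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool "172.16.201.0/24" `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId" `
    -AadAudienceId $audience `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/" | Out-Null   # trailing slash is required

# Verify what the gateway now enforces before distributing the client profile.
$cfg = (Get-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName).VpnClientConfiguration
[pscustomobject]@{
    AuthenticationTypes = ($cfg.VpnAuthenticationTypes -join ",")
    Protocols           = ($cfg.VpnClientProtocols -join ",")
    AddressPool         = ($cfg.VpnClientAddressPool.AddressPrefixes -join ",")
    AadTenant           = $cfg.AadTenant
    AadAudience         = $cfg.AadAudience
}
```

Because the authentication type is set to AAD only, users who were previously connecting with client certificates will be refused after this change; plan the cut-over and distribute a new client profile accordingly.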

Responsibility: Customer

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: VPN Gateway uses Azure AD to provide identity and access management to Azure resources, cloud applications, and on-premises applications. Azure AD manages enterprise identities like employees, and external identities like partners, vendors, and suppliers. Azure AD enables single sign-on (SSO) to manage and secure access to your organization's on-premises and cloud data and resources.

Connect all your users, applications, and devices to Azure AD. Azure AD offers seamless, secure access, and greater visibility and control.

Responsibility: Customer

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-6: Use privileged access workstations

Guidance: Secured, isolated workstations are critical for security of sensitive roles like administrator, developer, and critical service operator. Use highly secured user workstations and Azure Bastion for administrative tasks.

Use Azure AD, Microsoft Defender Advanced Threat Protection (ATP), or Microsoft Intune to deploy a secure and managed user workstation. You can manage secured workstations centrally to enforce a security configuration that includes:

Responsibility: Customer

PA-7: Follow the least privilege principle for administration

Guidance: VPN Gateway integrates with Azure RBAC to manage its resources. With RBAC, you manage Azure resource access through role assignments. You can assign roles to users, groups, service principals, and managed identities. Certain resources have pre-defined, built-in roles. You can inventory or query these roles through tools like Azure CLI, Azure PowerShell, or the Azure portal. Limit the privileges you assign to resources through Azure RBAC to what the roles require. This practice complements the just-in-time (JIT) approach of Azure AD PIM. Review roles and assignments periodically.

Use built-in roles to allocate permissions, and only create custom roles when required.
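As an added example (not code from the baseline page or from Microsoft), the following Az PowerShell script applies both points of this control: it grants a network operations group a built-in role scoped to the gateway's resource group rather than the subscription, and then reviews every assignment that applies at the gateway's scope, flagging broad roles for justification. The group and resource names are placeholders.

```powershell
# Added example: least-privilege role assignment and periodic review for a VPN gateway.
# Group and resource names are placeholders.
$rgName    = "rg-hub-example"           # assumed resource group holding the gateway
$gwName    = "vpngw-hub-example"        # assumed VPN gateway
$groupName = "sg-network-operators"     # assumed Azure AD group of gateway operators

$group = Get-AzADGroup -DisplayName $groupName
$gw    = Get-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName

# Built-in role, scoped to the resource group. Network Contributor can manage the gateway
# and its connections but grants nothing outside that resource group.
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Network Contributor" `
    -ResourceGroupName $rgName | Out-Null

# Periodic review: list every assignment effective at the gateway (direct and inherited)
# and flag the roles that exceed what gateway administration requires.
$broadRoles = @("Owner", "Contributor", "User Access Administrator")
Get-AzRoleAssignment -Scope $gw.Id |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope,
        @{ n = "ReviewFlag"; e = {
            if ($_.RoleDefinitionName -in $broadRoles) { "broad role: justify or remove" }
            elseif ($_.Scope -notlike "*/resourceGroups/*") { "subscription-wide: consider narrowing" }
            else { "" } } } |
    Sort-Object ReviewFlag -Descending |
    Format-Table -AutoSize
```

Run the review part on a schedule; assignments inherited from management-group or subscription scope are the ones most often forgotten, and this listing surfaces them alongside the direct ones.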

Responsibility: Customer

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-4: Encrypt sensitive information in transit

Guidance: Site-to-site VPN uses IPsec/IKE. The data path protocol is Encapsulating Security Payload (ESP).

Use encryption to protect data in transit against out-of-band attacks like traffic capture. Encryption ensures that attackers can't easily read or modify the data. VPN Gateway supports data encryption in transit with Transport Layer Security (TLS) v1.2 or greater.

This requirement is optional for traffic on private networks, but critical for traffic on external and public networks. For HTTP traffic, make sure any clients that connect to your Azure resources can use TLS v1.2 or greater.

For remote management, use secure shell (SSH) for Linux or remote desktop protocol (RDP) and TLS for Windows. Don't use an unencrypted protocol. Disable weak ciphers and obsolete SSL, TLS, and SSH versions and protocols.

Azure encrypts data in transit between Azure data centers by default.

Responsibility: Customer

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Make sure the security team has visibility into asset risks

Guidance: Make sure to grant security teams Security Reader permissions in your Azure tenant and subscriptions, so they can monitor for security risks by using Microsoft Defender for Cloud.

Monitoring for security risks could be the responsibility of a central security team or a local team, depending on how you structure responsibilities. Always aggregate security insights and risks centrally within an organization.

You can apply Security Reader permissions broadly to an entire tenant's Root Management Group, or scope permissions to specific management groups or subscriptions.

Note: Visibility into workloads and services might require more permissions.

Responsibility: Customer

AM-2: Make sure the security team can access asset inventory and metadata

Guidance: Make sure that security teams have access to a continuously updated inventory of assets on Azure, like VPN Gateway. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements. Create an Azure AD group to contain your organization's authorized security team, and assign it read access to all VPN Gateway resources. You can simplify the process with a single high-level role assignment in your subscription.

Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.

Use Azure Virtual Machine Inventory to automate collecting information about software on virtual machines (VMs). Software Name, Version, Publisher, and Refresh Time are available from the Azure portal. To access install dates and other information, enable guest-level diagnostics and import the Windows Event Logs into a Log Analytics workspace.

Azure VPN doesn't allow running an application or installing software on its resources.

Responsibility: Customer

AM-3: Use only approved Azure services

Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within subscriptions. You can also use Azure Monitor to create rules that trigger alerts when they detect an unapproved service.
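As an added example (not code from the baseline page or from Microsoft), the following Az PowerShell script ties together AM-1, AM-2 and AM-3: it creates the security team group if needed, assigns it Security Reader at the tenant root management group and Reader on the subscription, tags every VPN gateway for inventory, and then runs an Azure Resource Graph query that gives the team a current inventory of gateways across all subscriptions they can see. It assumes the Az.Resources and Az.ResourceGraph modules; the group name and tag values are placeholders.

```powershell
# Added example: security-team visibility, tagging and inventory for VPN gateways.
# Group name and tag values are placeholders; the scopes are derived from the current context.
$ctx         = Get-AzContext
$groupName   = "sg-security-team"                                              # assumed group
$rootMgScope = "/providers/Microsoft.Management/managementGroups/$($ctx.Tenant.Id)"  # tenant root MG
$subScope    = "/subscriptions/$($ctx.Subscription.Id)"

# 1. Security team group (created once; reused afterwards).
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $groupName -MailNickname $groupName
}

# 2. AM-1: Security Reader at the tenant root management group so Defender for Cloud
#    findings for every subscription are visible to the team.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Security Reader" -Scope $rootMgScope | Out-Null

# 3. AM-2: the single high-level read assignment that covers all gateways in the subscription.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Reader" -Scope $subScope | Out-Null

# 4. AM-2: tag each VPN gateway so inventory can be grouped by environment and owner.
$tags = @{ Environment = "Production"; Owner = "network-team@example.com" }   # constructed values
Get-AzResource -ResourceType "Microsoft.Network/virtualNetworkGateways" | ForEach-Object {
    Update-AzTag -ResourceId $_.ResourceId -Tag $tags -Operation Merge | Out-Null
}

# 5. AM-2/AM-3: continuously updated inventory via Azure Resource Graph (all visible subscriptions).
$query = @"
Resources
| where type =~ 'microsoft.network/virtualnetworkgateways'
| extend gatewayType = tostring(properties.gatewayType), sku = tostring(properties.sku.name)
| project name, resourceGroup, subscriptionId, location, gatewayType, sku,
          environment = tostring(tags['Environment']), owner = tostring(tags['Owner'])
| order by name asc
"@
Search-AzGraph -Query $query | Format-Table -AutoSize
```

The Resource Graph query is the piece to wire into whatever the security team uses for tracking; because it reads the resource model rather than a point-in-time export, it reflects gateways created or deleted since the last review without any extra collection step.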

Responsibility: Customer

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: VPN Gateway doesn't provide native capabilities to monitor security threats related to its resources.

Forward VPN Gateway logs to your security information and event management (SIEM) system. You can use your SIEM to set up custom threat detections.

Make sure to monitor different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts, to reduce false positives for analysts to sort through. You can source alerts from log data, agents, or other data.

Responsibility: Customer

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure AD provides the following user logs. You can view the logs in Azure AD reporting. You can integrate with Azure Monitor, Microsoft Sentinel, or other SIEM and monitoring tools for sophisticated monitoring and analytics use cases.

  • Sign-ins - Provides information about managed application usage and user sign-in activities.

  • Audit logs - Provides traceability through logs for all changes made by various Azure AD features. Audit logs include changes made to any resource within Azure AD. Changes include adding or removing users, apps, groups, roles, and policies.

  • Risky sign-ins - An indicator for sign-in attempts by someone who might not be the legitimate owner of a user account.

  • Users flagged for risk - An indicator for a user account that might be compromised.

Microsoft Defender for Cloud can also alert you about certain suspicious activities, like an excessive number of failed authentication attempts. Deprecated accounts in the subscription can also trigger alerts.

In addition to basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can collect more in-depth security alerts from:

  • Individual Azure compute resources like VMs, containers, and app service

  • Data resources like Azure SQL Database and Azure Storage

  • Azure service layers

This capability gives you visibility into account anomalies in individual resources.

Responsibility: Customer

LT-3: Enable logging for Azure network activities

Guidance: Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis. Logs support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and use Traffic Analytics to provide insights.

VPN Gateway logs all network traffic that it processes for customer access. Enable the NSG flow log capability in your deployed VPN gateway.

VPN Gateway doesn't produce or process DNS query logs.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name (Azure portal): Network Watcher should be enabled
Description: Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0

LT-4: Enable logging for Azure resources

Guidance: Activity logs are available automatically. The logs contain all PUT, POST, and DELETE, but not GET, operations for VPN Gateway resources. You can use activity logs to find errors when troubleshooting, or to monitor how users modified resources.

Enable Azure resource logs for VPN Gateway. You can use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting. These logs can be critical for investigating security incidents and for forensic exercises.

Responsibility: Customer

LT-6: Configure log storage retention

Guidance: For storage accounts or Log Analytics workspaces that store VPN Gateway logs, set a log retention period that meets your organization's compliance regulations.
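As an added example (not code from the baseline page or from Microsoft), the following Az PowerShell script covers LT-4 and LT-6 together: it enables the VPN Gateway resource log categories and metrics to a Log Analytics workspace, sets the workspace retention period, and pulls the recent write/delete operations from the activity log so that changes to the gateway can be reviewed. It assumes Az.Monitor 3.x (New-AzDiagnosticSetting and its settings-object cmdlets) and Az.OperationalInsights; resource names and the retention value are placeholders.

```powershell
# Added example: resource logs, retention and activity-log review for a VPN gateway.
# Resource names and the retention period are placeholders.
$rgName        = "rg-hub-example"          # assumed resource group
$gwName        = "vpngw-hub-example"       # assumed VPN gateway
$workspaceName = "law-security-example"    # assumed Log Analytics workspace
$retentionDays = 365                       # assumed value; set to your compliance requirement

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name $workspaceName

# LT-4: VPN Gateway resource log categories (gateway, tunnel, route, IKE and point-to-site events).
$categories = "GatewayDiagnosticLog", "TunnelDiagnosticLog", "RouteDiagnosticLog",
              "IKEDiagnosticLog", "P2SDiagnosticLog"
$logs = foreach ($c in $categories) {
    New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true
}
$metrics = New-AzDiagnosticSettingMetricSettingsObject -Category "AllMetrics" -Enabled $true

New-AzDiagnosticSetting -Name "to-security-workspace" -ResourceId $gw.Id `
    -WorkspaceId $ws.ResourceId -Log $logs -Metric $metrics | Out-Null

# LT-6: retention on the workspace that now holds the gateway logs.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name $workspaceName `
    -RetentionInDays $retentionDays | Out-Null

# LT-4: the activity log records PUT/POST/DELETE (not GET) operations on the gateway.
# List the last 30 days of changes: who made them, what they were and whether they succeeded.
Get-AzActivityLog -ResourceId $gw.Id -StartTime (Get-Date).AddDays(-30) |
    Where-Object { $_.OperationName.Value -match '/(write|delete|action)$' } |
    Select-Object EventTimestamp, Caller,
        @{ n = "Operation"; e = { $_.OperationName.Value } },
        @{ n = "Status";    e = { $_.Status.Value } },
        CorrelationId |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize
```

The IKEDiagnosticLog and TunnelDiagnosticLog categories are the ones an incident responder reaches for first: they show which peers negotiated, with what parameters, and when tunnels went up or down, which the activity log alone does not record.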

Responsibility: Customer

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-1: Establish secure configurations for Azure services

Guidance: Use Azure Blueprints to automate deployment and configuration of services and application environments. A single blueprint definition can include Azure Resource Manager templates, RBAC controls, and policies.

You can configure custom cryptographic policies for VPN Gateway by using the Azure portal, PowerShell, or Azure CLI.

Responsibility: Customer

PV-2: Sustain secure configurations for Azure services

Guidance: You can configure custom IPsec/IKE policies for VPN Gateway by using the Azure portal, PowerShell, or Azure CLI.
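As an added example (not code from the baseline page or from Microsoft), the following Az PowerShell script shows the custom IPsec/IKE policy that PV-1 and PV-2 refer to: it builds a policy with AEAD ciphers and strong DH/PFS groups, applies it to an existing site-to-site connection, and reads back what the connection enforces. The resource names are placeholders and the cipher selection is this example's choice, not a set prescribed by the page.

```powershell
# Added example: apply and verify a custom IPsec/IKE policy on a site-to-site connection.
# Resource names are placeholders; cipher choices are illustrative.
$rgName   = "rg-hub-example"            # assumed resource group
$connName = "cn-onprem-site-to-site"    # assumed VirtualNetworkGatewayConnection name

# IKE (phase 1): AES-256 encryption, SHA-384 integrity, ECP384 key exchange.
# IPsec (phase 2): AES-256-GCM for encryption and integrity, PFS with ECP384.
# DES/3DES, MD5/SHA1, DHGroup1/DHGroup2 and PFS1/PFS2 are still selectable for legacy
# peers but produce a much weaker tunnel; they are deliberately not used here.
$policy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA384 `
    -DhGroup             ECP384 `
    -IpsecEncryption     GCMAES256 `
    -IpsecIntegrity      GCMAES256 `
    -PfsGroup            ECP384 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

$conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgName -Name $connName
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $policy | Out-Null

# Read back. An empty IpsecPolicies list means the connection negotiates with the
# platform default set instead of the policy just applied.
$applied = (Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgName -Name $connName).IpsecPolicies
if (-not $applied) { throw "No custom IPsec policy is applied to $connName" }
$applied | Format-List IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity,
                        PfsGroup, SALifeTimeSeconds, SADataSizeKilobytes
```

The on-premises device must be configured with the same proposal, otherwise IKE negotiation fails and the tunnel does not come up; the read-back step is the quickest way to confirm which parameters the Azure side will insist on when troubleshooting that.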

Responsibility: Customer

PV-3: Establish secure configurations for compute resources

Guidance: Use Microsoft Defender for Cloud and Azure Policy to establish secure configurations on all compute resources, including VMs and containers.

Responsibility: Customer

PV-6: Perform software vulnerability assessments

Guidance: Not applicable. Microsoft performs vulnerability management on the underlying systems that support VPN Gateway.

Responsibility: Microsoft

PV-8: Conduct regular attack simulation

Guidance: Conduct penetration testing or red team activities on your Azure resources as needed, and ensure remediation of all critical security findings.

Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests don't violate Microsoft policies. Use Microsoft's strategy and execution of red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Microsoft

Endpoint Security

For more information, see the Azure Security Benchmark: Endpoint Security.

ES-2: Use centrally managed, modern antimalware software

Guidance: Protect your VPN Gateway or its resources with centrally managed, modern antimalware software.

  • Use a centrally managed endpoint antimalware solution capable of real-time and periodic scanning.

  • Use Antimalware for Azure Cloud Services as the default antimalware solution for Windows VMs.

  • For Linux VMs, use a third-party antimalware solution.

  • Use Microsoft Defender for Cloud threat detection for data services to detect malware uploaded to Azure Storage accounts.

  • Use Microsoft Defender for Cloud to automatically:

    • Identify several popular antimalware solutions for your VMs
    • Report endpoint protection running status
    • Make recommendations

Responsibility: Microsoft

ES-3: Be sure to update antimalware software and signatures

Guidance: Make sure to update antimalware signatures rapidly and consistently.

Follow recommendations in Microsoft Defender for Cloud "Compute & Apps" to ensure all VMs and containers are up to date with the latest signatures.

For Windows, Microsoft Antimalware automatically installs the latest signatures and engine updates by default. For Linux, use a third-party antimalware solution.

Responsibility: Microsoft

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-1: Make sure to run regular automated backups

Guidance: Not applicable. VPN Gateway doesn't support data backup and has no need for data backup.

Responsibility: Microsoft

BR-2: Encrypt backup data

Guidance: VPN Gateway service uses Azure Storage automatic data replication for the system metadata it stores. VPN Gateway also uses Azure Storage encryption-at-rest features.

Responsibility: Microsoft

BR-3: Validate all backups, including customer-managed keys

Guidance: VPN Gateway uses Azure Storage replication features.

Responsibility: Microsoft

BR-4: Mitigate the risk of lost keys

Guidance: Make sure to have measures in place to prevent and recover from key loss. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.

VPN Gateway uses Azure Storage replication features.

Responsibility: Customer

Next steps