Note
Upcoming Livestream Join the Azure FastTrack team as they discuss this article. 23 October, 2024 | 10:00 AM - 11:00 AM (UTC-07:00) Pacific Time (US & Canada). Register here.
Summary: To apply Zero Trust principles to Azure IaaS components and infrastructure, you must first understand the common reference architecture and the components of Azure storage, virtual machines, and spoke and hub virtual networks.
This series of articles helps you apply the principles of Zero Trust to your workloads in Microsoft Azure IaaS, using a multi-disciplinary approach. Zero Trust is a security strategy. It isn't a product or a service, but an approach to designing and implementing the following set of security principles:
Implementing the Zero Trust mindset to "assume breach, never trust, always verify" requires changes to cloud infrastructure, deployment strategy, and implementation.
This initial series of five articles (including this introduction) shows you how to apply a Zero Trust approach to a common IT business scenario based on infrastructure services. The work is broken into units that can be configured together as follows:
For more information, see Apply Zero Trust principles to Azure Virtual Desktop.
Note
Additional articles will be added to this series in the future, including how organizations can apply a Zero Trust approach to applications, networking, data, and DevOps services based on real IT business environments.
Important
This Zero Trust guidance describes how to use and configure several security solutions and features available on Azure for a reference architecture. Several other resources also provide security guidance for these solutions and features, including:
To describe how to apply a Zero Trust approach, this guidance targets a common pattern used in production by many organizations: a virtual-machine-based application hosted in a VNet (an IaaS application). This is a common pattern for organizations migrating on-premises applications to Azure, sometimes referred to as "lift-and-shift." The reference architecture includes all components necessary to support this application, including storage services and a hub VNet.
The reference architecture reflects a common deployment pattern in production environments. It isn't based on the enterprise-scale landing zones recommended in the Cloud Adoption Framework (CAF), although many of the best practices in CAF are included in the reference architecture, such as using a dedicated VNet to host components that broker access to the application (hub VNet).
If you're interested in learning about the guidance recommended in the Cloud Adoption Framework Azure landing zones, see these resources:
The following figure shows the reference architecture for this Zero Trust guidance.
This architecture contains:
This series of articles walks through the recommendations for implementing Zero Trust for the reference architecture by addressing each of these larger pieces hosted in Azure, as shown here.
The diagram outlines the larger areas of the architecture that are addressed by each article in this series:
It’s important to note that the guidance in this series of articles is more specific for this type of architecture than the guidance provided in the Cloud Adoption Framework and Azure landing zone architectures. If you applied the guidance in either of these resources, be sure to also review this series of articles for additional recommendations.
The reference architecture diagram provides a topological view of the environment. It’s also valuable to see logically how each of the components can be organized within the Azure environment. The following diagram provides a way to organize your subscriptions and resource groups. Your Azure subscriptions might be organized differently.
In this diagram, the Azure infrastructure is contained within a Microsoft Entra ID tenant. The following table describes the different sections shown in the diagram.
Azure subscriptions
You can distribute the resources across more than one subscription, where each subscription may hold a different role, such as a network subscription or a security subscription. This is described in the Cloud Adoption Framework and Azure Landing Zone documentation previously referenced. Different subscriptions may also hold different environments, such as production, development, and test environments. It depends on how you want to separate your environment and the number of resources you'll have in each. One or more subscriptions can be managed together using a Management Group. This gives you the ability to apply permissions with role-based access control (RBAC) and Azure Policy to a group of subscriptions instead of setting up each subscription individually.
Microsoft Defender for Cloud and Azure Monitor
For each Azure subscription, a set of Azure Monitor solutions and Defender for Cloud is available. If you manage these subscriptions through a Management Group, you can consolidate all the functionality of Azure Monitor and Defender for Cloud in a single portal. For example, Secure Score, provided by Defender for Cloud, is consolidated for all your subscriptions when a Management Group is used as the scope.
Storage resource group (1)
The storage account is contained in a dedicated resource group. You can isolate each storage account in a different resource group for more granular permission control. Azure storage services are contained within a dedicated storage account. You can have one storage account for each type of storage workload, for example object storage (also called Blob storage) and Azure Files. This provides more granular access control and can improve performance.
Virtual machines resource group (2)
Virtual machines are contained in one resource group. You can also have each virtual machine type for workload tiers such as front end, application, and data in different resource groups to further isolate access control.
Spoke (3) and hub (4) VNet resource groups in separate subscriptions
The network and other resources for each of the VNets in the reference architecture are isolated within dedicated resource groups for the spoke and hub VNets. This organization works well when responsibility for these resources lies with different teams. Another option is to organize these components by putting all network resources in one resource group and security resources in another. It depends on how your organization is set up to manage these resources.
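The two organizational points above (RBAC and Azure Policy assigned once at a Management Group and inherited by every subscription under it, and resource groups scoped to storage, virtual machines, spoke VNet and hub VNet) can be checked with a small scope-inheritance model. This is an added example, not code from the Microsoft article; the management group, subscription, resource group and assignment names are constructed to mirror the diagram described in the text.

```python
"""Scope inheritance across management group -> subscription -> resource group.

Added example (not from the Microsoft article). Scope names are constructed to
mirror the layout in the text: storage RG (1) and VM RG (2) in one workload
subscription, spoke RG (3) and hub RG (4) in separate network subscriptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

MG_ROOT = "/providers/Microsoft.Management/managementGroups/TENANT-ROOT-GROUP"
MG_IAAS = "/providers/Microsoft.Management/managementGroups/mg-iaas"
SUB_WORKLOAD = "/subscriptions/sub-workload"
SUB_SPOKE = "/subscriptions/sub-spoke"
SUB_HUB = "/subscriptions/sub-hub"
SUB_SANDBOX = "/subscriptions/sub-sandbox"  # deliberately outside mg-iaas
RG_STORAGE = SUB_WORKLOAD + "/resourceGroups/rg-storage-1"
RG_VMS = SUB_WORKLOAD + "/resourceGroups/rg-vms-2"
RG_SPOKE = SUB_SPOKE + "/resourceGroups/rg-spoke-vnet-3"
RG_HUB = SUB_HUB + "/resourceGroups/rg-hub-vnet-4"

# child scope -> parent scope. A subscription's resource ID does not embed its
# management group, so the hierarchy has to be stated explicitly.
PARENT: Dict[str, Optional[str]] = {
    MG_ROOT: None, MG_IAAS: MG_ROOT, SUB_WORKLOAD: MG_IAAS, SUB_SPOKE: MG_IAAS,
    SUB_HUB: MG_IAAS, SUB_SANDBOX: MG_ROOT, RG_STORAGE: SUB_WORKLOAD,
    RG_VMS: SUB_WORKLOAD, RG_SPOKE: SUB_SPOKE, RG_HUB: SUB_HUB,
}

@dataclass(frozen=True)
class Assignment:
    kind: str   # "rbac" or "policy"
    name: str
    scope: str

# Constructed assignments: two made once at the management group, one at an RG.
ASSIGNMENTS: List[Assignment] = [
    Assignment("rbac", "Reader", MG_IAAS),
    Assignment("policy", "deny-public-ip", MG_IAAS),
    Assignment("rbac", "Storage Blob Data Contributor", RG_STORAGE),
]

def ancestors(scope: str) -> Iterator[str]:
    """Yield the scope itself, then each parent up to the tenant root group."""
    current: Optional[str] = scope
    while current is not None:
        yield current
        current = PARENT[current]  # KeyError for a scope not in the model

def applies(assignment_scope: str, target_scope: str) -> bool:
    """An RBAC or Policy assignment applies to its scope and every descendant."""
    return assignment_scope in ancestors(target_scope)

def effective_assignments(target_scope: str) -> List[Assignment]:
    """Every assignment the target inherits, in declaration order."""
    return [a for a in ASSIGNMENTS if applies(a.scope, target_scope)]
```

Assigning at `mg-iaas` reaches the hub VNet resource group in its own subscription, while the sandbox subscription parented directly to the tenant root group inherits nothing from it.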
Microsoft Defender for Cloud is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your environment. Defender for Cloud is intended to be used together with Microsoft Defender XDR to provide a greater breadth of correlated protection of your environment, as shown in the following diagram.
In the diagram:
For more information about configuring management groups and enabling Defender for Cloud, see:
Zero Trust involves applying multiple disciplines of security and information protection together. In this series of articles, this multi-discipline approach is applied to each of the units of work for infrastructure components as follows:
Apply Zero Trust principles to Azure storage
Apply Zero Trust principles to virtual machines in Azure
Apply Zero Trust principles to a spoke VNet in Azure
Apply Zero Trust principles to a hub VNet in Azure
These illustrations are replicas of the reference illustrations in these articles. Download and customize these for your own organization and customers. Replace the Contoso logo with your own.
Item | Description
---|---
Download Visio (updated October 2024) | Apply Zero Trust principles to Azure IaaS. Use these illustrations with these articles: Overview, Azure storage, Virtual machines, Azure spoke virtual networks, Azure hub virtual networks.
Download Visio (updated October 2024) | Apply Zero Trust principles to Azure IaaS — One page poster. A one-page overview of the process for applying the principles of Zero Trust to Azure IaaS environments.
For additional technical illustrations, see Zero Trust illustrations for IT architects and implementers.
The following are the recommended training modules for Zero Trust.

Training | Description
---|---
Describe Azure management and governance | The Microsoft Azure Fundamentals training is composed of three learning paths: Microsoft Azure Fundamentals: Describe cloud concepts, Describe Azure architecture and services, and Describe Azure management and governance. Microsoft Azure Fundamentals: Describe Azure management and governance is the third learning path in Microsoft Azure Fundamentals. This learning path explores the management and governance resources available to help you manage your cloud and on-premises resources. This learning path helps prepare you for Exam AZ-900: Microsoft Azure Fundamentals.
Configure Azure Policy | Learn how to configure Azure Policy to implement compliance requirements. In this module, you learn how to:
Manage security operations | Once you have deployed and secured your Azure environment, learn to monitor, operate, and continuously improve the security of your solutions. This learning path helps prepare you for Exam AZ-500: Microsoft Azure Security Technologies.
Configure Storage security | Learn how to configure common Azure Storage security features like storage access signatures. In this module, you learn how to:
Configure Azure Firewall | You will learn how to configure Azure Firewall, including firewall rules. After completing this module, you will be able to:
For more training on security in Azure, see these resources in the Microsoft catalog:
Security in Azure | Microsoft Learn
See these additional articles for applying Zero Trust principles to Azure:
See these additional articles for applying Zero Trust principles to Azure networking:
Refer to the following links to learn about the various services and technologies mentioned in this article.