Observability with Azure Monitor
When you run critical applications in your environment, you want to monitor those resources for performance and availability. Azure offers a full-stack monitoring service that lets you quickly identify issues, bottlenecks, and areas for improvement.
Azure Monitor is responsible for collecting, analyzing, and responding to telemetry data from your cloud and on-premises environments.
Key Features
- Monitor and visualize metrics: numerical values collected from existing resources, for example VM CPU usage over time.
- Query and analyze logs: Azure Monitor Logs holds activity logs, diagnostic logs, and telemetry, all of which can be queried with KQL (Kusto Query Language).
- Set up alerts and actions: alerts fire on a metric or a log query, for example sending an email when CPU utilization is over 90%.
Azure Monitor holds the logs and metrics in the Data Store, and provides additional tools such as:
Insights: Application Insights is available in many Azure services. It monitors application performance and gathers trace logging data, and it can be accessed through the Azure Application Insights extension.
Visualize: Many options are available to interpret and analyze logs and metrics. Power BI can be used with Azure Workbooks to generate dashboards.
Analyze: You can query the logs (Log Analytics) using KQL, or use Azure Monitor Metrics.
Respond: You can set up alerts that send notifications when logs or metrics match the defined query or criteria.
Integrate: Logs can be exported to external applications. For example, you can send them to an Event Hub and have a third-party SIEM (Security Information and Event Management software) ingest and analyze them.
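The following Bicep template is an added example, not code from the original article, that wires together the pieces described above for one existing VM: its platform metrics are exported both to a Log Analytics workspace (where they can be queried with KQL) and to an Event Hub that a third-party SIEM reads, and a metric alert e-mails an operator when average CPU stays above 90% for five minutes. The VM name, the Event Hub namespace and hub, the workspace name and the recipient address are all assumptions.

```bicep
// Added example (not from the original article): export + alert for one existing VM.
// vmName, eventHubNamespaceName, eventHubName and alertEmail are assumed values.
param location string = resourceGroup().location
param vmName string                  // existing VM in this resource group (assumed)
param eventHubNamespaceName string   // existing Event Hub namespace (assumed)
param eventHubName string = 'siem-export'
param alertEmail string

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' existing = {
  name: vmName
}

// Data store for logs and metrics; this is what Log Analytics queries with KQL
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'law-monitoring'
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 90
  }
}

// Integrate: the same metrics stream goes to Log Analytics and to the Event Hub.
// RootManageSharedAccessKey is the default authorization rule of every namespace.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'vm-to-law-and-siem'
  scope: vm
  properties: {
    workspaceId: workspace.id
    eventHubAuthorizationRuleId: resourceId('Microsoft.EventHub/namespaces/authorizationRules', eventHubNamespaceName, 'RootManageSharedAccessKey')
    eventHubName: eventHubName
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

// Respond: the people (or automation) notified when an alert fires
resource actionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-ops-email'
  location: 'Global'
  properties: {
    groupShortName: 'opsmail'
    enabled: true
    emailReceivers: [
      {
        name: 'ops'
        emailAddress: alertEmail
        useCommonAlertSchema: true
      }
    ]
  }
}

// Metric alert: average "Percentage CPU" over a 5-minute window above 90, evaluated every minute
resource cpuAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'alert-${vmName}-cpu-over-90'
  location: 'global'
  properties: {
    description: 'CPU above 90% for 5 minutes'
    severity: 2
    enabled: true
    scopes: [ vm.id ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          name: 'HighCpu'
          metricNamespace: 'Microsoft.Compute/virtualMachines'
          metricName: 'Percentage CPU'
          operator: 'GreaterThan'
          threshold: 90
          timeAggregation: 'Average'
          criterionType: 'StaticThresholdCriterion'
        }
      ]
    }
    actions: [
      { actionGroupId: actionGroup.id }
    ]
  }
}
```

Deploy it into the VM's resource group with `az deployment group create --resource-group <rg> --template-file monitor.bicep --parameters vmName=<vm> eventHubNamespaceName=<ns> alertEmail=<address>`. Once metrics land in the workspace, the same condition the alert evaluates can be checked interactively in Log Analytics with a KQL query such as `AzureMetrics | where MetricName == "Percentage CPU" | summarize avg(Average) by bin(TimeGenerated, 5m)`.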
Azure Security Tips
1. Encrypt Data at Rest and in-flight
If an attacker gets access to your database, let's say Azure SQL, you can still protect your data with Transparent Data Encryption (TDE), which is enabled by default. Azure manages the encryption keys by default, but you can also use your own encryption key stored in Azure Key Vault. For data in transit, take an Azure Storage Account as an example: there you enable the option "Secure transfer required" to force the use of TLS.
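As an added example (not code from the original article), the Bicep below shows both settings side by side: a storage account that refuses plain HTTP and pins TLS 1.2, and an Azure SQL database with TDE explicitly enabled and, optionally, a customer-managed protector key held in Key Vault. The logical server, the vault, the key name and its version are assumed to exist already; the server's managed identity must have get, wrapKey and unwrapKey permissions on that key, which is not shown here.

```bicep
// Added example (not from the original article). sqlServerName, keyVaultName,
// tdeKeyName and tdeKeyVersion are assumed to exist before deployment.
param location string = resourceGroup().location
param sqlServerName string   // existing logical SQL server (assumed)
param keyVaultName string    // existing Key Vault holding the TDE key (assumed)
param tdeKeyName string      // RSA key already created in the vault (assumed)
param tdeKeyVersion string

// Data in transit: "Secure transfer required" is supportsHttpsTrafficOnly.
// Setting it to false would let clients read and write blobs over unencrypted HTTP.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'st${uniqueString(resourceGroup().id)}'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}

resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
  name: sqlServerName
}

resource db 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
  parent: sqlServer
  name: 'appdb'
  location: location
  sku: { name: 'Basic' }
}

// Data at rest: TDE is on by default for new databases; pinning it here makes
// the intent explicit and lets a reviewer spot anyone flipping it to 'Disabled'.
resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2022-05-01-preview' = {
  parent: db
  name: 'current'
  properties: { state: 'Enabled' }
}

// Optional: bring your own key. The server key name must follow vault_key_version.
resource serverKey 'Microsoft.Sql/servers/keys@2022-05-01-preview' = {
  parent: sqlServer
  name: '${keyVaultName}_${tdeKeyName}_${tdeKeyVersion}'
  properties: {
    serverKeyType: 'AzureKeyVault'
    uri: 'https://${keyVaultName}.vault.azure.net/keys/${tdeKeyName}/${tdeKeyVersion}'
  }
}

// Make that Key Vault key the TDE protector instead of the service-managed key
resource protector 'Microsoft.Sql/servers/encryptionProtector@2022-05-01-preview' = {
  parent: sqlServer
  name: 'current'
  properties: {
    serverKeyType: 'AzureKeyVault'
    serverKeyName: serverKey.name
    autoRotationEnabled: true
  }
}
```

If the Key Vault part is not wanted, delete the last two resources and the three key parameters; TDE then stays on with the service-managed key, which is the default the text describes.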
2. Restrict Access to your database
You only want the people and services you explicitly allow to reach your database.
For that you can configure the Azure Firewall to block IPs that are not allowed to access it. This works well for development and testing, when you don't have the database behind a Private Endpoint.
For the production environment you should set up a Private Endpoint to bring the database into your VNet and disable public access.
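The template below is an added example (not code from the original article) that captures both postures in one file. With `isProduction` false it keeps public access on and allows a single client address through the server-level firewall rule; with `isProduction` true it disables public network access entirely and reaches the server only through a private endpoint in an existing VNet, with a private DNS zone so in-VNet clients resolve the server name to the private IP. The VNet, the subnet, the admin credentials and the client address are assumptions.

```bicep
// Added example (not from the original article). vnetName, subnetName and
// devClientIp are assumed values; 203.0.113.10 is a documentation address.
param location string = resourceGroup().location
param isProduction bool = true
param vnetName string       // existing VNet (assumed)
param subnetName string     // subnet for the private endpoint (assumed)
param adminLogin string
@secure()
param adminPassword string
param devClientIp string = '203.0.113.10'

resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: 'sql-app-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    minimalTlsVersion: '1.2'
    // Production: no public endpoint at all. Dev/test: public endpoint + firewall rule.
    publicNetworkAccess: isProduction ? 'Disabled' : 'Enabled'
  }
}

// Dev/test only: exactly one client address. A rule of 0.0.0.0-255.255.255.255
// would be "allow everyone" and defeats the purpose of the firewall.
resource devRule 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = if (!isProduction) {
  parent: sqlServer
  name: 'dev-workstation'
  properties: {
    startIpAddress: devClientIp
    endIpAddress: devClientIp
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}

// Private endpoint: a NIC in your subnet that fronts the SQL server
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-${sqlServer.name}'
  location: location
  properties: {
    subnet: {
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, subnetName)
    }
    privateLinkServiceConnections: [
      {
        name: 'sql'
        properties: {
          privateLinkServiceId: sqlServer.id
          groupIds: [ 'sqlServer' ]
        }
      }
    ]
  }
}

// privatelink.database.windows.net: in-VNet clients resolve the server to the private IP
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink${environment().suffixes.sqlServerHostname}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'sql'
        properties: { privateDnsZoneId: dnsZone.id }
      }
    ]
  }
}
```

A quick check after a production deployment: from a machine outside the VNet, `nslookup <server>.database.windows.net` should still return a public address but connections on port 1433 must be refused, while from inside the VNet the same name resolves to the 10.x private endpoint address.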
3. Restrict Access to your VMs
Usually, the RDP or SSH port is opened to connect to VMs, but exposing those ports creates security vulnerabilities.
Instead of opening these ports you can use Azure Bastion to connect to your VMs; with Azure Bastion the VM does not need a public IP.
Another option is to use Microsoft Defender for Cloud's just-in-time (JIT) access to protect your Azure virtual machines (VMs) from unauthorized network access.
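As an added example (not code from the original article), here is the network layout the Bastion approach implies, expressed in Bicep: a network security group that denies RDP and SSH from the Internet and allows them only from inside the VNet, a VNet with the mandatory `AzureBastionSubnet`, and a Bastion host that owns the only public IP in the design. The address ranges and names are assumptions; JIT access is a Defender for Cloud setting and is not part of this template.

```bicep
// Added example (not from the original article). Address ranges and names are assumed.
param location string = resourceGroup().location
param vnetName string = 'vnet-app'

// The weak "before" this replaces is a single inbound rule with access 'Allow',
// sourceAddressPrefix 'Internet' and destinationPortRanges ['22', '3389'].
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-app-vms'
  location: location
  properties: {
    securityRules: [
      {
        // Management traffic only from inside the VNet, where the Bastion subnet lives
        name: 'allow-rdp-ssh-from-vnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
      {
        // Explicit deny from the Internet, evaluated after the allow above
        name: 'deny-rdp-ssh-from-internet'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'   // VMs go here, without public IPs
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: { id: nsg.id }
        }
      }
      {
        name: 'AzureBastionSubnet'   // this exact name is required; at least a /26
        properties: { addressPrefix: '10.0.255.0/26' }
      }
    ]
  }
}

// The only public IP in this design belongs to Bastion, not to any VM
resource bastionIp 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-04-01' = {
  name: 'bas-app'
  location: location
  sku: { name: 'Basic' }
  properties: {
    ipConfigurations: [
      {
        name: 'ipconf'
        properties: {
          subnet: { id: '${vnet.id}/subnets/AzureBastionSubnet' }
          publicIPAddress: { id: bastionIp.id }
        }
      }
    ]
  }
}
```

Users then open an RDP or SSH session from the portal (or `az network bastion ssh` / `az network bastion rdp`) and Bastion relays it to the VM's private address over TLS, so nothing on port 22 or 3389 is ever reachable from the Internet.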
4. Protect your application Secrets
Protect your secrets with Azure Key Vault, where you can store secrets, keys and certificates.
You can connect to Azure Key Vault securely using Managed Identities.
Use RBAC to give the application identity the right permissions, and remember the principle of least privilege: grant only the minimum permissions required to do the work.
Another good practice is to create a private endpoint, as mentioned above for Azure SQL.
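The Bicep below is an added example (not code from the original article) of the combination just described: a user-assigned managed identity for the application, a Key Vault that uses RBAC rather than legacy access policies, and a role assignment that gives that identity the built-in Key Vault Secrets User role (read secrets only) on the vault and nothing else. Public network access is disabled on the vault; the private endpoint itself is built exactly as in the Azure SQL tip and is not repeated here. The application name and the secret value are assumptions.

```bicep
// Added example (not from the original article). appName and the secret value are assumed.
param location string = resourceGroup().location
param appName string = 'orders-api'
@secure()
param dbConnectionString string

// Identity the application runs as: no password or client secret to leak
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-${appName}'
  location: location
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true   // false would fall back to vault access policies
    enableSoftDelete: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled' // reach it through a private endpoint, as for Azure SQL
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

// Built-in "Key Vault Secrets User" role: read secret contents, nothing more.
// (Secrets Officer, Contributor or Owner would be more than the app needs.)
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource appCanReadSecrets 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, appIdentity.id, secretsUserRoleId)
  scope: kv   // scoped to this one vault, not the resource group or subscription
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// The secret lives in the vault; the app fetches it at runtime with its identity
resource dbConnString 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: 'db-connection-string'
  properties: { value: dbConnectionString }
}

output appIdentityId string = appIdentity.id
output secretUri string = dbConnString.properties.secretUri
```

Attach `appIdentityId` to the compute that hosts the application (App Service, container, VM) and have the code read `secretUri` through the managed identity; if the identity is later compromised, the blast radius is limited to reading secrets in this one vault.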
5. Use a separate subscription for Production
It is good practice to isolate the production environment from the development and test environments.
With this approach you can apply different policies and permissions (RBAC) to each environment.
Use RBAC to control which people have access to which resources.
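As an added example (not code from the original article), this subscription-scoped Bicep file applies guardrails that exist only in the production subscription: a read-only role assignment for the production operators group and an Azure Policy assignment restricting deployments to the regions you allow. The group object ID and the region list are assumptions; the role and policy definition IDs are the built-in Reader role and the built-in "Allowed locations" policy.

```bicep
// Added example (not from the original article). Deploy at subscription scope
// into the production subscription only; prodOperatorsGroupId is assumed.
targetScope = 'subscription'

param prodOperatorsGroupId string               // Entra ID group object ID (assumed)
param allowedLocations array = [ 'westeurope', 'northeurope' ]

// Built-in definitions: Reader role and the "Allowed locations" policy
var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
var allowedLocationsPolicyId = 'e56962a6-4747-49cd-b67b-bf8b01975c4c'

// Operators can inspect production but not change it; changes go through pipelines
resource prodReaders 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, prodOperatorsGroupId, readerRoleId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', readerRoleId)
    principalId: prodOperatorsGroupId
    principalType: 'Group'
  }
}

// Policy scoped to this subscription: deployments outside the listed regions are denied
resource locationPolicy 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'prod-allowed-locations'
  properties: {
    displayName: 'Production: allowed locations'
    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', allowedLocationsPolicyId)
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
    enforcementMode: 'Default'
  }
}
```

Deploy it with `az deployment sub create --location westeurope --template-file prod-guardrails.bicep --parameters prodOperatorsGroupId=<group-object-id>` while signed in to the production subscription; the development and test subscriptions get their own, looser file, which is the whole point of keeping them separate.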
6. Implement Web Application Firewall (WAF)
Azure Front Door or Application Gateway can protect you against attacks: these resources detect and block attacks such as SQL injection.
They ship with many pre-set policies to protect your environment.
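The Bicep below is an added example (not code from the original article) of such a pre-set policy for Application Gateway: the OWASP Core Rule Set managed rules in Prevention mode, which is what actually blocks a request that matches the SQL injection rules, plus one exclusion of the kind you add when a legitimate header triggers false positives. The policy name and the excluded header name are assumptions.

```bicep
// Added example (not from the original article). Policy and header names are assumed.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-04-01' = {
  name: 'waf-app-prod'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      // 'Detection' only logs matches; 'Prevention' blocks them. Start in Detection
      // while tuning, then switch to Prevention before go-live.
      mode: 'Prevention'
      requestBodyCheck: true        // inspect POST bodies, not just URL and headers
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          // Pre-set rules covering SQL injection, XSS, RCE, protocol violations, ...
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
      exclusions: [
        {
          // Example tuning: skip inspection of one trusted header that carries
          // opaque tokens which otherwise trip the injection rules
          matchVariable: 'RequestHeaderNames'
          selectorMatchOperator: 'Equals'
          selector: 'x-session-token'
        }
      ]
    }
  }
}

output wafPolicyId string = wafPolicy.id
```

Reference `wafPolicyId` from the gateway's `firewallPolicy` property (the gateway must use the `WAF_v2` SKU). Blocked requests show up in the `ApplicationGatewayFirewallLog` category of the gateway's diagnostic settings, which is where you look when tuning exclusions.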
7. Use Azure Security Center
This tool provides a dashboard with meaningful information about your security posture, such as detected vulnerabilities and how to remediate them.