Please note: the virtual machines that we create on Azure are reachable through a public IP address, either directly via the virtual machine's own IP address (PIP) or via the load balancer's IP address (VIP).
There will always be malicious hackers who attack these VMs, so it is important to protect Azure virtual machines.
In the case of a Linux virtual machine, I strongly recommend using an SSH key to access the Azure Linux virtual machine, while protecting the key pair, including the private key.
Reference: Windows Azure Virtual Machine (25) Log in to Azure Linux virtual machines using SSH
Here I'll give a brief account of several customer stories and share how these customers protect their virtual machines on Azure.
Company A uses third-party VPN software to protect its Azure virtual machines
-Company A has a NAT device with several fixed public egress IP addresses
-Vendors and project managers who need to reach Company A's virtual machines first connect through the VPN software to Company A's intranet, and from there access the virtual machines on Azure
-Every port on the Azure virtual machines is restricted to the allowed client IP addresses (ASM virtual machines with an ACL, ARM virtual machines with an NSG, Network Security Group). The virtual machines on Azure can be reached only by connecting through the VPN, or from Company A's office site
-Advantage: user access permissions can be set through the VPN software
-Disadvantage: the requirements on the office environment are relatively high; generally only enterprise-class customers have fixed public IP addresses and a NAT device.
-Reference: Windows Azure Virtual Network (10) Setting Client access permissions using the Azure Access Control List (ACL)
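The source-IP restriction described for Company A can be audited offline. The following is an added example, not code from the original article: it scans NSG rules, using the ARM security rule field names, for inbound allow rules that open SSH or RDP to sources other than the office egress IPs. The egress addresses and sample rules are constructed placeholders, and rule priority (a higher-priority deny shadowing an allow) is not evaluated.

```python
import ipaddress

# Assumption: the office NAT device's fixed egress IPs (documentation-range placeholders).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "203.0.113.11/32")]
ALLOWED_TAGS = {"VirtualNetwork"}   # traffic that is already inside the virtual network
MGMT_PORTS = (22, 3389)             # SSH and RDP

def _values(rule, single, plural):
    """NSG rules carry either a single value or a list; merge both forms."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _port_ranges(rule):
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = ("0", "-", "65535") if spec == "*" else spec.partition("-")
        yield int(lo), int(hi or lo)

def _source_ok(src):
    if src in ALLOWED_TAGS:
        return True
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:              # "*", "Internet" and any other service tag
        return False
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_SOURCES)

def exposed_rules(rules):
    """Return (name, management ports, offending sources) for each risky inbound allow rule."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        ranges = list(_port_ranges(rule))
        ports = [p for p in MGMT_PORTS if any(lo <= p <= hi for lo, hi in ranges)]
        bad = [s for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes") if not _source_ok(s)]
        if ports and bad:
            findings.append((rule["name"], ports, bad))
    return findings

# Constructed sample rules (not from a real subscription).
SAMPLE_RULES = [
    dict(name="ssh-from-office", direction="Inbound", access="Allow", sourceAddressPrefixes=["203.0.113.10", "203.0.113.11"], destinationPortRange="22"),
    dict(name="rdp-from-anywhere", direction="Inbound", access="Allow", sourceAddressPrefix="*", destinationPortRange="3389"),
    dict(name="wide-range", direction="Inbound", access="Allow", sourceAddressPrefix="198.51.100.0/24", destinationPortRanges=["20-25", "443"]),
    dict(name="vnet-in", direction="Inbound", access="Allow", sourceAddressPrefix="VirtualNetwork", destinationPortRange="*"),
]

if __name__ == "__main__":
    print(exposed_rules(SAMPLE_RULES))
```

The "wide-range" rule is flagged because the port range 20-25 silently includes SSH, a case that is easy to miss when reviewing rules by eye.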
Company B protects its Azure virtual machines with a Point-to-Site VPN.
-Company B creates a VPN gateway when it creates a new Azure virtual network
-Vendors and project managers access the virtual machines on Azure by installing the Azure VPN software on a local Windows Server R2 and Windows 7 (or later operating system) machine
-Advantage: an Azure virtual machine has 2 IP addresses, a public IP address (PIP, VIP) and an intranet IP address (Dynamic IP, DIP).
With a Point-to-Site VPN, you can manage the Azure virtual machine directly through its intranet IP address (DIP), so the virtual machine on Azure does not expose any publicly accessible port
-Cons: creating an Azure VPN gateway incurs some cost. In addition, the Azure VPN software supports only Windows clients; Mac and Linux are not supported for the time being.
Company C protects its Azure virtual machines by means of a jump server (bastion host)
There is plenty of documentation about bastion hosts, so I won't elaborate here.
In addition to the access methods above, we also need to pay attention to the following points:
1. One account per user; do not use shared accounts
2. User access logging must be turned on
3. Linux VMs must be accessed via SSH key
4. Protect virtual machines with the Azure Backup service, and roll back from a backup when a problem occurs
Reference: Azure Backup (3) Use Azure Recovery Services to back up Azure virtual machines
5. For databases, data encryption (symmetric encryption, asymmetric encryption, transparent data encryption, etc.) is recommended to protect the database services
Windows Azure Virtual Machine (34) Protecting Azure VMs