

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time.

## Network Security

### Establish network segmentation boundaries

| Name | Description | Effect(s) |
|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet-facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). | |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at | |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | |

### Secure cloud services with network controls

| Name | Description | Effect(s) |
|---|---|---|
| [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense-in-depth protection against data exfiltration. | |
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your App Configuration instances instead of the entire service, you'll also be protected against data leakage risks. | |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | |
| Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. | |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. | |
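The check behind "All network ports should be restricted on network security groups associated to your virtual machine" (inbound Allow rules whose source is 'Any' or 'Internet') can be reproduced offline against an exported NSG. The following is an added example, not code from the Microsoft page or from Azure Policy; the NSG JSON is constructed here and the rule shapes follow the ARM `securityRules` layout.

```python
import json

# Constructed sample NSG in the shape of an exported ARM template (not from the page).
SAMPLE_NSG = json.loads("""
{
  "name": "nsg-web-01",
  "properties": {
    "securityRules": [
      {"name": "allow-rdp-any", "properties": {"direction": "Inbound", "access": "Allow", "priority": 100,
        "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
      {"name": "allow-all-internet", "properties": {"direction": "Inbound", "access": "Allow", "priority": 110,
        "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}},
      {"name": "allow-https-corp", "properties": {"direction": "Inbound", "access": "Allow", "priority": 120,
        "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443"}},
      {"name": "deny-ssh-any", "properties": {"direction": "Inbound", "access": "Deny", "priority": 130,
        "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
      {"name": "allow-out-any", "properties": {"direction": "Outbound", "access": "Allow", "priority": 100,
        "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}}
    ]
  }
}
""")

# Source prefixes that mean "from anywhere": '*' (Any), the Internet service tag, 0.0.0.0/0.
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}

def rule_sources(props):
    # A rule carries either a single prefix or a list of prefixes; normalise both into one list.
    single = props.get("sourceAddressPrefix")
    multi = props.get("sourceAddressPrefixes") or []
    return [p for p in [single, *multi] if p]

def permissive_inbound_rules(nsg):
    """Return names of inbound Allow rules reachable from Any/Internet, lowest priority number first."""
    findings = []
    for rule in nsg["properties"]["securityRules"]:
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue  # outbound and Deny rules are not what this policy flags
        if any(src.lower() in OPEN_SOURCES for src in rule_sources(p)):
            findings.append((p.get("priority", 0), rule["name"]))
    return [name for _, name in sorted(findings)]

if __name__ == "__main__":
    for name in permissive_inbound_rules(SAMPLE_NSG):
        print(f"{SAMPLE_NSG['name']}: inbound rule {name!r} allows traffic from Any/Internet")
```

The function reports only Allow rules and does not model a higher-priority Deny rule that could shadow them, so treat its output as candidates for review rather than a verdict on reachability.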
