Implement advanced security for compute resources, storage accounts, and Azure SQL databases.
Covers planning and implementing advanced security for compute including Azure Bastion, JIT VM access, AKS network isolation and authentication, container security monitoring, Azure Container Registry access, disk encryption options, and API Management security. Includes storage security such as access control, storage account keys, Azure Files and Blob access, data protection (soft delete, versioning, immutable storage), BYOK, and infrastructure encryption. Also covers Azure SQL Database and SQL Managed Instance security including Entra authentication, auditing, dynamic data masking, TDE, and Always Encrypted.
5 minutes
5 Questions
Secure compute, storage, and databases are fundamental pillars of Azure security that protect your cloud infrastructure and data assets.
**Secure Compute** involves protecting virtual machines, containers, and serverless functions. Key practices include implementing Azure Defender for servers, enabling just-in-time VM access to reduce attack surface, applying security baselines, and using Azure Confidential Computing for sensitive workloads. Regular patching through Azure Update Management and implementing endpoint protection are essential. For containers, use Azure Container Registry with vulnerability scanning and Azure Kubernetes Service (AKS) with pod security policies.
**Secure Storage** focuses on protecting data at rest and in transit. Azure Storage offers multiple security layers including storage account firewalls, virtual network service endpoints, and private endpoints for network isolation. Encryption is enabled by default using Microsoft-managed keys, but you can implement customer-managed keys via Azure Key Vault for enhanced control. Enable soft delete and versioning for blob storage to protect against accidental deletion. Shared Access Signatures (SAS) provide granular, time-limited access. Azure Defender for Storage detects unusual access patterns and potential threats.
**Secure Databases** encompasses protecting Azure SQL Database, Cosmos DB, and other database services. Implement Transparent Data Encryption (TDE) to encrypt data at rest. Enable Advanced Threat Protection to detect anomalous activities and SQL injection attempts. Use Azure Active Directory authentication instead of SQL authentication when possible. Implement dynamic data masking to protect sensitive columns and row-level security for fine-grained access control. Enable auditing to track database activities and configure firewall rules to restrict network access.
**Cross-cutting concerns** include implementing Azure Policy for compliance enforcement, using Azure Security Center recommendations, enabling diagnostic logging, and applying the principle of least privilege through role-based access control (RBAC) across all resources.