title | description | author | ms.service | ms.topic | ms.date | ms.author | ms.custom |
---|---|---|---|---|---|---|---|
Azure security baseline for Azure Load Balancer | The Azure Load Balancer security baseline provides procedural guidance and resources for implementing the security recommendations specified in the Azure Security Benchmark. | msmbaldwin | load-balancer | conceptual | 09/28/2020 | mbaldwin | subject-security-benchmark |
The Azure Security Baseline for Microsoft Azure Load Balancer contains recommendations that will help you improve the security posture of your deployment. The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance. For more information, see Azure Security Baselines overview.
For more information, see the Azure Security Benchmark: Network security.
Guidance: Use internal Azure Load Balancers to only allow traffic to backend resources from within certain virtual networks or peered virtual networks without exposure to the internet. Implement an external Load Balancer with Source Network Address Translation (SNAT) to masquerade the IP addresses of backend resources for protection from direct internet exposure.
Azure offers two types of Load Balancer offerings, Standard and Basic. Use the Standard Load Balancer for all production workloads. Implement network security groups and only allow access to your application's trusted ports and IP address ranges. In cases where there is no network security group assigned to the backend subnet or NIC of the backend virtual machines, traffic will not be allowed to these resources from the load balancer. With Standard Load Balancers, provide outbound rules to define outbound NAT with a network security group. Review these outbound rules to tune the behavior of your outbound connections.
Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is only used for testing since the basic type is open to connections from the internet by default, and doesn't require network security groups for operation.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: The Load Balancer is a pass-through service: it relies on the network security group rules applied to backend resources and on the configured outbound rules to control internet access.
Review the outbound rules configured for your Standard Load Balancer through the Outbound Rules blade of your Load Balancer and the Load Balancing Rules blade, where you may have implicit outbound rules enabled.
Monitor the count of your outbound connections to track how often your resources are reaching out to the internet.
Use Security Center and follow the network protection recommendations to help secure your Azure network resources.
Follow security recommendations for your backend resources and enable network security group flow logs and send the logs to an Azure Storage account for auditing.
Also send the flow logs to a Log Analytics workspace and then use Traffic Analytics to provide insights into traffic patterns in your Azure cloud. Advantages of Traffic Analytics include the ability to visualize network activity, identify hot spots and security threats, understand traffic flow patterns, and pinpoint network misconfigurations.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Explicitly define internet connectivity and valid source IPs through outbound rules and network security groups with your Load Balancer to use Microsoft's threat intelligence for protecting your web applications.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Enable Azure Distributed Denial of Service (DDoS) Standard protection on your Azure Virtual Network to guard against DDoS attacks.
Deploy Azure Firewall at each of the organization's network boundaries with threat intelligence-based filtering enabled and configured to "Alert and deny" for malicious network traffic.
Use Security Center threat protection to detect communications with known malicious IP addresses.
The Standard Load Balancer is designed to be secure by default and part of a private and isolated Virtual Network. It is closed to inbound flows unless network security groups are used to explicitly permit allowed traffic and to deny known malicious IP addresses. Unless a network security group exists on the subnet or NIC of your virtual machine resource behind the Load Balancer, traffic is not allowed to reach this resource.
Deploy Azure Firewall at each of the organization's network boundaries with threat intelligence-based filtering enabled and configured to "Alert and deny" for malicious network traffic to prevent attacks from malicious IP addresses.
Implement guidance to integrate Azure Firewall with your Load Balancer.
Use Security Center threat protection features to detect communications with known malicious IP addresses.
Security Center (Standard Tier) provides just-in-time virtual machine access, and configures allowed source IP addresses to allow access only from approved IP addresses/ranges.
Use Security Center's Adaptive Network Hardening feature to recommend network security group configurations that limit ports and source IPs based on actual traffic and threat intelligence.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Enable Network Watcher packet capture to investigate anomalous activities.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Implement an offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities to the environment of your Load Balancer.
Use Azure Firewall threat intelligence if payload inspection is not a requirement. Azure Firewall threat intelligence-based filtering is used to alert on and/or block traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.
Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or block malicious traffic.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Explicitly define internet connectivity and valid source IPs through outbound rules and network security groups with your Load Balancer to use Microsoft's threat intelligence features to protect your web applications.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use service tags in place of specific IP addresses when creating security rules. Specify the service tag name in the source or destination field of a rule to allow or deny the traffic for the corresponding service.
Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
By default, every network security group includes the service tag AzureLoadBalancer to permit health probe traffic.
Refer to Azure documentation for all the service tags available for use in network security group rules.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Define and implement standard security configurations for network resources with Azure Policy.
Use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resources Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.
Apply the blueprint to new subscriptions, and fine-tune control and management through versioning.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use resource tags for network security groups and other resources related to network security and traffic flow.
Use the "Description" field to document the rules that allow traffic to/from a network for individual network security group rules.
Implement any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", which ensures that all resources are created with tags and to notify of any existing untagged resources.
Use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use Azure Activity log to monitor resource configurations and detect changes to your Azure resources.
Create alerts in Azure Monitor to notify you when critical resources are changed.
Azure Security Center monitoring: Yes
Responsibility: Customer
For more information, see the Azure Security Benchmark: Logging and monitoring.
Guidance: Review changes to your outbound rules and network security groups for your Load Balancers by viewing the Activity Log in your subscriptions.
View the internal host logs to ensure your backend resources are secure.
Export these logs to Log Analytics or another storage platform. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.
Enable and on-board this data to Azure Sentinel or a third-party SIEM based on your organizational business requirements.
- How to collect Azure Virtual Machine internal host logs with Azure Monitor
- How to get started with Azure Monitor and third-party SIEM integration
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Review the Control and Management Plane logging and audit information captured with Activity logs for the Basic Load Balancer. These capture settings are enabled by default.
Use Activity logs to monitor actions on resources to view all activity and their status.
Determine what operations were taken on the resources in your subscription with activity logs:
- who started the operation
- when the operation occurred
- the status of the operation
- the values of other properties that might help you research the operation
Retrieve information from the activity log through Azure PowerShell, the Azure Command Line Interface (CLI), the Azure REST API, or the Azure portal.
Implement multi-dimensional diagnostics for your Standard Load Balancer configurations with Azure Monitor. Available metrics relevant to security include information on Source Network Address Translation (SNAT) connections and ports. Additional metrics on SYN (synchronize) packets and packet counters are also available.
Retrieve multi-dimensional metrics programmatically via APIs and write them to a storage account via the 'All Metrics' option.
Use the Azure Audit Logs content pack with Microsoft Power BI to analyze your data with pre-configured dashboards, or to customize the views based on your requirements.
Stream logs to an event hub or a Log Analytics workspace. They can also be extracted from Azure blob storage, and viewed in different tools, such as Excel and Power BI.
Enable and on-board data to Azure Sentinel or a third-party SIEM based on your business requirements.
- Retrieve multi-dimensional metrics programmatically via APIs
- How to get started with Azure Monitor and third-party SIEM integration
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: The Activity log is enabled by default and is preserved for 90 days in Azure's Event Logs store. Set your Log Analytics workspace retention period according to your organization's compliance regulations in Azure Monitor. Use Azure Storage accounts for long-term and archival storage.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Monitor, manage, and troubleshoot Standard Load Balancer resources using the Load Balancer page in the Azure portal and the Resource Health page under Azure Monitor. Available metrics relevant to security include information on Source Network Address Translation (SNAT) connections and ports. Additional metrics on SYN (synchronize) packets and packet counters are also available.
Use Azure Monitor to review endpoint health probe status with multi-dimensional metrics for Standard Load Balancers, both external and internal. Gather these metrics programmatically via APIs and write them to a storage account via the 'All Metrics' option.
Azure Monitor logs are not available for Internal Basic Load Balancers.
Use Azure Monitor to see health probe status summarized per backend pool for the Basic External Load Balancer, such as the number of instances in your backend pool not receiving requests from the Load Balancer due to health probe failures.
Implement Logging with Azure Operational Insights to provide statistics about load balancer health status.
Use the Activity Logs to view alerts and monitor actions on resources and their status in your Azure subscriptions. Activity logs are enabled by default, and can be viewed in the Azure portal.
Use Microsoft Power BI with the Azure Audit Logs content pack and analyze your data with pre-configured dashboards. Customize views to suit your requirements based on business need.
Stream logs to an event hub or a Log Analytics workspace. They can also be extracted from Azure blob storage, and viewed in different tools, such as Excel and Power BI. You can enable and on-board data to Azure Sentinel or a third-party SIEM.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use Security Center with Log Analytics workspace for monitoring and alerting on anomalous activity related to Load Balancer in security logs and events.
Enable and on-board data to Azure Sentinel or a third-party SIEM tool.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Not applicable to Azure Load Balancer. This recommendation is intended for compute resources.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Not applicable as Azure Load Balancer is a core networking service that does not make DNS queries.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Not applicable to Azure Load Balancer as this recommendation applies to compute resources.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
For more information, see the Azure Security Benchmark: Identity and access control.
Guidance: Azure role-based access control (Azure RBAC) allows you to manage access to Azure resources such as your Load Balancer through role assignments. Assign these roles to users, groups, service principals, and managed identities.
Inventory pre-defined and built-in roles for certain resources with tools like Azure CLI, Azure PowerShell, or the Azure portal.
Azure Security Center monitoring: Yes
Responsibility: Customer
For more information, see the Azure Security Benchmark: Data protection.
Guidance: Use Azure RBAC to control access to your Load Balancer resources.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Load Balancer is a pass-through service that does not store customer data. It is a part of the underlying platform that is managed by Microsoft.
Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure.
To ensure customer data in Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Azure Security Center monitoring: Not applicable
Responsibility: Shared
Guidance: Use Azure Monitor with the Azure Activity log to create alerts when changes take place to critical Azure resources, such as Load Balancers used for important production workloads.
Azure Security Center monitoring: Yes
Responsibility: Customer
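The Activity Log review described in the logging guidance above (who started the operation, when it occurred, and its status) and the change alerts recommended here, as an added example that is not part of the original baseline: it parses constructed Activity Log records and lists every write or delete against load balancers and network security groups. The subscription id, callers and resource names are placeholders.

```python
import json

# Constructed sample of Activity Log records (Administrative category), one JSON
# object per line, using the real field names (operationName, caller, status, ...).
# Subscription id, callers and resource names are placeholders.
SAMPLE_EVENTS = """
{"operationName": {"value": "Microsoft.Network/loadBalancers/read"}, "caller": "reader@example.com", "eventTimestamp": "2020-09-28T10:00:00Z", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/loadBalancers/lb-web"}
{"operationName": {"value": "Microsoft.Network/loadBalancers/write"}, "caller": "ops@example.com", "eventTimestamp": "2020-09-28T10:04:30Z", "status": {"value": "Started"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/loadBalancers/lb-web"}
{"operationName": {"value": "Microsoft.Network/loadBalancers/write"}, "caller": "ops@example.com", "eventTimestamp": "2020-09-28T10:05:00Z", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/loadBalancers/lb-web"}
{"operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"}, "caller": "ops@example.com", "eventTimestamp": "2020-09-28T10:06:00Z", "status": {"value": "Failed"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-any"}
{"operationName": {"value": "Microsoft.Network/networkSecurityGroups/delete"}, "caller": "unknown@example.com", "eventTimestamp": "2020-09-28T10:07:00Z", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web"}
"""

# Resource types named in the guidance above, and the operations that change them.
WATCHED_PREFIXES = ("Microsoft.Network/loadBalancers/",
                    "Microsoft.Network/networkSecurityGroups/")
CHANGE_ACTIONS = {"write", "delete", "action"}
TERMINAL_STATUSES = {"Succeeded", "Failed"}


def parse_events(text):
    """Parse newline-delimited JSON records into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_change(event):
    """True for write/delete/action operations on load balancers or NSGs."""
    op = event["operationName"]["value"]
    return op.startswith(WATCHED_PREFIXES) and op.rsplit("/", 1)[-1] in CHANGE_ACTIONS


def resource_group_of(resource_id):
    """Extract the resource group name from an Azure resource id, or None."""
    parts = resource_id.split("/")
    return parts[parts.index("resourceGroups") + 1] if "resourceGroups" in parts else None


def find_changes(events, watched_resource_groups=None):
    """Return who/when/what records for configuration changes, oldest first.

    Only terminal records are reported: a write produces a Started record and a
    Succeeded/Failed record, and the latter carries the outcome. Failed changes are
    kept on purpose, since a failed rule change is still worth a look.
    """
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTimestamp"]):
        status = ev.get("status", {}).get("value")
        if not is_change(ev) or status not in TERMINAL_STATUSES:
            continue
        rg = resource_group_of(ev["resourceId"])
        if watched_resource_groups and rg not in watched_resource_groups:
            continue
        alerts.append({
            "when": ev["eventTimestamp"],
            "who": ev.get("caller", "<unknown>"),
            "operation": ev["operationName"]["value"],
            "status": status,
            "resource": ev["resourceId"].split("/providers/")[-1],
        })
    return alerts


if __name__ == "__main__":
    for a in find_changes(parse_events(SAMPLE_EVENTS), watched_resource_groups={"rg-prod"}):
        print(f'{a["when"]} {a["who"]} {a["operation"]} {a["status"]} {a["resource"]}')
```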
For more information, see the Azure Security Benchmark: Inventory and asset management.
Guidance: Use Azure Resource Graph to query for and discover all resources (such as compute, storage, network, ports, protocols, and so on) in your subscriptions. Azure Resource Manager is recommended to create and use current resources.
Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions and resources in your subscriptions.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Apply tags to Azure resources with metadata to logically organize according to a taxonomy.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use tagging, management groups, and separate subscriptions where appropriate, to organize and track assets.
Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from your subscriptions in a timely manner.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Create a list of approved Azure resources per your organizational needs which you can leverage as an allow list mechanism. This will allow your organization to onboard any newly available Azure services after they are formally reviewed and approved by your organization's typical security evaluation processes.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions.
Query for and discover resources with Azure Resource Graph within owned subscriptions.
Ensure all Azure resources present in the environment are approved.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
Guidance: Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Software that is required for business operations, but may incur higher risk for the organization, should be isolated within its own virtual machine and/or virtual network and sufficiently secured with either an Azure Firewall or a network security group.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
For more information, see the Azure Security Benchmark: Secure configuration.
Guidance: Use Azure Policy aliases to create custom policies to audit or enforce the configuration of your Azure resources. Use Built-in Azure Policy definitions.
Azure Resource Manager has the ability to export the template in JavaScript Object Notation (JSON), which should be reviewed to ensure that the configurations meet the security requirements for your organization.
Export Azure Resource Manager templates into JavaScript Object Notation (JSON) formats, and periodically review them to ensure that the configurations meet your organizational security requirements.
Implement recommendations from Security Center as a secure configuration baseline for your Azure resources.
Azure Security Center monitoring: Not applicable
Responsibility: Customer
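One way to carry out the template review above, as an added example rather than anything from the baseline or the Azure tooling: it reads a constructed exported Resource Manager template and checks the points raised earlier in this baseline (Standard SKU, explicit outbound rules, inbound allow rules from any source limited to approved ports, and the AzureLoadBalancer service tag not being denied). The approved port set and resource names are assumptions.

```python
import json

# Constructed sample of an exported Resource Manager template (not a real deployment):
# a Basic-SKU load balancer and an NSG whose rules include an any-source RDP allow
# and a rule that denies the AzureLoadBalancer service tag (health probes would fail).
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Network/loadBalancers", "name": "lb-web",
     "sku": {"name": "Basic"}, "properties": {}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web",
     "properties": {"securityRules": [
       {"name": "allow-https", "properties": {"direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}},
       {"name": "allow-rdp-any", "properties": {"direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
       {"name": "deny-probes", "properties": {"direction": "Inbound", "access": "Deny",
        "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"}}
     ]}}
  ]
}
""")

# Assumed: ports the application is approved to expose, and the source prefixes
# that mean "anyone" for the purpose of this review.
APPROVED_PORTS = {"80", "443"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def audit_template(template, approved_ports=APPROVED_PORTS):
    """Return (resource, finding) pairs for the load balancer and NSG checks."""
    findings = []
    for res in template.get("resources", []):
        rtype, name = res.get("type", ""), res.get("name", "?")
        props = res.get("properties", {})
        if rtype == "Microsoft.Network/loadBalancers":
            # The baseline recommends the Standard SKU, which is closed by default.
            if res.get("sku", {}).get("name") != "Standard":
                findings.append((name, "load balancer SKU is not Standard"))
            # Standard SKU: outbound NAT should be defined explicitly, not left implicit.
            elif not props.get("outboundRules"):
                findings.append((name, "no explicit outbound rules; review implicit outbound behaviour"))
        elif rtype == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                rp = rule.get("properties", {})
                rname = f'{name}/{rule.get("name", "?")}'
                if rp.get("direction") != "Inbound":
                    continue
                port = rp.get("destinationPortRange", "*")
                src = rp.get("sourceAddressPrefix")
                # Inbound allow from any source must be limited to approved ports.
                if rp.get("access") == "Allow" and src in ANY_SOURCE:
                    if port == "*" or port not in approved_ports:
                        findings.append((rname, f"allows any source to port {port}"))
                # Denying the AzureLoadBalancer tag blocks health probe traffic.
                if rp.get("access") == "Deny" and src == "AzureLoadBalancer":
                    findings.append((rname, "denies the AzureLoadBalancer service tag"))
    return findings


if __name__ == "__main__":
    for resource, finding in audit_template(SAMPLE_TEMPLATE):
        print(f"{resource}: {finding}")
```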
Guidance: Use Azure Policy [deny] and [deploy if not exist] to enforce secure settings across your Azure resources. Also, you can use Azure Resource Manager templates to maintain the security configuration of your Azure resources required by your organization.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use Azure DevOps to securely store and manage your code like custom Azure Policy definitions, Azure Resource Manager templates, and desired state configuration scripts.
Grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if it is integrated with Azure DevOps, or in Active Directory if integrated with TFS.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies to audit or enforce the network configuration of your Azure resources. Implement built-in policy definitions related to your specific Azure Load Balancer resources. Also, use Azure Automation to deploy configuration changes to your Azure Load Balancer resources.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use Security Center to perform baseline scans for your Azure Resources and Azure Policy to alert and audit resource configurations.
Azure Security Center monitoring: Yes
Responsibility: Customer
For more information, see the Azure Security Benchmark: Incident response.
Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first.
The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data.
It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Export your Security Center alerts and recommendations using the continuous export feature to help identify risks to Azure resources.
Use the continuous export feature in Security Center, which allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.
Utilize the Security Center data connector to stream the alerts to Azure Sentinel.
Azure Security Center monitoring: Yes
Responsibility: Customer
Guidance: Use the Workflow Automation feature in Security Center to automatically trigger responses to security alerts and recommendations to protect your Azure resources.
Azure Security Center monitoring: Yes
Responsibility: Customer
For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.
11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings
Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Azure Security Center monitoring: Not applicable
Responsibility: Shared
- See the Azure security benchmark
- Learn more about Azure security baselines