We (ZOAK Solutions) have numerous clients, and our own systems, that require:
- Access for certain roles/groups/users to certain services only from appropriately hardened and monitored hosts.
- If Entra is used for authentication to these services, the SAW can be made a requirement in conditional access policies.
- Inbound and outbound network security, including the ability to 'AllowList' and 'BlockList' based on IPs/URLs/hostnames and other NGFW methods. This can be achieved with host-based controls only, but that does not seem like a very layered defence.
- An idempotent deployment solution (the deployment code can be run regularly and, if there are no changes to the code, there are no changes to the deployment).
- PowerShell is not ideal for doing idempotency properly, but it can be done.
- See the blog post made during the initial implementation:
- PowerShell
- Azure PowerShell Az module: a collection of modules for managing Azure resources from PowerShell; the script currently installs the enGet-
- Azure
- CloudShell
- Tested in CloudShell, but can be run in any PowerShell environment
- Whilst idempotency is a requirement, the scripts are not properly idempotent: they check for existing resources in the resource group by name and will not create a resource that already exists, but they do not check for changes to the code/config. If you change the code or config, you will need to run with the -Destroy parameter to recreate the existing resources.
- NOTE: This does not apply to outbound FW rules, which are recreated on every run regardless of changes to the code.
- WARNING: The script does not hold state. If you change $SAWResourceGroupName, first run DeploySAW.ps1 -Destroy -NoDeploy against the old name so the existing resource group is torn down; otherwise the old resources are left behind.
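The check below is an added example, not code from the AzureVirtualSAW repo, showing one way to close the gap described above (resources are checked by name only, so config changes go unnoticed): hash the config file and the deploy script, stamp the hash on the resource group as a tag, and on the next run fail loudly when the hash differs unless -Destroy was given. It assumes the Az module is installed and Connect-AzAccount has been run; the resource group name, location and tag name are placeholders.

```powershell
# Added example, not code from the AzureVirtualSAW repo: detect config drift between runs.
# Stamps the resource group with a SHA-256 over the config and deploy script so a later run
# can tell whether the deployed resources still match the code. Assumes the Az module is
# installed and Connect-AzAccount has been run; names and location are placeholders.

param(
    [string]$ConfigPath        = './config/SAWDeployerConfigItems.ps1',
    [string]$ScriptPath        = './DeploySAW.ps1',
    [string]$ResourceGroupName = 'rg-saw-example',   # placeholder
    [string]$Location          = 'australiaeast',    # placeholder
    [switch]$Destroy
)

$ErrorActionPreference = 'Stop'
$TagName = 'sawDeployHash'   # placeholder tag name

function Get-DeployHash {
    param([string[]]$Paths)
    # Hash each file, then hash the concatenated per-file hashes so an edit to any
    # input changes the final value. 64 hex chars fits comfortably in an Azure tag value.
    $joined = ($Paths | ForEach-Object { (Get-FileHash -Path $_ -Algorithm SHA256).Hash }) -join ''
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($joined))
    return ([System.BitConverter]::ToString($digest)) -replace '-', ''
}

$currentHash = Get-DeployHash -Paths @($ConfigPath, $ScriptPath)
$rg = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue

if ($null -eq $rg) {
    Write-Host "Resource group $ResourceGroupName not found; creating it."
    $rg = New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Tag @{ $TagName = $currentHash }
}
else {
    $deployedHash = if ($rg.Tags) { $rg.Tags[$TagName] } else { $null }
    if ($deployedHash -eq $currentHash) {
        Write-Host "Config and script unchanged since last deploy; leaving existing resources in place."
    }
    elseif (-not $Destroy) {
        # Fail loudly instead of silently keeping stale resources.
        throw "Drift detected for $ResourceGroupName (deployed=$deployedHash current=$currentHash). Re-run with -Destroy to recreate, or revert the change."
    }
    else {
        Write-Warning "Drift detected; destroying $ResourceGroupName so the new config is applied."
        Remove-AzResourceGroup -Name $ResourceGroupName -Force | Out-Null
        $rg = New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Tag @{ $TagName = $currentHash }
    }
}

# Resource creation would follow here. After a successful deploy, refresh the tag so the
# recorded hash always matches what is actually deployed. Note that -Tag replaces the whole
# tag set on the resource group; merge with $rg.Tags first if it carries other tags.
Set-AzResourceGroup -Name $ResourceGroupName -Tag @{ $TagName = $currentHash } | Out-Null
```

This only covers the two files it hashes; anything else that influences the deployment (environment variables, module versions) would need to be folded into the hash input as well.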
See:
- https://learn.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-virtual-desktop?tabs=powershell#prerequisites
- https://learn.microsoft.com/en-us/azure/firewall/deploy-ps#prerequisites
- Clone this repo:
  git clone git@github.com:zoak-solutions/AzureVirtualSAW.git
- Make a non-example config file and edit it with your desired configuration:
  cp ./config/EXAMPLE_SAWDeployerConfigItems.ps1 ./config/SAWDeployerConfigItems.ps1
  - Note that ./config/SAWDeployerConfigItems.ps1 is ignored by git, so you can make changes to this file without it being tracked by git.
- Run the DeploySAW.ps1 script.
  - Optional parameters:
    - -Destroy: Destroy all resources in the resource group, and the resource group itself, before recreating. Use this if you make changes to config and want them applied (excepting outbound FW rules, which are recreated on every run).
    - -NoDeploy: Used together with -Destroy to tear down without redeploying (see the warning above about changing $SAWResourceGroupName).

Putting it together:
git clone git@github.com:zoak-solutions/AzureVirtualSAW.git
cd AzureVirtualSAW
cp ./config/EXAMPLE_SAWDeployerConfigItems.ps1 ./config/SAWDeployerConfigItems.ps1
notepad ./config/SAWDeployerConfigItems.ps1
.\DeploySAW.ps1
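The block below is an added example, not the project's DeploySAW.ps1, showing the outbound allowlist requirement and the "recreated on every run" behaviour for outbound FW rules together: an Azure Firewall application rule collection is built from an allowlist of FQDNs for the SAW subnet, any previous copy of the collection is removed, and the new one is applied. It assumes an existing Azure Firewall and that Connect-AzAccount has been run; the firewall name, resource group, subnet prefix and the FQDN list are placeholders.

```powershell
# Added example, not code from the AzureVirtualSAW repo: outbound HTTPS allowlist for the
# SAW subnet as an Azure Firewall application rule collection, replaced on every run.
# Assumes an existing firewall and an authenticated Az session; all names are placeholders.

$ErrorActionPreference = 'Stop'

$FirewallName      = 'fw-saw-example'    # placeholder
$ResourceGroupName = 'rg-saw-example'    # placeholder
$SawSubnetPrefix   = '10.10.1.0/24'      # placeholder: the SAW host subnet
$CollectionName    = 'saw-outbound-allowlist'

# Constructed allowlist: only what the SAW needs to reach. Azure Firewall denies traffic
# that matches no rule, so anything not listed here is blocked outbound.
$AllowedFqdns = @(
    @{ Name = 'azure-portal'; Fqdn = 'portal.azure.com' }
    @{ Name = 'azure-arm';    Fqdn = 'management.azure.com' }
    @{ Name = 'entra-login';  Fqdn = 'login.microsoftonline.com' }
    @{ Name = 'psgallery';    Fqdn = 'www.powershellgallery.com' }
)

# One application rule per FQDN, scoped to the SAW subnet and HTTPS only.
$rules = foreach ($entry in $AllowedFqdns) {
    New-AzFirewallApplicationRule -Name $entry.Name `
        -SourceAddress $SawSubnetPrefix `
        -TargetFqdn $entry.Fqdn `
        -Protocol 'Https:443'
}

$collection = New-AzFirewallApplicationRuleCollection -Name $CollectionName `
    -Priority 200 -Rule $rules -ActionType Allow

$fw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroupName

# Recreate-on-every-run: drop any prior copy of the collection before adding the new one,
# so an FQDN removed from the allowlist actually disappears instead of lingering.
$existing = $fw.ApplicationRuleCollections | Where-Object { $_.Name -eq $CollectionName }
if ($existing) {
    $fw.RemoveApplicationRuleCollectionByName($CollectionName)
}
$fw.AddApplicationRuleCollection($collection)

Set-AzFirewall -AzureFirewall $fw | Out-Null

# Read back what was applied rather than trusting the local object.
$applied = (Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroupName).ApplicationRuleCollections |
    Where-Object { $_.Name -eq $CollectionName }
$applied.Rules | Select-Object Name, SourceAddresses, TargetFqdns, Protocols | Format-Table
```

Because the collection is replaced wholesale, the allowlist in code is the single source of truth for outbound access; the trade-off is a brief window during Set-AzFirewall where the collection is being rewritten, which is why this is the one part of the deployment that tolerates not being idempotent.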
- Authentication and module installation
# Allow PowerShell to run scripts
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Install Azure PowerShell Az module
Install-Module -Name Az -Repository PSGallery -Force
Update-Module -Name Az -Force
# Authenticate to Azure
Connect-AzAccount
- M365 Defender monitoring, logging, alerting
- Email / JIRA / Teams / Slack / other notifications
- Alerting on changes to config / drift
- Solution for pre-hardened VM template
See the open issues for a full list of proposed features (and known issues).
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
- Deploy Azure Virtual Desktop – Azure Virtual Desktop | Microsoft Learn
- Azure fundamental concepts – Cloud Adoption Framework | Microsoft Learn
- Azure Virtual Desktop security best practices – Azure | Microsoft Learn
- Deploying a privileged access solution | Microsoft Learn
- Securing privileged access intermediaries | Microsoft Learn
- Use Azure Firewall to protect Azure Virtual Desktop | Microsoft Learn
- Azure Cloud Shell features | Microsoft Learn
Distributed under the GNU AGPLv3 License. See LICENSE.txt for more information.
ZOAK Solutions - @contact@zoak.solutions