zoak-solutions/AzureVirtualSAW

Table of Contents
  1. Context
  2. Usage
  3. Road Map
  4. Contributing
  5. References
  6. License
  7. Contact

Context

We (ZOAK Solutions) have numerous clients, and our own systems, that require:

  • Access by certain roles/groups/users to certain services only from appropriately hardened and monitored hosts
    • If Entra is used for authentication to these services, then this SAW can be made a requirement in conditional access policies
  • Inbound and outbound network security, including the ability to ‘AllowList’ and ‘BlockList’ based on IPs/URLs/hostnames/other ‘NGFW’ methods. This can be achieved with host-based controls only, but that does not seem like a very layered defence.
  • An idempotent deployment solution (deployment code can be run regularly and, if the code has not changed, nothing in the deployment changes)
    • PowerShell is not ideal for doing idempotency properly, but it can be done.
  • See the blog post made during initial implementation:


Implementation tools/dependencies

  • PowerShell
    • Azure PowerShell Az module: Azure PowerShell is a collection of modules for managing Azure resources from PowerShell; the script currently installs the enGet-
  • Azure
  • CloudShell
    • Tested in CloudShell, but can be run in any PowerShell environment
  • Whilst idempotency is a requirement, the scripts are not properly idempotent: they check for existing resources in the resource group and will not create a resource if one with the same name already exists, but they do not check for changes to the code/config. So if you change the code or config, you will need to run with the -Destroy parameter to overwrite existing resources.
    • NOTE: This does not apply to outbound FW rules, which are recreated on every run regardless of changes to the code.
    • WARNING: The script does not hold state. If you change $SAWResourceGroupName, ensure you first complete a DeploySAW.ps1 -Destroy -NoDeploy against the old name.
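The limitation above (existing resources are detected by name only, so a changed config is silently skipped) can be closed by recording a hash of the deployed config on the resource itself. The following is an added example, not code from DeploySAW.ps1: the function names are hypothetical, it reuses the README's $SAWResourceGroupName and ./config/SAWDeployerConfigItems.ps1, assumes Connect-AzAccount has already been run, and the region in the usage line is a constructed sample value.

```powershell
# Added example (not the project's DeploySAW.ps1): check-before-create with a
# config-hash tag, so a re-run reports config drift instead of silently keeping
# the existing resource group. Function names are hypothetical.

function Get-SAWConfigHash {
    param([string]$ConfigPath = './config/SAWDeployerConfigItems.ps1')
    # SHA-256 of the config file that produced the deployment; stored as a tag
    (Get-FileHash -Path $ConfigPath -Algorithm SHA256).Hash
}

function Confirm-SAWResourceGroup {
    param(
        [Parameter(Mandatory)][string]$SAWResourceGroupName,
        [Parameter(Mandatory)][string]$Location,
        [string]$ConfigPath = './config/SAWDeployerConfigItems.ps1'
    )
    $hash = Get-SAWConfigHash -ConfigPath $ConfigPath
    $rg = Get-AzResourceGroup -Name $SAWResourceGroupName -ErrorAction SilentlyContinue

    if (-not $rg) {
        # First run: create the group and record which config produced it
        New-AzResourceGroup -Name $SAWResourceGroupName -Location $Location `
            -Tag @{ SAWConfigHash = $hash } | Out-Null
        return 'Created'
    }

    # Tags may be absent on a group created outside this helper
    $deployed = if ($rg.Tags) { $rg.Tags['SAWConfigHash'] } else { $null }
    if ($deployed -eq $hash) {
        # Nothing changed: a true no-op, which is what an idempotent re-run should be
        return 'Unchanged'
    }

    # Config changed since the last deploy. With the README's scripts this is the
    # point where -Destroy is required; surfacing it beats keeping stale resources.
    Write-Warning ("Config hash changed ({0} -> {1}); re-run DeploySAW.ps1 -Destroy " +
                   "to apply the new config." -f $deployed, $hash)
    return 'Drifted'
}

# Usage (constructed sample values):
# Confirm-SAWResourceGroup -SAWResourceGroupName 'rg-saw-example' -Location 'australiaeast'
```

The same tag-and-compare pattern applies to the individual resources inside the group; the resource group is shown because the README's -Destroy switch operates at that level.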


Usage

Prerequisites

See:

Deploy an Azure SAW env

  1. Clone this repo
    • git clone git@github.com:zoak-solutions/AzureVirtualSAW.git
  2. Make a non-example config file (cp ./config/EXAMPLE_SAWDeployerConfigItems.ps1 ./config/SAWDeployerConfigItems.ps1) and edit it with your desired configuration
    • Note that ./config/SAWDeployerConfigItems.ps1 is ignored by git, so you can make changes to this file without them being tracked
  3. Run the DeploySAW.ps1 script
    • Optional parameters:
      • -Destroy: Destroy all resources in the resource group, and the resource group itself, before recreating. Use this if you make changes to config and want them applied (except outbound FW rules, which are recreated on every run).

Example usage

git clone git@github.com:zoak-solutions/AzureVirtualSAW.git
cd AzureVirtualSAW
cp ./config/EXAMPLE_SAWDeployerConfigItems.ps1 ./config/SAWDeployerConfigItems.ps1
notepad ./config/SAWDeployerConfigItems.ps1
.\DeploySAW.ps1

Troubleshooting

  • Authentication and module installation
# Allow PowerShell to run scripts
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Install Azure PowerShell Az module
Install-Module -Name Az -Repository PSGallery -Force
Update-Module -Name Az -Force
# Authenticate to Azure
Connect-AzAccount

Roadmap

  • M365 Defender monitoring, logging, alerting
    • Email / JIRA / Teams / Slack / other notifications
  • Alerting on changes to config / drift
  • Solution for a pre-hardened VM template

See the open issues for a full list of proposed features (and known issues).


Contributing

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request


References


License

Distributed under the GNU AGPLv3 License. See LICENSE.txt for more information.


Contact

ZOAK Solutions - @contact@zoak.solutions

About

PowerShell for deploying and configuring all components of an Azure-hosted Virtual Secure Administration Workstation
