This hands-on lab provides an Azure administrator with an understanding of how to perform essential security administrative functions within the Azure platform. You will learn how to secure your data, by enabling native protections around a storage account, such as requiring secure connections only (using HTTPS) and creating Shared Access Signatures to manage accesses into your storage. You’ll also learn how to secure and audit an Azure SQL database, by implementing Firewall rules, enabling auditing, and monitoring the audit log for accesses. Finally, you’ll learn how to further optimize your access controls by provisioning a Key Vault, creating a secret, and configuring your Web App to use that secret for authenticating to your protected Storage Account. These are essential skills for applying general security controls and are required for anyone pursuing a career as a Microsoft Azure administrator.
Understand the scenario
You are a system administrator for a company that provides web hosting services for customers. You need to secure your Azure platform services. You will start by managing access to a Storage Account. Next, you will secure access to an Azure SQL Server. Finally, you will implement an Azure Key Vault to store sensitive data.
Secure a Storage Account:
You will first implement security controls around an existing Storage Account. To minimize risk and exposure, you will configure the storage account to only accept connections via a secure (encrypted) channel (i.e., HTTPS). Then you will create a Shared Access Signature (SAS) for allowing services to access the storage account without disclosing the administrative credentials of the account. A SAS is extremely valuable and can grant access to your storage account data (blobs, queues, tables, files) with varying permission levels, and it can be time-bound. Finally, you will further restrict access to the Storage Account by enabling the firewall and creating a rule that permits access to a specified subnet.
Secure an Azure SQL Database:
For this task, you will configure an Azure SQL database to be managed by an Active Directory admin account. Then you will activate auditing, which will allow you to monitor accesses to the database. To further protect the database, you will configure firewall access rules limiting access to a specified virtual network. Finally, to test the configuration, you will log in to a VM client via RDP, run the SQL Server Management Studio, connect to your database, and attempt to run some queries.
Provision a Key Vault:
Microsoft Azure Key Vault is a cloud-hosted management service that allows users to encrypt keys and secrets protected by hardware security modules. In this lesson, you will deploy a key vault with secrets to be used to access resources in your environment. You will configure an access policy that allows your web app service the right get and list secrets; then, you will create a new secret and configure your web app to access the secret in the key vault.
Lab Summary Conclusion:
In this hands-on virtual lab, you will learn how to apply basic security configurations for Azure Platform services. You will learn to secure a storage account, secure an Azure SQL database, and implement a key vault for managing secrets. These skills will help you establish a baseline of good security practice for a career as an Azure administrator.
Other Challenges in this series
- ADVANCED CHALLENGE: Can you Manage a Web App?
- ADVANCED CHALLENGE: Can you Monitor a Web App?
- EXPERT CHALLENGE: Can you Manage, Monitor, and Secure Azure Platform Services?