Securing the Cloud: A Hands-On Guide to Building a Robust Azure Infra with Real-World Techniques

Arun Prakash
6 min read · Oct 31, 2024


In today’s cloud-dependent landscape, safeguarding data, applications, and infrastructure is critical. In this project, I designed a security-focused architecture within Azure, involving three virtual machines (VMs), two SQL servers (for production and development), and other key resources.

Each component was configured with security in mind: Azure Bastion, customer-managed keys (CMKs), VM extensions for malware protection, SQL auditing, Microsoft Sentinel with Proof of Connectors for Microsoft Entra AD, and Defender for Cloud. I also enabled the NIST SP 800-53 Rev. 4 compliance policy to align the environment with industry standards.

This basic guide is designed for security engineers looking to enhance their understanding of secure Azure practices. Each section explores the configuration process in detail, along with why these decisions matter and how they impact overall security posture.

Network Security: Reducing Attack Surface and Protecting Access

1. Azure Bastion for Secure VM Connectivity
In secure network design, minimizing public exposure is essential. Azure Bastion provides private connectivity to virtual machines (VMs) from the Azure Portal, so the VMs do not need public IP addresses. The session runs over TLS (port 443) through the portal, which means VM access is possible without public-facing IPs or internet-exposed SSH/RDP ports.

  • Why: Bastion minimizes exposure to attack, because no external traffic can connect directly to the VMs.
  • How: Configured by creating a Bastion host inside a virtual network (VNet); the host acts as a jump server that is reachable only through the Azure Portal. With Bastion in place, we can manage VMs without exposing them to the internet.
(Screenshot: Azure Bastion)

2. Removing Public IP from Ops VM
For additional security, I removed the public IP address from our Ops VM. The VM remains reachable only through Azure Bastion, which removes the threats that come with a public access point.

  • Why: Limiting public IPs reduces the possible entry points for attackers.
  • How: With Azure Bastion configured, we eliminated the Ops VM's public IP without losing access, keeping remote management possible without exposing the VM to unnecessary risk.
(Screenshots: VMs; public IP removed from VM1, VM2 and VM3)
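The two steps above (a Bastion host in the VNet, then detaching the Ops VM's public IP) done with the Az PowerShell module, as an added example that is not the article's own code. The resource group, VNet, VM and address prefix are assumptions; the Bastion subnet must be named exactly `AzureBastionSubnet`, which is a platform requirement.

```powershell
# Added example (not from the article): provision Azure Bastion and remove the Ops VM's
# public IP with the Az PowerShell module. All names below are assumptions.
$rg       = 'rg-secure-infra'        # assumed resource group
$location = 'eastus'
$vnetName = 'vnet-secure'            # assumed existing VNet
$vmName   = 'vm-ops'                 # assumed Ops VM

# 1. Bastion needs a dedicated subnet named exactly 'AzureBastionSubnet' (/26 or larger).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object { $_.Name -eq 'AzureBastionSubnet' })) {
    $vnet | Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.0.255.0/26' | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}

# 2. The Bastion host owns the only public IP in the design (Standard SKU, static).
$bastionPip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $location `
    -Sku Standard -AllocationMethod Static
New-AzBastion -ResourceGroupName $rg -Name 'bas-secure' `
    -PublicIpAddressRgName $rg -PublicIpAddressName $bastionPip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnetName -Sku Standard | Out-Null

# 3. Detach the public IP from the Ops VM's primary NIC, then delete the orphaned address.
$vm    = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic   = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$pipId = $nic.IpConfigurations[0].PublicIpAddress.Id
if ($pipId) {
    $nic.IpConfigurations[0].PublicIpAddress = $null
    $nic | Set-AzNetworkInterface | Out-Null
    Remove-AzPublicIpAddress -ResourceGroupName $rg -Name ($pipId -split '/')[-1] -Force
}

# 4. Verify instead of assuming: no NIC in the group should still reference a public IP.
$exposed = Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.IpConfigurations.PublicIpAddress.Id }
if ($exposed) {
    Write-Warning "NICs still carrying a public IP: $($exposed.Name -join ', ')"
} else {
    'No VM NIC in the resource group has a public IP.'
}
```

The final check is the part worth keeping in a pipeline: run it after every change to the resource group so that a public IP re-attached by hand is caught immediately rather than at the next review.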

Data and Encryption: Securing Data in Motion and at Rest

1. Encrypting Data Disks with Customer-Managed Keys (CMKs)
Data encryption at rest is a baseline requirement for securing sensitive information. By using customer-managed keys instead of platform-managed keys, we retain full control over encryption operations and enhance compliance alignment. These keys are stored in Azure Key Vault, providing an extra layer of control and auditing for data protection.

  • Why: Customer-managed keys enable more control over encryption, ensuring compliance with stringent regulations.
  • How: Integrated Azure Disk Encryption (ADE) with Key Vault for data disk encryption, securing VM data disks with 256-bit AES encryption.
(Screenshot: Encrypted VMs)
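An added example (not the article's code) of the ADE and Key Vault integration described above: a vault enabled for disk encryption, a customer-managed key-encryption key (KEK) in it, ADE turned on for all volumes of one VM, and the encryption status read back. Vault, key and VM names are assumptions.

```powershell
# Added example (not from the article): Azure Disk Encryption with a customer-managed KEK
# held in Azure Key Vault. Names are assumptions; the vault name must be globally unique.
$rg       = 'rg-secure-infra'
$location = 'eastus'
$vmName   = 'vm-ops'
$kvName   = 'kv-secure-cmk-01'

# 1. A vault that ADE is permitted to write the wrapped disk secrets into. Purge protection
#    keeps a deleted KEK recoverable; without the KEK the encrypted disks are unreadable.
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $kv) {
    $kv = New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $location `
        -EnabledForDiskEncryption -EnablePurgeProtection
}

# 2. The customer-managed key that wraps each disk's BitLocker/dm-crypt secret.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'kek-vm-disks' -Destination Software

# 3. Enable ADE on OS and data volumes; the wrapped secret is stored back in the same vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 4. Verify: both OS and data volumes should report 'Encrypted'.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
[pscustomobject]@{
    VM          = $vmName
    OsVolume    = $status.OsVolumeEncrypted
    DataVolumes = $status.DataVolumeEncrypted
    KeyVault    = $kvName
    KekUrl      = $kek.Id
}
```

Because the KEK lives in Key Vault, key rotation and access to the key are audited there, which is the control and auditing benefit the section refers to; the status object at the end is the evidence a reviewer will ask for.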

2. Securing SQL Server and Database Connections
To protect data at the database level, I limited public network access, enforced Transport Layer Security (TLS) requirements, and set strict IP restrictions.

  • Why: TLS encryption and IP restrictions protect data at the network layer, ensuring only authorized sources can communicate with our database.
  • How: Configured SQL firewall rules to restrict inbound IP ranges, set a minimum TLS version in the SQL server settings, and enforced Azure AD (Microsoft Entra ID) authentication instead of SQL authentication.
(Screenshots: SQL Dev and Prod servers with no public access, TLS enabled, and Azure AD authentication enabled)
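The three server-level controls above applied to both logical servers with the Az PowerShell module, followed by a read-back of the effective settings. This is an added example, not the article's configuration; the server names, the allowed client IP (a TEST-NET-3 documentation address) and the Entra ID admin group are assumptions.

```powershell
# Added example (not from the article): harden two Azure SQL logical servers and report
# the resulting settings. Server, IP and group names are assumptions.
$rg       = 'rg-secure-infra'
$servers  = @('sql-prod-secure', 'sql-dev-secure')
$adminIp  = '203.0.113.10'                                # assumed egress IP of the admin network
$dbaGroup = Get-AzADGroup -DisplayName 'sg-sql-admins'    # assumed Entra ID group for DBAs

foreach ($s in $servers) {
    # 1. No public endpoint, and TLS 1.2 as the floor for any client that does connect.
    Set-AzSqlServer -ResourceGroupName $rg -ServerName $s `
        -PublicNetworkAccess 'Disabled' -MinimalTlsVersion '1.2' | Out-Null

    # 2. Firewall: a single-host rule only. With public access disabled the rule is dormant,
    #    but it bounds the exposure if public access is ever re-enabled.
    New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $s `
        -FirewallRuleName 'allow-admin-egress' -StartIpAddress $adminIp -EndIpAddress $adminIp | Out-Null

    # 3. Entra ID administrator group, then disable SQL authentication entirely.
    Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $s `
        -DisplayName $dbaGroup.DisplayName -ObjectId $dbaGroup.Id | Out-Null
    Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ResourceGroupName $rg -ServerName $s | Out-Null
}

# 4. Evidence: one row per server with the effective settings.
foreach ($s in $servers) {
    $srv  = Get-AzSqlServer -ResourceGroupName $rg -ServerName $s
    $only = Get-AzSqlServerActiveDirectoryOnlyAuthentication -ResourceGroupName $rg -ServerName $s
    [pscustomobject]@{
        Server        = $s
        PublicAccess  = $srv.PublicNetworkAccess
        MinTls        = $srv.MinimalTlsVersion
        EntraOnlyAuth = $only.AzureADOnlyAuthentication
        Firewall      = (Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $s).FirewallRuleName -join ','
    }
}
```

Using a group rather than an individual as the Entra administrator keeps the server's admin identity stable when people change roles, and Entra-only authentication removes the password-based `sa`-style login as a target entirely.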

Malware Protection via VM Extensions

Protecting VMs against malware is essential for secure compute environments. By leveraging Azure VM Extensions like Microsoft Antimalware, we automatically protect our virtual machines from common malware threats.

  • Why: VM extensions provide streamlined, consistent protection across environments without the need for manual configuration.
  • How: Enabled Antimalware VM Extension to monitor and mitigate potential malware threats. This extension is configured to automatically update definitions, protecting VMs against newly emerging threats.
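An added example (not the article's code) that installs the Microsoft Antimalware extension on every Windows VM in a resource group with real-time protection and a weekly quick scan, then checks that each install succeeded. The resource group name is an assumption. The extension is Windows-only; Linux VMs in the same group are skipped, which is why the filter on OS type is there.

```powershell
# Added example (not from the article): deploy the IaaSAntimalware extension to all Windows
# VMs in a resource group. The resource group name is an assumption.
$rg = 'rg-secure-infra'

# Extension settings: 'day' 7 = Saturday, 'time' = minutes after midnight (120 = 02:00).
# Definition updates are automatic for this extension; nothing extra to configure.
$settings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{ isEnabled = $true; day = 7; time = 120; scanType = 'Quick' }
    Exclusions                = @{ Extensions = ''; Paths = ''; Processes = '' }
} | ConvertTo-Json -Depth 4

# Microsoft Antimalware supports Windows only; filter on the OS disk type.
$vms = Get-AzVM -ResourceGroupName $rg | Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' }

foreach ($vm in $vms) {
    Set-AzVMExtension -ResourceGroupName $rg -VMName $vm.Name -Location $vm.Location `
        -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' `
        -TypeHandlerVersion '1.3' -SettingString $settings | Out-Null
}

# Verify: every Windows VM should show the extension with ProvisioningState 'Succeeded'.
foreach ($vm in $vms) {
    $ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vm.Name -Name 'IaaSAntimalware' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VM        = $vm.Name
        Installed = [bool]$ext
        State     = $ext.ProvisioningState
    }
}
```

For Linux hosts the equivalent coverage comes from Defender for Servers (Defender for Endpoint integration) rather than this extension, so a mixed estate needs both checks.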

Monitoring and Auditing SQL Databases

Continuous monitoring is fundamental to maintaining a proactive security stance. For this project, I configured Azure SQL Auditing to track database activity and flag suspicious behavior. Microsoft Defender for Cloud was also enabled, which was a tremendous help in keeping security in check.

  • Why: Auditing is vital in a Zero Trust model, enabling detailed analysis and rapid identification of malicious activities.
  • How: Enabled SQL Auditing with Log Analytics as the destination, and enabled Defender for Cloud.
(Screenshots: auditing enabled for the SQL Dev and Prod servers; audit logs)
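An added example (not the article's code) of the auditing setup above: server-level auditing for both SQL servers sent to a Log Analytics workspace, followed by a KQL query against that workspace that surfaces repeated authentication failures per source IP, which is the kind of suspicious behavior auditing exists to flag. The workspace and server names are assumptions; the `AzureDiagnostics` column names are those Azure SQL auditing writes when Log Analytics is the destination.

```powershell
# Added example (not from the article): enable server-level SQL auditing to Log Analytics
# and query it for failed logins. Workspace and server names are assumptions.
$rg        = 'rg-secure-infra'
$servers   = @('sql-prod-secure', 'sql-dev-secure')
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-secure'

foreach ($s in $servers) {
    # Server-level auditing covers every database on the server, including ones created later.
    Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $s `
        -LogAnalyticsTargetState Enabled -WorkspaceResourceId $workspace.ResourceId
}

# Detection query: audit rows land in AzureDiagnostics with Category SQLSecurityAuditEvents.
# Five or more failed authentications from one IP against one server in an hour is worth
# a ticket; the set of attempted logins tells the analyst whether it is one user mistyping
# a password or something scanning for accounts.
$kql = @'
AzureDiagnostics
| where Category == "SQLSecurityAuditEvents"
| where TimeGenerated > ago(1h)
| where action_name_s has "AUTHENTICATION" and succeeded_s == "false"
| summarize Failures = count(),
            Logins   = make_set(server_principal_name_s),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by LogicalServerName_s, client_ip_s
| where Failures >= 5
| order by Failures desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $kql
$result.Results | Format-Table LogicalServerName_s, client_ip_s, Failures, Logins, FirstSeen, LastSeen
```

The same KQL can be pasted into a Sentinel scheduled analytics rule so the threshold produces an incident instead of a table a person has to remember to run.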

Monitoring and Compliance with Sentinel and NIST SP 800–53

As part of this project, I integrated Microsoft Sentinel with Proof of Connectors for Entra AD, which allowed comprehensive tracking of identity-related events and alerts within the Azure environment. Additionally, to ensure our setup meets industry standards, I enabled the NIST SP 800-53 Rev. 4 policies within Defender for Cloud.

  • Why: Sentinel, with Entra AD connectors, provides a robust SIEM solution, enabling continuous monitoring and correlation of security events across identity services.
  • How: Configured Sentinel to connect with Microsoft Entra AD, allowing enriched threat intelligence with alerts on identity-based threats and vulnerabilities. Enabled the NIST SP 800-53 policy in Defender for Cloud, which continuously audits the environment for compliance with regulatory requirements.
(Screenshots: Microsoft Sentinel; NIST policy assignment)

Enabling Defender for Cloud on SQL Servers
To monitor and protect SQL databases in both production and development, I enabled Microsoft Defender for Cloud. This tool provides continuous monitoring, threat detection, and actionable alerts.

  • Why: Defender for Cloud offers advanced threat protection by detecting anomalies and vulnerabilities specific to SQL environments.
  • How: Enabled Defender for Cloud on both SQL instances, configuring alerts and policies within Azure Security Center (now part of Defender for Cloud) for centralized visibility.
(Screenshots: Microsoft Defender for Cloud)
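An added example (not the article's code) that covers both Defender for Cloud settings from the two sections above: assigning the built-in NIST SP 800-53 Rev. 4 initiative at subscription scope, enabling the Defender for SQL plan, and pulling the first compliance snapshot. Scope, assignment name and location are assumptions; the initiative is found by display name so that no definition GUID has to be hard-coded.

```powershell
# Added example (not from the article): assign the NIST SP 800-53 Rev. 4 initiative and enable
# the Defender for SQL plan at subscription scope. Names and location are assumptions.
$sub   = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$sub"

# 1. Locate the built-in initiative by display name. Older Az.Resources versions expose the
#    name under .Properties, newer ones at the top level; accept either.
$nist = Get-AzPolicySetDefinition -Builtin |
    Where-Object { @($_.DisplayName, $_.Properties.DisplayName) -contains 'NIST SP 800-53 Rev. 4' } |
    Select-Object -First 1
if (-not $nist) { throw 'Built-in initiative "NIST SP 800-53 Rev. 4" not found.' }

# A system-assigned identity lets the DeployIfNotExists / Modify policies in the set remediate.
$assignment = New-AzPolicyAssignment -Name 'nist-800-53-r4' -DisplayName 'NIST SP 800-53 Rev. 4' `
    -Scope $scope -PolicySetDefinition $nist -IdentityType SystemAssigned -Location 'eastus'

# 2. Defender for SQL (Azure SQL Database plan) for every SQL server in the subscription.
Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard' | Out-Null

# 3. Evidence: plan tier plus a count of non-compliant policy results for the new assignment.
#    Policy evaluation runs asynchronously, so this count is empty until the first scan lands.
$plan = Get-AzSecurityPricing -Name 'SqlServers'
$nonCompliant = Get-AzPolicyState -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'"
[pscustomobject]@{
    DefenderForSqlTier  = $plan.PricingTier
    NistAssignment      = $assignment.Name
    NonCompliantResults = @($nonCompliant).Count
}
```

Assigning the initiative at subscription scope is what makes the regulatory compliance dashboard in Defender for Cloud populate; a resource-group-scoped assignment would only ever report on that group.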

Learnings and Technical Lessons

This project involved deep insights into critical Azure security areas:

  1. Infrastructure and Network Security: Network boundaries are the first layer of defense in a Zero Trust model. With tools like Azure Bastion, firewalls, and secure IP configurations, we created a tightly controlled network with minimal exposure to external threats.
  2. Data Security and Protection: Protecting data is a top priority, particularly in a cloud environment where data sovereignty and compliance are key. Encrypting data disks and restricting SQL server access were crucial steps to ensure data security.
  3. Application Security and Monitoring: Defender for Cloud and Microsoft Sentinel provide both proactive and reactive threat management. These tools enable real-time insight, detection, and response, improving security visibility and incident response times.
