Last Update: Sep 04, 2024 | Published: Mar 26, 2019
Microsoft is continuously expanding Azure on a daily basis; this expansion also includes security features. There is some debate about who owns the responsibility of securing assets in the cloud, regardless of who owns the platform. Microsoft identifies who is responsible for what as the customer progresses through their platform displayed in their shared responsibility model (seen below). Securing and configuring your virtual machines falls under the ownership of the customer. In this article, we’ll look at a new method for securing virtual machines with Microsoft’s preview release of Adaptive Network Hardening.
Adaptive Network Hardening is a feature found in the Azure Security Center. You can find it under the Networking blade once you’ve activated Azure Security Center.
This feature is like an add-on to your Network Security Group. At a fundamental level, a Network Security Group can have rules applied to it granting or denying network traffic or access. Adaptive Network Hardening provides a more granular recommendation based on the traffic it has analyzed. For instance, you have a virtual machine in Azure you use as a jump box to administer the other Azure assets. You access this jump box through remote desktop protocol on port 3389. You created a Network Security Group rule which allows this traffic from a 10.0.0.0/24 subnet. Adaptive Network Hardening will analyze this traffic (machine learning) and make recommendations to reduce the scope of the subnet. It does not apply the recommendations for you. It will provide instructions under Remediation Steps found under Adaptive Network Hardening.
Adaptive Network Hardening is pretty straight forward. It does require that you have virtual machines to harden. The first thing you will have to do is activate the Azure Security Center. The Security Center has 2 pricing tiers, free and Standard. You get a free 30-day trial of the Standard plan. The features available for each tier are listed below:
Once you’ve activated your plan, the Azure Security Center features will become available allowing you to explore the features and services provided at your pricing tier. Let’s take a quick look at Adaptive Network Hardening:
You can select any of the virtual machines in any of the categories to view the Edit Adaptive Network Hardening Policy page. This page will display any alerts and recommendations it has discovered while enabled. You also have the ability to add rules (similar to a Network Security Group) here as well (see below). Azure Security Center needs to collect data for more than 30 days on your resources in order to provide more granular recommendations as it analyzes the traffic to and from these resources. As a reminder, Microsoft does not apply the recommended rules or adjusts to the recommended ports. They place the responsibility of hardening the network squarely on the customer’s shoulders.
I hope this gives you a better insight into this new security feature. Unfortunately, I just started my Azure Security Center subscription so Azure wasn’t able to gather enough data (needs 30 days) to provide any solid recommendations other than securing my RDP connections. I hope to come back and update this article with some better graphics and data. However, the concept of using machine learning to improve your virtual machines is a great idea at this level. Adaptive Network Hardening is one more Azure security feature you can leverage to improve your Azure security posture.