Azure Cloud Architecture
A real world application of MS Azure cloud architecture for a small blog website complete with secure features and best practices. (IP Addresses/Resources in project have been retired). (09/23/2022)
Last updated
In this featured project, my objective was to establish a secure network topology and implement my security strategies while developing a small blog site in the MS Azure cloud environment. I was super excited with how this turned out, as it really showed how much web developers have to have in place for something even as rudimentary as a blog to function! A series of screenshots are below, as I eventually tore down this configuration due to cost constraints, but allow me to walk you through each resource and explain the importance of security configurations within the cloud environment!
Firstly, everything is a lot easier to implement with a plan of action, which in this case is my network topology. From my workstation, I reach a jump box (the provisioning host) inside my resource group over SSH. The jump box is configured with my workstation's SSH public key and password logins are disabled, so it cannot be brute-forced by password guessing. The jump box also sits behind my network security group (NSG), whose inbound rule admits SSH only from my workstation's IP address. This way, only a connection from my IP that also presents my private key can reach the provisioner, which keeps the intranet of web servers and resources protected.
The web servers are exposed to the internet, but only through NSG rules that admit port 80 HTTP traffic (a production site would terminate TLS and admit port 443 instead; this blog ran plain HTTP). The load balancer sits in front of the duplicate web servers to prevent any loss of availability due to high traffic volume. If I were running an eCommerce site, availability would be key to profit. A load balancer distributes requests across the backend pool and keeps the site reliable when one server is busy or down.
Lastly, the web servers are configured from the provisioner via Ansible. Heaven forbid my site skyrockets in popularity overnight; I'd need to scale my resources in a timely manner! Luckily, with the magic of the cloud, I can spin up another web server in my backend pool and have it configured in a matter of minutes to meet the demand. This works the other way as well if I ever need to scale back down to conserve resources and overall costs.
Think of the resource group as a tagged folder that houses all related machines and objects. I only had a single front-facing domain to manage, but imagine the intricacies of an enterprise-level environment; things could get confusing very quickly! The resource group RedTeam kept each individual resource wrapped up so I could maintain structured documentation and configuration of this blog site.
Now what good are network devices if they cannot communicate with one another?! This virtual network (VNet) resource gave me the address space, subnet, and private IP addresses to use for my resources. The point of this feature is to maintain a private intranet that my backend web servers and load balancer can operate on, while keeping them off the public internet. The last thing any website benefits from is unauthenticated access to or viewing of its backend, as that increases attack surface and risk.
To reiterate, the security of a website, especially with resources established on a VNet, depends on controlled access. The provisioning jump box is the single bridge into the backend: the web servers' SSH ports are reachable only from inside the VNet, and the jump box is the only host with an SSH endpoint facing my workstation. (Strictly this is a bastion pattern rather than a DMZ or an air gap, since the jump box and the web servers still share the VNet; what it removes is any management port facing the internet.) The jump box only remains active while I am making changes to the backend pool, and is torn down afterwards. With private key verification required and password sign-on disabled, the attack surface is reduced significantly. This machine is also a lightweight Ubuntu Linux install, as its main duties are acting as a bridge and configuration device. This cuts resource cost and avoids unnecessary bloat.
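Here is how I would verify that a jump box really is key-only before trusting it, as an added example (this is my illustration, not code or a screenshot from the original project). It reads an sshd_config the way sshd does: in the global section the first value seen for a keyword wins and later duplicates are ignored, so a hardening line appended at the bottom can be silently dead; a Match block, on the other hand, can hand password login back to a specific user. The config texts inside are constructed, and the requirements beyond what the post states (root login and keyboard-interactive auth off) are my assumptions.

```python
"""Audit an sshd_config for key-only login on a jump box.

Added example, not code from the original project. sshd keeps the FIRST value
it sees for a keyword in the global section, so a hardening line appended to
the end of the file changes nothing if the keyword was already set above it.
A `Match` block can re-enable password login for the users it matches. Both
cases are caught here.
"""
import re

# Values a key-only jump box must end up with. PermitRootLogin and
# KbdInteractiveAuthentication requirements are assumptions beyond the post.
ACCEPTED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "kbdinteractiveauthentication": {"no"},
    "permitemptypasswords": {"no"},
}
# OpenSSH defaults that apply when the keyword is never set at all.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}
# Pre-8.7 OpenSSH spelled the keyboard-interactive keyword differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def _split_directive(line):
    """Split 'Key value', 'Key=value' or 'Key = value' into (key, value)."""
    parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
    key = ALIASES.get(parts[0].lower(), parts[0].lower())
    value = parts[1].strip().lower() if len(parts) > 1 else ""
    return key, value


def audit(config_text):
    """Return [(keyword, effective_value, scope)] for every weak setting.

    scope is "global" or the text of the Match line that set the value.
    An empty list means the file enforces key-only login.
    """
    settings = dict(DEFAULTS)
    seen = set()
    findings = []
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split_directive(line)
        if key == "match":
            scope = line
            continue
        if key not in ACCEPTED:
            continue
        if scope == "global":
            if key not in seen:            # first occurrence wins, as in sshd
                seen.add(key)
                settings[key] = value
        elif value not in ACCEPTED[key]:   # Match block weakening the policy
            findings.append((key, value, scope))
    for key, ok in ACCEPTED.items():
        if settings[key] not in ok:
            findings.append((key, settings[key], "global"))
    return findings


# Constructed configs for the example (not real files from the project).
LOOKS_HARDENED = """\
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
# appended later by a hardening script; sshd ignores it, the keyword was set above
PasswordAuthentication no
"""

HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
"""

WITH_MATCH_HOLE = HARDENED + "Match User deploy\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in [("looks_hardened", LOOKS_HARDENED), ("hardened", HARDENED),
                      ("match_hole", WITH_MATCH_HOLE)]:
        print(name, audit(cfg) or "OK")
```

On the box itself, `sshd -T` prints the effective values, including anything pulled in by `Include` (recent Ubuntu releases include `/etc/ssh/sshd_config.d/*.conf` at the top of the file, which this parser does not follow). The same five directives are what I would have an Ansible `lineinfile` task enforce in the jump box playbook.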
I began with 2 web servers, both configured with Ansible. Ansible is a configuration management tool that pushes a known-good configuration to a new server from a playbook, so every server in the pool ends up identical. This is extremely useful in an enterprise-level environment, as it is unrealistic and costly to provision each new workspace or resource individually or in person. This automation makes the website scalable: based on request volume and traffic, I could spin up more web servers in a matter of minutes to meet demand and avoid downtime. This is just a blog site, but a corporation could lose millions of dollars during a lapse in availability.
This network security group (NSG) provided firewall protection for my intranet resources. Allowed inbound and outbound traffic is defined through a set of rules, including source and destination ports, source and destination IP addresses (or Azure service tags such as Internet and VirtualNetwork), and the protocol used; rules are evaluated in priority order, the first match wins, and a default deny-all inbound rule sits behind them. Vulnerable or unneeded ports, such as the deprecated FTP service on TCP port 21, can be blocked with ease to keep the attack surface as small as possible. Now the real benefit of a security group is the fact that it is a group! Associating an NSG with a subnet (or a set of NICs) applies the same rules to every resource behind it. This eliminates the headache of configuring firewall rules machine by machine if you just start with a strong and functional security group in the first place.
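The rule model just described, as an added example (mine, not an export of the project's NSG): a small evaluator that applies rules the way Azure NSGs do, lowest priority number first, first match wins, default rules behind everything, and runs the two NSGs this topology needs, the jump box rule (SSH from my workstation IP only) and the web subnet rules (HTTP from the internet, SSH only from the jump box). The VNet range, subnet, workstation IP and rule names are constructed, and the Internet service tag is simplified to "anything outside the VNet".

```python
"""Simulate inbound evaluation of Azure network security group (NSG) rules.

Added example, not code from the original project. It models what the post
describes: rules carry a priority, the lowest number is checked first, the
first rule whose protocol, source and destination port all match decides,
and Azure's built-in default rules sit behind every custom rule. The address
ranges, the workstation IP and the rule names below are constructed.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")               # assumed VNet address space
JUMPBOX_SUBNET = "10.0.0.0/24"                           # assumed jump box subnet
WORKSTATION_IP = "198.51.100.7"                          # constructed public IP
AZURE_PROBE_IP = ipaddress.ip_address("168.63.129.16")   # Azure health probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules: 100-4096; Azure defaults: 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, IP, or service tag (Internet, VirtualNetwork, ...)
    dest_port: str     # "*", "80", or a range like "1024-65535"

    def __post_init__(self):
        if not (100 <= self.priority <= 4096 or self.priority >= 65000):
            raise ValueError(f"{self.name}: custom rule priority must be 100-4096")
        if self.access not in ("Allow", "Deny"):
            raise ValueError(f"{self.name}: access must be Allow or Deny")


# Azure's default inbound rules (priorities 65000-65500), always present.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(spec, ip):
    """Service tags are simplified: 'Internet' is anything outside the VNet."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":
        return ip not in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_PROBE_IP
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for the first matching rule, lowest priority first."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Jump box NSG: SSH from my workstation only; everything else hits DenyAllInBound.
JUMPBOX_NSG = [
    Rule("AllowSSHFromWorkstation", 100, "Allow", "Tcp", WORKSTATION_IP + "/32", "22"),
]

# Web subnet NSG: HTTP from the internet, SSH only from the jump box subnet.
# The explicit deny at 120 matters because AllowVnetInBound (65000) would
# otherwise let a compromised sibling web server SSH across the VNet.
WEB_NSG = [
    Rule("AllowHTTPFromInternet", 100, "Allow", "Tcp", "Internet", "80"),
    Rule("AllowSSHFromJumpbox", 110, "Allow", "Tcp", JUMPBOX_SUBNET, "22"),
    Rule("DenySSHFromElsewhere", 120, "Deny", "Tcp", "*", "22"),
]

if __name__ == "__main__":
    for src, port, proto in [("203.0.113.10", 80, "Tcp"), ("203.0.113.10", 22, "Tcp"),
                             ("10.0.0.4", 22, "Tcp"), ("10.0.1.5", 22, "Tcp"),
                             ("203.0.113.10", 21, "Tcp"), ("203.0.113.10", 80, "Udp")]:
        print(f"web  {src}:{port}/{proto} -> {evaluate(WEB_NSG, src, port, proto)}")
    print("jump", evaluate(JUMPBOX_NSG, WORKSTATION_IP, 22))
    print("jump", evaluate(JUMPBOX_NSG, "203.0.113.10", 22))
```

The third web rule is the one worth noticing: port 21 is already dead on arrival because DenyAllInBound catches it, but SSH between web servers is not, since Azure's AllowVnetInBound at priority 65000 permits any VNet-to-VNet traffic unless a custom rule denies it first. In the real NSG these same fields map onto `az network nsg rule create --priority ... --access ... --protocol Tcp --source-address-prefixes ... --destination-port-ranges ...`.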
Altogether, I was able to build a successful, operable, and secure website given the initial topology laid out. The MS Azure platform and tools provided the perfect environment for a project like this, especially at a lower cost than provisioning it on physical hardware. Hosting in the cloud can be a great option, but it definitely has its fair share of necessary risk assessment and configuration in order to secure and protect your data and resources. This was a very small project compared to enterprise-level networks and major applications, but the security fundamentals are transferable skills that only expand as the demands on your resources grow. I am happy with the skills I gained on Azure and this project, and I cannot wait to construct more environments from scratch and expand upon cloud security best practices!