Create a Networking baseline

Azure networking services maximize flexibility, availability, resiliency, security, and integrity by design. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the Internet and Azure.

Restrict RDP and SSH access from the Internet

It's possible to reach Azure virtual machines by using Remote Desktop Protocol (RDP) and the Secure Shell (SSH) protocol. These protocols enable the management VMs from remote locations and are standard in datacenter computing.

The potential security problem with using these protocols over the Internet is that attackers can use brute force techniques to gain access to Azure virtual machines. After the attackers gain access, they can use your VM as a launch point for compromising other machines on your virtual network or even attack networked devices outside Azure.

It's recommended that you disable direct RDP and SSH access to your Azure VMs from the Internet. After direct RDP and SSH access from the Internet is disabled, you have other options that you can use to access these VMs for remote management:

• Point-to-site VPN
• Site-to-site VPN
• Azure ExpressRoute
• Azure Bastion Host

1. In the Azure portal click Virtual machines.
2. Select myVM.
3. open the Networking blade.
4. Select the rule which allows RDP (Port 3389) then click Delete.

Restrict SQL Server access from the Internet

Firewall systems help prevent unauthorized access to computer resources. If a firewall is turned on but not correctly configured, attempts to connect to SQL Server might be blocked.

To access an instance of the SQL Server through a firewall, you must configure the firewall on the computer that is running SQL Server. Allowing ingress for the IP range 0.0.0.0/0 (Start IP of 0.0.0.0 and End IP of 0.0.0.0) allows open access to any/all traffic potentially making the SQL Database vulnerable to attacks. Ensure that no SQL Databases allow ingress from the Internet.

1. In the Azure portal go to SQL servers and select your SQL Server.
2. Click on Firewalls and virtual networks.
3. Ensure that the firewall rules exist, and no rule has a Start IP of 0.0.0.0 and End IP of 0.0.0.0 or other combinations which allows access to wider public IP ranges.
4. Close the blade.

Configure the NSG flow logs

When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region. There is no impact to your resources or associated charge for automatically enabling Network Watcher.

Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. Flow logs are written in JSON format, and show outbound and inbound flows on a per rule basis, the network interface (NIC) the flow applies to, 5-tuple information about the flow (Source/destination IP, source/destination port, and protocol), if the traffic was allowed or denied, and in Version 2, throughput information (Bytes and Packets). Logs can be used to check for anomalies and give insight into suspected breaches.

1. In the Azure portal select All services.
2. Select Networking.
3. Select Network Watcher.
4. Select NSG flow logs under Logs.
5. Select On.
6. Select a storage account and click Save.

Enable Network Watcher

Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG.

1. In the Azure portal select All services. In the Filter box, enter Network Watcher. When Network Watcher appears in the results, select it.
2. Select Regions, to expand it, and then select the elipsis (...) button on a region which is not enabled.
3. Select Enable Network Watcher.