DEV Community: Salmankhan

Vulnerability Assessment

Salmankhan — Sat, 28 Jun 2025 20:49:38 +0000

🔒 Vulnerability Assessment – A Crucial Pillar in Modern Cybersecurity 🔍

Hey'll, 👋
I'm Salmankhan, with over 9 years of experience in the IT domain, specializing in Cloud Infrastructure and Security across AWS and Azure platforms.

One of the most vital yet often underestimated practices in the security lifecycle is the Vulnerability Assessment. In today’s threat landscape, it's not just about protecting assets—it's about proactively identifying where your defenses might fail.

Here’s a quick insight:

🧠 What is Vulnerability Assessment?
It’s the process of identifying, classifying, prioritizing, and addressing security vulnerabilities in systems, applications, networks, and databases.

💡 Why it matters:

Finds misconfigurations and insecure default settings

Flags SQL Injection, XSS, and privilege escalation risks

Assesses your risk exposure and helps build a remediation roadmap

Supports DevSecOps culture by embedding security into every stage

🔍 Common Assessment Types:

Network Scans (wired/wireless threat detection)

Host-Based Scans (server/workstation-level insights)

Application Scans (web app flaws and misconfigurations)

Database Scans (insecure setups, rogue instances)

Wireless Scans (rogue APs and signal interception risks)

🛠️ Tools That Help:
All purpose vulnerability scanners:
Qualis, Rapid7, Tenable Nessus

✅ Key Takeaway:
Security isn’t a one-time job. Vulnerability assessments must be continuous, collaborative, and ingrained in every IT operation.

CyberSecurity #CloudSecurity #AWS #Azure #VulnerabilityAssessment #InfoSec #ITSecurity #SecurityInsights #SRE #CloudInfra

Service VS Private Endpoint

Salmankhan — Tue, 24 Dec 2024 16:23:42 +0000

In Multi-tenant environment, For PAAS azure services access over internet was not restricted or you were not able
to restrict access to just your resources.

To overcome this challenge restriction was very complex with multi-tenant service. At the beginning only way was to use single tenant environment or running services in VM instead of using PAAS. This public access was concern so Microsoft implemented new services that allow you to limit access on multi-tenant environment.

Today we will discuss those solutions. It's kind of similar; Service Endpoint and Private Endpoint. Both are designed to allow restriction on your services to access, who can connect you services and how they do it. Sometimes it's confusing which service to use. Therefore, we'll see these services and try to make clear decision.

Service Endpoint

Service Endpoint allow you to restrict access to your PAAS resources to traffic coming from your Azure VNET. With Service Endpoint, PAAS service is still separate to your VNET, and traffic is leaving your virtual network access the PAAS Service. However, PAAS service is configured to be able to identify traffic coming from VNET and allow that without configuring public IP on your VNET.

Service Endpoint work by enabling a subnet on your VNET to support Service Endpoint. Afterwards, you can configure your PAAS resource to only accept traffic from those subnets. No need for IP filtering or NAT; you can tell PAAS resource which NET and subnet to allow traffic. When service endpoint enabled PAAS resource sees traffic coming from VNET's private IP not it's public IP.
Another advantage of using service endpoint is that traffic is routed to azure resources. Service Endpoint means traffic is
sent directly to the Azure resource.

Service Endpoint Supported by below services;

Azure Storage
Azure SQL Database
Azure Synapse Analytics
Azure Database for PostgreSQL Server
Azure Database for MySQL Server
Azure Key Vault
Azure Cosmos DB
Azure App Service
Azure Event Hubs
Azure Service Bus
Azure Cognitive Services
Azure Container Registry

Limitation
Service Endpoint can not be used by traffic originating on-premises, through VPN or Express Route, Only traffic allowed
from your Azure VNET. If you want to allow your on-prem resources to access then you need to whitelist their public IP.

Private Endpoint

Private Link is newer solution than service endpoint. The key difference between private endpoint and service endpoint is that Multi-tenant PAAS resource into VNET. With private endpoint the PAAS resource will be within your VNET and gets private IP on your VNET. When traffic will be sent to PAAS resource, it does not leave VNET.
When you use private endpoints, traffic is secured to private endpoint resource. The platform validates network connections, allowing only those that reach the specified private-endpoint resource.

In case of Azure Storage, you would need separate private endpoint to access file and blob. Private Endpoint pairs your internal services or application with standard load balancer that allow access from parties outside your network.
Access is restricted via RBAC or subscription. Client can create private endpoint and request access to private endpoint service via approval process. By doing this business can utilize private network components without trouble or security considerations of maintaining VPN connectivity or peering to consumer of their application.

DNS configuration for Private Endpoint
DNS setting that you use to connect to private endpoint also important. Existing Azure services already have DNS configuration you can use when you're connecting over public endpoint. To connect same service over private endpoint, separate DNS Settings, often configured via private DNS zones. While using FQDN ensure your DNS settings are correct.
The network interface associated with private endpoint contains the information that's required to configure your DNS.
The information includes FQDN and private IP Address for private endpoint resource.
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns

Another key difference with private endpoint is that when enabled, you are granting access to a specific PAAS resource in your VNET. That means you can control egress to PAAS resources. Another scenario, you can use NSG to block access to all Azure SQL DB and then use private endpoint to grant access only to your specific Azure SQL Server.

Unlike Service Endpoint, Private Endpoint allows access from resources on your on-prem network through VPN or ExpressRoute from peered networks. You can also connect to resources across region.

Private Endpoint Support below services;

Azure Storage
Azure Data Lake Storage Gen 2
Azure SQL
Azure Synapse
Azure Key Vault
Azure Kubernetes Services
Azure Virtual Desktop

Limitation
If there is an integration of Azure Private DNS then its problematic or do not need to use Azure Private DNS with your VNET.

Benefit of Private Endpoint
Benefit of the Azure Private Link is that it eliminates a huge hurdle for some organizations that are bound by compliance or governance requirements that traffic is privately secured throughout the organization. Now those organizations can connect to private endpoints via site-to-site VPN or ExpressRoute.

Extending internal resources to other departments or customers is another key benefit of Private Endpoint. Using Private Endpoint in parallel with Azure Standard Load Balancer enables you to make internal PaaS or IaaS services available via Private Endpoint to business units or external customers without allowing traffic to or from the Internet.

Pricing

Private endpoint service, which is consistent at around $0.01/hour for most of the regions.
Inbound data processed, will vary based on the ingress data that your private endpoint is receiving.
Outbound data processed, will also vary based on the egress data that your private endpoint is sending.

Which to pick?
First, Look at resources you want to access and see which service it is supported by. Some services will only be supported in one or the other and so it's your choice.

Assuming you can use either option for your service then decision will come down to complexity. Service Endpoint is more easy to set up than private endpoint.

Conclusion
If you only need a secure connection between the virtual network and another resource, you should use a service endpoint, which means your resources will still have public exposure and you will be accessing those resources using the public endpoint of the resource.

However, if you need to access your azure resources from on-premises through an Azure gateway, a regionally peered virtual network, or a globally peered virtual network, use a private endpoint. The private endpoint will allow connection using the private IP of the resources, eliminating the public exposure completely.

Load Balancer

Salmankhan — Mon, 16 Dec 2024 22:51:38 +0000

Efficient Traffic Distributor to your Cloud Resources
Load balancing often refers to the process of efficiently distributing incoming network traffic across a group of backend servers or resources. In cloud computing, Azure Load Balancer plays a pivotal role in ensuring that your application remain available to perform under heavy load.

Azure Load Balancer Overview
Azure Load Balancer operates at layer 4 of the OSI model, making it a highly efficient and effective tool for managing traffic. It serves as single point of contact for client, it distributes inbound flow arriving at load balancers frontend and backend pool. These instances can be Azure VM or VMSS.

Public Load Balancer
A public load balancer offers both inbound and outbound connectivity for the VMs within your virtual network:

Inbound Traffic: Azure Load Balancer distributes internet traffic to your VMs, ensuring they handle requests efficiently and without overloading any single VM.
Outbound Traffic: It translates the private IP addresses of your VMs to public IP addresses for any outbound connections originating from your VMs.

Internal (Private) Load Balancer
An internal load balancer, also known as a private load balancer, provides inbound connectivity to VMs in scenarios requiring private network connectivity:

Hybrid Scenarios: It allows access to the load balancer's frontend from an on-premises network, making it ideal for hybrid cloud architectures.
Intra-Virtual Network Traffic: Internal load balancers are used to load balance traffic within a virtual network, ensuring even distribution among internal resources.

Key Benefits

High Availability: By distributing traffic across multiple instances, Azure Load Balancer enhances the availability of your applications.
Scalability: It supports the scalability of your applications by efficiently managing increased traffic loads.
Health Monitoring: The integrated health probes ensure that only healthy instances receive traffic, improving reliability.
Security: It provides robust security features by managing traffic flow and protecting backend resources.

Conclusion Azure Load Balancer is an essential component for any organization looking to optimize the performance and availability of their applications in the cloud. Whether you need to balance internet traffic or manage internal network traffic, Azure Load Balancer offers the flexibility and features necessary to meet your needs.

Landing zone?

Salmankhan — Mon, 09 Dec 2024 22:00:30 +0000

Azure Landing Zone

There are 3 Microsoft foundation Azure architect sites which can assist you with your cloud governance, infrastructure, business management, applications, security and lot more.
It's best practice where you can land your application.

What is landing zone?
Basically whenever your client is ready to migrate from on premises to cloud platform at that time you should have some reference guide or framework in which you can fit your clients overall requirements whether it may be cost optimization, security, performance, monitoring anything.

So Cloud Architectural Framework is collection of guidance and best practices.
It helps you in cloud adoption journey
CAF is lifecycle that Microsoft presents again with goal of helping you avoid pitfall in terms of cloud adoption.

*Pillars of landing zones in CAF *
Strategy
Plan
Ready
Migrate
Innovate
Secure
Manage
Govern
Organize

From above ready phase Cloud Adoption Framework of Azure the landing zone hosts Workload you plan to built in or migrate to cloud. It's not always necessary to follow all of the guidelines cause sometimes you have to go with proven practices.

Types of Landing Zones

Platform Landing Zone - Framing of your solution
Application Landing Zone - application or Workload related landing zone

You don't have to adopt them cause plenty of them are going to create lot more resources which you're not be using all the time.

Above diagram will give you reference for different landing zones.

What's wonderful about landing zone is that Microsoft is prioritizing them so work is going on they are being developed and lot many templates.
Different Landing Zone for hybrid cloud are given on git hub you can not follow all of these deployments cause some of them are way too complicated.

Idea is not only we can automate these template but also using all this to start our deployment from Landing zone architecture. We should bring more proven practices.

There is another framework
Azure Well Architecture Framework(WAF)
These are pillars that drive architectural excellence at fundamental level of Workload.
CAF design your overall strategy.
WAF is where you get into Workload.

WAF pillars

Realiability
Security
Cost Optimization
Operational Excellence
Performance Efficiency

Third framework is
Azure Architecture Center
This is center piece of Azure architecture with reference. What you have here is opportunity to combine our best practices of CAF and WAF Landing Zone.
In this framework you can search for references which has already been deployed or developed by proven practices.
Exa. Go for azure openai architecture in landing zone

You can have Azure Landing Zone for tenant deployment, openai reference.
If you're deploying Azure Landing Zone template from github best go for the creator who has created this, in right panel check activities.

I think best practices are good but I would like to chose proven practices here.

Sentinel Overview

Salmankhan — Mon, 02 Dec 2024 21:48:03 +0000

Azure Sentinel Overview

Azure Sentinel is a security information event management(SIEM) & security orchestration automated response(SOAR) solution. It's very advanced centralized security monitoring and response solution. You're going to monitor data from M365, other cloud providers(AWS, GCP, IBM), Azure resources, Defender, on-Prem resources like f5 or Cisco. Gather report on these and analysis. Azure Sentinel help you with you this. Ability to detect, investigate and respond with azure Sentinel give advantage here.

!(https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tgcxfyutm71j1s3rwbk0.jpeg)

It's taking of taking azure security center to next level with additional capabilities like investigate and response capability.

Azure Sentinel Configuration

*How does it work? *
It's all unnderpinned log analytics workspace. We know what log analytics workspace do. We know that they can help us to ingest data, store data and got all query language and visualization capability built on top.
Azure Sentinel is built on top of this log analytics workspace.
When you create Azure Sentinel you are just enabling log analytics workspace for Azure Sentinel.
Now we use data connectors to retrieve data and these are created by various providers for variety of data types.

!(https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9b13otd6kvuohu1q5r8m.jpeg)

Now Sentinels power is in what we going to do with data. Example - analytics, workbooks, hunting, automation etc.

Azure Sentinel alerts and incidents

how does this work
We have log analytics workspace as base where all data is going to be and that data is going to be analyzed and alert will be created on that data.
You are going to analyze data like you're going to looking for failed login attempt to Azure portal or maybe failed RDP attempt to your VM, some storage account key mishaps with multiple storage account in your environment to detect this were going to analyze our data.
So to create alert Microsoft provides several pre-built rule templates that you can use to identify security issues.
When rules become active they perform analysis and generate some alerts.
And when we generate an alert we get incidents that we can go and manage within Azure Sentinel portal.

!(https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4w6ytvbh1gu3cgo9nmyq.png)

So we have got incident management within Azure Sentinel.

Security Management and Advanced Threat Protection

Salmankhan — Mon, 25 Nov 2024 21:59:53 +0000

Security Management

Cloud is now essential and can say that important factor in every technical aspect.
To protect your cloud vendors have introduced security and as for azure we have Defender for Cloud 💫

Defender for Cloud is application made up of security practices design to protect your cloud and its application from cyber threats.

Defender for Cloud have three major capabilities-

DevSecOps- security management at code level
CSPM- Cloud Security Posture Management to prevent security breach
CWPP- Protection for Server, Database, Storage and Workload

How you enable this?

Defender for Cloud will fix your security vulnerabilities. It is used for blocking the malicious threats, detect them and respond rapidly when you're under attack.

Enable Security for your Cloud
To enable this in Azure cloud your are going to use Microsoft Defender for Cloud
You can check for subscription and enable it there.
Once you enable Defender for Cloud it integrates with Microsoft Defender Portal no steps needed to take. Integration of Defender for Cloud and XDR brings cloud environment into Microsoft Defender XDR.
New update
Today feature has updated Defender for storage malware scan for blobs upto 50 GB

Starting on Dec 31, Defender for storage malware scanning will support upto 50 GB. This feature is under preview previously it was limited for only 2 GB.

Microsoft Security Copilot in Defender for Cloud

Now Defender for Cloud integrated with both Microsoft Security Copilot for Azure. With this integration security question can be asked, receive response trigger analysis summarize using our natural language.
This AI platform will provide you understanding the context and effect of recommendations and addressing misconfiguration in code too.

trying to put thoughts in article and study which might help you who's is reading this article. We rise by lifting others.

What is Cloud Workload Security

Salmankhan — Mon, 18 Nov 2024 23:11:00 +0000

What is Cloud Workload Security?

Cloud Workload Security refers to the practice of protecting resources, services and applications run on cloud. Virtual Machines, databases, containers considered as Cloud Workloads.

Cloud Deployment Models

Public Cloud - Public multitenant offering like AWS, Azure and GCP.
Private Cloud - Cloud environment dedicated to single business entity.
Hybrid Cloud - A combination of on-premises public and private cloud services
Multi Cloud - A combination of cloud services; which includes multiple types of services hosted on multiple public and private clouds.

Cloud Service Types

Infrastructure as a Service
Platform as a Service
Software as a Service

Cloud Workloads are vulnerable to a variety of threats

Cloud resources and Workloads are prone to a wide variety of cyber threats including ransomware, malware, data breach, phishing attacks and DDoS attacks. Cyber attackers can exploit cloud security vulnerabilities using stolen credentials to mount attacks and disrupt services or steal confidential information.
Strong cloud security practices are fundamental to maintain the availability of the business application, safeguarding confidential info.

Example of cloud vulnerabilities

Cloud Workload Security is shared responsibility between Cloud provider and customer

Cloud security practices are similar to organizations typical IT and Network security practices, but there is a catch. Unlike IT, Cloud Security governed by shared responsibility model like cloud service provider will responsible for infrastructure and customer is responsible for managing security above hypervisor. Please refer below.

Best Security Practices for Cloud Customer

Securing the management console - Cloud providers provide management consoles for administering account, configuring services, troubleshooting problems, monitoring and billing. These are targets of attackers. Organizations can control access to cloud management console to prevent attacks and data leaks.
Securing Infrastructure - Virtual Machines, Storage account, container and other resources are common target for cyber attack. Customer must put strong security system and practices in place to unauthorized access to cloud.
Securing admin account for SAAS application - SAAS includes a management console for administering user and services. These are commonly attacked by hackers. Privileged Identity management can ensure its security and reduce risk.
Securing DevOps console and CI/CD pipeline - Devops teams rely on the tools. Perpetrator often exploit devops admin console and launch attack or data leaks. Customer must track and monitor but source code access based on the policy.
Securing Cloud Entitlements - Users or identities leverage cloud IAM permission to access infrastructure and services in their organizations environment. In hands of hackers excessive permission can put sensitive data at risk. PIM and IAM can be used for unauthorized access.