Azure Security Fundamentals Part - 4: Storage Accounts, Firewalls, Logging, and Defender for Cloud
Securing Azure Storage, Firewalls, Logging, and Defender for Cloud
With identities, VMs, databases, and apps hardened, this final post in our Azure Security series focuses on:
- Storage account protection
- Firewall configurations
- Cloud-native logging
- Microsoft Defender for Cloud
Storage Account Security
Azure Storage is one of the most widely used services and a common source of accidental data exposure. Securing it is non-negotiable.
Choose Secure Authentication
You can access Azure Storage using one of the following methods:
| Method | Description | Security Level |
|---|---|---|
| Public Access | Open to the world; used for public static sites | Least secure |
| Storage Keys | Master key with full control over the account | Risky |
| SAS Tokens | Time-bound, limited-access URLs | Moderate |
| Azure AD Identity | Role-based, secure, auditable access | Recommended |
Use Azure AD and RBAC, combined with Managed Identity, wherever possible.
Encrypt Data
By default, Azure encrypts all data at rest using Microsoft-managed keys. For more control, bring your own key (BYOK) via Key Vault.
Restrict Access
To protect against data exfiltration:
- Use Private Endpoints to limit traffic to internal networks
- If not possible, configure firewall rules for known IPs
- Avoid embedding SAS tokens in code; store them in Key Vault
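Before a SAS token is allowed anywhere near code or configuration, it is worth reading what it actually grants. The following is an added example (not code from the original post) that parses the documented SAS query parameters (`sv`, `se`, `sp`, `sip`, `spr`, `skoid`) and reports lifetime, permission breadth, missing IP restriction and plain-HTTP allowance. Both URLs are constructed, and every `sig`/`skoid` value is a placeholder, not a real signature.

```python
"""Inspect a shared access signature (SAS) URL before it ships in code or config.

Added example, not code from the original post. It reads the SAS query parameters
that Azure documents and reports the findings a reviewer cares about. The URLs
below are constructed; signature and key-object-id values are placeholders.
"""
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: long-lived, read/write/delete, no IP restriction, HTTP allowed,
# signed with the account key (no skoid => not a user delegation SAS).
RISKY_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/reports"
    "?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2030-12-31T23:59:59Z"
    "&st=2024-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)

# Constructed sample: one-hour, read-only, IP-restricted, HTTPS-only user delegation SAS.
SAFE_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/reports/q1.pdf"
    "?sv=2022-11-02&sr=b&sp=r&se=2025-01-01T01:00:00Z&sip=203.0.113.10"
    "&spr=https&skoid=PLACEHOLDER_OBJECT_ID&sig=PLACEHOLDER_SIGNATURE"
)

WRITE_CLASS_PERMS = set("wdac")  # write, delete, add, create
MAX_LIFETIME_DAYS = 7            # hypothetical review threshold, not an Azure limit


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters as a flat dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _utc(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_sas(url: str, now_iso: Optional[str] = None) -> dict:
    """Return {'findings': [...], 'lifetime_days': float|None, 'permissions': str}.

    now_iso lets a caller pin 'now' (e.g. "2025-01-01T00:00:00Z") for repeatable checks.
    """
    params = parse_sas(url)
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    if "sig" not in params or "se" not in params:
        return {"findings": ["not a SAS URL (missing sig or se)"],
                "lifetime_days": None, "permissions": ""}
    lifetime_days = (_utc(params["se"]) - now).total_seconds() / 86400
    if lifetime_days > MAX_LIFETIME_DAYS:
        findings.append(f"expiry is {lifetime_days:.0f} days away; keep SAS short-lived")
    perms = set(params.get("sp", ""))
    if perms & WRITE_CLASS_PERMS:
        findings.append("grants write-class permissions: "
                        + "".join(sorted(perms & WRITE_CLASS_PERMS)))
    if "sip" not in params:
        findings.append("no sip (allowed IP range) restriction")
    if "http" in params.get("spr", "https").split(","):
        findings.append("spr allows plain HTTP")
    if "skoid" not in params:
        findings.append("signed with the account key, not a user delegation SAS")
    return {"findings": findings, "lifetime_days": lifetime_days,
            "permissions": "".join(sorted(perms))}


if __name__ == "__main__":
    for url in (RISKY_SAS_URL, SAFE_SAS_URL):
        result = analyze_sas(url, now_iso="2025-01-01T00:00:00Z")
        print(url.split("?")[0], "->", result["findings"] or ["no findings"])
```

A user delegation SAS (the `skoid` family of parameters) is signed with an Azure AD credential rather than the account key, which is why the last check treats its absence as a finding: a key-signed SAS stays valid until the key is rotated, whatever policy says about key use.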
Connecting from App Services and VMs
The same rules apply as with Azure SQL:
```
[App Service] -- VNet Integration --> Private Endpoint --> [Storage]
[VM] --------------- VNet ----------> Private Endpoint --> [Storage]
```
Use Azure Policy to block access via storage keys or public endpoints.
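The storage guidance above (Azure AD over keys, BYOK, private endpoints or firewall rules, no public endpoints) can be checked against an account's configuration rather than trusted. The following is an added example, not code from the original post: it evaluates the JSON shape returned by `az storage account show` (the property names are the real ARM properties as the CLI prints them; the two accounts are constructed for this example, with a placeholder subscription id) and lists every departure from the post's recommendations.

```python
"""Audit a storage account's configuration against the hardening points in this post.

Added example, not code from the original post. Input is the JSON that
`az storage account show -n <name> -g <rg>` returns; the two accounts here are
constructed samples and the subscription id is a placeholder.
"""
import json
from typing import List

# Constructed sample: the kind of account this post warns about.
WEAK_ACCOUNT = json.loads("""
{
  "name": "weakstorage",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": true,
  "publicNetworkAccess": "Enabled",
  "minimumTlsVersion": "TLS1_0",
  "enableHttpsTrafficOnly": false,
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [],
  "encryption": {"keySource": "Microsoft.Storage"}
}
""")

# Constructed sample: private endpoint only, Azure AD only, customer-managed key.
HARDENED_ACCOUNT = json.loads("""
{
  "name": "hardenedstorage",
  "allowBlobPublicAccess": false,
  "allowSharedKeyAccess": false,
  "publicNetworkAccess": "Disabled",
  "minimumTlsVersion": "TLS1_2",
  "enableHttpsTrafficOnly": true,
  "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [
    {"privateEndpoint": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/privateEndpoints/pe-storage"}}
  ],
  "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": {"keyName": "cmk-storage"}}
}
""")


def audit_storage_account(acct: dict) -> List[str]:
    """Return findings; an empty list means the account matches the post's guidance."""
    findings = []
    # Defaults below are Azure's defaults when the property is absent.
    if acct.get("allowBlobPublicAccess", True):
        findings.append("allowBlobPublicAccess is true: containers can be set to anonymous read")
    if acct.get("allowSharedKeyAccess", True):
        findings.append("allowSharedKeyAccess is true: storage keys (and key-signed SAS) work; "
                        "prefer Azure AD + RBAC with Managed Identity")
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append("enableHttpsTrafficOnly is false")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"minimumTlsVersion is {acct.get('minimumTlsVersion')}; require TLS1_2")
    rules = acct.get("networkRuleSet", {})
    has_private_endpoint = bool(acct.get("privateEndpointConnections"))
    public = acct.get("publicNetworkAccess", "Enabled") == "Enabled"
    if public and rules.get("defaultAction", "Allow") == "Allow":
        findings.append("public endpoint open to all IPs: add a Private Endpoint or, "
                        "if that is not possible, firewall rules for known IPs")
    elif public and not has_private_endpoint:
        findings.append("public endpoint restricted by firewall rules only; "
                        "a Private Endpoint would remove the public surface entirely")
    if acct.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append("encryption uses Microsoft-managed keys (the default); "
                        "use Key Vault BYOK when you need control of the key")
    return findings


if __name__ == "__main__":
    for account in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(account["name"], "->", audit_storage_account(account) or ["no findings"])
```

The `allowSharedKeyAccess` and `publicNetworkAccess` checks are the ones an Azure Policy assignment would enforce at scale; the script is the per-account spot check you run before or after rolling such a policy out.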
Azure Firewall & Web Application Firewalls
Azure Firewall
- Protects non-web traffic
- Supports Layer 3 to Layer 7 filtering
- Premium SKU includes IDPS (Intrusion Detection and Prevention System)
| Feature | Basic | Premium |
|---|---|---|
| Layer 3-7 filtering | Yes | Yes |
| TLS Inspection | No | Yes |
| Threat Intelligence | Yes | Yes |
Recommended for protecting internal service-to-service traffic.
Application Gateway + WAF
- Handles web traffic only
- Protects against OWASP Top 10 threats
- Offers SSL termination, routing, custom headers, and more
WAF runs in one of two modes:
- Detection Mode (logs only)
- Prevention Mode (blocks malicious traffic)
Tip: WAF rules are based on the OWASP Core Rule Set (CRS) and are updated automatically.
Logging with Log Analytics
Azure provides diagnostic logging for nearly all services, but logs must be explicitly enabled.
Logging Pipeline
- Enable diagnostic logging per resource
- Stream logs to a Log Analytics Workspace
- Use Kusto Query Language (KQL) to query the logs
Logs may take ~2 minutes to stream after configuration.
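Once storage diagnostic logs land in the workspace, the first question to ask is who is still using keys or anonymous access, which is also how you measure whether the key-blocking policy from the storage section is working. The following is an added example, not code from the original post: it runs that check in Python over six constructed records so the logic can be read and executed offline. The column names (`TimeGenerated`, `OperationName`, `AuthenticationType`, `StatusCode`, `CallerIpAddress`, `Uri`) follow the `StorageBlobLogs` table as I know it, and the equivalent KQL in the docstring is mine; verify both against your own workspace schema before relying on them.

```python
"""What a Log Analytics query for key-based or anonymous blob access is looking for.

Added example, not from the original post. The records below are constructed
StorageBlobLogs-style JSON lines; column names follow that table as I know it and
should be checked against your workspace. The KQL I would run in the workspace:

    StorageBlobLogs
    | where TimeGenerated > ago(1d)
    | where AuthenticationType in ("AccountKey", "Anonymous")
    | summarize count() by AuthenticationType, CallerIpAddress, OperationName
"""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records (IPs from documentation ranges).
SAMPLE_LOG_LINES = [
    '{"TimeGenerated":"2024-05-01T10:00:00Z","AccountName":"examplestorage","OperationName":"GetBlob","AuthenticationType":"OAuth","StatusCode":200,"CallerIpAddress":"10.1.0.4:51234","Uri":"https://examplestorage.blob.core.windows.net/reports/q1.pdf"}',
    '{"TimeGenerated":"2024-05-01T10:00:05Z","AccountName":"examplestorage","OperationName":"GetBlob","AuthenticationType":"AccountKey","StatusCode":200,"CallerIpAddress":"203.0.113.7:44010","Uri":"https://examplestorage.blob.core.windows.net/reports/q1.pdf"}',
    '{"TimeGenerated":"2024-05-01T10:00:09Z","AccountName":"examplestorage","OperationName":"ListBlobs","AuthenticationType":"AccountKey","StatusCode":200,"CallerIpAddress":"203.0.113.7:44011","Uri":"https://examplestorage.blob.core.windows.net/reports?restype=container&comp=list"}',
    '{"TimeGenerated":"2024-05-01T10:01:00Z","AccountName":"examplestorage","OperationName":"GetBlob","AuthenticationType":"Anonymous","StatusCode":200,"CallerIpAddress":"198.51.100.23:60001","Uri":"https://examplestorage.blob.core.windows.net/public/logo.png"}',
    '{"TimeGenerated":"2024-05-01T10:01:30Z","AccountName":"examplestorage","OperationName":"GetBlob","AuthenticationType":"Anonymous","StatusCode":404,"CallerIpAddress":"198.51.100.23:60002","Uri":"https://examplestorage.blob.core.windows.net/reports/q1.pdf"}',
    '{"TimeGenerated":"2024-05-01T10:02:00Z","AccountName":"examplestorage","OperationName":"PutBlob","AuthenticationType":"SAS","StatusCode":201,"CallerIpAddress":"10.1.0.9:50000","Uri":"https://examplestorage.blob.core.windows.net/uploads/a.csv"}',
]

# Authentication types the post wants phased out in favour of Azure AD.
RISKY_AUTH = {"AccountKey", "Anonymous"}


def parse_records(lines: List[str]) -> List[dict]:
    """Each diagnostic record is one JSON object per line."""
    return [json.loads(line) for line in lines]


def caller_ip(record: dict) -> str:
    """CallerIpAddress carries 'ip:port'; summarise on the IP alone."""
    return record["CallerIpAddress"].rsplit(":", 1)[0]


def summarize_risky_auth(records: List[dict]) -> Dict[Tuple[str, str, str], int]:
    """Mirror the KQL summarize: count by (AuthenticationType, caller IP, OperationName)."""
    counts: Counter = Counter()
    for rec in records:
        if rec["AuthenticationType"] in RISKY_AUTH:
            counts[(rec["AuthenticationType"], caller_ip(rec), rec["OperationName"])] += 1
    return dict(counts)


def successful_anonymous_reads(records: List[dict]) -> List[str]:
    """An anonymous request that returned 2xx proves a container is publicly readable."""
    return [rec["Uri"] for rec in records
            if rec["AuthenticationType"] == "Anonymous" and 200 <= rec["StatusCode"] < 300]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    for key, n in sorted(summarize_risky_auth(recs).items()):
        print(f"{key[0]:<11} {key[1]:<15} {key[2]:<10} {n}")
    print("publicly readable:", successful_anonymous_reads(recs))
```

Only the successful (2xx) anonymous requests matter for exposure: the 404 line shows a probe against a private container that returned nothing, which is noise in this check but exactly what the Defender for Cloud alerts in the next section are built to surface.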
Microsoft Defender for Cloud
Microsoft Defender for Cloud is a centralized security console that:
- Monitors all Azure resources
- Highlights misconfigurations and threats
- Offers one-click remediation
- Integrates with Microsoft Sentinel, Microsoft Defender XDR, etc.
Pricing
- Basic plan: Free
- Enhanced detection, analytics, and recommendations: Paid (per resource)
It is best practice to enable it for all subscriptions and review its findings weekly.
Final Recap
| Area | Best Practice |
|---|---|
| Storage Accounts | Use Private Endpoints and Azure AD |
| Firewalls | Deploy both Azure Firewall and WAF |
| Logging | Send logs to Log Analytics and use KQL |
| Defender for Cloud | Enable across subscriptions and review alerts |