loc_az_hci/docs/security/security-guide.md
defiQUG c39465c2bd
Initial commit: loc_az_hci (smom-dbis-138 excluded via .gitignore)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-08 09:04:46 -08:00


Security Guide

Security best practices and configuration for the Azure Stack HCI infrastructure.

Overview

This guide covers security considerations and best practices for securing the Azure Stack HCI infrastructure.

Network Security

VLAN Segmentation

  • VLAN 10: Storage (isolated)
  • VLAN 20: Compute (isolated)
  • VLAN 30: App Tier (isolated)
  • VLAN 40: Observability (isolated)
  • VLAN 50: Dev/Test (isolated)
  • VLAN 60: Management (restricted access)
  • VLAN 99: DMZ (public-facing)

Firewall Rules

  • Default deny between VLANs
  • Explicit allow rules for required communication
  • Management VLAN access restricted to authorized IPs
  • DMZ isolated from internal networks

Access Control

Proxmox RBAC

  • Use role-based access control (RBAC)
  • Create dedicated users instead of using root
  • Use privilege-separated API tokens for automation instead of passwords; a separated token can be granted fewer permissions than its owning user and can be revoked on its own
  • Limit permissions to minimum required

See Proxmox RBAC Guide for detailed configuration.

Azure Arc Security

  • Use managed identities where possible
  • Implement Azure Policy for compliance
  • Enable Microsoft Defender for Cloud (formerly Azure Defender) on the subscription
  • Use Azure Key Vault for secrets

Kubernetes RBAC

  • Use Role-Based Access Control (RBAC)
  • Create service accounts for applications
  • Limit cluster-admin access
  • Use NetworkPolicy objects for pod isolation (they are only enforced if the cluster's CNI supports them; otherwise the API server accepts them and nothing is blocked)

Secrets Management

Environment Variables

  • Store local secrets in a .env file that is loaded at runtime, never in source
  • Use .env.example as the template: the same keys, placeholder values only
  • Never commit .env to version control; list it in .gitignore and verify with git check-ignore .env
  • Rotate secrets regularly, and immediately if a .env is ever committed (rewriting history does not revoke a leaked credential)
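As an added example (not code from the repository), the shell script below checks the .env / .env.example convention above and is small enough to run as a pre-commit hook: .env must be git-ignored, .env.example must define exactly the keys that .env defines, and every value in .env.example must be empty or a <placeholder>. Both sample repositories it builds are constructed, and the key names in them are illustrative.

```shell
#!/bin/sh
# Added example (not from the repository): hygiene check for the .env / .env.example
# convention. Both sample repos below are constructed.

# env_keys FILE: variable names defined in a dotenv file, comments skipped, sorted.
env_keys() {
  grep -v '^[[:space:]]*#' "$1" | grep '=' | sed 's/^[[:space:]]*export[[:space:]]*//' \
    | cut -d= -f1 | sort -u
}

# check_env_hygiene REPO_DIR: 0 when .env is git-ignored, .env.example defines the
# same keys as .env, and every .env.example value is empty or a <placeholder>;
# otherwise prints findings and returns 1.
check_env_hygiene() {
  repo="$1"; rc=0
  if ! grep -qx '\.env' "$repo/.gitignore" 2>/dev/null; then
    echo "FAIL: .env is not listed in .gitignore"; rc=1
  fi
  if [ ! -f "$repo/.env.example" ]; then
    echo "FAIL: .env.example template is missing"; rc=1
  else
    if [ -f "$repo/.env" ] && [ "$(env_keys "$repo/.env")" != "$(env_keys "$repo/.env.example")" ]; then
      echo "FAIL: .env and .env.example define different keys"; rc=1
    fi
    # A real value in the template is a credential waiting to be committed.
    leaked=$(grep -v '^[[:space:]]*#' "$repo/.env.example" | grep '=' \
               | grep -Ev '=[[:space:]]*(<[^>]*>)?[[:space:]]*$' | cut -d= -f1)
    if [ -n "$leaked" ]; then
      echo "FAIL: .env.example holds non-placeholder values for: $(echo "$leaked" | tr '\n' ' ')"; rc=1
    fi
  fi
  return "$rc"
}

# make_good_repo DIR: constructed repo that follows the convention.
make_good_repo() {
  mkdir -p "$1"
  printf '.env\n*.pem\n' > "$1/.gitignore"
  cat > "$1/.env" <<'EOF'
# local values (constructed, not real credentials)
AZURE_TENANT_ID=11111111-2222-3333-4444-555555555555
AZURE_CLIENT_SECRET=constructed-client-secret-value
PVE_TOKEN_ID=deploy@pve!ci
PVE_TOKEN_SECRET=00000000-0000-0000-0000-000000000000
EOF
  cat > "$1/.env.example" <<'EOF'
# Copy to .env and fill in; never put real values here
AZURE_TENANT_ID=<tenant-guid>
AZURE_CLIENT_SECRET=<service-principal-secret>
PVE_TOKEN_ID=<user@realm!tokenid>
PVE_TOKEN_SECRET=
EOF
}

# make_bad_repo DIR: same repo, but .env is not ignored and a value was pasted
# into the template.
make_bad_repo() {
  make_good_repo "$1"
  printf '*.pem\n' > "$1/.gitignore"
  cat > "$1/.env.example" <<'EOF'
AZURE_TENANT_ID=<tenant-guid>
AZURE_CLIENT_SECRET=<service-principal-secret>
PVE_TOKEN_ID=<user@realm!tokenid>
PVE_TOKEN_SECRET=00000000-0000-0000-0000-000000000000
EOF
}

WORK=$(mktemp -d)
make_good_repo "$WORK/good"
make_bad_repo "$WORK/bad"
for r in good bad; do
  if check_env_hygiene "$WORK/$r"; then echo "$r: PASS"; else echo "$r: FAIL"; fi
done
```

Inside a real checkout, add git ls-files --error-unmatch .env (which must fail) to catch a .env that was committed before the ignore rule existed; the grep on .gitignore alone cannot see that.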

Azure Key Vault

For production deployments, consider using Azure Key Vault. Note that a secret passed on the command line with --value ends up in shell history and is visible in process listings while the command runs; prefer --file, or read the value from a variable with history disabled:

# Store secret
az keyvault secret set \
  --vault-name <vault-name> \
  --name <secret-name> \
  --value <secret-value>

# Retrieve secret
az keyvault secret show \
  --vault-name <vault-name> \
  --name <secret-name> \
  --query value -o tsv

Kubernetes Secrets

  • Use Kubernetes Secrets for application credentials, and remember they are only base64-encoded: anyone who can read the object, or etcd, reads the value
  • Consider Sealed Secrets (encrypted manifests that are safe to commit) or an external secrets operator that syncs values from Azure Key Vault
  • Enable encryption at rest by configuring an encryption provider for the secrets resource on the API server; in a self-managed cluster it is off by default
  • Rotate secrets regularly
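"Encrypt secrets at rest" is a concrete API-server setting, so here is an added example (not code from the repository) of what it involves: a helper that emits an EncryptionConfiguration with the aescbc provider first and identity last, a check of which provider encrypts new writes, and a check of a raw etcd value to confirm the secret was actually written through a provider. The key name, the key material and the two sample etcd values are constructed.

```shell
#!/bin/sh
# Added example (not from the repository): encryption at rest for Kubernetes Secrets.
# Key name, key material and the two sample etcd values are constructed.

# gen_key: 32 random bytes, base64-encoded, the size the aescbc provider expects.
gen_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# gen_encryption_config KEYNAME KEY_B64: an EncryptionConfiguration for
# kube-apiserver --encryption-provider-config=<file>. Provider order matters:
# the first provider encrypts every new write; listing identity (no-op) last keeps
# secrets written before encryption was enabled readable until they are rewritten.
# The common mistake is identity first, which leaves new writes in plaintext even
# though an aescbc key is configured.
gen_encryption_config() {
cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: $1
              secret: $2
      - identity: {}
EOF
}

# first_provider FILE: the provider that encrypts new writes (must not be identity).
first_provider() { sed -n 's/^      - \([a-z0-9]*\):.*/\1/p' "$1" | head -n 1; }

# etcd_value_encrypted FILE: 0 when the raw etcd value of a secret, e.g. from
#   etcdctl get /registry/secrets/<ns>/<name> --print-value-only > FILE
# starts with the provider prefix k8s:enc:<provider>:v1:<keyname>:; 1 when it is
# the plaintext protobuf envelope, which starts with "k8s" followed by a NUL byte.
etcd_value_encrypted() {
  prefix=$(dd if="$1" bs=8 count=1 2>/dev/null | tr -d '\000')
  [ "$prefix" = "k8s:enc:" ]
}

WORK=$(mktemp -d)
gen_encryption_config key1 "$(gen_key)" > "$WORK/encryption.yaml"
echo "new writes go through: $(first_provider "$WORK/encryption.yaml")"

# Constructed etcd values: leading bytes of an aescbc-encrypted secret and of a plaintext one.
printf 'k8s:enc:aescbc:v1:key1:\303\251\027\233' > "$WORK/encrypted.bin"
printf 'k8s\000\n\014\n\002v1\022\006Secret' > "$WORK/plaintext.bin"
for v in encrypted plaintext; do
  if etcd_value_encrypted "$WORK/$v.bin"; then echo "$v.bin: encrypted"; else echo "$v.bin: PLAINTEXT"; fi
done
```

After the API server restarts with the new configuration, existing secrets stay in plaintext until they are rewritten (kubectl get secrets -A -o json | kubectl replace -f -); re-run the etcd check on one of them afterwards. The key file itself is now the secret that protects every other secret, so it belongs on the control-plane nodes with root-only permissions and in the backup plan.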

SSL/TLS

Certificates

  • Use TLS certificates issued by a trusted CA for all services; no self-signed certificates in production
  • Configure certificate auto-renewal (cert-manager)
  • Use Let's Encrypt for public services
  • Use an internal CA for private services and distribute its root certificate to every client that must validate them

Cloudflare Tunnel

  • Cloudflare terminates TLS at its edge; the tunnel connector (cloudflared) opens outbound connections only, so no inbound ports are required
  • Keep the hop from Cloudflare to the origin encrypted as well, and make origins accept traffic only through the tunnel so the WAF cannot be bypassed by reaching them directly
  • WAF protection enabled
  • DDoS protection enabled

Monitoring and Auditing

Logging

  • Enable audit logging for all components
  • Centralize logs (Azure Log Analytics, syslog)
  • Retain logs for compliance
  • Monitor for suspicious activity
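"Monitor for suspicious activity" needs concrete rules. The shell functions below are an added example (not code from the repository) that runs two such rules over host auth logs from the Proxmox nodes: sources with repeated failed logins, counting both sshd password failures and pvedaemon authentication failures, and any auth event at all from outside the management VLAN, which the firewall rules above should make impossible. The log lines are constructed in sshd and pvedaemon syslog format, and the management prefix 10.0.60. is an assumption.

```shell
#!/bin/sh
# Added example: detection over host auth logs from the Proxmox nodes.
# The log lines are constructed; the management prefix is assumed.
WORK=$(mktemp -d)
SAMPLE_LOG="$WORK/auth.log"
cat > "$SAMPLE_LOG" <<'EOF'
Feb  8 09:01:02 pve1 sshd[4120]: Failed password for root from 10.0.99.23 port 51234 ssh2
Feb  8 09:01:04 pve1 sshd[4120]: Failed password for root from 10.0.99.23 port 51236 ssh2
Feb  8 09:01:07 pve1 sshd[4122]: Failed password for invalid user admin from 10.0.99.23 port 51240 ssh2
Feb  8 09:01:09 pve1 sshd[4123]: Failed password for invalid user admin from 10.0.99.23 port 51242 ssh2
Feb  8 09:01:15 pve1 pvedaemon[1880]: authentication failure; rhost=10.0.99.23 user=root@pam msg=Authentication failure
Feb  8 09:01:18 pve1 pvedaemon[1880]: authentication failure; rhost=10.0.99.23 user=admin@pve msg=no such user ('admin@pve')
Feb  8 09:02:30 pve1 sshd[4130]: Failed password for ops from 10.0.60.10 port 40022 ssh2
Feb  8 09:02:35 pve1 sshd[4130]: Accepted publickey for ops from 10.0.60.10 port 40022 ssh2: ED25519 SHA256:constructed
Feb  8 09:02:40 pve1 pvedaemon[1880]: <root@pam> successful auth for user 'ops@pve'
EOF

# failed_login_sources LOG [THRESHOLD]: "<count> <ip>" for each source with at
# least THRESHOLD (default 5) failed logins, counting sshd password failures and
# Proxmox GUI/API authentication failures reported by pvedaemon.
failed_login_sources() {
  awk -v t="${2:-5}" '
    / sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    / pvedaemon\[[0-9]+\]: authentication failure; / {
      for (i = 1; i <= NF; i++) if ($i ~ /^rhost=/) { n[substr($i, 7)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' "$1" | sort -rn
}

# non_management_auth LOG MGMT_PREFIX: "<count> <ip>" for every sshd or pvedaemon
# auth event, successful or not, whose source is outside the management VLAN.
# With default deny between VLANs these should not be possible, so each one is a
# firewall gap or a bypass regardless of how many attempts were made.
non_management_auth() {
  awk -v mgmt="$2" '
    { ip = "" }
    / sshd\[[0-9]+\]: (Failed password|Accepted) / {
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
    }
    / pvedaemon\[[0-9]+\]: authentication failure; / {
      for (i = 1; i <= NF; i++) if ($i ~ /^rhost=/) { ip = substr($i, 7); break }
    }
    ip != "" && index(ip, mgmt) != 1 { print ip }' "$1" | sort | uniq -c | sort -rn
}

echo "== sources at or over 5 failed logins"
failed_login_sources "$SAMPLE_LOG" 5
echo "== auth events from outside 10.0.60.0/24"
non_management_auth "$SAMPLE_LOG" 10.0.60.
```

Point both functions at the centralized copy of the logs (the syslog receiver or an export from Log Analytics) rather than each node's local file, so that an attacker who can clear a host's /var/log/auth.log cannot also clear the evidence, and treat any line from the second rule as an alert on its own.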

Azure Monitor

  • Enable Azure Monitor for all resources
  • Set up alerting for security events
  • Monitor for policy violations
  • Track access and changes

Microsoft Defender for Cloud

  • Enable Microsoft Defender for Cloud (formerly Azure Defender) with the plans matching the resources in use (servers, containers, Key Vault)
  • Configure threat detection
  • Set up security alerts
  • Review security recommendations

Compliance

Azure Policy

  • Apply security baseline policies
  • Enforce compliance requirements
  • Monitor policy compliance
  • Remediate non-compliant resources

Updates

  • Keep all systems updated
  • Use Azure Update Manager (the successor to Automation Update Management) for patch assessment and deployment
  • Schedule regular maintenance windows
  • Test updates in non-production first

Best Practices

  1. Principle of Least Privilege: Grant minimum required permissions
  2. Defense in Depth: Multiple layers of security
  3. Regular Audits: Review access and permissions regularly
  4. Incident Response: Have a plan for security incidents
  5. Backup and Recovery: Regular backups and tested recovery procedures

Additional Resources