loc_az_hci/docs/security/security-guide.md
defiQUG c39465c2bd
Initial commit: loc_az_hci (smom-dbis-138 excluded via .gitignore)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-08 09:04:46 -08:00
# Security Guide
Security best practices and configuration for the Azure Stack HCI infrastructure.
## Overview
This guide covers security considerations and best practices for securing the Azure Stack HCI infrastructure.
## Network Security
### VLAN Segmentation
- **VLAN 10**: Storage (isolated)
- **VLAN 20**: Compute (isolated)
- **VLAN 30**: App Tier (isolated)
- **VLAN 40**: Observability (isolated)
- **VLAN 50**: Dev/Test (isolated)
- **VLAN 60**: Management (restricted access)
- **VLAN 99**: DMZ (public-facing)
### Firewall Rules
- Default deny between VLANs
- Explicit allow rules for required communication
- Management VLAN access restricted to authorized IPs
- DMZ isolated from internal networks
## Access Control
### Proxmox RBAC
- Use role-based access control (RBAC)
- Create dedicated users instead of using root
- Use API tokens instead of passwords
- Limit permissions to minimum required

See [Proxmox RBAC Guide](proxmox-rbac.md) for detailed configuration.
### Azure Arc Security
- Use managed identities where possible
- Implement Azure Policy for compliance
- Enable Azure Defender for Cloud
- Use Azure Key Vault for secrets
### Kubernetes RBAC
- Use Role-Based Access Control (RBAC)
- Create service accounts for applications
- Limit cluster-admin access
- Use network policies for pod isolation
## Secrets Management
### Environment Variables
- Store secrets in a `.env` file (not committed to git)
- Use `.env.example` as template
- Never commit `.env` to version control
- Rotate secrets regularly
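
The following is an added example, not code from the loc_az_hci repo, that turns the `.env` / `.env.example` rules above into a check suitable for a pre-commit hook: it verifies that `.env` is gitignored, that the committed template carries only empty values or `<placeholder>` values (an assumed convention, in the same style as the `<vault-name>` placeholders used below), and it reports template keys that are missing from the real `.env`. The sample repo it builds under `mktemp` is constructed for demonstration.

```shell
# Added example (not part of loc_az_hci): hygiene checks for the .env /
# .env.example convention. The "<placeholder>" rule for template values is
# an assumption; git check-ignore is authoritative where git is available.

# 0 if .gitignore has an exact-line rule covering .env (file-only approximation).
gitignore_covers_env() {
  grep -qxE '\.env|\*\.env|\.env\*' "$1"
}

# 0 if no KEY=value line in the template carries anything but an empty value
# or a <placeholder>: the committed template must never hold a real secret.
template_has_no_values() {
  awk -F= '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    $2 != "" && $2 !~ /^<[^>]*>$/ { bad = 1 }     # real-looking value in template
    END { if (bad) exit 1 }
  ' "$1"
}

# Print keys present in the template but absent from the real .env
# (drift: a deployment that never set a required secret).
env_missing_keys() {
  awk -F= '
    /^[[:space:]]*(#|$)/ { next }
    { sub(/^[[:space:]]*(export[[:space:]]+)?/, "", $1) }   # allow "export KEY="
    FILENAME == ARGV[1] { want[$1] = 1; next }              # first file: template
    { have[$1] = 1 }                                        # second file: .env
    END { for (k in want) if (!(k in have)) print k }
  ' "$1" "$2" | sort
}

# Run every check against a repo root; returns 0 only when all pass.
check_env_hygiene() {
  rc=0
  gitignore_covers_env "$1/.gitignore" || { echo "FAIL: .env is not in .gitignore"; rc=1; }
  template_has_no_values "$1/.env.example" || { echo "FAIL: .env.example holds real values"; rc=1; }
  missing=$(env_missing_keys "$1/.env.example" "$1/.env")
  [ -z "$missing" ] || { echo "FAIL: keys missing from .env:" $missing; rc=1; }
  return $rc
}

# Constructed sample repo (placeholder GUID, made-up vault name) for a stand-alone run.
make_sample_repo() {
  d=$(mktemp -d)
  printf '.env\n' > "$d/.gitignore"
  printf 'AZURE_TENANT_ID=<tenant-id>\nAZURE_CLIENT_SECRET=<client-secret>\nKEYVAULT_NAME=\n' > "$d/.env.example"
  printf 'AZURE_TENANT_ID=00000000-0000-0000-0000-000000000000\nKEYVAULT_NAME=kv-example\n' > "$d/.env"
  echo "$d"
}

check_env_hygiene "$(make_sample_repo)" || echo "sample repo failed hygiene check (exit $?)"
```

Wire `check_env_hygiene "$(git rev-parse --show-toplevel)"` into `.git/hooks/pre-commit` so a missing ignore rule or a leaked template value blocks the commit.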
### Azure Key Vault
For production deployments, consider using Azure Key Vault:
```bash
# Store secret
az keyvault secret set \
  --vault-name <vault-name> \
  --name <secret-name> \
  --value <secret-value>

# Retrieve secret
az keyvault secret show \
  --vault-name <vault-name> \
  --name <secret-name> \
  --query value -o tsv
```
### Kubernetes Secrets
- Use Kubernetes secrets for application credentials
- Consider external secret management (e.g., Sealed Secrets)
- Encrypt secrets at rest
- Rotate secrets regularly
## SSL/TLS
### Certificates
- Use valid SSL/TLS certificates for all services
- Configure certificate auto-renewal (cert-manager)
- Use Let's Encrypt for public services
- Use internal CA for private services
### Cloudflare Tunnel
- Cloudflare Tunnel handles SSL termination
- No inbound ports required
- WAF protection enabled
- DDoS protection enabled
## Monitoring and Auditing
### Logging
- Enable audit logging for all components
- Centralize logs (Azure Log Analytics, syslog)
- Retain logs for compliance
- Monitor for suspicious activity
### Azure Monitor
- Enable Azure Monitor for all resources
- Set up alerting for security events
- Monitor for policy violations
- Track access and changes
### Azure Defender
- Enable Azure Defender for Cloud
- Configure threat detection
- Set up security alerts
- Review security recommendations
## Compliance
### Azure Policy
- Apply security baseline policies
- Enforce compliance requirements
- Monitor policy compliance
- Remediate non-compliant resources
### Updates
- Keep all systems updated
- Use Azure Update Management
- Schedule regular maintenance windows
- Test updates in non-production first
## Best Practices
1. **Principle of Least Privilege**: Grant minimum required permissions
2. **Defense in Depth**: Multiple layers of security
3. **Regular Audits**: Review access and permissions regularly
4. **Incident Response**: Have a plan for security incidents
5. **Backup and Recovery**: Regular backups and tested recovery procedures
## Additional Resources
- [Proxmox RBAC Guide](proxmox-rbac.md)
- [Azure Security Documentation](https://docs.microsoft.com/azure/security/)
- [Kubernetes Security](https://kubernetes.io/docs/concepts/security/)