Microsoft Compute

The best practices and references below are based on published guidance from the cloud service provider and may refer to native capabilities that provider offers. If you are not using those native capabilities, the same security requirement can be met with other security capabilities your organization already uses.

Asset Inventory

Design Guidance:

Microsoft.Compute/virtualMachines

name (Terraform)
tags (Terraform)
osDisk.name (Terraform)
dataDisks.name (Terraform)
osProfile.computerName (Terraform)

Microsoft.Compute/virtualMachineScaleSets

name (Terraform)
tags (Terraform)
osDisk.name (Terraform)
dataDisks.name (Terraform)
publicIPAddressConfiguration.ipTags (Terraform)
ipTags.ipTagType (Terraform)
ipTags.tag (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

name
tags
osProfile.computerName
dnsSettings.dnsServers
publicIPAddressConfiguration.ipTags
ipTags.ipTagType
ipTags.tag
plan.name

Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions

name (Terraform)
tags (Terraform)
instanceView.name (Terraform)

Design for High Availability

Design Guidance:

Microsoft.Compute/virtualMachines

availabilitySet.id (Terraform)

Microsoft.Compute/virtualMachineScaleSets

zones (Terraform)
healthProbe.id (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

availabilitySet.id

Hardening

Microsoft.Compute/virtualMachines

osDisk.osType (Terraform)
osProfile.windowsConfiguration (Terraform)
osProfile.linuxConfiguration (Terraform)

Microsoft.Compute/virtualMachineScaleSets

osProfile.windowsConfiguration (Terraform)
osProfile.linuxConfiguration (Terraform)
osDisk.osType (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

osProfile.windowsConfiguration
osProfile.linuxConfiguration

Infrastructure Least Functionality

Microsoft.Compute/virtualMachines

winRM.listeners (Terraform)

Microsoft.Compute/virtualMachineScaleSets

winRM.listeners (Terraform)

Transparent Data Encryption

Design Guidance:

Microsoft.Compute/virtualMachines

encryptionSettings.enabled (Terraform)
securityProfile.encryptionAtHost (Terraform)
managedDisk.id (Terraform)
diskEncryptionSet.id (Terraform)
diskEncryptionSet.id (Terraform)

Microsoft.Compute/virtualMachineScaleSets

securityProfile.encryptionAtHost (Terraform)
diskEncryptionSet.id (Terraform)
diskEncryptionSet.id (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

encryptionSettings.enabled
securityProfile.encryptionAtHost
diskEncryptionSet.id
diskEncryptionSet.id

Trusted Boot

Design Guidance:

Microsoft.Compute/virtualMachines

uefiSettings.secureBootEnabled (Terraform)
uefiSettings.vTpmEnabled (Terraform)

Microsoft.Compute/virtualMachineScaleSets

uefiSettings.secureBootEnabled (Terraform)
uefiSettings.vTpmEnabled (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

uefiSettings.secureBootEnabled
uefiSettings.vTpmEnabled

TLS

Design Guidance:

Microsoft.Compute/virtualMachines

listeners.protocol (Terraform)
listeners.certificateUrl (Terraform)

Microsoft.Compute/virtualMachineScaleSets

listeners.protocol (Terraform)
listeners.certificateUrl (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

listeners.protocol

Load Balancing

Microsoft.Compute/virtualMachineScaleSets

applicationGatewayBackendAddressPools.id (Terraform)
ipConfigurations.loadBalancerBackendAddressPools (Terraform)
loadBalancerBackendAddressPools.id (Terraform)
loadBalancerInboundNatPools.id (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

applicationGatewayBackendAddressPools.id
ipConfigurations.loadBalancerBackendAddressPools
loadBalancerBackendAddressPools.id
ipConfigurations.loadBalancerInboundNatPools
loadBalancerInboundNatPools.id
networkInterfaceConfigurations.enableIPForwarding

Identification and Authentication

Design Guidance:

Microsoft.Compute/virtualMachines

osProfile.adminUsername (Terraform)
osProfile.adminPassword (Terraform)
linuxConfiguration.disablePasswordAuthentication (Terraform)
ssh.publicKeys (Terraform)
publicKeys.path (Terraform)
publicKeys.keyData (Terraform)

Microsoft.Compute/virtualMachineScaleSets

osProfile.adminUsername (Terraform)
osProfile.adminPassword (Terraform)
linuxConfiguration.disablePasswordAuthentication (Terraform)
ssh.publicKeys (Terraform)
publicKeys.path (Terraform)
publicKeys.keyData (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

osProfile.adminUsername
osProfile.adminPassword
linuxConfiguration.disablePasswordAuthentication
ssh.publicKeys
publicKeys.path
publicKeys.keyData

Subnet Isolation

Design Guidance:

Microsoft.Compute/virtualMachines

networkInterfaces.id (Terraform)

Microsoft.Compute/virtualMachineScaleSets

networkInterfaceConfigurations.id (Terraform)
networkInterfaceConfigurations.ipConfigurations (Terraform)
ipConfigurations.id (Terraform)
ipConfigurations.name (Terraform)
subnet.id (Terraform)
publicIPAddressConfiguration.name (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

networkInterfaces.id
networkInterfaceConfigurations.id
ipConfigurations.id
subnet.id

Firewalls

Design Guidance:

Microsoft.Compute/virtualMachineScaleSets

networkSecurityGroup.id (Terraform)
ipConfigurations.applicationSecurityGroups (Terraform)
applicationSecurityGroups.id (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

networkSecurityGroup.id
ipConfigurations.applicationSecurityGroups
applicationSecurityGroups.id

Information Flow Routing

Microsoft.Compute/virtualMachineScaleSets

publicIPPrefix.id (Terraform)
publicIPAddressConfiguration.publicIPAddressVersion (Terraform)
ipConfigurations.privateIPAddressVersion (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

publicIPPrefix.id
publicIPAddressConfiguration.publicIPAddressVersion
ipConfigurations.privateIPAddressVersion
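The Subnet Isolation, Firewalls, Information Flow Routing and Load Balancing properties above all live in a scale set's networkInterfaceConfigurations. The following is an added example, not code from this page or from Microsoft, that walks that structure in a VM scale set document in ARM REST JSON shape (the form the REST API and Azure Resource Graph return) and reports the placements a reviewer would flag: a NIC configuration with no NSG bound, IP forwarding switched on, an instance-level public IP instead of a load-balancer frontend, or a subnet outside an allowed set of virtual networks. The allowed-VNet policy and SAMPLE_VMSS are assumptions made for the example.

```python
"""Added example (not from this page or Microsoft): network-placement checks for a
VM scale set document in ARM REST JSON shape, covering the Subnet Isolation,
Firewalls, Information Flow Routing and Load Balancing properties listed above.
The allowed-VNet policy and SAMPLE_VMSS are this example's assumptions."""
from __future__ import annotations


def network_findings(vmss: dict, allowed_vnet_ids: set[str]) -> list[str]:
    """For each networkInterfaceConfiguration report: no NSG bound, IP forwarding
    enabled, an instance-level public IP, or a subnet outside allowed_vnet_ids.
    Resource ids compare case-insensitively, as ARM does."""
    nics = (vmss.get("properties", {}).get("virtualMachineProfile", {})
            .get("networkProfile", {}).get("networkInterfaceConfigurations", []))
    if not nics:
        return ["no networkInterfaceConfigurations found"]
    allowed = {v.lower().rstrip("/") for v in allowed_vnet_ids}
    findings: list[str] = []
    for nic in nics:
        nic_name = nic.get("name", "<unnamed>")
        nic_props = nic.get("properties", {})
        if not nic_props.get("networkSecurityGroup", {}).get("id"):
            findings.append(f"{nic_name}: no networkSecurityGroup.id bound")
        if nic_props.get("enableIPForwarding") is True:
            findings.append(f"{nic_name}: enableIPForwarding is true")
        for ipc in nic_props.get("ipConfigurations", []):
            label = f"{nic_name}/{ipc.get('name', '<unnamed>')}"
            ipc_props = ipc.get("properties", {})
            if ipc_props.get("publicIPAddressConfiguration"):
                findings.append(f"{label}: instance-level publicIPAddressConfiguration present")
            subnet_id = ipc_props.get("subnet", {}).get("id", "")
            # the VNet id is everything before '/subnets/<name>'
            vnet_id = subnet_id.lower().rsplit("/subnets/", 1)[0]
            if not subnet_id or vnet_id not in allowed:
                findings.append(f"{label}: subnet '{subnet_id or '<none>'}' is outside the allowed virtual networks")
    return findings


# Constructed sample; subscription id and names are placeholders, not real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET_PROD = f"{SUB}/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-prod"
VNET_LAB = f"{SUB}/resourceGroups/rg-lab/providers/Microsoft.Network/virtualNetworks/vnet-lab"
NSG_WEB = f"{SUB}/resourceGroups/rg-net/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
LB_POOL = f"{SUB}/resourceGroups/rg-net/providers/Microsoft.Network/loadBalancers/lb-web/backendAddressPools/web"

SAMPLE_VMSS = {
    "name": "vmss-web", "type": "Microsoft.Compute/virtualMachineScaleSets",
    "properties": {"virtualMachineProfile": {"networkProfile": {"networkInterfaceConfigurations": [
        {"name": "nic-frontend", "properties": {
            "primary": True, "enableIPForwarding": False,
            "networkSecurityGroup": {"id": NSG_WEB},
            "ipConfigurations": [{"name": "ipconfig-web", "properties": {
                "subnet": {"id": f"{VNET_PROD}/subnets/snet-web"},
                "privateIPAddressVersion": "IPv4",
                "loadBalancerBackendAddressPools": [{"id": LB_POOL}],
                # instances should sit behind the load balancer, not carry their own public IPs
                "publicIPAddressConfiguration": {"name": "pip-web", "properties": {"publicIPAddressVersion": "IPv4"}}}}]}},
        {"name": "nic-mgmt", "properties": {
            "primary": False, "enableIPForwarding": True,   # no NSG, forwarding on, lab VNet
            "ipConfigurations": [{"name": "ipconfig-mgmt", "properties": {
                "subnet": {"id": f"{VNET_LAB}/subnets/snet-mgmt"}}}]}},
    ]}}},
}

if __name__ == "__main__":
    for line in network_findings(SAMPLE_VMSS, {VNET_PROD}):
        print("FINDING", line)
```

Run against the sample with only vnet-prod allowed, it reports four findings: the public IP on nic-frontend, and the missing NSG, IP forwarding and lab-VNet subnet on nic-mgmt. Feeding it the output of the REST API or a Resource Graph query instead of the constructed document needs no code change.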

Protect Cryptographic Keys

Design Guidance:

Microsoft.Compute/virtualMachines

diskEncryptionKey.secretUrl (Terraform)
diskEncryptionKey.sourceVault (Terraform)
sourceVault.id (Terraform)
keyEncryptionKey.keyUrl (Terraform)
sourceVault.id (Terraform)
osProfile.secrets (Terraform)
sourceVault.id (Terraform)
secrets.vaultCertificates (Terraform)
vaultCertificates.certificateUrl (Terraform)
vaultCertificates.certificateStore (Terraform)

Microsoft.Compute/virtualMachineScaleSets

osProfile.secrets (Terraform)
sourceVault.id (Terraform)
secrets.vaultCertificates (Terraform)
vaultCertificates.certificateUrl (Terraform)
vaultCertificates.certificateStore (Terraform)

Microsoft.Compute/virtualMachineScaleSets/virtualmachines

diskEncryptionKey.secretUrl
sourceVault.id
keyEncryptionKey.keyUrl
sourceVault.id
listeners.certificateUrl
osProfile.secrets
sourceVault.id
secrets.vaultCertificates
vaultCertificates.certificateUrl
vaultCertificates.certificateStore
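Every property in this section is a Key Vault reference: a secretUrl, keyUrl or certificateUrl paired with the sourceVault.id of the vault that is supposed to hold it. The two halves are set independently, so a resource can name one vault in sourceVault.id while its URL points at another, or reference an unversioned object that rotates silently. The following is an added example, not code from this page or from Microsoft, that parses both halves and reports such mismatches; the requirement that object URLs be version-pinned, the public-cloud DNS suffix and the sample documents are assumptions made for the example.

```python
"""Added example (not from this page or Microsoft): sanity-check the Key Vault
references carried by the encryptionSettings and osProfile.secrets properties
listed above. The version-pinning rule, the public-cloud DNS suffix and the
sample documents are this example's assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Resource id of a vault; ARM ids compare case-insensitively.
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$", re.IGNORECASE)
# Public-cloud Key Vault DNS suffix (assumption: sovereign clouds use another suffix).
VAULT_DNS_SUFFIX = ".vault.azure.net"
OBJECT_KINDS = ("secrets", "keys", "certificates")


@dataclass(frozen=True)
class VaultObjectRef:
    vault: str            # vault name taken from the URL host (lower-cased)
    kind: str             # secrets | keys | certificates
    name: str
    version: str | None   # None when the URL is unversioned


def parse_vault_url(url: str) -> VaultObjectRef:
    """Parse https://<vault>.vault.azure.net/<kind>/<name>[/<version>]; raise ValueError otherwise."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        raise ValueError(f"Key Vault URL must use https: {url}")
    if not host.endswith(VAULT_DNS_SUFFIX) or host == VAULT_DNS_SUFFIX.lstrip("."):
        raise ValueError(f"not a Key Vault host: {host}")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] not in OBJECT_KINDS:
        raise ValueError(f"unexpected Key Vault object path: {u.path}")
    return VaultObjectRef(host[: -len(VAULT_DNS_SUFFIX)], parts[0], parts[1],
                          parts[2] if len(parts) == 3 else None)


def vault_name_from_id(resource_id: str) -> str:
    m = VAULT_ID_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a Microsoft.KeyVault/vaults resource id: {resource_id}")
    return m.group("vault")


def check_reference(url: str, source_vault_id: str, expect_kind: str,
                    require_version: bool) -> list[str]:
    """Policy violations (empty list == OK) for one <url, sourceVault.id> pair."""
    try:
        ref = parse_vault_url(url)
        vault = vault_name_from_id(source_vault_id)
    except ValueError as err:
        return [str(err)]
    findings = []
    if ref.vault != vault.lower():
        findings.append(f"URL points at vault '{ref.vault}' but sourceVault.id names '{vault}'")
    if ref.kind != expect_kind:
        findings.append(f"expected a {expect_kind} URL, got {ref.kind}")
    if require_version and ref.version is None:
        findings.append("URL is unversioned; pin an object version so rotation is explicit")
    return findings


def check_encryption_settings(settings: dict) -> dict[str, list[str]]:
    """encryptionSettings.diskEncryptionKey.secretUrl and keyEncryptionKey.keyUrl
    must live in the vault their sourceVault.id names and be version-pinned."""
    out = {}
    for field, url_key, kind in (("diskEncryptionKey", "secretUrl", "secrets"),
                                 ("keyEncryptionKey", "keyUrl", "keys")):
        block = settings.get(field)
        if block:
            out[field] = check_reference(block.get(url_key, ""),
                                         block.get("sourceVault", {}).get("id", ""),
                                         kind, require_version=True)
    return out


def check_os_profile_secrets(secrets: list[dict]) -> list[str]:
    """osProfile.secrets[].vaultCertificates[].certificateUrl is the *secret* URL of the
    certificate and must sit in the vault named by that entry's sourceVault.id."""
    findings = []
    for entry in secrets:
        vault_id = entry.get("sourceVault", {}).get("id", "")
        for cert in entry.get("vaultCertificates", []):
            findings += check_reference(cert.get("certificateUrl", ""), vault_id,
                                        "secrets", require_version=True)
    return findings


# Constructed samples; subscription id, vault names and versions are placeholders.
SAMPLE_VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
                   "/providers/Microsoft.KeyVault/vaults/kv-disk-prod")
SAMPLE_ENCRYPTION_SETTINGS = {
    "enabled": True,
    "diskEncryptionKey": {
        "secretUrl": "https://kv-disk-prod.vault.azure.net/secrets/vm-web-01-bek/0123456789abcdef0123456789abcdef",
        "sourceVault": {"id": SAMPLE_VAULT_ID}},
    "keyEncryptionKey": {  # wrong vault and no version: two findings
        "keyUrl": "https://kv-disk-dev.vault.azure.net/keys/ade-kek",
        "sourceVault": {"id": SAMPLE_VAULT_ID}},
}
SAMPLE_SECRETS = [{"sourceVault": {"id": SAMPLE_VAULT_ID}, "vaultCertificates": [
    {"certificateUrl": "https://kv-disk-prod.vault.azure.net/secrets/web-tls/abc123", "certificateStore": "My"}]}]

if __name__ == "__main__":
    for field, problems in check_encryption_settings(SAMPLE_ENCRYPTION_SETTINGS).items():
        print(field, problems or "ok")
    print("secrets", check_os_profile_secrets(SAMPLE_SECRETS) or "ok")
```

On the sample the diskEncryptionKey passes, while the keyEncryptionKey produces two findings: its URL names kv-disk-dev although sourceVault.id names kv-disk-prod, and it carries no version. The same check_reference routine serves winRM listeners.certificateUrl, which is also a secret URL.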

Name/Address Resolution Integrity

Design Guidance:

Microsoft.Compute/virtualMachineScaleSets

dnsSettings.dnsServers (Terraform)
publicIPAddressConfiguration.dnsSettings (Terraform)

Patch Management

Design Guidance:

Microsoft.Compute/virtualMachines

windowsConfiguration.enableAutomaticUpdates (Terraform)

Microsoft.Compute/virtualMachineScaleSets

upgradePolicy.mode
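Each section of this page pairs a control with the resource properties that satisfy it, which is exactly the shape of an automated compliance check: a property path, an expected value, and an applicability rule. The following is an added example, not code from this page or from Microsoft, that expresses a handful of the mappings above (Asset Inventory, Trusted Boot, Transparent Data Encryption, Identification and Authentication, Infrastructure Least Functionality, Patch Management) as such a table and evaluates a virtual machine document in ARM REST JSON shape (as returned by the REST API or Azure Resource Graph) against it. The CONTROLS table, the required tag keys and SAMPLE_VM are assumptions made for the example; it generalizes the page's one-property-per-control listing to list-valued paths such as data disks and WinRM listeners.

```python
"""Added example (not from this page or Microsoft): evaluate an Azure Compute
resource document in ARM REST JSON shape (REST API / Azure Resource Graph) against
a few of the control-to-property mappings listed above. The CONTROLS table, the
required tag keys and SAMPLE_VM are assumptions made for this example."""
from __future__ import annotations
from typing import Any, Callable, Iterator

MISSING = object()  # sentinel: the property path does not exist in the document


def resolve(doc: Any, path: str) -> Iterator[Any]:
    """Yield every value at a dotted ARM property path.
    A segment ending in '[]' fans out over a list ('winRM.listeners[].protocol');
    an absent or empty list fans out to nothing, an absent scalar yields MISSING."""
    if not path:
        yield doc
        return
    head, _, rest = path.partition(".")
    fan_out = head.endswith("[]")
    key = head[:-2] if fan_out else head
    node = doc.get(key, MISSING) if isinstance(doc, dict) else MISSING
    if fan_out:
        for item in (node if isinstance(node, list) else []):
            yield from resolve(item, rest)
    elif node is MISSING:
        yield MISSING
    else:
        yield from resolve(node, rest)


Check = Callable[[list[Any]], bool]


def equals(expected: Any) -> Check:
    """Exactly this value everywhere the path resolves (MISSING fails)."""
    return lambda vals: bool(vals) and all(v == expected for v in vals)


def present(*, vacuous: bool = False) -> Check:
    """Non-empty everywhere the path resolves; vacuous=True accepts 'nothing to check'
    (a VM with no data disks has no data-disk encryption set to verify)."""
    return lambda vals: (vacuous or bool(vals)) and all(
        v is not MISSING and v not in (None, "") for v in vals)


def forbids(bad: Any) -> Check:
    """No resolved value equals `bad`; nothing configured at all is acceptable."""
    return lambda vals: all(v != bad for v in vals)


def required_tags(*keys: str) -> Check:
    return lambda vals: bool(vals) and all(
        isinstance(v, dict) and set(keys) <= set(v) for v in vals)


# (control heading from this page, ARM property path, check, OS scope or None for both)
CONTROLS: list[tuple[str, str, Check, str | None]] = [
    ("Asset Inventory", "tags", required_tags("owner", "environment"), None),
    ("Trusted Boot", "properties.securityProfile.uefiSettings.secureBootEnabled", equals(True), None),
    ("Trusted Boot", "properties.securityProfile.uefiSettings.vTpmEnabled", equals(True), None),
    ("Transparent Data Encryption", "properties.securityProfile.encryptionAtHost", equals(True), None),
    ("Transparent Data Encryption",
     "properties.storageProfile.osDisk.managedDisk.diskEncryptionSet.id", present(), None),
    ("Transparent Data Encryption",
     "properties.storageProfile.dataDisks[].managedDisk.diskEncryptionSet.id", present(vacuous=True), None),
    ("Identification and Authentication",
     "properties.osProfile.linuxConfiguration.disablePasswordAuthentication", equals(True), "Linux"),
    ("Infrastructure Least Functionality",
     "properties.osProfile.windowsConfiguration.winRM.listeners[].protocol", forbids("Http"), "Windows"),
    ("Patch Management",
     "properties.osProfile.windowsConfiguration.enableAutomaticUpdates", equals(True), "Windows"),
]


def os_type(resource: dict) -> str | None:
    vals = list(resolve(resource, "properties.storageProfile.osDisk.osType"))
    return vals[0] if vals and vals[0] is not MISSING else None


def evaluate(resource: dict) -> dict[tuple[str, str], str]:
    """Map (control, path) -> 'pass' | 'fail' | 'n/a' (n/a: the control is for the other OS)."""
    os_name = os_type(resource)
    results = {}
    for control, path, check, scope in CONTROLS:
        if scope is not None and scope != os_name:
            results[(control, path)] = "n/a"
        else:
            results[(control, path)] = "pass" if check(list(resolve(resource, path))) else "fail"
    return results


def failures(resource: dict) -> list[tuple[str, str]]:
    return sorted(k for k, v in evaluate(resource).items() if v == "fail")


# Constructed sample in ARM REST shape; the subscription id and names are placeholders.
SAMPLE_VM = {
    "name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
    "tags": {"owner": "platform-team"},                      # 'environment' tag missing
    "properties": {
        "storageProfile": {
            "osDisk": {"name": "vm-web-01-os", "osType": "Linux", "managedDisk": {
                "diskEncryptionSet": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                            "/resourceGroups/rg-sec/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}}},
            "dataDisks": [{"name": "vm-web-01-data0", "lun": 0, "managedDisk": {}}],  # no DES
        },
        "osProfile": {"computerName": "vm-web-01", "adminUsername": "azureuser",
                      "linuxConfiguration": {"disablePasswordAuthentication": False}},
        "securityProfile": {"uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": False}},
        # securityProfile.encryptionAtHost absent
    },
}

if __name__ == "__main__":
    for control, path in failures(SAMPLE_VM):
        print(f"FAIL  {control:35} {path}")
```

For the sample Linux VM the checker reports five failures (missing environment tag, vTPM off, encryption at host unset, an unencrypted data disk, and password authentication still allowed), passes Secure Boot and the OS-disk encryption set, and marks the Windows-only controls not applicable. Adding a row to CONTROLS is all that is needed to cover another property from this page.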