Microsoft Compute

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes
Asset Inventory
Design Guidance:
Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager
docsmsft
Microsoft.Compute/virtualMachines
Name
​Azure Resource Manager​
​Terraform​
Tags
​Azure Resource Manager​
​Terraform​
Os Disk-Name
​Azure Resource Manager​
​Terraform​
Data Disks-Name
​Azure Resource Manager​
​Terraform​
Os Profile-Computer Name
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Name
​Azure Resource Manager​
​Terraform​
Tags
​Azure Resource Manager​
​Terraform​
Os Disk-Name
​Azure Resource Manager​
​Terraform​
Data Disks-Name
​Azure Resource Manager​
​Terraform​
Public Ipaddress Configuration-Ip Tags
​Azure Resource Manager​
​Terraform​
Ip Tags-Ip Tag Type
​Azure Resource Manager​
​Terraform​
Ip Tags-Tag
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Name
​Azure Resource Manager​
Tags
​Azure Resource Manager​
Os Profile-Computer Name
​Azure Resource Manager​
Dns Settings-Dns Servers
​Azure Resource Manager​
Public Ipaddress Configuration-Ip Tags
​Azure Resource Manager​
Ip Tags-Ip Tag Type
​Azure Resource Manager​
Ip Tags-Tag
​Azure Resource Manager​
Plan-Name
​Azure Resource Manager​
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions
Name
​Azure Resource Manager​
​Terraform​
Tags
​Azure Resource Manager​
​Terraform​
Instance View-Name
​Azure Resource Manager​
​Terraform​
​
Design for High Availability
Design Guidance:
Create zonal VMs with the Azure portal - Azure Virtual Machines
docsmsft
Microsoft.Compute/virtualMachines
Availability Set-Id
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Zones
​Azure Resource Manager​
​Terraform​
Health Probe-Id
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Availability Set-Id
​Azure Resource Manager​
​
Hardening
Microsoft.Compute/virtualMachines
Os Disk-Os Type
​Azure Resource Manager​
​Terraform​
Os Profile-Windows Configuration
​Azure Resource Manager​
​Terraform​
Os Profile-Linux Configuration
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Os Profile-Windows Configuration
​Azure Resource Manager​
​Terraform​
Os Profile-Linux Configuration
​Azure Resource Manager​
​Terraform​
Os Disk-Os Type
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Os Profile-Windows Configuration
​Azure Resource Manager​
Os Profile-Linux Configuration
​Azure Resource Manager​
​
Infrastructure Least Functionality
Microsoft.Compute/virtualMachines
Win Rm-Listeners
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Win Rm-Listeners
​Azure Resource Manager​
​Terraform​
​
Transparent Data Encryption
Design Guidance:
Azure Disk Encryption for virtual machines and virtual machine scale sets
docsmsft
Microsoft.Compute/virtualMachines
Encryption Settings-Enabled
​Azure Resource Manager​
​Terraform​
Security Profile-Encryption At Host
​Azure Resource Manager​
​Terraform​
Managed Disk-Id
​Azure Resource Manager​
​Terraform​
Disk Encryption Set-Id
​Azure Resource Manager​
​Terraform​
Disk Encryption Set-Id
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Security Profile-Encryption At Host
​Azure Resource Manager​
​Terraform​
Disk Encryption Set-Id
​Azure Resource Manager​
​Terraform​
Disk Encryption Set-Id
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Encryption Settings-Enabled
​Azure Resource Manager​
Security Profile-Encryption At Host
​Azure Resource Manager​
Disk Encryption Set-Id
​Azure Resource Manager​
Disk Encryption Set-Id
​Azure Resource Manager​
​
Trusted Boot
Design Guidance:
Trusted launch for Azure VMs - Azure Virtual Machines
docsmsft
Microsoft.Compute/virtualMachines
Uefi Settings-Secure Boot Enabled
​Azure Resource Manager​
​Terraform​
Uefi Settings-V Tpm Enabled
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Uefi Settings-Secure Boot Enabled
​Azure Resource Manager​
​Terraform​
Uefi Settings-V Tpm Enabled
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Uefi Settings-Secure Boot Enabled
​Azure Resource Manager​
Uefi Settings-V Tpm Enabled
​Azure Resource Manager​
​
TLS
Design Guidance:
Tutorial: Secure a Windows web server with TLS/SSL certificates in Azure - Azure Virtual Machines
docsmsft
Tutorial: Secure a web server with TLS/SSL certificates - Azure Virtual Machines
docsmsft
Microsoft.Compute/virtualMachines
Listeners-Protocol
​Azure Resource Manager​
​Terraform​
Listeners-Certificate Url
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Listeners-Protocol
​Azure Resource Manager​
​Terraform​
Listeners-Certificate Url
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Listeners-Protocol
​Azure Resource Manager​
​
Load Balancing
Microsoft.Compute/virtualMachineScaleSets
Application Gateway Backend Address Pools-Id
​Azure Resource Manager​
​Terraform​
Ip Configurations-Load Balancer Backend Address Pools
​Azure Resource Manager​
​Terraform​
Load Balancer Backend Address Pools-Id
​Azure Resource Manager​
​Terraform​
Load Balancer Inbound Nat Pools-Id
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Application Gateway Backend Address Pools-Id
​Azure Resource Manager​
Ip Configurations-Load Balancer Backend Address Pools
​Azure Resource Manager​
Load Balancer Backend Address Pools-Id
​Azure Resource Manager​
Ip Configurations-Load Balancer Inbound Nat Pools
​Azure Resource Manager​
Load Balancer Inbound Nat Pools-Id
​Azure Resource Manager​
Network Interface Configurations-Enable Ipforwarding
​Azure Resource Manager​
​
Identification and Authentication
Design Guidance:
Connect to a Linux VM using SSH - Azure Bastion
docsmsft
Connect to a Linux VM using RDP - Azure Bastion
docsmsft
Connect to a Windows VM using RDP - Azure Bastion
docsmsft
Secure and use policies - Azure Virtual Machines
docsmsft
Connect to a Windows VM using SSH - Azure Bastion
docsmsft
Microsoft.Compute/virtualMachines
Os Profile-Admin Username
​Azure Resource Manager​
​Terraform​
Os Profile-Admin Password
​Azure Resource Manager​
​Terraform​
Linux Configuration-Disable Password Authentication
​Azure Resource Manager​
​Terraform​
SSH-Public Keys
​Azure Resource Manager​
​Terraform​
Public Keys-Path
​Azure Resource Manager​
​Terraform​
Public Keys-Key Data
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Os Profile-Admin Username
​Azure Resource Manager​
​Terraform​
Os Profile-Admin Password
​Azure Resource Manager​
​Terraform​
Linux Configuration-Disable Password Authentication
​Azure Resource Manager​
​Terraform​
SSH-Public Keys
​Azure Resource Manager​
​Terraform​
Public Keys-Path
​Azure Resource Manager​
​Terraform​
Public Keys-Key Data
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Os Profile-Admin Username
​Azure Resource Manager​
Os Profile-Admin Password
​Azure Resource Manager​
Linux Configuration-Disable Password Authentication
​Azure Resource Manager​
SSH-Public Keys
​Azure Resource Manager​
Public Keys-Path
​Azure Resource Manager​
Public Keys-Key Data
​Azure Resource Manager​
​
Subnet Isolation
Design Guidance:
Security features used with Azure VMs - Azure security
docsmsft
Microsoft.Compute/virtualMachines
Network Interfaces-Id
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Network Interface Configurations-Id
​Azure Resource Manager​
​Terraform​
Network Interface Configurations-Ip Configurations
​Azure Resource Manager​
​Terraform​
Ip Configurations-Id
​Azure Resource Manager​
​Terraform​
Ip Configurations-Name
​Azure Resource Manager​
​Terraform​
Subnet-Id
​Azure Resource Manager​
​Terraform​
Public Ipaddress Configuration-Name
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Network Interfaces-Id
​Azure Resource Manager​
Network Interface Configurations-Id
​Azure Resource Manager​
Ip Configurations-Id
​Azure Resource Manager​
Subnet-Id
​Azure Resource Manager​
​
Firewalls
Design Guidance:
Virtual networks and virtual machines in Azure
docsmsft
Microsoft.Compute/virtualMachineScaleSets
Network Security Group-Id
​Azure Resource Manager​
​Terraform​
Ip Configurations-Application Security Groups
​Azure Resource Manager​
​Terraform​
Application Security Groups-Id
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Network Security Group-Id
​Azure Resource Manager​
Ip Configurations-Application Security Groups
​Azure Resource Manager​
Application Security Groups-Id
​Azure Resource Manager​
​
Information Flow Routing
Microsoft.Compute/virtualMachineScaleSets
Public Ipprefix-Id
​Azure Resource Manager​
​Terraform​
Public Ipaddress Configuration-Public Ipaddress Version
​Azure Resource Manager​
​Terraform​
Ip Configurations-Private Ipaddress Version
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Public Ipprefix-Id
​Azure Resource Manager​
Public Ipaddress Configuration-Public Ipaddress Version
​Azure Resource Manager​
Ip Configurations-Private Ipaddress Version
​Azure Resource Manager​
​
Protect Cryptographic Keys
Design Guidance:
Creating and configuring a key vault for Azure Disk Encryption - Azure Virtual Machines
docsmsft
Creating and configuring a key vault for Azure Disk Encryption on a Windows VM - Azure Virtual Machines
docsmsft
Secure and use policies - Azure Virtual Machines
docsmsft
Microsoft.Compute/virtualMachines
Disk Encryption Key-Secret Url
​Azure Resource Manager​
​Terraform​
Disk Encryption Key-Source Vault
​Azure Resource Manager​
​Terraform​
Source Vault-Id
​Azure Resource Manager​
​Terraform​
Key Encryption Key-Key Url
​Azure Resource Manager​
​Terraform​
Source Vault-Id
​Azure Resource Manager​
​Terraform​
Os Profile-Secrets
​Azure Resource Manager​
​Terraform​
Source Vault-Id
​Azure Resource Manager​
​Terraform​
Secrets-Vault Certificates
​Azure Resource Manager​
​Terraform​
Vault Certificates-Certificate Url
​Azure Resource Manager​
​Terraform​
Vault Certificates-Certificate Store
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets
Os Profile-Secrets
​Azure Resource Manager​
​Terraform​
Source Vault-Id
​Azure Resource Manager​
​Terraform​
Secrets-Vault Certificates
​Azure Resource Manager​
​Terraform​
Vault Certificates-Certificate Url
​Azure Resource Manager​
​Terraform​
Vault Certificates-Certificate Store
​Azure Resource Manager​
​Terraform​
Microsoft.Compute/virtualMachineScaleSets/virtualmachines
Disk Encryption Key-Secret Url
​Azure Resource Manager​
Source Vault-Id
​Azure Resource Manager​
Key Encryption Key-Key Url
​Azure Resource Manager​
Source Vault-Id
​Azure Resource Manager​
Listeners-Certificate Url
​Azure Resource Manager​
Os Profile-Secrets
​Azure Resource Manager​
Source Vault-Id
​Azure Resource Manager​
Secrets-Vault Certificates
​Azure Resource Manager​
Vault Certificates-Certificate Url
​Azure Resource Manager​
Vault Certificates-Certificate Store
​Azure Resource Manager​
​
Name/Address Resolution Integrity
Design Guidance:
DNS Name resolution options for Linux VMs - Azure Virtual Machines
docsmsft
Microsoft.Compute/virtualMachineScaleSets
Dns Settings-Dns Servers
​Azure Resource Manager​
​Terraform​
Public Ipaddress Configuration-Dns Settings
​Azure Resource Manager​
​Terraform​
​
Patch Management
Design Guidance:
Updates and maintenance overview - Azure Virtual Machines
docsmsft
Microsoft.Compute/virtualMachines

Name	Azure Resource Manager	Terraform
Tags	Azure Resource Manager	Terraform
Os Disk-Name	Azure Resource Manager	Terraform
Data Disks-Name	Azure Resource Manager	Terraform
Os Profile-Computer Name	Azure Resource Manager	Terraform

Zones	Azure Resource Manager	Terraform
Health Probe-Id	Azure Resource Manager	Terraform

Os Disk-Os Type	Azure Resource Manager	Terraform
Os Profile-Windows Configuration	Azure Resource Manager	Terraform
Os Profile-Linux Configuration	Azure Resource Manager	Terraform

Encryption Settings-Enabled	Azure Resource Manager	Terraform
Security Profile-Encryption At Host	Azure Resource Manager	Terraform
Managed Disk-Id	Azure Resource Manager	Terraform
Disk Encryption Set-Id	Azure Resource Manager	Terraform
Disk Encryption Set-Id	Azure Resource Manager	Terraform

Uefi Settings-Secure Boot Enabled	Azure Resource Manager	Terraform
Uefi Settings-V Tpm Enabled	Azure Resource Manager	Terraform

Listeners-Protocol	Azure Resource Manager	Terraform
Listeners-Certificate Url	Azure Resource Manager	Terraform

Application Gateway Backend Address Pools-Id	Azure Resource Manager	Terraform
Ip Configurations-Load Balancer Backend Address Pools	Azure Resource Manager	Terraform
Load Balancer Backend Address Pools-Id	Azure Resource Manager	Terraform
Load Balancer Inbound Nat Pools-Id	Azure Resource Manager	Terraform

Os Profile-Admin Username	Azure Resource Manager	Terraform
Os Profile-Admin Password	Azure Resource Manager	Terraform
Linux Configuration-Disable Password Authentication	Azure Resource Manager	Terraform
SSH-Public Keys	Azure Resource Manager	Terraform
Public Keys-Path	Azure Resource Manager	Terraform
Public Keys-Key Data	Azure Resource Manager	Terraform

Network Interface Configurations-Id	Azure Resource Manager	Terraform
Network Interface Configurations-Ip Configurations	Azure Resource Manager	Terraform
Ip Configurations-Id	Azure Resource Manager	Terraform
Ip Configurations-Name	Azure Resource Manager	Terraform
Subnet-Id	Azure Resource Manager	Terraform
Public Ipaddress Configuration-Name	Azure Resource Manager	Terraform

Network Interfaces-Id	Azure Resource Manager
Network Interface Configurations-Id	Azure Resource Manager
Ip Configurations-Id	Azure Resource Manager
Subnet-Id	Azure Resource Manager

Network Security Group-Id	Azure Resource Manager	Terraform
Ip Configurations-Application Security Groups	Azure Resource Manager	Terraform
Application Security Groups-Id	Azure Resource Manager	Terraform

Public Ipprefix-Id	Azure Resource Manager	Terraform
Public Ipaddress Configuration-Public Ipaddress Version	Azure Resource Manager	Terraform
Ip Configurations-Private Ipaddress Version	Azure Resource Manager	Terraform

Disk Encryption Key-Secret Url	Azure Resource Manager	Terraform
Disk Encryption Key-Source Vault	Azure Resource Manager	Terraform
Source Vault-Id	Azure Resource Manager	Terraform
Key Encryption Key-Key Url	Azure Resource Manager	Terraform
Source Vault-Id	Azure Resource Manager	Terraform
Os Profile-Secrets	Azure Resource Manager	Terraform
Source Vault-Id	Azure Resource Manager	Terraform
Secrets-Vault Certificates	Azure Resource Manager	Terraform
Vault Certificates-Certificate Url	Azure Resource Manager	Terraform
Vault Certificates-Certificate Store	Azure Resource Manager	Terraform

Dns Settings-Dns Servers	Azure Resource Manager	Terraform
Public Ipaddress Configuration-Dns Settings	Azure Resource Manager	Terraform