The Schwartz Report

Blog archive

Microsoft Tightens Security for Virtual Machines in Windows Azure

Microsoft has added a new security option for those using its Windows Azure cloud service. Administrators can block unauthorized users from accessing virtual machines, Microsoft quietly announced at its TechEd conference in New Orleans earlier this month.

The new option lets administrators put Access Control Lists (ACLs) on individual endpoints. By putting the ACLs on endpoints or subnets, administrators can control unauthorized access to virtual machines that are protected behind a firewall but are accessible in the public cloud.

"We are adding an additional security option so that administrators can control inbound traffic to Virtual Machine," said Microsoft cloud strategy advisor Louis Panzano, from the company's office in Spain in a blog post. "You simply define how traffic from outside of your corporate firewall communicates with your virtual machine public endpoints through PowerShell and soon it will be available in the management portal."

During a session at Friday's MongoDB Days conference in New York (see this blog post), Microsoft cloud evangelist and architect David Makogon noted the announcement of the new security option, saying it offers an important way to control access to an exposed IP port. As Panzano noted in his blog post, Makogon pointed out the option for now is not available in the Windows Azure management portal (meaning it required the creation of PowerShell scripts).

Magogon said a good resource for creating that script is available via a blog post by Michael Washam, who until a few weeks ago was a senior program manager at Microsoft responsible for the Windows Azure PowerShell cmdlets for compute (IaaS, PaaS, and VNET), Windows Azure .NET SDK and areas of the Service Management API (RDFE).

"A significant improvement in the security of virtual machines is the ability to lock down an endpoint so that only a specified set of IP addresses can access it," wrote Washam, now a principal cloud architect at integrator Aditi Technologies. In his blog post, Washam explained how to specify ACLs during or after a deployment using PowerShell. "You create a new ACL configuration object using New-AzureAclConfig and then modify it with Set-AzureAclConfig," he noted. "The created ACL object is then specified to the *-AzureEndpoint cmdlet in the -ACL parameter." He shared an example script in his post.

This is an important new option, Magogon emphasized, advising attendees of his presentation it will keep unauthorized users out of their systems running in Windows Azure. "You probably don't want to have that port hanging out to the public," he said, noting by implementing the script you "can set Azure ACL configuration and create a rule [to] permit or block a particular subnet."

 

Posted by Jeffrey Schwartz on 06/24/2013 at 1:15 PM


Featured

comments powered by Disqus

Subscribe on YouTube