The Schwartz Report


Microsoft Tightens Security for Virtual Machines in Windows Azure

Microsoft has added a new security option for those using its Windows Azure cloud service. Administrators can block unauthorized users from accessing virtual machines, Microsoft quietly announced at its TechEd conference in New Orleans earlier this month.

The new option lets administrators put Access Control Lists (ACLs) on individual endpoints. An ACL holds rules that permit or deny inbound traffic to an endpoint by source address range (subnet), so administrators can block unauthorized access to virtual machines whose ports are exposed on the public cloud, rather than relying on a firewall inside the VM alone.

"We are adding an additional security option so that administrators can control inbound traffic to Virtual Machine," Microsoft cloud strategy advisor Louis Panzano, who is based in the company's Spain office, said in a blog post. "You simply define how traffic from outside of your corporate firewall communicates with your virtual machine public endpoints through PowerShell and soon it will be available in the management portal."

During a session at Friday's MongoDB Days conference in New York (see this blog post), Microsoft cloud evangelist and architect David Makogon noted the announcement of the new security option, saying it offers an important way to control access to an exposed IP port. Echoing Panzano's post, Makogon pointed out that the option is for now not available in the Windows Azure management portal, meaning it requires PowerShell scripting.

Makogon said a good resource for creating that script is available via a blog post by Michael Washam, who until a few weeks ago was a senior program manager at Microsoft responsible for the Windows Azure PowerShell cmdlets for compute (IaaS, PaaS, and VNET), the Windows Azure .NET SDK and areas of the Service Management API (RDFE).

"A significant improvement in the security of virtual machines is the ability to lock down an endpoint so that only a specified set of IP addresses can access it," wrote Washam, now a principal cloud architect at integrator Aditi Technologies. In his blog post, Washam explained how to specify ACLs during or after a deployment using PowerShell. "You create a new ACL configuration object using New-AzureAclConfig and then modify it with Set-AzureAclConfig," he noted. "The created ACL object is then specified to the *-AzureEndpoint cmdlet in the -ACL parameter." He shared an example script in his post.

This is an important new option, Makogon emphasized, advising attendees of his presentation that it will help keep unauthorized users out of their systems running in Windows Azure. "You probably don't want to have that port hanging out to the public," he said, noting that by implementing the script you "can set Azure ACL configuration and create a rule [to] permit or block a particular subnet."
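A worked version of the procedure Washam outlines and the permit-or-block rule Makogon describes, added here as an example; it is not code from the article or from Washam's post. It assumes the classic Windows Azure Service Management PowerShell module (the cmdlets named above) with a subscription already selected, and an existing cloud service, VM, endpoint and address ranges, all of which are placeholder values below:

```powershell
# Added example (not from the article or Washam's post). Assumes the classic
# Windows Azure Service Management PowerShell module with a subscription already
# selected. Service, VM, endpoint and address values are placeholders.

$serviceName  = "contoso-web"      # assumption: existing cloud service
$vmName       = "web01"            # assumption: existing VM in that service
$endpointName = "RDP"              # assumption: existing TCP endpoint to lock down
$localPort    = 3389               # assumption: the endpoint's current local port
$publicPort   = 53389              # assumption: the endpoint's current public port
$corpNet      = "203.0.113.0/24"   # assumption: corporate egress range (RFC 5737 test net)
$blockedHost  = "203.0.113.77/32"  # assumption: one host inside corpNet to exclude

# 1. Build an empty ACL object and add rules to it. Rules are evaluated in
#    ascending -Order, so the narrow Deny must sort before the broad Permit.
#    Once the ACL contains any Permit rule, traffic matching no rule is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Deny `
    -RemoteSubnet $blockedHost -Description "Block excluded host"
Set-AzureAclConfig -AddRule -ACL $acl -Order 200 -Action Permit `
    -RemoteSubnet $corpNet -Description "Allow corporate network"

# 2. Attach the ACL to the existing endpoint. The endpoint's protocol and ports
#    are re-specified to match its current settings; Update-AzureVM commits it.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name $endpointName -Protocol tcp `
        -LocalPort $localPort -PublicPort $publicPort -ACL $acl |
    Update-AzureVM

# 3. Read back what is actually applied rather than trusting the script ran.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName $endpointName
```

The same `$acl` object can be passed to `Add-AzureEndpoint -ACL` when the endpoint is created at deployment time. Because a Permit rule switches the endpoint to default-deny, test the change from a host inside the permitted range before closing the session that applied it, or a mistyped range will lock out the administrator as well.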


Posted by Jeffrey Schwartz on 06/24/2013 at 1:15 PM

