Initial commit: loc_az_hci (smom-dbis-138 excluded via .gitignore)
Some checks failed
Test / test (push) Has been cancelled
155
docs/security/security-guide.md
Normal file
@@ -0,0 +1,155 @@
# Security Guide

Security best practices and configuration for the Azure Stack HCI infrastructure.

## Overview

This guide covers security considerations and best practices for securing the Azure Stack HCI infrastructure.

## Network Security

### VLAN Segmentation

- **VLAN 10**: Storage (isolated)
- **VLAN 20**: Compute (isolated)
- **VLAN 30**: App Tier (isolated)
- **VLAN 40**: Observability (isolated)
- **VLAN 50**: Dev/Test (isolated)
- **VLAN 60**: Management (restricted access)
- **VLAN 99**: DMZ (public-facing)

### Firewall Rules

- Default deny between VLANs
- Explicit allow rules for required communication
- Management VLAN access restricted to authorized IPs
- DMZ isolated from internal networks

## Access Control

### Proxmox RBAC

- Use role-based access control (RBAC)
- Create dedicated users instead of using root
- Use API tokens instead of passwords
- Limit permissions to minimum required

See [Proxmox RBAC Guide](proxmox-rbac.md) for detailed configuration.

### Azure Arc Security

- Use managed identities where possible
- Implement Azure Policy for compliance
- Enable Azure Defender for Cloud
- Use Azure Key Vault for secrets

### Kubernetes RBAC

- Use Role-Based Access Control (RBAC)
- Create service accounts for applications
- Limit cluster-admin access
- Use network policies for pod isolation

## Secrets Management

### Environment Variables

- Store secrets in `.env` file (not committed to git)
- Use `.env.example` as template
- Never commit `.env` to version control
- Rotate secrets regularly

### Azure Key Vault

For production deployments, consider using Azure Key Vault:

```bash
# Store secret
az keyvault secret set \
--vault-name <vault-name> \
--name <secret-name> \
--value <secret-value>

# Retrieve secret
az keyvault secret show \
--vault-name <vault-name> \
--name <secret-name> \
--query value -o tsv
```

### Kubernetes Secrets

- Use Kubernetes secrets for application credentials
- Consider external secret management (e.g., Sealed Secrets)
- Encrypt secrets at rest
- Rotate secrets regularly

## SSL/TLS

### Certificates

- Use valid SSL/TLS certificates for all services
- Configure certificate auto-renewal (Cert-Manager)
- Use Let's Encrypt for public services
- Use internal CA for private services

### Cloudflare Tunnel

- Cloudflare Tunnel handles SSL termination
- No inbound ports required
- WAF protection enabled
- DDoS protection enabled

## Monitoring and Auditing

### Logging

- Enable audit logging for all components
- Centralize logs (Azure Log Analytics, syslog)
- Retain logs for compliance
- Monitor for suspicious activity

### Azure Monitor

- Enable Azure Monitor for all resources
- Set up alerting for security events
- Monitor for policy violations
- Track access and changes

### Azure Defender

- Enable Azure Defender for Cloud
- Configure threat detection
- Set up security alerts
- Review security recommendations

## Compliance

### Azure Policy

- Apply security baseline policies
- Enforce compliance requirements
- Monitor policy compliance
- Remediate non-compliant resources

### Updates

- Keep all systems updated
- Use Azure Update Management
- Schedule regular maintenance windows
- Test updates in non-production first

## Best Practices

1. **Principle of Least Privilege**: Grant minimum required permissions
2. **Defense in Depth**: Multiple layers of security
3. **Regular Audits**: Review access and permissions regularly
4. **Incident Response**: Have a plan for security incidents
5. **Backup and Recovery**: Regular backups and tested recovery procedures

## Additional Resources

- [Proxmox RBAC Guide](proxmox-rbac.md)
- [Azure Security Documentation](https://docs.microsoft.com/azure/security/)
- [Kubernetes Security](https://kubernetes.io/docs/concepts/security/)
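Review bot: the Azure Key Vault example in this hunk (`az keyvault secret set ... --value <secret-value>`) passes the secret as a command-line argument, so it ends up in shell history and is visible to every local user in the process list while the command runs; in a "Secrets Management" guide that should be avoided. Suggest `--file <path-to-secret-file>` (a file with restrictive permissions, deleted afterwards) instead of `--value`, and a sentence in the prose saying why. Two smaller points in the same hunk: under "Kubernetes Secrets", the item "Encrypt secrets at rest" should state that Secrets are only base64-encoded in etcd by default and that encryption at rest has to be configured on the API server (an `EncryptionConfiguration` or KMS provider), otherwise readers will assume the bullet is already satisfied; and the opening paragraph describes "the Azure Stack HCI infrastructure" while the Access Control section configures Proxmox RBAC, so the overview or the section heading should say which platform this repository actually runs.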