# Security Guide

Security best practices and configuration for the Azure Stack HCI infrastructure.

## Overview

This guide covers security considerations and best practices for securing the Azure Stack HCI infrastructure.

## Network Security

### VLAN Segmentation

- **VLAN 10**: Storage (isolated)
- **VLAN 20**: Compute (isolated)
- **VLAN 30**: App Tier (isolated)
- **VLAN 40**: Observability (isolated)
- **VLAN 50**: Dev/Test (isolated)
- **VLAN 60**: Management (restricted access)
- **VLAN 99**: DMZ (public-facing)

### Firewall Rules

- Default deny between VLANs
- Explicit allow rules only for required communication
- Management VLAN access restricted to authorized IPs
- DMZ isolated from internal networks

## Access Control

### Proxmox RBAC

- Use role-based access control (RBAC)
- Create dedicated users instead of using root
- Use API tokens instead of passwords
- Limit permissions to the minimum required

See [Proxmox RBAC Guide](proxmox-rbac.md) for detailed configuration.

### Azure Arc Security

- Use managed identities where possible
- Implement Azure Policy for compliance
- Enable Azure Defender for Cloud
- Use Azure Key Vault for secrets

### Kubernetes RBAC

- Use Role-Based Access Control (RBAC)
- Create service accounts for applications
- Limit cluster-admin access
- Use network policies for pod isolation

## Secrets Management

### Environment Variables

- Store secrets in a `.env` file (not committed to git)
- Use `.env.example` as the template
- Never commit `.env` to version control
- Rotate secrets regularly

### Azure Key Vault

For production deployments, consider using Azure Key Vault:

```bash
# Store a secret (replace the <...> placeholders with your own values)
az keyvault secret set \
  --vault-name <vault-name> \
  --name <secret-name> \
  --value <secret-value>

# Retrieve a secret
az keyvault secret show \
  --vault-name <vault-name> \
  --name <secret-name> \
  --query value -o tsv
```

### Kubernetes Secrets

- Use Kubernetes secrets for application credentials
- Consider external secret management (e.g., Sealed Secrets)
- Encrypt secrets at rest
- Rotate secrets regularly

## SSL/TLS

### Certificates

- Use valid SSL/TLS certificates for all services
- Configure certificate auto-renewal (Cert-Manager)
- Use Let's Encrypt for public services
- Use an internal CA for private services

### Cloudflare Tunnel

- Cloudflare Tunnel handles SSL termination
- No inbound ports required
- WAF protection enabled
- DDoS protection enabled

## Monitoring and Auditing

### Logging

- Enable audit logging for all components
- Centralize logs (Azure Log Analytics, syslog)
- Retain logs for compliance
- Monitor for suspicious activity

### Azure Monitor

- Enable Azure Monitor for all resources
- Set up alerting for security events
- Monitor for policy violations
- Track access and changes

### Azure Defender

- Enable Azure Defender for Cloud
- Configure threat detection
- Set up security alerts
- Review security recommendations

## Compliance

### Azure Policy

- Apply security baseline policies
- Enforce compliance requirements
- Monitor policy compliance
- Remediate non-compliant resources

### Updates

- Keep all systems updated
- Use Azure Update Management
- Schedule regular maintenance windows
- Test updates in non-production first

## Best Practices

1. **Principle of Least Privilege**: Grant the minimum required permissions
2. **Defense in Depth**: Multiple layers of security
3. **Regular Audits**: Review access and permissions regularly
4. **Incident Response**: Have a plan for security incidents
5. **Backup and Recovery**: Regular backups and tested recovery procedures

## Additional Resources

- [Proxmox RBAC Guide](proxmox-rbac.md)
- [Azure Security Documentation](https://docs.microsoft.com/azure/security/)
- [Kubernetes Security](https://kubernetes.io/docs/concepts/security/)
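The Kubernetes RBAC bullets in this guide (a service account per application, permissions limited to what it needs, network policies for pod isolation) can be expressed as one namespace baseline. The manifest below is an added example, not configuration from this guide or its repository; the `app-tier` namespace, the `app: web` / `app: api` labels, port 8080 and the `k8s-app: kube-dns` label on the cluster DNS pods are assumptions.

```yaml
# Added example, not from the original guide. Namespace, labels, port and the
# DNS pod label are assumptions standing in for the real workloads.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny, namespace: app-tier}
spec:
  podSelector: {}                      # applies to every pod in the namespace
  policyTypes: [Ingress, Egress]       # no rules listed => all traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-web-to-api, namespace: app-tier}
spec:
  podSelector: {matchLabels: {app: api}}
  policyTypes: [Ingress, Egress]
  ingress:                             # only the web tier may reach the API, on one port
  - from: [{podSelector: {matchLabels: {app: web}}}]
    ports: [{protocol: TCP, port: 8080}]
  egress:                              # default-deny egress also blocks DNS; re-allow it
  - to: [{namespaceSelector: {}, podSelector: {matchLabels: {k8s-app: kube-dns}}}]
    ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
---
apiVersion: v1
kind: ServiceAccount
metadata: {name: api, namespace: app-tier}
automountServiceAccountToken: false    # no API token in the pod unless it is needed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: api-config-reader, namespace: app-tier}
rules:
- apiGroups: [""]
  resources: [configmaps]
  resourceNames: [api-config]          # one named object, read only
  verbs: [get]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: api-config-reader, namespace: app-tier}
subjects: [{kind: ServiceAccount, name: api, namespace: app-tier}]
roleRef: {kind: Role, name: api-config-reader, apiGroup: rbac.authorization.k8s.io}
```

Apply with `kubectl apply -f` and check the grant with `kubectl auth can-i get configmaps -n app-tier --as=system:serviceaccount:app-tier:api`. The two NetworkPolicy objects only take effect on a CNI plugin that enforces NetworkPolicy.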