Microsoft Azure Stack Security – Part Two: Extending security into the virtualized user space.

By Martin Zich, CISSP, CCSP – HPE Pointnext

In this second blog of a two-part series, we look at how Microsoft Azure Stack addresses security in the virtualized user space. The first blog looked at infrastructure security and can be accessed here. Although there are still many differences from Azure public cloud, Azure Stack has everything needed to run a successful and secure on-premises instance of the overall Azure hybrid-cloud solution.

Figure: Built-in security controls within the virtualized user space.

Azure Stack can synchronize your on-premises identities with Azure Active Directory (AAD), which also supports multi-tenancy, or it can use Active Directory Federation Services (ADFS) for a single tenant. Multi-factor authentication is supported in both scenarios. You can zone your virtual network (VNet) subnets by using Network Security Groups (NSGs), load balance your traffic using Azure Load Balancers (ALB), and store your keys, passwords, certificates or even license files in the Azure Stack Key Vault. Azure Stack also contains the role-based access control (RBAC) mechanism, which is consistent with Azure public cloud. But there is much more.

Some important network-related Azure Stack details are worth mentioning. The only supported network gateway today is the VPN Gateway, which allows you to create site-to-site or VNet-to-VNet VPN connections (using Windows Server 2016 Routing and Remote Access, RRAS, under the hood). There is no point-to-site or VNet-to-VNet gateway currently supported as there is in Azure public cloud. You can of course connect to an ExpressRoute circuit as well, which helps you avoid public Internet connections and guarantees a sufficient bandwidth SLA on the connection to Azure public cloud. Azure Stack contains DNS, a service for resolving Internet names from tenant VMs, so there is no longer any need to specify custom DNS entries to resolve Internet names.
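The NSG-based subnet zoning mentioned above, shown as an added example (not code from the original post) using the AzureRM PowerShell cmdlets that Azure Stack exposes. It builds a three-tier VNet in which each tier only accepts traffic from the tier in front of it and everything else is explicitly denied; the resource group, region name, subnet ranges and application ports are assumptions for illustration.

```powershell
# Added example: three-tier VNet zoning with NSGs on Azure Stack (AzureRM cmdlets).
# Resource group, location, names, address ranges and ports are assumptions.
$rg  = "rg-zoning-demo"
$loc = "local"   # assumed Azure Stack region name as shown in the tenant portal

# Subnet address ranges (assumed)
$webPrefix = "10.10.1.0/24"
$appPrefix = "10.10.2.0/24"
$dbPrefix  = "10.10.3.0/24"

# Helper: build an inbound TCP allow rule; the lower priority number is evaluated first
function New-AllowRule($Name, $Priority, $Source, $Port) {
    New-AzureRmNetworkSecurityRuleConfig -Name $Name -Priority $Priority `
        -Access Allow -Direction Inbound -Protocol Tcp `
        -SourceAddressPrefix $Source -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange $Port
}

# Explicit catch-all deny placed before the built-in AllowVnetInBound default rule,
# so tiers cannot talk to each other freely just because they share a VNet.
# If a tier sits behind an ALB, add an allow for the AzureLoadBalancer tag above this.
$denyAll = New-AzureRmNetworkSecurityRuleConfig -Name "DenyAllInbound" -Priority 4000 `
    -Access Deny -Direction Inbound -Protocol "*" `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*"

# Web tier: HTTPS from the Internet tag only
$webNsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name "nsg-web" `
    -SecurityRules (New-AllowRule "AllowHttpsFromInternet" 100 "Internet" 443), $denyAll
# App tier: only the web subnet, only on the (assumed) application port 8080
$appNsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name "nsg-app" `
    -SecurityRules (New-AllowRule "AllowAppFromWeb" 100 $webPrefix 8080), $denyAll
# DB tier: only the app subnet, only SQL Server (1433)
$dbNsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name "nsg-db" `
    -SecurityRules (New-AllowRule "AllowSqlFromApp" 100 $appPrefix 1433), $denyAll

# Bind each NSG to its subnet and create the VNet
$subnets = @(
    (New-AzureRmVirtualNetworkSubnetConfig -Name "web" -AddressPrefix $webPrefix -NetworkSecurityGroup $webNsg),
    (New-AzureRmVirtualNetworkSubnetConfig -Name "app" -AddressPrefix $appPrefix -NetworkSecurityGroup $appNsg),
    (New-AzureRmVirtualNetworkSubnetConfig -Name "db"  -AddressPrefix $dbPrefix  -NetworkSecurityGroup $dbNsg)
)
New-AzureRmVirtualNetwork -ResourceGroupName $rg -Location $loc -Name "vnet-tiers" `
    -AddressPrefix "10.10.0.0/16" -Subnet $subnets
```

Run it in a session already logged in to the Azure Stack tenant endpoint with the AzureRM modules; the resulting rules can be reviewed in the portal under each NSG's effective security rules.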

Azure Stack offers quite extensive monitoring which goes from machine diagnostics and various metrics, to activity logs that are generated by actions performed over the platform. This allows an administrator to not only keep the logs within the scale unit, but also transfer them to Azure public cloud and make them a part of more extensive log analytics, providing a broader view on what is happening across the hybrid-cloud solution overall.

Azure Stack offers an equivalent of Locally Redundant Storage (LRS), the same as in Azure public cloud, with Quality of Service (QoS) for IOPS on VHD files. Limits are enforced through software-defined capabilities within Windows Server 2016.

Azure Stack allows you to back up workloads either using Azure Backup (files and folders within VMs, using System Center Data Protection Manager agents) or Azure Site Recovery, which synchronizes all of the VMs to the Azure public Recovery Services Vault. Azure Stack does not really offer coverage for all backup scenarios, so it is worth looking at what third parties such as Commvault and Veritas, with the HPE StoreOnce solution, have to offer. These products provide a way to create quality backups that are stored on-premises or with a broad choice of public cloud providers.

What is currently available in the Marketplace?

The Azure Stack Marketplace is starting to fill up with different security solutions. New offerings are appearing all the time, and the solutions offered today are quite interesting. Worth mentioning are the Next-Generation Firewalls (NGFWs) from big players such as Fortinet, Check Point and Palo Alto Networks, and F5, who offer their well-known BIG-IP platform as a Virtual Edition. The solution from Commvault can help back up your VMs to on-premises repositories or to a range of cloud providers. You can back up not only complete VMs, but also go down to the level of files and folders.

Your VMs can have different extensions installed, which are basically agents that allow the VM to become part of an overall security solution. Microsoft Antimalware is worth mentioning here; it makes sure that your IaaS VMs stay malware and virus free. SIEM solutions are represented by Event Tracker. PT offers their Web Application Firewall (WAF), and ZeroDown Software offers Business Continuity as a Service to make sure that your application keeps running even if your Azure Stack scale unit dies. It provides live synchronization of transactions either to another Azure Stack or to Azure public cloud, utilizing Azure Site Recovery mechanisms.


From the security point of view, Azure Stack is now quite ready to serve serious business solutions, and as the partner ecosystem builds up it will offer more and more capabilities. It is definitely a great solution for securely extending your Azure public cloud environment into your on-premises data center, allowing even more critical operations and, more importantly, more sensitive data to take advantage of the flexibility that cloud solutions can offer. All of this is possible while staying compliant with the various regulations and standards requirements that you or your customers are obliged to satisfy.

The HPE Pointnext Security and Risk Management practice has created a Security Solution Reference Architecture (SRA) for Azure Stack that is based upon the HPE Enterprise Security Reference Model (ES-RM). These HPE security frameworks can ensure that correct and adequate security controls are in place for any particular solution within the IT environment, and can also help improve the overall security posture during an IT transformation. If you want to find out more about how HPE Pointnext can help you build and manage your hybrid cloud solutions, or understand how we have helped other customers do this, please feel free to reach out.

We also invite you to attend one of the sessions of the HPE – Microsoft Hybrid Cloud Roadshow being held in cities worldwide from March through May 2019. More information on the Roadshow and a list of cities are available here.

Martin Zich is an IT security advisory consultant and member of the HPE Pointnext Worldwide Security and Risk Management practice, focused not only on information security and privacy in different environments and industries but also on overall cyber-defense and the various solutions that enable its practical implementation. Apart from technical advisory, he helps organizations improve their IT security strategies and governance and address various compliance requirements using IT security best practices.

