Security and Compliance Pipelines
The course is part of this learning path
Microsoft Azure is a robust, feature-rich cloud platform used by a growing number of technology companies. With its vast array of services, a key challenge to administering an Azure environment is security. How can we ensure that our Azure infrastructure meets strict security standards? This course offers the answer.
In three concise units, the student will learn all about compliance and cloud security. The course delves into several key Azure components, including Azure DevOps, Azure Security Center, Desired State Configuration, and Azure Pipelines. After completing the lessons and watching the video demonstrations, the student will be equipped with the knowledge to automate critical security tasks to ensure a thoroughly hardened cloud architecture.
This skill set will serve infrastructure developers working with live environments or seeking to pass certification exams. Most importantly, it will help students understand cloud security in a comprehensive and thorough way.
For feedback, queries, or suggestions relating to this course, please contact us at firstname.lastname@example.org.
- Scan infrastructure using Azure tools to prevent drift leading to compliance violations
- Automate configuration using Azure Automation and Desired State Configuration
- Create secure and compliant software pipelines in Azure
This course is intended for:
- Those looking to learn more about the security and compliance features in Azure
- People studying for Microsoft's AZ-400 exam
To get the most from this course, you should already have a basic understanding of Microsoft Azure as well as some knowledge of programming and cloud infrastructure.
In the previous lesson, we learned all about the magic of DSC. A PowerShell toolset of declaring configuration state. This is great for getting everything nearly defined and establishing a proper infrastructure as code paradigm. But how do we keep things in a good state? Aside from obsessively refreshing the dashboard every 20 seconds. How can we add a layer of automation and management above DSC to guarantee compliance with all of the level of configuration we have defined in DSC?
Outside of Azure, there are a lot of different tools and frameworks. We mentioned a few such as Chef and Puppet, Ansible, Terraform. However, within Azure, we have a very powerful service that integrates quite neatly with PowerShell DSC. It is known as Azure Automation Configuration State and if you're a DevOps engineer using Azure, this too will become your best friend.
We will refer to Azure Automation State Configuration as AASC for simplicity's sake because it's a long name. And we want to differentiate it from Azure Security Center, ASC. So AASC, Azure Automation State Configuration, works on top of DSC. It is built right into the Azure automation dashboard as state configuration with DSC in parentheses in the left-hand menu basically. So recall that DSC is comprised of resources and configurations and the LCM. By itself, we would need to think of a way to manage all of these artifacts generated and referenced by the various PowerShell scripts. Comprising our overall DSC infrastructure. What AASC does is it gives us a centralized system for managing all of our DSC artifacts with an intuitive pull-based deployment model.
AASC lets you manage not only DSC artifacts but the target nodes and the reporting settings. The pole server collects state data from all target nodes automatically and can be configured to send reports to the log analytics service if you want reports to be more actionable. We will come back to that in a bit. AASC works with both Windows and Linux operating systems and can be configured to work within private networks and proxies. The only prerequisites for actually using Azure state configuration is that you have an Azure automation account and are using a Standard Azure Resource Manager VM since the classic VM version isn't supported yet but that may change.
So that's enough about the high-level features in specs. Let's actually talk through a practical example so you can understand how AASC will make your life easier. So let's start with a basic example of DSC configuration. Here we have a pretty basic script that's meant to ensure a specific config based on whether or not a node is a web server. So we're just you know in confirming a specific setting based on the node. So we can check this code into a git repo and we can run it manually from a terminal if we want. But what do we gain if we integrate it with AASC?
With the whole dashboard and Azure report. From the Azure portal, we can import this script with just a few clicks. We go into Azure automation section, we click on state configuration, the DSC page, we click into configurations and then we select add. And from there, we upload our config file. There's also a text box to add a description which I strongly recommend doing. You wanna know some info about the scripts you'll thank your future self. Now as before once you upload that config, you have to compile it into the node configuration before it can be applied to the pull server and actually run on machines. And this is again just a few clicks in the UI, we did that last lesson.
So once compilation succeeds, the new configuration can be applied to one or more node groups. Now, this may not seem like a big deal applying to node groups from the portal, you know. It may not seem all that important when you're just dealing with a single, simple PowerShell script. However, remember that a more realistic application architecture is gonna have far more moving parts than this. We might have a queuing system, we might have a caching layer, we might have multiple front ends, we could have proxies and authentication systems and different databases, etc. We could need dozens of PowerShell scripts of varying sizes to keep everything in a healthy state and avoid drift. Managing all of that is no easy task. AASC makes it a lot easier and the even cooler thing about AASC is that it not only manages our DSC code but it let us manage the VMs themselves.
AASC supports adding Azure nodes both under the standard resource management and even VMs and other clouds and it lets us manage classic nodes, classic nodes not the classic resource manager but classic nodes themselves. So we'll add a link to the documentation about this. This kind of multi-cloud functionality but what this means is that AASC lets us manage for example AWS EC2 nodes. This is a bit of out of scope, for this class to go into detail on that but it's nice to know that if you do have or if you need to set up a multi-cloud infrastructure Azure does give you the tools to at least manage much of your config in one place.
Now one best practice we want to mention here for scenarios where you need quick response times to compliance failure, is that you should forward AASC reporting data to Azure Monitor logs. As mentioned AASC readily integrates with your Azure log analytics account. With a few PowerShell commands you can configure Azure Monitoring to aggregate AASC data so that it is viewable in the Monitoring section of the AASC dashboard. So you can look at the logs and monitor all of the reporting data going on in your automation state dashboard. You can then set up queries to trigger emails or alerts or other actions if a monitor detects a compliance failure in the logs. So this is really important for cases where compliance failures are very dangerous. So for the exact walkthrough on this, see the documentation link to show exactly how to set that up, if it's an interest to you.
So that about wraps up Azure Automation State Configuration as we can see it is one of the best solutions for automating compliance by managing DSC infrastructure in an Azure cloud. It takes practice to really understand it always a lot of moving parts, so be sure to watch our demos and play around with it on your own. In the next lesson, we go one step further by introducing VM agents and extensions. It will be a blast, see you there.
Course Introduction - Compliance & Security Scanning - Security Center Demo - Preventing Drift - ARM, Activity Log & Track Changes Demo - Desired State Configuration (DSC) - Azure Desired State Configuration Demo - VM Agents & Extensions - VM Agents & Extensions Demo - Security & Compliance Pipelines - Azure Pipelines & Gates Demo - Course Summary
Jonathan Bethune is a senior technical consultant working with several companies including TopTal, BCG, and Instaclustr. He is an experienced devops specialist, data engineer, and software developer. Jonathan has spent years mastering the art of system automation with a variety of different cloud providers and tools. Before he became an engineer, Jonathan was a musician and teacher in New York City. Jonathan is based in Tokyo where he continues to work in technology and write for various publications in his free time.