Microsoft Gives Virtual Machines in Windows Azure a Security Boost

Those using Microsoft's Windows Azure cloud service now have access to a new security option that lets them block unauthorized users from accessing virtual machines.

The new security feature, which Microsoft announced at its TechEd conference in New Orleans earlier this month, lets administrators put Access Control Lists (ACLs) on individual endpoints. By attaching ACL rules that permit or deny specific remote subnets to an endpoint, administrators can restrict which source addresses may reach virtual machines that are protected behind a firewall but still expose endpoints in the public cloud.

"We are adding an additional security option so that administrators can control inbound traffic to Virtual Machine," according to a blog post by Microsoft cloud strategy advisor Louis Panzano from the company's office in Spain. "You simply define how traffic from outside of your corporate firewall communicates with your virtual machine public endpoints through PowerShell and soon it will be available in the management portal."

During a session at the recent MongoDB Days conference in New York (see this blog post), Microsoft cloud evangelist and architect David Makogon noted the announcement of the new security option, saying it offers an important way to control access to an exposed IP port. As Panzano noted in his blog post, Makogon pointed out the option for now is not available in the Windows Azure management portal (meaning it required the creation of PowerShell scripts).

Makogon said a good resource for creating that script is available via a blog post by Michael Washam, who until a few weeks ago was a senior program manager at Microsoft responsible for the Windows Azure PowerShell cmdlets for compute (IaaS, PaaS, and VNET), Windows Azure .NET SDK and areas of the Service Management API (RDFE).

"A significant improvement in the security of virtual machines is the ability to lock down an endpoint so that only a specified set of IP addresses can access it," wrote Washam, now a principal cloud architect at integrator Aditi Technologies.

In his blog post, Washam explained how to specify ACLs during or after a deployment using PowerShell. "You create a new ACL configuration object using New-AzureAclConfig and then modify it with Set-AzureAclConfig," he noted. "The created ACL object is then specified to the *-AzureEndpoint cmdlet in the -ACL parameter." He shared an example script in his post.
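The following script is an added illustration of the cmdlet sequence the article describes (New-AzureAclConfig, Set-AzureAclConfig, then the -ACL parameter on an *-AzureEndpoint cmdlet); it is not Washam's script and not Microsoft's sample. It uses the classic Windows Azure Service Management PowerShell module and assumes a subscription has already been selected; the cloud service name "contoso-svc", the VM name "web01" and the management range 203.0.113.0/24 are constructed placeholder values.

```powershell
# Added example, not code from the article or from Washam's post.
# Assumes the classic Azure module is loaded and Select-AzureSubscription has
# already been run. Service, VM and subnet values below are constructed.
$serviceName = "contoso-svc"      # assumption: existing cloud service
$vmName      = "web01"            # assumption: existing VM in that service
$mgmtSubnet  = "203.0.113.0/24"   # constructed sample range (RFC 5737 space)

# 1. Create an empty ACL configuration object.
$acl = New-AzureAclConfig

# 2. Add rules to it. Rules are evaluated by ascending -Order. Once at least one
#    Permit rule is present, every remote subnet not matched by a rule is denied,
#    so the management subnet below becomes the only source that can connect.
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit `
    -RemoteSubnet $mgmtSubnet -Order 100 -Description "Management subnet only"

# 3. Attach the ACL to an endpoint. Here an RDP endpoint is added to a running VM
#    with Add-AzureEndpoint; Set-AzureEndpoint -ACL would apply the same object
#    to an endpoint that already exists. Update-AzureVM pushes the change.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name "RDP" -Protocol tcp -LocalPort 3389 -PublicPort 3389 -ACL $acl |
    Update-AzureVM

# 4. Verify what Azure actually stored for that endpoint before relying on it.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName "RDP"
```

The verification step matters because the portal could not yet display these rules at the time of the announcement; reading the ACL back through PowerShell is the only way to confirm that the permit rule, and the implicit deny for everything else, is in effect on the public port.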

This is an important new option, Makogon emphasized, advising attendees of his presentation that it will keep unauthorized users out of their systems running in Windows Azure. "You probably don't want to have that port hanging out to the public," he said, noting that by implementing the script, administrators "can set Azure ACL configuration and create a rule [to] permit or block a particular subnet."

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.


Subscribe on YouTube