Azure Security Best Practices — DevOps

Always learning
4 min readApr 18, 2024

--

Cloud security refers to the set of measures and technologies designed to protect data, applications, and infrastructure hosted in cloud environments.

buymeacoffee ☕ 👈 Click the link

It encompasses various strategies and tools aimed at safeguarding cloud-based resources from unauthorized access, data breaches, data loss, and other cyber threats.

  • Azure DevOps Access Control
  • Organization Settings
  • Agent pools Management
  • Pipeline settings
  • Project-level Settings
  • Pipeline security
  • Repo settings
  • Authentication and Authorization
  • Secrets and credentials access

Microsoft Entra ID is a cloud-based identity and access management service that enables your employees access external resources.

Entra ID provides hybrid capabilities by integrating with on-premises Active Directory environments.

Microsoft Entra ID is the new name for Azure Active Directory (Azure AD)

Permissions to a user by creating an identity-based policy.

Policy that is attached to the user or a group to which the user belongs

A permission becomes a privilege (or right) when it is assigned to someone.

Agent is someone that is given permission either explicitly (or) assumed to act on an individual’s behalf.

Agent pools are collections of deployment agents that run on deployment targets or on separate machines.

A deployment pool is a set of target servers available to the organization.

Maintenance jobs you can configure agent pools to periodically clean up stale working directories and repositories. This means that they will clean up the working directories for your agents based on the settings that you define.

Maintenance settings are tied to the organization/collection level pool admin permissions, and as such are only visible at the organization/collection level settings.

Microsoft offers hosted agents for executing pipeline tasks, there are scenarios where a self-hosted agent becomes necessary.

Self-hosted agents give you more control to install dependent software needed for your builds and deployments. Also, machine-level caches and configuration persist from run to run, which can boost speed.

Microsoft-hosted agents run on secure Azure platform.

Azure Pipelines supports continuous integration (CI) and continuous delivery (CD) to continuously test, build, and deploy your code.

Azure Pipelines provide a highly configurable and manageable pipeline for releases to multiple stages such as development, staging, QA, and production. it also offers the opportunity to implement gates and approvals at each specific stage.

Build Pipeline

Release Pipeline

Multi-stage Pipeline

There are two ways to define a CI/CD pipeline in Azure DevOps.

  1. Classic interface
  2. YAML syntax.

Classic pipelines involves using a user interface where you go through various tabs and select options provided by the UI.

YAML pipelines rely on code written in a YAML file for their setup.

Disable creation classic build pipelines

Azure Pipelines limit variables that can be set a queue time. Once enabled, only variables that are explicitly marked as “Settable at queue time” can be overriden by a user runs the pipeline.

Repository is a set of version control tools that we can use to manage our code.

Branch policies help teams protect their important branches of development. Policies enforce your team’s code quality and change management standards.

Set of rules developers follow when they write, merge and deploy shared code.

Retention policies let you set how long to keep runs, releases, and tests stored in the system.

Approvals and Checks provide increased security to your YAML pipelines. They allow you to control if a pipeline run is allowed to access a resource.

Service Connection is a configuration that allows Azure DevOps to securely connect and integrate with external services, systems, and resources.

How should we store and access Secrets and credentials?

Personal Access Token is required to set up Azure DevOPs as a content source.

  1. Token
  2. Azure key vault
  3. Third party secret

A token is a digital asset. there are service tokens and coins, they have different functions and different standards.

Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal.

Third-party secret management tools are external services or applications that provide a centralized and secure way to store and manage secrets for your DevOps workflows.

Thank you 🙏 for taking the time to read our blog.

--

--

Always learning
Always learning

Written by Always learning

கற்றுக் கொள்ளும் மாணவன்...