Security Controls For Azure Arc Enabled Servers & SQL Server on Azure Arc

Eray ALTILI
14 min readOct 5, 2022
Azure Arc Services

Network Security:

NS-1: Establish network segmentation and protect resources in Virtual Network

For the Azure Connected Machine agent that runs on your server, make sure it can communicate with the Azure Arc service over TCP port 443 (HTTPS). Configure machines to use Transport Layer Security (TLS) 1.2. and above.

NS-2: Connect on-premises or cloud network privately

Use ExpressRoute create private connections between Cloud Resources and on-premises infrastructure. This means you can connect your on-premises or multi-cloud servers with Azure Arc and send all traffic over an Azure ExpressRoute

NS-3: Establish private network access to cloud services

Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible.

When available, use Private Endpoints with Private Link to secure cloud resources in virtual network. When Private Endpoints and Private Link not available, use secure Service Endpoints.

With Azure Arc-enabled servers, use a Private Link Scope model to allow multiple servers or machines to communicate with their Azure Arc resources using a single private endpoint.

Azure Arc Private Link Scope connects private endpoints (and the virtual networks they’re contained in) to an Azure resource, in this case Azure Arc-enabled servers.

Other extensions like Azure Monitor, Automation, Azure Key Vault and Azure Blob storage will be connected via public endpoints if you don't create private endpoint for these services.

Use Azure Private DNS Zones and Ensure DNS Resolution with Private Link

NS-4: Use Network Service Tags

Using Azure virtual network service tags, define network access controls on NSGs or Azure Firewall that are configured for your Azure Arc-enabled server resources.

--

--

Eray ALTILI

I am passionate about Technology, Cloud Computing, Machine Learning, Blockchain and Finance. All opinions are my own and do not express opinions of my employer.