Hi everyone,
I thought I would write up a very simple, yet effective, way of deploying Linux workloads (virtual machines) on Azure, or pretty much any other cloud of your choice, and making sure the basics are covered so you get a good, secure and clean deployment which you can always tweak later.
We all know that the Internet can be the WWW (Wild Wild West), so in a lot of cases virtual machines should not be completely open to the Internet. Even if it's a web server or any other service that exposes something public, it should sit behind a firewall, a reverse proxy (possibly both), load balancers and so on. But we also know that sometimes there is a requirement to have management ports open.
For management, the best way is usually a VPN, which you then use to connect to the backend virtual network and perform those tasks. But in the event that you really need to expose a machine directly, there are a few things that should be looked at when deploying virtual machines that way.
1 - Always restrict the IPs that can reach, in this case, port 22 (SSH) from the Internet; that will help narrow down access from the outside. On Azure you can use Network Security Groups to achieve that.
2 - Always deploy Linux virtual machines using SSH keys, not passwords. Passwords can be easily cracked using brute-force tools and, as a matter of fact, if you deploy a Linux virtual machine today without any of these protections in place, you will notice thousands of login attempts after just a few minutes of being online.
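Here is how points 1 and 2 look as an Azure CLI script. This is an added example, not code from the original post: the resource group, location, NSG and VM names, the image and the admin address 203.0.113.10/32 (a TEST-NET-3 documentation address) are assumed values, and the script defaults to a dry run that prints each az command rather than executing it. The NSG gets a single inbound allow rule for port 22 from the admin prefix (Azure's built-in DenyAllInbound rule at priority 65500 blocks everything else), the rule is refused if someone passes a wildcard source, and the VM is created with SSH-key-only authentication and `--nsg-rule NONE` so az does not add its own open SSH rule.

```shell
#!/bin/sh
# Added example (not from the original post): restrict SSH to one admin source
# and create the VM with key-only authentication using the Azure CLI.
# Every name below is an assumption; override via environment variables.
set -eu

RG="${RG:-rg-web-demo}"                      # assumed resource group
LOCATION="${LOCATION:-westeurope}"           # assumed region
NSG="${NSG:-nsg-web-demo}"                   # assumed NSG name
VM="${VM:-vm-web-demo}"                      # assumed VM name
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"  # constructed admin address (TEST-NET-3)
PUBKEY="${PUBKEY:-${HOME:-/root}/.ssh/id_ed25519.pub}"

# DRY_RUN=1 (the default) prints each az command instead of running it, so the
# plan can be reviewed first. Set DRY_RUN=0 after `az login` to execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse source prefixes that would open port 22 to the whole Internet.
# Returns 0 when the prefix is acceptable, 1 otherwise.
check_source_prefix() {
    case "$1" in
        ''|'*'|Internet|0.0.0.0/0|0.0.0.0|::/0)
            echo "refusing to allow SSH from '$1' (open to the Internet)" >&2
            return 1 ;;
        *)  return 0 ;;
    esac
}

# Point 1: an NSG whose only inbound allow rule is SSH from the admin prefix.
# Azure's default DenyAllInbound rule (priority 65500) covers everything else.
create_ssh_rule() {
    check_source_prefix "$ADMIN_CIDR" || return 1
    run az network nsg create -g "$RG" -n "$NSG" -l "$LOCATION"
    run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowSSHFromAdmin \
        --priority 100 --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes "$ADMIN_CIDR" --source-port-ranges '*' \
        --destination-address-prefixes '*' --destination-port-ranges 22
}

# Point 2: SSH-key-only VM attached to that NSG. --authentication-type ssh
# disables password login, and --nsg-rule NONE stops az adding an open SSH rule.
create_vm() {
    run az vm create -g "$RG" -n "$VM" -l "$LOCATION" \
        --image Ubuntu2204 --size Standard_B1s \
        --admin-username azureuser --authentication-type ssh \
        --ssh-key-values "$PUBKEY" --nsg "$NSG" --nsg-rule NONE
}

create_ssh_rule
create_vm
```

Run it once as-is to read the commands it would issue, then with `DRY_RUN=0` to create the resources. Keep `ADMIN_CIDR` as narrow as your admin access allows; if the admin IP changes, update the rule rather than widening it.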
3 - If you are planning to use a smaller-size virtual machine to host a Ghost or WordPress instance, or anything simple, sometimes it's good to enable swap. We all know that we should always avoid swapping, but on cloud environments that is even trickier, since all resources are accessed through the network, so swapping over that will make problems even worse. On Azure, all virtual machines come with a locally attached ephemeral disk (which you cannot use for persistent storage) but it is great for swap and temporary files that don't need to be kept. So, if you have any need to use swap, make sure you set it up to use this resource instead. You can find the steps here to achieve that.
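The following is an added example of point 3, not the steps the post links to and not the project's own code: it enables swap on the resource disk through the Azure Linux agent's `/etc/waagent.conf` (`ResourceDisk.EnableSwap` and `ResourceDisk.SwapSizeMB`) and adds a check, run against `/proc/swaps`, that flags any swap area living outside the resource disk mount. The config path, the 2048 MB size and the `/mnt` mount point are assumptions to adjust for your image.

```shell
#!/bin/sh
# Added example (not from the original post): make the Azure Linux agent put
# swap on the ephemeral resource disk and verify no swap sits on the OS disk.
# Path, size and mount point are assumptions; override them via the environment.
set -eu

WAAGENT_CONF="${WAAGENT_CONF:-/etc/waagent.conf}"
SWAP_MB="${SWAP_MB:-2048}"
RESOURCE_MOUNT="${RESOURCE_MOUNT:-/mnt}"   # assumed resource disk mount point

# Set key=value in a waagent-style config file: replace an existing line
# (commented out or not), otherwise append. Safe to run repeatedly.
set_conf() {
    key="$1"; value="$2"; file="$3"
    if grep -q "^[# ]*${key}=" "$file"; then
        sed -i "s|^[# ]*${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# waagent formats and mounts the resource disk and creates the swap file on it,
# so nothing is written to the persistent OS disk. Takes effect after the agent
# restarts (e.g. systemctl restart walinuxagent) or on the next boot.
enable_resource_disk_swap() {
    set_conf ResourceDisk.Format y "$WAAGENT_CONF"
    set_conf ResourceDisk.EnableSwap y "$WAAGENT_CONF"
    set_conf ResourceDisk.SwapSizeMB "$SWAP_MB" "$WAAGENT_CONF"
}

# Read a /proc/swaps-format file ($1) and return 1 if any swap area is not
# under the resource disk mount point ($2), i.e. it lives on a network-backed disk.
check_swap_location() {
    swaps_file="$1"; mount_point="$2"
    tail -n +2 "$swaps_file" | while read -r name rest; do
        case "$name" in
            "$mount_point"/*) ;;
            *) echo "swap '$name' is not on the resource disk ($mount_point)" >&2
               exit 1 ;;
        esac
    done
}

# Typical use on a VM (needs root):
#   enable_resource_disk_swap
#   check_swap_location /proc/swaps "$RESOURCE_MOUNT"
```

One caveat worth checking before relying on this: on images where cloud-init rather than waagent owns the resource disk (Ubuntu's Azure images behave this way), the `ResourceDisk.*` keys are ignored and swap has to be configured through cloud-init instead. Either way, `check_swap_location /proc/swaps /mnt` tells you where the swap actually ended up.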
I will keep adding to and updating this guidance as I see fit, so keep checking back for other recommendations.
Image by Alex Chumak (@ralexnder) | Unsplash Photo Community