I work in a small startup that is only hosted in Azure and I was wondering the best way to secure everything.
I use the below services
The web apps and the Vms need to communicate with the other three services.
Below is what we are currently doing. Is this correct and if not can you provide any resources to work from?
I would appreciate any help that can be provided.
Edit
Things that i am worried about are:
Sql Server allow access to azure. I can turn this off but then the website will need to be added to the firewall and as i understand it the ip address is not static. Is it a security concern to leave this on?
By default, “Allow access to Azure services” is turned on, enabling this feature would allow any traffic from resources/services hosted in Azure to access the database.
Storage accounts, the connection string allows unlimited access to the account. You can lock this down with SAS to ip addresses but it has the same issues as the sqlsvr when connecting from the website. Also the SAS is time based how is it renewed?
A shared access signature can take one of two forms: Ad hoc SAS and SAS with stored access policy. We could re-specify the start time, expiry time, and permissions to get a new ad hoc SAS. When we associate a SAS with a stored access policy, the SAS inherits the constraints - the start time, expiry time, and permissions - defined for the stored access policy, we could modify the stored access policy to revoke the SAS or get a new SAS based on new stored access policy.
For more information about Shared Access Signatures (SAS), you could read this article.