🚀 From Zero to Secure: Deploying a Hardened Azure Environment with Terraform & Azure CLI

Tags: #azure #devops #cloudsecurity #terraform

📖 Why This Guide?

Passing a cloud security quiz is great — but real-world deployments require more than memorizing the right answer.

This article takes the concepts behind common Azure security questions and turns them into battle-tested deployments using Azure CLI and Terraform.

You’ll learn how to:

1. Build a secure Network Security Group with least privilege inbound rules.
2. Detect & respond to impossible travel sign-ins.
3. Manage Key Vault data-plane access with Azure RBAC.
4. Map and implement Defense in Depth layers.

1️⃣ NSG Inbound — The Right Way

Scenario:

You need to allow HTTPS traffic from the Internet to your app subnet — but safely.

Principles:

• Restrict by port and protocol.
• Avoid * in source IPs unless unavoidable.
• Use higher-level protections like WAF where possible.

Azure CLI:

RG=rg-secure-demo LOC=westeurope VNET=vnet-secure SUBNET=app-subnet NSG=nsg-app RULE=Allow-HTTPS-Internet PRIORITY=100 # Create RG and VNet az group create -n $RG -l $LOC az network vnet create -g $RG -n $VNET -l $LOC \ --address-prefixes 10.10.0.0/16 \ --subnet-name $SUBNET --subnet-prefix 10.10.1.0/24 # Create NSG az network nsg create -g $RG -n $NSG # Add inbound HTTPS rule az network nsg rule create \ -g $RG --nsg-name $NSG -n $RULE \ --priority $PRIORITY \ --direction Inbound --access Allow --protocol Tcp \ --source-address-prefixes Internet \ --destination-port-ranges 443 # Attach NSG to subnet az network vnet subnet update \ -g $RG --vnet-name $VNET -n $SUBNET \ --network-security-group $NSG 

2️⃣ Detecting Impossible Travel

Concept: Impossible travel is when a user logs in from two locations so far apart that traveling between them in the elapsed time is physically impossible.

KQL Query in Log Analytics:

SigninLogs | where ResultType == 0 | project TimeGenerated, UserPrincipalName, Location = tostring(LocationDetails.countryOrRegion) | order by UserPrincipalName, TimeGenerated | extend PrevLocation = prev(Location), PrevTime = prev(TimeGenerated), PrevUser = prev(UserPrincipalName) | where UserPrincipalName == PrevUser and Location != PrevLocation | where datetime_diff('minute', PrevTime, TimeGenerated) < 60 

Real-World Action:

• Enable Azure AD Identity Protection.
• Create Conditional Access policy:
  • Sign-in risk = Medium+
  • Action = Require MFA or Block
• Start in report-only mode, then enforce.

3️⃣ Key Vault Access with RBAC

Scenario:

Grant a specific Azure AD group permissions to create & delete keys in Key Vault.

Azure CLI:

RG=rg-secure-demo LOC=westeurope KV=kv-secure-$RANDOM GROUP_NAME="kv-crypto-admins" # Create Key Vault az keyvault create -n $KV -g $RG -l $LOC # Create AAD group GROUP_ID=$(az ad group create --display-name "$GROUP_NAME" --mail-nickname "$GROUP_NAME" --query id -o tsv) # Assign Key Vault Administrator role ROLE="Key Vault Administrator" SCOPE=$(az keyvault show -n $KV -g $RG --query id -o tsv) az role assignment create \ --assignee-object-id $GROUP_ID \ --assignee-principal-type Group \ --role "$ROLE" \ --scope "$SCOPE" 

Best Practice:

Use RBAC instead of legacy access policies for unified permissions management.

4️⃣ Implementing Defense in Depth

Layer Mapping:

🧹 Clean-Up

az group delete -n rg-secure-demo --yes --no-wait 

📌 Key Takeaways

• NSG rules should be precise — no blanket * inbound.
• Impossible travel is a high-confidence detection signal.
• Key Vault RBAC is modern, scalable, and auditable.
• Security works best in layers.

💬 Question for you:

What’s one Azure security trick you use that isn’t in Microsoft’s documentation? Drop it in the comments, and I’ll build a full code example for it.