Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article provides an overview of core Azure security features for virtual machines.
Azure Virtual Machines lets you deploy a wide range of computing solutions in an agile way. The service supports Microsoft Windows, Linux, Microsoft SQL Server, Oracle, IBM, SAP, and Azure BizTalk Services. You can deploy any workload and any language on nearly any operating system.
Azure VMs provide the flexibility of virtualization without buying and maintaining physical hardware. You can build and deploy applications with the assurance that your data is protected in highly secure datacenters.
With Azure, you can build security-enhanced, compliant solutions that:
- Protect virtual machines from viruses and malware
- Encrypt sensitive data
- Secure network traffic
- Identify and detect threats
- Meet compliance requirements
Trusted launch
Trusted launch is the default for newly created Generation 2 Azure VMs and Virtual Machine Scale Sets. Trusted launch protects against advanced and persistent attack techniques including boot kits, rootkits, and kernel-level malware.
Trusted launch provides:
- Secure Boot: Protects against installation of malware-based rootkits and boot kits by ensuring only signed operating systems and drivers can boot
- vTPM (virtual Trusted Platform Module): A dedicated secure vault for keys and measurements that enables attestation and boot integrity verification
- Boot Integrity Monitoring: Uses attestation through Microsoft Defender for Cloud to verify boot chain integrity and alert on failures
Trusted launch can be enabled on existing VMs and Virtual Machine Scale Sets. For more information, see Trusted launch for Azure virtual machines.
Confidential computing
Azure confidential computing protects data while in use through hardware-based trusted execution environments. Confidential VMs use AMD SEV-SNP technology to create a hardware-enforced boundary between your application and the virtualization stack.
Confidential VMs provide:
- Hardware-based isolation: Between virtual machines, hypervisor, and host management code
- Confidential OS disk encryption: Binds disk encryption keys to the VM's TPM, making disk content accessible only to the VM
- Secure key release: Cryptographic binding between platform attestation and VM encryption keys
- Attestation: Customizable policies to ensure host compliance before deployment
For more information, see Azure confidential VMs.
Azure Backup
Azure Backup is a scalable solution that protects your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications. With Azure Backup, your virtual machines running Windows and Linux are protected.
Azure Backup provides independent and isolated backups to guard against accidental destruction of data. Backups are stored in a Recovery Services vault with built-in management of recovery points.
For more information, see What is Azure Backup? and Azure Backup service FAQ.
Azure Site Recovery
Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so they're available from a secondary ___location if your primary ___location goes down.
Site Recovery:
- Simplifies BCDR strategy: Makes it easy to handle replication, failover, and recovery of multiple business workloads and apps from a single ___location
- Provides flexible replication: Replicate workloads running on Hyper-V VMs, VMware VMs, and Windows/Linux physical servers
- Supports failover and recovery: Provides test failovers for disaster recovery drills without affecting production environments
- Eliminates secondary datacenters: Replicate to Azure, eliminating the cost and complexity of maintaining a secondary site
For more information, see What is Azure Site Recovery?, How does Azure Site Recovery work?, and What workloads are protected by Azure Site Recovery?.
Virtual networking
Virtual machines require network connectivity. Azure requires virtual machines to be connected to an Azure virtual network.
An Azure virtual network is a logical construct built on top of the physical Azure network fabric. Each logical Azure virtual network is isolated from all other Azure virtual networks. This isolation helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.
For more information, see Azure network security overview and Virtual Network overview.
Security policy management
Microsoft Defender for Cloud helps you prevent, detect, and respond to threats. Defender for Cloud gives you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions.
Defender for Cloud helps you optimize and monitor VM security by:
- Providing security recommendations for virtual machines
- Monitoring the state of your virtual machines
- Providing Microsoft Defender for Servers with advanced threat protection
Microsoft Defender for Servers includes:
- Microsoft Defender for Endpoint integration for endpoint detection and response
- Vulnerability assessment for identifying security weaknesses
- Just-in-time VM access to reduce attack surface
- File integrity monitoring to detect changes to critical files
- Adaptive application controls for approved applications
For more information, see Introduction to Microsoft Defender for Cloud, Microsoft Defender for Servers, and Microsoft Defender for Cloud frequently asked questions.
Compliance
Azure Virtual Machines is certified for FISMA, FedRAMP, HIPAA, PCI DSS Level 1, and other key compliance programs. This certification makes it easier for your Azure applications to meet compliance requirements and for your business to address domestic and international regulatory requirements.
For more information, see Microsoft Trust Center: Compliance and Azure compliance documentation.
Hardware security module
Azure Key Vault provides secure storage for keys and secrets. Key Vault offers the option to store your keys in hardware security modules (HSMs) certified to FIPS 140 validated standards.
Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through Microsoft Entra ID.
For more information about Azure key management, see Key management in Azure.
Next steps
Learn about security best practices for VMs and operating systems.