惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

M
MIT News - Artificial intelligence
有赞技术团队
有赞技术团队
S
Schneier on Security
aimingoo的专栏
aimingoo的专栏
T
Troy Hunt's Blog
U
Unit 42
Hacker News - Newest:
Hacker News - Newest: "LLM"
V2EX - 技术
V2EX - 技术
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
H
Heimdal Security Blog
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Cloudbric
Cloudbric
Google DeepMind News
Google DeepMind News
C
Cisco Blogs
The Cloudflare Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
MyScale Blog
MyScale Blog
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
D
DataBreaches.Net
N
News and Events Feed by Topic
Security Archives - TechRepublic
Security Archives - TechRepublic
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
F
Full Disclosure
The Register - Security
The Register - Security
L
LINUX DO - 热门话题
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
Intezer
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
T
Threatpost
Spread Privacy
Spread Privacy
小众软件
小众软件
AWS News Blog
AWS News Blog
S
Secure Thoughts
S
Security @ Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
J
Java Code Geeks

Microsoft Azure Blog

Frontier models and production agents: Advancing Microsoft Foundry for the agentic era | Microsoft Azure Blog Built to bounce back: How Azure resiliency evolved | Microsoft Azure Blog External key management for Azure Managed HSM Meet Brain: The AI system behind Azure reliability | Microsoft Azure Blog Proving application resilience on Azure with Chaos Studio | Microsoft Azure Blog How to design, build, and optimize cloud infrastructure for long-term efficiency Claude in Microsoft Foundry is now generally available | Microsoft Azure Blog The 2026 Agent Confidence Index: Where 300 builders see real momentum | The Microsoft Cloud Blog Accelerate modern Linux workloads with Azure Files | Microsoft Azure Blog Optimizing PostgreSQL on Azure directly in Visual Studio Code From insight to action: The next phase of agentic cloud operations | Microsoft Azure Blog Modernize your data with Azure Storage: Plan and migrate with confidence | Microsoft Azure Blog 3 things leaders need to know from Microsoft Build 2026 | Microsoft Azure Blog Claude Fable 5 available today in Microsoft Foundry: Powering the next era of autonomous agents AI alone won’t change your business. The system running it will. Announcing Microsoft Discovery general availability and Microsoft Discovery app preview A Developer’s Guide to Managing Models, Cost and Quality in Microsoft Foundry Foundry IQ: Build smarter agents faster with unified knowledge and serverless retrieval Microsoft Build 2026: Building agentic apps with Microsoft Fabric and Microsoft Databases New Azure Cobalt 200 VMs deliver 50% performance improvement, fully optimized for modern agentic AI workloads Claude Opus 4.8 is now available in Microsoft Foundry Powering multi-cluster workloads with seamless cross‑cluster networking for Azure Kubernetes Fleet Manager Azure NetApp Files for EDA workloads: From revolution to breakthrough at scale Azure IaaS: Deploy high-performance workloads with a system-level approach Azure Files Entra-Only identities: Advancing cloud-native identity and security From commit to cloud: Powering what’s next for PostgreSQL Advancing enterprise AI: New SAP on Azure announcements from SAP Sapphire 2026 Red Hat Summit 2026: Platform modernization and AI on Microsoft Azure Red Hat OpenShift Build AI apps with Azure Cosmos DB: Key trends from Cosmos Conf 2026 Scaling cloud and AI: Microsoft Azure’s commitment to Europe’s digital future Enforcing trust and transparency: Open-sourcing the Azure Integrated HSM Microsoft named a Leader in the IDC MarketScape: Worldwide API Management 2026 Vendor Assessment OpenAI’s GPT-5.5 in Microsoft Foundry: Frontier intelligence on an enterprise ready platform Microsoft Discovery: Advancing agentic R&D at scale Introducing Azure Accelerate for Databases: Modernize your data for AI with experts and investments Cloud Cost Optimization: Principles that still matter Optimize object storage costs automatically with smart tier—now generally available Microsoft named a Leader in The Forrester Wave™ for Sovereign Cloud Platforms How Drasi used GitHub Copilot to find documentation bugs Cloud Cost Optimization: How to maximize ROI from AI, manage costs, and unlock real business value Azure IaaS: Keep critical applications running with built-in resiliency at scale Building sovereign AI at the edge: Microsoft and Armada collaborate to deliver Azure Local on Galleon modular datacenters Navigating digital sovereignty at the frontier of transformation Microsoft named a Leader in 2026 Gartner® Magic Quadrant™ for Integration Platform as a Service AI for nuclear energy: Powering an intelligent, resilient future | The Microsoft Cloud Blog What’s new with Microsoft in open-source and Kubernetes at KubeCon + CloudNativeCon Europe 2026 Advancing agentic AI with Microsoft databases across a unified data estate FabCon and SQLCon 2026: Unifying databases and Fabric on a single data platform Microsoft at NVIDIA GTC: New solutions for Microsoft Foundry, Azure AI infrastructure and Physical AI From legacy to leadership: How PostgreSQL on Azure powers enterprise agility and innovation
Azure IaaS: Defense in depth built on secure-by-design principles
Narayan Annamalai · 2026-05-05 · via Microsoft Azure Blog

Security for cloud infrastructure is no longer defined by a single control, product, or boundary. Modern threats target identity, software supply chains, control planes, networks, and data simultaneously.

This blog post is the third part of a blog series called Azure IaaS which will share best practices and guidance to help you build a trusted infrastructure platform—from performance, resiliency, and security to scalability and cost efficiency.

Security for cloud infrastructure is no longer defined by a single control, product, or boundary. Modern threats target identity, software supply chains, control planes, networks, and data simultaneously. Addressing this reality requires two things to work together: a layered defense-in-depth architecture and security principles that are enforced consistently across the platform.

In Azure Infrastructure as a Service (IaaS), security is built around these two reinforcing ideas. First, Azure implements defense in depth, applying multiple, independent layers of protection across compute, networking, storage, and operations so that no single control stands alone. Second, those protections are guided by Microsoft’s  Secure Future Initiative (SFI) principles: secure by design, secure by default, and secure in operation. Together, they define how Azure IaaS is engineered, configured, and operated at scale.

Defense in depth as a system

Defense in depth is not a checklist of features—it is a system-level security architecture. Each layer is designed with the assumption that another layer may fail, and that compromise at one point should not lead to platform-wide impact.

In Azure IaaS, defense in depth spans the full infrastructure stack:

  • Hardware and host integrity
  • Virtualized compute isolation
  • Network segmentation and traffic control
  • Data protection for storage
  • Continuous monitoring and response

These layers are intentionally independent. Hardware root-of-trust mechanisms validate host integrity before workloads ever start. Virtual machines (VM) run with strong isolation boundaries enforced by the hypervisor. Network controls limit lateral movement and restrict exposure. Storage services encrypt and protect data even if credentials are compromised. And telemetry and monitoring systems operate continuously, detecting and responding to anomalous behavior across the platform.

This layered approach ensures that Azure IaaS security does not rely on perimeter assumptions or a single “control plane defense,” but instead applies multiple mutually reinforcing controls that work together.

Secure by design: Engineering security into the platform

“Secure by design” means security is architected into the platform from the beginning, not added after deployment. In Azure IaaS, this starts at the lowest layers of the stack.

Hardware and host-level trust

Azure servers are built with hardware roots of trust, measured boot, and secure firmware validation. Technologies such as Trusted Platform Modules (TPMs) and secure boot validate that host firmware, boot loaders, and operating systems have not been tampered with before the system joins the Azure fleet. These mechanisms reduce exposure to firmware-level and boot-chain attacks that traditional software-only defenses cannot address.

Azure also offloads critical infrastructure functions—such as storage, networking, and management operations—into dedicated, hardened components like Azure Boost, reducing the attack surface of the host operating system and improving isolation between customer workloads and platform services.

Virtual machine-layer trust

At the virtual machine layer, Azure enforces strong virtualization boundaries using a hardened hypervisor. Features like Trusted Launch for Azure VM combine secure boot, virtual TPMs, and integrity monitoring to protect VMs against low-level attacks such as bootkits and kernel rootkits.

For highly sensitive workloads, Azure confidential computing extends defense in depth by using trusted execution environments (TEEs) backed by hardware-based memory encryption (such as AMD SEV‑SNP or Intel TDX). These technologies help ensure that data remains protected even while in use and inaccessible to the host or hypervisor.

Security here is not a bolt-on—it is a design property of how Azure compute infrastructure is built and operated.

Secure by default: Protection enabled without friction

Secure-by-default controls reduce risk by making the safest option the standard configuration, without requiring customers to assemble security from scratch.

Secure defaults across networking

In Azure IaaS, networking defaults are aligned with least-privilege and Zero Trust principles. Virtual networks are isolated by default. Inbound traffic to VM is blocked unless explicitly allowed. Network security groups (NSGs) enforce stateful filtering, while Azure Firewall provides centralized policy enforcement and traffic inspection when deployed.

Private connectivity options such as Azure Private Link and private endpoints allow services to be accessed without exposing them to the public internet. DDoS protection is automatically applied at the platform edge, helping protect workloads from volumetric attacks without additional configuration.

These defaults limit exposure by design, narrowing the attack surface before workload-specific rules are added.

Encryption and data protection by default

Azure IaaS storage services encrypt data at rest by default, using platform-managed keys, with options to use customer-managed keys via Azure Key Vault or Managed HSM. Disk encryption protects operating system and data disks for VM, and secure snapshots protect point-in-time copies of data.

Encryption in transit is enforced across Azure backbone networks, ensuring traffic between services within the platform is protected without requiring per-workload configuration.

Secure-by-default encryption ensures that data protections are always on, not optional.

Compute protection defaults

Signed and measured Azure host boot, secure host operating system (OS) hardening, host‑level monitoring and patching by Microsoft, and hypervisor-enforced isolation between tenants are all enabled by default and cannot be disabled by Azure tenants.

Trusted Launch is enabled by default for newly created Azure Gen2 VMs and VM scale sets, when using supported OS images, VM sizes, and deployment methods. Supported deployments methods include deployment via the Azure Portal, ARM templates, Bicep, Terraform, and Azure SDKs.

Secure in operation: Continuous protection at runtime

Security does not stop at deployment. The secure in operation principle focuses on maintaining protection continuously as threats evolve.

Monitoring, detection, and signal correlation

Azure integrates telemetry from compute, network, and storage layers into centralized monitoring systems such as Azure Monitor and Microsoft Defender for Cloud. These systems continuously analyze behavior to identify misconfigurations, detect threats, and surface actionable security recommendations.

For IaaS workloads, Defender for Cloud helps identify exposed management ports, missing disk encryption, and insecure network configurations, while also correlating threat signals across the environment.

Identity-centric control and least privilege

Operational security depends heavily on identity. Azure IaaS integrates with Microsoft Entra ID to enforce identity-based access controls, reduce standing privileges, and apply conditional access policies. Features like Just-In-Time (JIT) VM access limit administrative exposure by only opening management ports when needed and only for approved identities.

By minimizing persistent access and rotating privileges dynamically, Azure reduces the impact of credential compromise.

Bringing defense in depth and SFI together

Defense in depth provides the technical structure of Azure IaaS security. Secure by design, secure by default, and secure in operation provide the engineering and operational discipline that governs how those controls are built, deployed, and maintained.

Together, they ensure that Azure IaaS security is:

  • Layered: No single control is assumed to be sufficient.
  • Intrinsic: Security is part of the platform architecture, not an add-on.
  • Consistent: Defaults and policies reduce configuration drift.
  • Adaptive: Continuous monitoring and operational controls evolve with the threat landscape.

This combination allows Azure to protect IaaS workloads across compute, network, and storage while maintaining compatibility with diverse operating systems, workload types, and deployment models.

 Security as an ongoing platform commitment

Azure IaaS security is not defined by a static set of features. It is the result of ongoing engineering investment, guided by clear principles, and reinforced through layered technical controls.

Defense in depth ensures that failures are contained. Secure-by-design architecture reduces attack surfaces from the start. Secure-by-default configurations minimize exposure without adding friction. And secure-in-operation practices ensure the platform continues to adapt as threats evolve.

Together, these principles define how Azure IaaS delivers infrastructure security that is systematic, scalable, and aligned with modern threat realities.

To go deeper, explore the Azure IaaS Resource Center for tutorials, best practices, and guidance across compute, storage, and networking to help you design and operate resilient infrastructure with greater confidence.

Did you miss these posts in the Azure IaaS series?