Merge pull request #271472 from rcdun/nickb/clarify-ingestion-vm-security

prmerger-automator[bot] · web-flow · commit 6b5d06e47adc · 2024-04-09T09:18:02.000Z
Improve security guidance for AOI ingestion agent VM
diff --git a/articles/operator-insights/set-up-ingestion-agent.md b/articles/operator-insights/set-up-ingestion-agent.md
@@ -28,25 +28,52 @@ From the documentation for your Data Product, obtain the:
 
 ## VM security recommendations
 
-The VM used for the ingestion agent should be set up following best practice for security. For example:
+The VM used for the ingestion agent should be set up following best practice for security. We recommend the following actions:
 
-- Networking - Only allow network traffic on the ports that are required to run the agent and maintain the VM.
-- OS version - Keep the OS version up-to-date to avoid known vulnerabilities.
-- Access - Limit access to the VM to a minimal set of users, and set up audit logging for their actions. We recommend that you restrict the following.
-  - Admin access to the VM (for example, to stop/start/install the ingestion agent).
-  - Access to the directory where the logs are stored: */var/log/az-aoi-ingestion/*.
-  - Access to the managed identity or certificate and private key for the service principal that you create during this procedure.
-  - Access to the directory for secrets that you create on the VM during this procedure.
+### Networking
+
+When using an Azure VM:
+
+- Give the VM a private IP address.
+- Configure a Network Security Group (NSG) to only allow network traffic on the ports that are required to run the agent and maintain the VM.
+- Beyond this, network configuration depends on whether restricted access is set up on the data product (whether you're using service endpoints to access the Data product's input storage account). Some networking configuration might incur extra cost, such as an Azure virtual network between the VM and the Data Product's input storage account.
+ 
+When using an on-premises VM:
+
+- Configure a firewall to only allow network traffic on the ports that are required to run the agent and maintain the VM.
+
+### Disk encryption
+
+Ensure Azure disk encryption is enabled (this is the default when you create the VM).
+
+### OS version
+
+- Keep the OS version up-to-date to avoid known vulnerabilities.
+- Configure the VM to periodically check for missing system updates.
+
+### Access
+
+Limit access to the VM to a minimal set of users. Configure audit logging on the VM - for example, using the Linux audit package - to record sign-in attempts and actions taken by logged-in users.
+
+We recommend that you restrict the following:
+- Admin access to the VM (for example, to stop/start/install the ingestion agent).
+- Access to the directory where the logs are stored: */var/log/az-aoi-ingestion/*.
+- Access to the managed identity or certificate and private key for the service principal that you create during this procedure.
+- Access to the directory for secrets that you create on the VM during this procedure.
+
+### Microsoft Defender for Cloud
+
+When using an Azure VM, also follow all recommendations from Microsoft Defender for Cloud. You can find these recommendations in the portal by navigating to the VM, then selecting Security.
 
 ## Download the RPM for the agent
 
 Download the RPM for the ingestion agent using the details you received as part of the [Azure Operator Insights onboarding process](overview.md#how-do-i-get-access-to-azure-operator-insights) or from [https://go.microsoft.com/fwlink/?linkid=2260508](https://go.microsoft.com/fwlink/?linkid=2260508).
 
-Links to the current and previous releases of the agents are available below the heading of each [release note](ingestion-agent-release-notes.md). If you're looking for an agent version that's more than 6 months old, check out the [release notes archive](ingestion-agent-release-notes-archive.md).
+Links to the current and previous releases of the agents are available below the heading of each [release note](ingestion-agent-release-notes.md). If you're looking for an agent version that's more than six months old, check out the [release notes archive](ingestion-agent-release-notes-archive.md).
 
 ### Verify the authenticity of the ingestion agent RPM (optional)
 
-Before you install the RPM, you can verify the signature of the RPM with the [Microsoft public key file](https://packages.microsoft.com/keys/microsoft.asc) to ensure it has not been corrupted or tampered with.
+Before you install the RPM, you can verify the signature of the RPM with the [Microsoft public key file](https://packages.microsoft.com/keys/microsoft.asc) to ensure it hasn't been corrupted or tampered with.
 
 To do this, perform the following steps:
 
@@ -71,7 +98,7 @@ The output of the final command should be `<path-to-rpm>: digests signatures OK`
 The ingestion agent must be able to authenticate with the Azure Key Vault created by the Data Product to retrieve storage credentials. The method of authentication can either be:
 
 - Service principal with certificate credential. This must be used if the ingestion agent is running outside of Azure, such as an on-premises network. 
-- Managed identity. If the ingestion agent is running on an Azure VM, we recommend this method. It does not require handling any credentials (unlike a service principal).
+- Managed identity. If the ingestion agent is running on an Azure VM, we recommend this method. It doesn't require handling any credentials (unlike a service principal).
 
 > [!IMPORTANT]
 > You may need a Microsoft Entra tenant administrator in your organization to perform this setup for you.
@@ -83,7 +110,7 @@ If the ingestion agent is running in Azure, we recommend managed identities. For
 > [!NOTE]
 > Ingestion agents on Azure VMs support both system-assigned and user-assigned managed identities. For multiple agents, a user-assigned managed identity is simpler because you can authorise the identity to the Data Product Key Vault for all VMs running the agent.
 
-1. Create or obtain a user-assigned managed identity, follow the instructions in [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). If you plan to use a system-assigned managed identity, do not create a user-assigned managed identity.
+1. Create or obtain a user-assigned managed identity, follow the instructions in [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). If you plan to use a system-assigned managed identity, don't create a user-assigned managed identity.
 1. Follow the instructions in [Configure managed identities for Azure resources on a VM using the Azure portal](/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm) according to the type of managed identity being used.
 1. Note the Object ID of the managed identity. This is a UUID of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each character is a hexadecimal digit.
 
@@ -160,7 +187,7 @@ Repeat these steps for each VM onto which you want to install the agent.
     sudo dnf install systemd logrotate zip
     ```
 1. Obtain the ingestion agent RPM and copy it to the VM.
-1. If you are using a service principal, copy the base64-encoded P12 certificate (created in the [Prepare certificates](#prepare-certificates-for-the-service-principal) step) to the VM, in a location accessible to the ingestion agent.
+1. If you're using a service principal, copy the base64-encoded P12 certificate (created in the [Prepare certificates](#prepare-certificates-for-the-service-principal) step) to the VM, in a location accessible to the ingestion agent.
 1. Configure the agent VM based on the type of ingestion source.
 
     # [SFTP sources](#tab/sftp)
