Implementing Azure Security Best Practices: Break Glass Accounts, MFA, and Legacy Auth

This week, I implemented several critical security measures in Azure Active Directory (now Microsoft Entra ID) that every organization should consider. Let’s walk through the key implementations:

1. Break Glass Account Setup

Break glass accounts are emergency access accounts that help maintain access during identity system failures. Here’s how to set one up:

- Create a dedicated emergency access account
- Store credentials securely (I used a password manager)
- Configure exemptions from Conditional Access policies
- Share access with minimal required administrators
- Document the process and access procedures

2. Conditional Access for Admin Roles

Implemented stronger MFA controls for administrative roles: ...
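The procedure above, carried through with the Microsoft Graph PowerShell SDK, as an added example that is not the post's own script: it creates the emergency access account, gives it a permanent Global Administrator assignment, creates one Conditional Access policy requiring MFA for privileged roles and one blocking legacy authentication (both excluding the break-glass account), and then checks that the exclusion holds across every policy in the tenant. The tenant domain, account and policy names are assumptions; the role template IDs are the fixed built-in values that are the same in every tenant.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# module and an account that can consent to the scopes below.
Connect-MgGraph -Scopes "User.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All"

$domain = "contoso.onmicrosoft.com"   # assumption: replace with your tenant domain

# 1. Dedicated, cloud-only emergency access account. The password is long,
#    random, never expires, and goes straight into the vault, not into a ticket.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

$breakGlass = New-MgUser -DisplayName "Emergency Access 01" `
    -UserPrincipalName "bg-admin-01@$domain" `
    -MailNickname "bg-admin-01" `
    -AccountEnabled `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false } `
    -PasswordPolicies "DisablePasswordExpiration"

# 2. Permanent (not PIM-eligible) Global Administrator assignment, so the
#    account still works when PIM or MFA is what is broken.
$globalAdmin = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator template id
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $breakGlass.Id `
    -RoleDefinitionId $globalAdmin -DirectoryScopeId "/"

# 3. Require MFA for privileged roles, with the break-glass account excluded.
$adminRoles = @(
    $globalAdmin,
    "194ae4cb-b126-40b2-bd5b-6091b380977d",   # Security Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",   # Privileged Role Administrator
    "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"    # Conditional Access Administrator
)
$mfaPolicy = @{
    displayName = "Require MFA for privileged roles"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only sign-ins
    conditions  = @{
        users          = @{ includeRoles = $adminRoles; excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# 4. Block legacy authentication (protocols that cannot carry MFA), again
#    excluding the break-glass account.
$legacyAuthPolicy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyAuthPolicy

# 5. The exemption must hold for every policy, not only the two created here;
#    one forgotten policy is enough to lock the emergency account out.
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id
} | ForEach-Object {
    Write-Warning "Break-glass account is not excluded from policy '$($_.DisplayName)'"
}
```

Both policies are created in report-only mode so that the sign-in logs can be checked for admins who would have been blocked before enforcement is turned on. Re-run step 5 whenever a Conditional Access policy is added, and pair the account with an alert on any sign-in by its object ID, since a successful interactive sign-in to a break-glass account should never be routine.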

1 min · Me

Kubernetes Node Pool Management and Cloud-Specific Scaling Patterns

Node Pool Design Patterns

GKE Node Pool Configuration

```hcl
# GKE Node Pool
resource "google_container_node_pool" "general_purpose" {
  name     = "general-purpose"
  cluster  = google_container_cluster.primary.name
  location = "us-central1"

  autoscaling {
    min_node_count  = 1
    max_node_count  = 10
    location_policy = "BALANCED"
  }

  node_config {
    machine_type = "n2-standard-4"
    disk_size_gb = 100
    disk_type    = "pd-ssd"

    labels = {
      role = "general"
      env  = "production"
    }

    # No taint here: a taint on the general-purpose pool would repel every
    # pod that lacks a matching toleration. Taints belong on specialty pools.
  }

  management {
    auto_repair  = true
    auto_upgrade = true
  }
}
```

EKS Node Group Configuration

```hcl
# EKS Node Group
resource "aws_eks_node_group" "compute_optimized" {
  cluster_name    = aws_eks_cluster.main.name
  node_group_name = "compute-optimized"
  node_role_arn   = aws_iam_role.eks_node.arn
  subnet_ids      = aws_subnet.private[*].id

  scaling_config {
    desired_size = 2
    max_size     = 10
    min_size     = 1
  }

  instance_types = ["c5.2xlarge"]
  capacity_type  = "SPOT"

  labels = {
    workload = "compute"
    cost     = "spot"
  }

  # Spot capacity can be reclaimed at short notice; the taint makes workloads
  # opt in explicitly with a toleration instead of landing here by default.
  taint {
    key    = "workload"
    value  = "compute"
    effect = "NO_SCHEDULE"
  }
}
```

AKS Node Pool Configuration

```hcl
# AKS Node Pool
resource "azurerm_kubernetes_cluster_node_pool" "memory_optimized" {
  name                  = "memopt"
  kubernetes_cluster_id = azurerm_kubernetes_cluster.main.id
  vm_size               = "Standard_E4s_v3"
  enable_auto_scaling   = true   # renamed auto_scaling_enabled in azurerm 4.x
  min_count             = 1
  max_count             = 5

  node_labels = {
    workload = "memory-intensive"
  }

  node_taints = [
    "workload=memory:NoSchedule"
  ]

  zones = ["1", "2", "3"]   # zones are strings, not numbers
}
```

Cloud-Specific Features

GKE-Specific Capabilities

```hcl
# GKE-specific features
resource "google_container_cluster" "advanced" {
  name     = "advanced"
  location = "us-central1"

  # Autopilot mode: Google manages the nodes, so no node pools are declared
  enable_autopilot = true

  # Vertical Pod Autoscaling
  vertical_pod_autoscaling {
    enabled = true
  }

  # Binary Authorization (enable_binary_authorization is deprecated in
  # favour of this block)
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  # Workload Identity
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}
```

EKS-Specific Features

```hcl
# EKS-specific features
resource "aws_eks_cluster" "advanced" {
  name     = "advanced"
  role_arn = aws_iam_role.eks_cluster.arn   # cluster role, assumed to exist

  vpc_config {
    subnet_ids = aws_subnet.private[*].id
  }

  # IPv6 Support
  kubernetes_network_config {
    ip_family = "ipv6"
  }

  # Secrets Encryption: envelope-encrypt Kubernetes Secrets with a KMS key
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks.arn
    }
    resources = ["secrets"]
  }
}

# Fargate Profiles: a separate resource, not a block inside aws_eks_cluster
resource "aws_eks_fargate_profile" "serverless" {
  cluster_name           = aws_eks_cluster.advanced.name
  fargate_profile_name   = "serverless"
  pod_execution_role_arn = aws_iam_role.fargate_pod.arn   # pod execution role, assumed to exist
  subnet_ids             = aws_subnet.private[*].id

  selector {
    namespace = "serverless"
  }
}
```

AKS-Specific Features

```hcl
# AKS-specific features
resource "azurerm_kubernetes_cluster" "advanced" {
  name                = "advanced"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "advanced"

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  # Azure CNI Overlay (the overlay switch is network_plugin_mode, not network_mode)
  network_profile {
    network_plugin      = "azure"
    network_plugin_mode = "overlay"
    network_policy      = "calico"
  }

  # Azure AD Integration (managed is implied and deprecated in azurerm 4.x)
  azure_active_directory_role_based_access_control {
    managed            = true
    azure_rbac_enabled = true
  }

  # Azure Key Vault Integration
  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }
}
```
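The settings above are only worth anything if they survive the next refactor, so here is an added example (not code from the post) of a policy-as-code check that reads a `terraform show -json` plan and flags the security-relevant settings from this post when they are missing: a NO_SCHEDULE taint on spot node groups, KMS envelope encryption of Secrets on EKS, Workload Identity and enforced Binary Authorization on GKE, and Azure RBAC plus a network policy engine on AKS. The plan fragment is constructed for the demonstration, with two resources deliberately misconfigured; the checks work on any real plan file passed as the first argument.

```python
"""Audit a `terraform show -json` plan for the cluster and node-pool settings
discussed above.  Added example, not the post's own code."""
import json

# Constructed plan fragment in the shape `terraform show -json tfplan` emits
# (nested blocks appear as lists, unset attributes as null).  The spot node
# group has no taint and the AKS cluster has Azure RBAC off and no network
# policy; the EKS and GKE clusters are configured correctly.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_eks_node_group.compute_optimized",
     "type": "aws_eks_node_group",
     "values": {"capacity_type": "SPOT", "taint": []}},
    {"address": "aws_eks_cluster.advanced", "type": "aws_eks_cluster",
     "values": {"encryption_config": [{"resources": ["secrets"], "provider": [
         {"key_arn": "arn:aws:kms:us-east-1:123456789012:key/example"}]}]}},
    {"address": "google_container_cluster.advanced",
     "type": "google_container_cluster",
     "values": {"workload_identity_config": [
                    {"workload_pool": "example-project.svc.id.goog"}],
                "binary_authorization": [
                    {"evaluation_mode": "PROJECT_SINGLETON_POLICY_ENFORCE"}]}},
    {"address": "azurerm_kubernetes_cluster.advanced",
     "type": "azurerm_kubernetes_cluster",
     "values": {"azure_active_directory_role_based_access_control": [
                    {"managed": True, "azure_rbac_enabled": False}],
                "network_profile": [{"network_plugin": "azure",
                                     "network_plugin_mode": "overlay",
                                     "network_policy": None}]}},
]}}})


def check_eks_node_group(v):
    # Spot capacity can be reclaimed at short notice; pods must opt in via a
    # toleration, which only works if the pool carries a NO_SCHEDULE taint.
    findings = []
    if v.get("capacity_type") == "SPOT" and not any(
            t.get("effect") == "NO_SCHEDULE" for t in v.get("taint") or []):
        findings.append("SPOT node group without a NO_SCHEDULE taint")
    return findings


def check_eks_cluster(v):
    findings = []
    if not any("secrets" in (c.get("resources") or [])
               for c in v.get("encryption_config") or []):
        findings.append("Kubernetes Secrets not envelope-encrypted with KMS")
    return findings


def check_gke_cluster(v):
    findings = []
    if not v.get("workload_identity_config"):
        findings.append("Workload Identity not configured; pods use the node service account")
    # Accept either the deprecated flag or the enforcing evaluation mode.
    enforced = v.get("enable_binary_authorization") or any(
        b.get("evaluation_mode") == "PROJECT_SINGLETON_POLICY_ENFORCE"
        for b in v.get("binary_authorization") or [])
    if not enforced:
        findings.append("Binary Authorization not enforced")
    return findings


def check_aks_cluster(v):
    findings = []
    if not any(r.get("azure_rbac_enabled") for r in
               v.get("azure_active_directory_role_based_access_control") or []):
        findings.append("Azure RBAC for Kubernetes authorization disabled")
    if not any(p.get("network_policy") for p in v.get("network_profile") or []):
        findings.append("No network policy engine; pod-to-pod traffic is unrestricted")
    return findings


CHECKS = {
    "aws_eks_node_group": check_eks_node_group,
    "aws_eks_cluster": check_eks_cluster,
    "google_container_cluster": check_gke_cluster,
    "azurerm_kubernetes_cluster": check_aks_cluster,
}


def _walk(module):
    # Resources declared in modules sit under child_modules; flatten them.
    yield from module.get("resources") or []
    for child in module.get("child_modules") or []:
        yield from _walk(child)


def audit_plan(plan_json):
    """Return {resource address: [finding, ...]} for resources failing a check."""
    plan = json.loads(plan_json)
    results = {}
    for res in _walk(plan["planned_values"]["root_module"]):
        check = CHECKS.get(res.get("type"))
        if check is None:
            continue
        findings = check(res.get("values") or {})
        if findings:
            results[res["address"]] = findings
    return results


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, findings in audit_plan(source).items():
        for finding in findings:
            print(f"{address}: {finding}")
```

Run it as `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python audit.py plan.json` in CI and fail the job on any output. Checking the plan rather than the `.tf` files means values resolved from variables and modules are evaluated as they will actually be applied.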

2 min · Me