Securing a Private n8n Instance in Azure with Let’s Encrypt and Managed Identity

This week, I deployed a private n8n automation instance in Azure with a focus on security, auditability, and zero public exposure. Here’s how I solved the HTTPS challenge without storing credentials or opening ports unnecessarily.

Problem Statement

I needed to:

- Run n8n privately for internal automations
- Enable HTTPS for browser access and webhook security
- Use Let’s Encrypt for free TLS certs
- Avoid storing Azure credentials on the VM
- Keep the VM locked down with minimal exposure

Azure VM and NSG Setup

- Deployed Ubuntu VM with n8n running via systemd
- Configured Azure Network Security Group (NSG) to allow:
  - Port 22 (SSH) and 443 (HTTPS) only
  - Scoped to my static IP
- Temporarily opened port 80 for Let’s Encrypt HTTP challenge

SSL Issue: Nginx Serving Self-Signed Cert

Despite running Certbot successfully, openssl s_client revealed: ...

2 min · Me

Securing Azure Entra ID: Essential Security Measures for Enterprise

Introduction

Securing Azure Entra ID (formerly Azure AD) is crucial for maintaining a robust security posture. This post covers essential security measures and how to implement them effectively.

Cleaning Up App Registrations

Identifying Unused Applications

First, identify app registrations with expired credentials:

    # Get app registrations with expired secrets/certificates
    Get-AzureADApplication | Where-Object {
        $_.PasswordCredentials.EndDate -lt (Get-Date) -or
        $_.KeyCredentials.EndDate -lt (Get-Date)
    }

Verification Process

- Check service principal sign-in logs for the last 30 days
- Disable service principals showing no activity
- Delete the corresponding app registration

Implementing MFA Requirements

Assessing MFA Status

Navigate to Authentication Methods > User Registration Details to identify users without MFA: ...

2 min · Me

Securing Azure Infrastructure: Implementing Essential Security Policies

Introduction

Securing Azure infrastructure requires implementing multiple layers of security controls. This post walks through implementing essential security policies to protect your Azure environment.

Preventing Public Blob Storage Access

One common security risk is accidentally exposing blob storage containers publicly. Azure Policy can prevent this:

- Navigate to Azure Policy
- Search for the built-in policy “Configure your Storage account public access to be disallowed”
- Assign the policy at your desired scope (subscription or management group)
- Set the effect to “Deny” to prevent creation of public containers

    {
      "properties": {
        "displayName": "Prevent Public Blob Access",
        "policyType": "BuiltIn",
        "mode": "All",
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                "equals": "true"
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }

Implementing Conditional Access Policies

Admin Role Protection

Secure privileged accounts with dedicated conditional access policies: ...

2 min · Me