All product databases must be regularly backed up to an offsite, at least once daily, to Azure or equivalent cloud location (not reachable from the same network and credentials, to protect from malware and ransomware attacks).
All product installed VMs must be protected with secured Firewall, that allows only port 443 to internet
Only Hybr Website VM should have port 443 opened and accessible from outside (internet) via FireWall and FrontEnd Subnet and Load Balancer. No other port(s) of HYBR should be exposed via internet to outside such as RDP.
No other ports should be exposed to outside (internet), except in the following cases:
Hybr using Console Connect Feature with multiple RDP Gateways (Guacamole)
List the specific ports required to be open for this and allow those only to the respective VM Ip Address
All product APIs must be inside a secured backend subnet, behind firewall. Only accessible to each other inside the secured backend subnet and from HYBR Website VMs from frontend subnet. No services or VMs from backend subnet should be reachable from outside (internet).
Only Exception is when there is an external integration with HYBR API or Billing API. And in these cases, enable Access via external facing Load Balancer and Firewall to ONLY specific Remote IP Address and specific ports that needs access to these service APIs.
SQL Server VM(s) must be behind a secured firewall in the backend subnet.
At NO circumstances ANY SQL VM Ports should be reachable from outside (internet). Ensure special consideration is given to review firewall rules to explicitly DENY ALL ACCESS TO SQL SERVER VM Ip Address from internet.
Only specific IP Address from frontend subnet for HYBR Website VMs and specific IP Address from backend subnet for other services and APIs should be allowed to ONLY SQL SERVER PORT TCP 1433.
All APIs must be configured to use ONLY HTTPS
All web.config and application configuration settings must be encrypted
All secured settings stored in the database must be encrypted
Set up alerts for critical infrastructure and services such as
Disk Free Capacity for VMs and SQL Server Data
Windows Service Status
IIS Website Status for all web applications and APIs
SQL Server DB Maintenance
Ensure scheduled tasks exist for controlling Log file growth, in conjunction with backup tasks
Periodic review of SQL Server Disk free capacity and performance optimizations such as using SSD disks and so on
Cloud Assert Database and log files need to be stored in non-System drive
SQL Server Failover Clustering must be configured for all production workloads and proper monitoring must be configured to take required action(s) when there is failover