Infrastructure & Application Security - Recommendations

Backups

  • All product databases must be backed up regularly, at least once daily, to an offsite location such as Azure or an equivalent cloud location. The backup location must not be reachable with the same network and credentials, to protect against malware and ransomware attacks.

Network Security

  • All VMs with the product installed must be protected by a secured firewall that allows only port 443 to the internet.

  • Only the Hybr Website VM should have port 443 open and accessible from outside (internet), via the firewall, frontend subnet and load balancer. No other HYBR port, such as RDP, should be exposed to the internet.

  • No other ports should be exposed to the outside (internet), except in the following cases:

    • Hybr uses the Console Connect feature with multiple RDP gateways (Guacamole)

      • List the specific ports that must be open for this and allow only those ports, and only to the respective VM IP address

  • All product APIs must be inside a secured backend subnet, behind a firewall. They should be accessible only to each other inside the secured backend subnet and from the HYBR Website VMs in the frontend subnet. No services or VMs in the backend subnet should be reachable from outside (internet).

    • The only exception is an external integration with the HYBR API or Billing API. In these cases, enable access via the external-facing load balancer and firewall ONLY for the specific remote IP addresses and specific ports that need access to these service APIs.

  • SQL Server VM(s) must be behind a secured firewall in the backend subnet.

    • Under NO circumstances should ANY SQL VM port be reachable from outside (internet). Give special consideration to reviewing firewall rules so that they explicitly DENY ALL ACCESS to the SQL Server VM IP address from the internet.

    • Only specific IP addresses of the HYBR Website VMs in the frontend subnet, and specific IP addresses of other services and APIs in the backend subnet, should be allowed, and ONLY to the SQL Server port, TCP 1433.
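The rules above can be checked mechanically against an exported rule list. The following is an added example, not part of the Hybr documentation: it audits inbound TCP allow rules against these recommendations. The rule tuple format, all names and all IP addresses are constructed assumptions, and a default-deny firewall is assumed.

```python
import ipaddress

# Constructed addressing plan (assumption): replace with your own values.
FRONTEND = ipaddress.ip_network("10.0.1.0/24")
BACKEND = ipaddress.ip_network("10.0.2.0/24")
WEBSITE_VMS = {"10.0.1.10"}               # Hybr Website VM
SQL_VMS = {"10.0.2.20"}                   # SQL Server VM
SQL_CLIENTS = {"10.0.1.10", "10.0.2.11"}  # Website VM and one backend API VM
# Approved external integrations: exact (source, destination, port) tuples.
EXCEPTIONS = {("203.0.113.7/32", "10.0.2.11", 443)}

# Constructed inbound TCP allow rules: (name, source CIDR, destination IP, port).
# Anything not listed is assumed to be denied by default.
RULES = [
    ("web-https",   "0.0.0.0/0",      "10.0.1.10", 443),
    ("web-rdp",     "0.0.0.0/0",      "10.0.1.10", 3389),
    ("sql-web",     "10.0.1.10/32",   "10.0.2.20", 1433),
    ("sql-any",     "0.0.0.0/0",      "10.0.2.20", 1433),
    ("sql-subnet",  "10.0.1.0/24",    "10.0.2.20", 1433),
    ("api-partner", "203.0.113.7/32", "10.0.2.11", 443),
    ("api-open",    "0.0.0.0/0",      "10.0.2.11", 443),
]

def audit(rules):
    """Return (rule name, reason) for each rule that breaks the recommendations."""
    findings = []
    for name, src, dst, port in rules:
        if (src, dst, port) in EXCEPTIONS:
            continue
        net = ipaddress.ip_network(src)
        # A "specific IP" source is a /32; wider ranges have no single host.
        host = str(net.network_address) if net.prefixlen == 32 else None
        internal = net.subnet_of(FRONTEND) or net.subnet_of(BACKEND)
        if dst in SQL_VMS:
            if not internal:
                findings.append((name, "SQL Server VM reachable from outside"))
            elif port != 1433 or host not in SQL_CLIENTS:
                findings.append((name, "SQL Server: only TCP 1433 from approved IPs"))
        elif not internal:
            if dst not in WEBSITE_VMS or port != 443:
                findings.append((name, "internet may reach only Website VM on 443"))
        elif ipaddress.ip_address(dst) in BACKEND:
            if not (net.subnet_of(BACKEND) or host in WEBSITE_VMS):
                findings.append((name, "backend API reachable beyond Website VMs"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```

Internal sources are matched against the explicitly declared subnets rather than `is_private`, which treats `0.0.0.0/0` and documentation ranges as private in some Python versions.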

Secured Configuration

  • All APIs must be configured to use ONLY HTTPS

  • All web.config and application configuration settings must be encrypted

  • All secured settings stored in the database must be encrypted

Monitoring

  • Set up alerts for critical infrastructure and services such as:

    • Disk Free Capacity for VMs and SQL Server Data

    • Windows Service Status

    • IIS Website Status for all web applications and APIs

SQL Server DB Maintenance

  • Ensure scheduled tasks exist for controlling log file growth, in conjunction with backup tasks

  • Periodically review SQL Server disk free capacity and performance optimizations such as using SSD disks

  • Cloud Assert database and log files need to be stored on a non-system drive

  • Failover cluster:

    • SQL Server Failover Clustering must be configured for all production workloads, and proper monitoring must be configured to take the required action(s) when a failover occurs

Last updated 1 year ago