If an attacker gains access to your database, you can still protect your data.
It is protected by the Transparent Data Encryption feature, also known as TDE, which is enabled by default.
Azure manages the encryption keys that TDE uses, but you can also bring your own keys.
This feature is available in Azure SQL and Azure Synapse Analytics.
A similar feature is enabled in Azure Database for PostgreSQL and Azure Database for MySQL.
You should also make sure that the data that travels over the wire, the in-flight data, is secured as well. You can secure that with TLS – Transport Layer Security.
For most services, secure data transport is enabled by default.
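The data-at-rest and data-in-transit settings above can be checked and enforced from a script. The following Azure PowerShell (Az module) snippet is an added example, not code from the original page: it verifies that TDE is on, switches the TDE protector to a customer-managed key from Key Vault, and sets the minimum TLS version on the logical SQL server. The resource group, server, database and key URI are placeholders; the server must already have a managed identity with get, wrapKey and unwrapKey permissions on the Key Vault key.

```powershell
# Added example (not from the original page). Names below are placeholders.
$rg       = 'rg-prod-data'   # assumption: resource group
$server   = 'sql-prod-01'    # assumption: logical SQL server
$database = 'orders'         # assumption: database name
# Placeholder versioned key URI for bring-your-own-key; the vault needs soft-delete and purge protection.
$keyId    = 'https://kv-prod-01.vault.azure.net/keys/tde-protector/<key-version>'

Connect-AzAccount | Out-Null

# 1. TDE is on by default, but check it and turn it back on if someone disabled it.
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $database
if ($tde.State -ne 'Enabled') {
    Write-Warning "TDE is '$($tde.State)' on $database; enabling it."
    Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server `
        -DatabaseName $database -State Enabled | Out-Null
}

# 2. Bring your own key: register the Key Vault key with the server, then make it the TDE protector.
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $keyId | Out-Null
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $keyId -Force | Out-Null

# 3. Data in flight: refuse any client that cannot do at least TLS 1.2.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -MinimalTlsVersion '1.2' | Out-Null

# Report the resulting state so a pipeline can assert on it.
$protector = Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server
[pscustomobject]@{
    TdeState      = (Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $database).State
    ProtectorType = $protector.Type          # expect 'AzureKeyVault' after step 2
    MinimalTls    = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).MinimalTlsVersion
}
```

Switching the protector to a customer-managed key means that losing access to that key (deleting it, or revoking the server's permissions) makes the database inaccessible, so keep the key under purge protection and monitor the server identity's access to it.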
You want only the people and services that you choose to be able to access your databases.
In all Azure databases, you can configure the firewall, which is enabled by default and blocks connections from IP addresses that you have not allowed. This is a great practice for development and testing.
For production, you can wrap your database in a virtual network and use Azure Private Link to connect to it from the services that need it. This shields your database from the outside world.
If you are using a VM in Azure, you might be using an RDP or an SSH connection to connect to it. Exposing either of those to the internet creates a security vulnerability, so make sure that you leave those management ports closed when you create your VM.
Instead, deploy your VM in a virtual network and use Azure Bastion to connect to it securely.
When you are using Azure Bastion, your VM will never need a public IP address.
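The database firewall, Private Link and Bastion steps above, as one added Azure PowerShell example that is not part of the original page. It allows a single documentation IP range through the SQL firewall for dev/test, creates a private endpoint for the server and disables its public access for production, and then denies RDP/SSH from the internet at the NSG and deploys Bastion into the VNet. All resource names, the address range and the subnet prefix are placeholders; the VNet, app subnet and NSG are assumed to exist already.

```powershell
# Added example (not from the original page). Names and addresses are placeholders.
$rg         = 'rg-prod-data'
$server     = 'sql-prod-01'
$location   = 'westeurope'
$vnetName   = 'vnet-prod'
$subnetName = 'snet-app'     # subnet hosting the services that need the database
$nsgName    = 'nsg-app'      # NSG attached to the VM subnet/NIC

Connect-AzAccount | Out-Null

# Dev/test: the server-level firewall allows only a known egress range (203.0.113.0/24 is a
# documentation range; substitute your own). Everything else is blocked by default.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server -FirewallRuleName 'office-egress' `
    -StartIpAddress '203.0.113.10' -EndIpAddress '203.0.113.20' | Out-Null

# Production: reach the server through a private endpoint inside the VNet, then close the public door.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$sqlId  = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).ResourceId
$conn   = New-AzPrivateLinkServiceConnection -Name 'sql-plink' -PrivateLinkServiceId $sqlId -GroupId 'sqlServer'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-sql-prod' -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn | Out-Null
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -PublicNetworkAccess 'Disabled' | Out-Null

# VM access: an explicit inbound deny for RDP (3389) and SSH (22) from the Internet tag.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'deny-mgmt-from-internet' -Access Deny -Protocol Tcp `
    -Direction Inbound -Priority 100 -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange @('22', '3389') |
    Set-AzNetworkSecurityGroup | Out-Null

# Bastion needs a subnet named exactly 'AzureBastionSubnet' (/26 or larger) and a Standard static public IP.
Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.0.255.0/26' -VirtualNetwork $vnet |
    Set-AzVirtualNetwork | Out-Null
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $location `
    -AllocationMethod Static -Sku Standard
New-AzBastion -ResourceGroupName $rg -Name 'bastion-prod' -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnetName -Sku 'Basic' | Out-Null
```

Two things the script does not do for you: the private endpoint only works for name-based connections once a private DNS zone for privatelink.database.windows.net is linked to the VNet, so the server's FQDN resolves to the private IP; and the VM itself should be created without a public IP address, since Bastion is now the only path to port 22 or 3389.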
You should never store secrets like API keys and connection strings in application code where each and every developer can see them.
You should always store them in a central place in Azure: Azure Key Vault.
The Azure Key Vault contains the secrets, keys and certificates for your applications, and you can securely connect to Azure Key Vault from your services as well.
For production environments, the best practice is to create a separate Azure subscription. This keeps your production data and other assets out of your dev/test environments, and it lets you apply a different set of policies to the resources in each subscription.
It is also good practice to use RBAC (role-based access control) to control access to resources.
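An added Azure PowerShell example, not from the original page, covering both the Key Vault guidance and the separate-subscription/RBAC guidance above: it works inside the production subscription only, creates a vault that uses RBAC for authorization, stores a connection string there without it ever appearing on the command line, lets a web app read it through its managed identity with the least-privilege role, and gives developers read-only access to production. The subscription id, resource names and group name are placeholders; the web app and the developers' Azure AD group are assumed to exist.

```powershell
# Added example (not from the original page). Names are placeholders.
$prodSubscriptionId = '<production-subscription-id>'   # placeholder
$rg         = 'rg-prod-app'
$location   = 'westeurope'
$vaultName  = 'kv-prod-01'
$webAppName = 'app-prod-orders'
$secretName = 'OrdersDb-ConnectionString'

Connect-AzAccount | Out-Null
# Separate subscription: every command below lands in production, nothing in dev/test.
Select-AzSubscription -SubscriptionId $prodSubscriptionId | Out-Null

# Vault authorized through RBAC rather than per-vault access policies; purge protection prevents
# a deleted secret or key from being permanently removed during the retention window.
New-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -Location $location `
    -EnableRbacAuthorization -EnablePurgeProtection | Out-Null

# Store the secret once, centrally. Read-Host -AsSecureString keeps it out of the shell history.
$secret = Read-Host -Prompt 'Connection string' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secret | Out-Null

# The app authenticates as its managed identity and may only read secrets in this vault.
$app = Set-AzWebApp -ResourceGroupName $rg -Name $webAppName -AssignIdentity $true
New-AzRoleAssignment -ObjectId $app.Identity.PrincipalId -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope (Get-AzKeyVault -VaultName $vaultName).ResourceId | Out-Null

# Developers get Reader on the production subscription: they can inspect, not change or read secrets.
$devGroup = Get-AzADGroup -DisplayName 'sg-developers'
New-AzRoleAssignment -ObjectId $devGroup.Id -RoleDefinitionName 'Reader' `
    -Scope "/subscriptions/$prodSubscriptionId" | Out-Null

# The app never sees the value in code or config: the setting is a Key Vault reference that App Service
# resolves at runtime. Set-AzWebApp -AppSettings replaces the whole set, so merge with existing settings.
$settings = @{}
(Get-AzWebApp -ResourceGroupName $rg -Name $webAppName).SiteConfig.AppSettings |
    ForEach-Object { $settings[$_.Name] = $_.Value }
$settings['ConnectionStrings:Orders'] = "@Microsoft.KeyVault(VaultName=$vaultName;SecretName=$secretName)"
Set-AzWebApp -ResourceGroupName $rg -Name $webAppName -AppSettings $settings | Out-Null
```

Because the vault uses RBAC, the same role assignments show up in the subscription's activity log as any other access change, which is what you audit when checking who can read production secrets.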
Your web apps are under constant threat of attack. They can get hit by things like SQL injection attacks and cross-site scripting attacks.
To deal with these attacks, you should implement a gateway service like Azure Front Door or Azure Application Gateway that can route and filter your traffic.
In both of these services, you can enable the web application firewall (WAF) feature.
This feature detects attacks like these and can block and report them.
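Enabling the WAF on an existing Application Gateway, as an added Azure PowerShell example that is not code from the original page. It checks that the gateway runs a WAF SKU, applies the OWASP core rule set in Prevention mode with request-body inspection, and writes the configuration back. The resource group and gateway name are placeholders.

```powershell
# Added example (not from the original page). Names are placeholders.
$rg          = 'rg-prod-web'
$gatewayName = 'agw-prod'

Connect-AzAccount | Out-Null
$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gatewayName

# The WAF is only available on the WAF / WAF_v2 SKU tiers; fail early rather than silently doing nothing.
if ($gw.Sku.Tier -notmatch 'WAF') {
    throw "$gatewayName uses SKU tier '$($gw.Sku.Tier)'; the web application firewall needs a WAF tier."
}

# OWASP core rule set, Prevention mode: matching requests (SQL injection, XSS, ...) are blocked and logged.
# Start with FirewallMode 'Detection' on a new site to review false positives before switching to Prevention.
$gw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw `
    -Enabled $true -FirewallMode 'Prevention' -RuleSetType 'OWASP' -RuleSetVersion '3.1' `
    -RequestBodyCheck $true   # inspect POST bodies, not only URLs and headers

# Nothing changes in Azure until the modified gateway object is written back.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# Show what is now active.
(Get-AzApplicationGateway -ResourceGroupName $rg -Name $gatewayName).WebApplicationFirewallConfiguration |
    Select-Object Enabled, FirewallMode, RuleSetType, RuleSetVersion, RequestBodyCheck
```

The blocked and detected requests go to the gateway's firewall log category; send that category to a Log Analytics workspace through a diagnostic setting so the "report" half of the feature reaches the people who watch alerts.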
If there were only a single best practice that you could follow, it would be this: use Azure Security Center.
It is an Azure service that tells you what your security state is, what you can improve and how you can do that.
You can use the Azure Security Center to periodically check the security of your resources and to be alerted and notified when something needs your attention.
The Azure Security Center helps you to implement security best practices by telling you where they need to be implemented and allows you to directly implement them from the Security Center itself.
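Pulling the Security Center view into a script, as an added Azure PowerShell example that is not from the original page (the Az.Security module; the service has since been rebranded Microsoft Defender for Cloud, but the cmdlets keep their names). It reports the secure score, lists the unhealthy recommendations ordered by how many resources they affect, makes sure a security contact is notified on alerts, and turns on the paid tier for VMs and SQL servers so threat-detection alerts are generated. The contact e-mail is a placeholder, and the property names read from the returned objects are as exposed by the module at the time of writing.

```powershell
# Added example (not from the original page). The contact address is a placeholder.
Connect-AzAccount | Out-Null

# Overall posture for the current subscription.
Get-AzSecuritySecureScore | Format-List

# What to fix first: unhealthy recommendations, grouped so the most widespread ones come out on top.
$unhealthy = Get-AzSecurityAssessment | Where-Object { $_.Status.Code -eq 'Unhealthy' }
$unhealthy |
    Group-Object DisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Be alerted when something needs attention: e-mail the security team and subscription admins.
Set-AzSecurityContact -Name 'default1' -Email 'secops@example.com' -AlertAdmin -NotifyOnAlert | Out-Null

# The free tier gives recommendations only; the Standard tier adds threat detection and alerts
# for the resource types covered earlier on this page.
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' | Out-Null
Set-AzSecurityPricing -Name 'SqlServers'      -PricingTier 'Standard' | Out-Null

# Anything currently open and high severity.
Get-AzSecurityAlert |
    Where-Object { $_.State -eq 'Active' -and $_.Severity -eq 'High' } |
    Select-Object AlertDisplayName, CompromisedEntity, TimeGeneratedUtc |
    Format-Table -AutoSize
```

Run the first two blocks on a schedule (an Automation runbook or a pipeline job) and diff the unhealthy list against the previous run; a new entry is the "something needs your attention" signal the text describes, without waiting for someone to open the portal.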