Connect your VMs to Azure Sentinel

Create an application control rule in Azure Security Center

Periodically run a script that lists the running processes on each VM. The IT manager can then shut down any applications that shouldn't be running.

Collection security data in Azure Sentinel.

Build a custom tool that collects security data and displays a report through a web application.

Look through each security log daily and email a summary to your team.

Place the certificates on a network share.

Store them on a VM that's protected by a password.

Store the certificates in Azure Key Vault.

Configure the network to ensure that VMs on the same physical host are isolated.

This is not possible. These workloads need to be run on-premises.

Run the VMs on Azure Dedicated Host.

Azure Firewall

Network security groups

Azure DDoS Protection

Configure Azure DDoS Protection to limit network access to trusted ports and hosts.

Create application rules in Azure Firewall

Ensure that all running applications communicate with only trusted ports and hosts.

Allocate each VM on its own virtual network.

Create a network security group rule that prevents access from another VM on the same network.

Configure Azure DDoS Protection to limit network access within the virtual network.