DEV Community

loading...

Secure applications

cheahengsoon profile image Eng Soon Cheah ・2 min read

Configure SSL/TLS certificates

  • Primary characteristics of certificates assigned to Azure services:
    • X.509 v3 format
    • Signed by a trusted CA or self-signed
    • Subject name matches fully qualified domain name (FQDN) of the target service:
      • FQDN must include a custom domain name
      • Use of platform-assigned domain names (e.g. cloudapp.net) is not allowed
    • Minimum of 2048-bit encryption
  • Implementing self-signed certificates: - Windows: New-SelfSignedCertificate (replaces deprecated makecert.exe) - Linux: ssh-keygen

Configure managed service identity for app services

  • Primary characteristics of managed service identity:
    • Represents an Azure AD identity
    • Is platformed-managed (eliminates the need to rotate secrets)
    • Facilitates authentication by applications that Azure services are hosting
    • Supports two types of identities:
      • System-assigned: an identity autoassociated directly with a specific Azure service
        • User-assigned: a standalone identity that allows association with multiple Azure services
  • Implementing managed service identity:
    • Azure portal: directly from the blade of the target Azure service
    • Azure PowerShell
    • Azure CLI
    • REST API

Implement PaaS firewall rules

  • Primary characteristics of Platform as a Service (PaaS) firewall:
    • Supports a number of Azure PaaS services, including Azure Storage
    • Default allow (all networks)
    • Operates on the network level (proper authorization to the target service is still required)
  • Configuring PaaS firewall:
    • To restrict traffic from the internet:
      • Specify one or more IP address ranges from which traffic will be allowed
    • To allow traffic from specific subnets of virtual networks only:
      • On virtual network subnets, create virtual network service endpoints
      • On the PaaS firewall, specify subnets of virtual networks  

Configure Azure services to protect web apps

  • Primary characteristics of Azure Front Door Service:
    • Facilitates defining, managing, and monitoring global routing for traffic targeting web apps
    • Operates at layer 7 of the OSI model (HTTP/HTTPS)
    • Uses anycast with split TCP and the Microsoft global network to optimize performance and reliability -Implementing AFD for web apps:
    • Create an AFD instance
    • Add application backend and backend pools
    • Add routing rules

Configure Azure Application Security Groups

  • Primary characteristics of ASGs:
    • Serve as an extension to NSGs
    • Eliminate the need to reference IP address ranges in NSGs
    • Allow grouping of Azure VMs based on their workload, regardless of their IP address
    • Are assigned to network interface cards (NICs) of Azure VMs
  • ASG constraints:
    • All NICs associated with the same ASG must be connected to the same virtual network
    • You can’t specify multiple ASGs as a source and/or destination of an NSG rule Alt text of image

Discussion (1)

pic
Editor guide