Eng Soon Cheah

Secure applications

Configure SSL/TLS certificates

  • Primary characteristics of certificates assigned to Azure services:
    • X.509 v3 format
    • Signed by a trusted CA or self-signed
    • Subject name matches fully qualified domain name (FQDN) of the target service:
      • FQDN must include a custom domain name
      • Use of platform-assigned domain names (e.g. cloudapp.net) is not allowed
    • Minimum of 2048-bit encryption
  • Implementing self-signed certificates:
    • Windows: New-SelfSignedCertificate (replaces deprecated makecert.exe)
    • Linux: ssh-keygen

Configure managed service identity for app services

  • Primary characteristics of managed service identity:
    • Represents an Azure AD identity
    • Is platform-managed (eliminates the need to rotate secrets)
    • Facilitates authentication by applications that Azure services are hosting
    • Supports two types of identities:
      • System-assigned: an identity auto-associated directly with a specific Azure service
      • User-assigned: a standalone identity that allows association with multiple Azure services
  • Implementing managed service identity:
    • Azure portal: directly from the blade of the target Azure service
    • Azure PowerShell
    • Azure CLI
    • REST API

Implement PaaS firewall rules

  • Primary characteristics of Platform as a Service (PaaS) firewall:
    • Supports a number of Azure PaaS services, including Azure Storage
    • Default allow (all networks)
    • Operates on the network level (proper authorization to the target service is still required)
  • Configuring PaaS firewall:
    • To restrict traffic from the internet:
      • Specify one or more IP address ranges from which traffic will be allowed
    • To allow traffic from specific subnets of virtual networks only:
      • On virtual network subnets, create virtual network service endpoints
      • On the PaaS firewall, specify subnets of virtual networks
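The two configuration paths above, applied to an Azure Storage account with the Azure CLI, as an added example that is not part of the original post: the default action is flipped from Allow to Deny, a subnet is admitted through a Microsoft.Storage service endpoint, and one internet range is allowed. Resource names and the CIDR are placeholders; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: lock down a storage account's PaaS firewall.
# All names below are placeholders, not values from the post.
set -eu

RG="${RG:-rg-example}"              # placeholder resource group
SA="${SA:-stexample}"               # placeholder storage account
VNET="${VNET:-vnet-example}"        # placeholder virtual network
SUBNET="${SUBNET:-snet-app}"        # placeholder subnet
OFFICE_CIDR="${OFFICE_CIDR:-203.0.113.0/24}"  # RFC 5737 documentation range

# Execute az, or print the command when DRY_RUN=1 (offline review/testing).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: the subnet needs a Microsoft.Storage service endpoint before the
# storage firewall can reference it.
enable_service_endpoint() {
  run az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage
}

# Step 2: change the default action from Allow (the out-of-the-box setting)
# to Deny. Without this step the rules below have no effect, because every
# network is already allowed.
deny_by_default() {
  run az storage account update \
    --resource-group "$RG" --name "$SA" \
    --default-action Deny --bypass AzureServices
}

# Step 3: allow only the service-endpoint subnet and one internet range.
allow_subnet_and_ip() {
  run az storage account network-rule add \
    --resource-group "$RG" --account-name "$SA" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  run az storage account network-rule add \
    --resource-group "$RG" --account-name "$SA" \
    --ip-address "$OFFICE_CIDR"
}

# Check: the effective default action should now read "Deny".
verify_default_action() {
  run az storage account show --resource-group "$RG" --name "$SA" \
    --query networkRuleSet.defaultAction -o tsv
}

lock_down_storage() {
  enable_service_endpoint; deny_by_default; allow_subnet_and_ip; verify_default_action
}
```

Network rules only control reachability; callers admitted by the firewall still need a valid key, SAS, or Azure AD role on the account.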

Configure Azure services to protect web apps

  • Primary characteristics of Azure Front Door Service:
    • Facilitates defining, managing, and monitoring global routing for traffic targeting web apps
    • Operates at layer 7 of the OSI model (HTTP/HTTPS)
    • Uses anycast with split TCP and the Microsoft global network to optimize performance and reliability
  • Implementing AFD for web apps:
    • Create an AFD instance
    • Add application backend and backend pools
    • Add routing rules

Configure Azure Application Security Groups

  • Primary characteristics of ASGs:
    • Serve as an extension to NSGs
    • Eliminate the need to reference IP address ranges in NSGs
    • Allow grouping of Azure VMs based on their workload, regardless of their IP address
    • Are assigned to network interface cards (NICs) of Azure VMs
  • ASG constraints:
    • All NICs associated with the same ASG must be connected to the same virtual network
    • You can’t specify multiple ASGs as a source and/or destination of an NSG rule
