
Victor

[Part 2] - Practice Azure services - Enhance security by using Key Vault and App Configuration

Scenario

In the previous post, we used a shared key to establish a connection to an Azure storage account (including Table storage and Blob storage) and SQL Database. This method can lead to security vulnerabilities. To enhance the security of our application, we can leverage App Configuration along with Azure Key Vault. This post illustrates how to integrate these services into our current application.

Let's get started.

Overview architecture


The app now functions similarly to what was described in the earlier post. The difference is that we now save the connection string (shared key) for the storage account and SQL Database in Key Vault, and the configurations are managed in App Configuration instead of relying on the environment variables of Azure App Service. When the API starts up, it will load the configuration from an additional configuration provider, which is App Configuration, with the values sourced from Key Vault.

Set up Azure services
If you're unsure how to set up Azure App Configuration and Azure Key Vault, you can refer to these Microsoft articles:

Quickstart: Create an Azure App Configuration store | Microsoft Learn

Tutorial for using Azure App Configuration Key Vault references in an ASP.NET Core app | Microsoft Learn

You need all of the information below before proceeding to the next step.

Key Vault and new secrets


App configuration


Activate Managed Identity for the API

Activate system managed identity

Note the Object (principal) ID; you will use it in the next step.

Grant your API / local dev account access to Key Vault

Azure role-based access control: "Key Vault Secrets User"/"Key Vault Administrator"

Grant permission

Modify code

You can use the code sample from the previous post.

Add one more extension class that adds Azure App Configuration to the provided configuration builder.

Code snippet 1

Modify "Program.cs" file

Code snippet 2
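
One way to write the extension class and call it from "Program.cs", as an added example rather than the author's original code. The class name `AppConfigurationExtensions` and method name `AddAppConfigurationWithKeyVault` are hypothetical; it assumes the NuGet packages Microsoft.Extensions.Configuration.AzureAppConfiguration and Azure.Identity and the config key "appConfig:ConnectionString" used in this post.

```csharp
// Added example; class and method names are hypothetical.
// Packages: Microsoft.Extensions.Configuration.AzureAppConfiguration, Azure.Identity
using System;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

public static class AppConfigurationExtensions
{
    public static IConfigurationBuilder AddAppConfigurationWithKeyVault(
        this IConfigurationBuilder builder)
    {
        // Build the providers registered so far (appsettings.json, environment
        // variables) to read the App Configuration connection string.
        var current = builder.Build();
        var connectionString = current["appConfig:ConnectionString"];
        if (string.IsNullOrWhiteSpace(connectionString))
        {
            // Fail at startup instead of running without the expected settings.
            throw new InvalidOperationException(
                "Missing configuration value 'appConfig:ConnectionString'.");
        }

        // Uses the managed identity on App Service and the developer's
        // Visual Studio / Azure CLI sign-in when running locally.
        var credential = new DefaultAzureCredential();

        return builder.AddAzureAppConfiguration(options =>
        {
            options.Connect(connectionString)
                   // Key Vault references stored in App Configuration are
                   // resolved with the identity that was granted the
                   // "Key Vault Secrets User" role on the vault.
                   .ConfigureKeyVault(kv => kv.SetCredential(credential));
        });
    }
}

// Program.cs (top-level statements), before builder.Build():
//   var builder = WebApplication.CreateBuilder(args);
//   builder.Configuration.AddAppConfigurationWithKeyVault();
```

With this in place, the storage account and SQL Database connection strings are never written to app settings: App Configuration holds only Key Vault references, and the secret values are fetched at startup under the app's identity.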

Run locally

Change the value of the config key: "appConfig:ConnectionString"
Run the API from Visual Studio. If it runs successfully, deploy to Azure App Service.

Deploy new changes to Azure App Service

Check API

Environment variables of the App Service

App service environment variable

API Swagger - OK: this means the app can interact with App Configuration and Key Vault

API endpoints

Over to you: When should you use App Configuration and Key Vault, and what are the pros and cons?