Azure Web Apps Advanced Security
•Download as PPTX, PDF•
1 like•685 views
Azure Web Apps Security using a Virtual network, App Gateway, Internal ASE, External ASE, IP Whitelisting, Web Application Firewall, OWASP, Managed Service Identity.
More Related Content
What's hot
What's hot (20)
Similar to Azure Web Apps Advanced Security
Similar to Azure Web Apps Advanced Security (20)
More from Udaiappa Ramachandran
More from Udaiappa Ramachandran (20)
Recently uploaded
Recently uploaded (20)
Azure Web Apps Advanced Security
- 1. Azure WebApps – Advanced Security Udaiappa Ramachandran ( Udai ) LinkedIn://linkedin.com/in/udair Twitter: @nhcloud
- 2. Who am I? • Udaiappa Ramachandran ( Udai ) • CTO, Akumina, Inc., • Consultant • Focus on Cloud Computing • Microsoft Azure, Amazon Web Services and Google • New Hampshire Cloud User Group (http://www.meetup.com/nashuaug ) • http://cloudycode.wordpress.com • @nhcloud
- 3. Agenda • Introduction to Web Apps • App Gateway • VNET Service Endpoints • App Service Environment • WebApp Deployment Scenarios • PowerShell Provisioning • References
- 4. Web Apps • Multiple languages and frameworks • DevOps optimization • Global scale with high availability • Connections to SaaS platforms and on-premises data • Security and compliance • Application templates • Visual Studio integration • API and mobile features • Hosts Windows, Linux, Dockers, Mobile and Serverless code
- 5. App Gateway • Web Traffic Load balancer • Protects your workload • Web application firewall (OWASP 3.0 or 2.2.9 ruleset) • URL-based routing • Multiple-site hosting • Multi-tenant • Auto scaling and zone redundancy • Redirection • Global redirection • Path-based redirection (ex., /cart/*) • Redirect to external site • Cookie based session affinity • WebSocket and HTTP/2 traffic • Health Monitoring • Static VIP
- 6. VNET Service Endpoints • Generally available • Azure Storage: Generally available in all Azure regions. • Azure SQL Database: Generally available in all Azure regions. • Azure Database for PostgreSQL server: Generally available in Azure regions where database service is available. • Azure Database for MySQL server: Generally available in Azure regions where database service is available. • Azure Cosmos DB: Generally available in all Azure public cloud regions. • Azure Key Vault: Generally available in all Azure public cloud regions. • Preview • Azure SQL Data Warehouse: Available in preview in all Azure public cloud regions. • Azure Service Bus: Available in preview. • Azure Event Hubs: Available in preview. • Azure Data Lake Store Gen 1: Available in preview.
- 7. Deployment - Simple • Store Sensitive details such as connection string to Key Vault • Enable Identity (MSI- Managed Service Identity) to access the key vault
- 8. Deployment – With App Gateway • Store Sensitive details such as connection string to Key Vault • Use Identity to access the key vault • Configure App Gateway as a Whitelist IP to Web App • Enable WAF on App Gateway with Detection or Prevention mode • Deploy App Gateway into multiple Zones • Assign right size based on the WebApp Content Response
- 9. Deployment-VNET Client • Point-to-Site VPN • User Action • Need whitelist IP to work with other services such as Storage, Key Vault, etc., • Store Sensitive details such as connection string to Key Vault • Use Identity to access the key vault • Configure App Gateway as a Whitelist IP to Web App • Enable WAF on App Gateway with Detection or Prevention mode • Deploy App Gateway into multiple Zones • Assign right size based on the WebApp Content Response
- 10. WebApp and VNET Client Issues • Client address (40.79.65.200) is not authorized and caller is not a trusted service Create a VM, install any software and configure including any ports • 403 Forbidden message from Azure Storage • It is by design that we cannot enable the Azure Storage firewall if the Azure App Service and Azure Storage Account are in the same region • The public multi-tenant App Service does not support integration with the Service Endpoints + Firewall feature of Azure Storage • Allow trusted Microsoft services to access this storage account • Add the Outbound IP Address • 403 Forbidden message from Key Vault • The public multi-tenant App Service does not support integration with the Service Endpoints + Firewall feature of Azure Storage • Allow trusted Microsoft services to bypass this firewall • Add the Outbound IP Address
- 11. App Service Environment • External ASE • Internal ASE
- 12. Deployment – VNET (ASE) • Site-to-Site VPN • User Action: • Store Sensitive details such as connection string to Key Vault • Use Identity to access the key vault • Configure App Gateway as a Whitelist IP to Web App • Enable WAF on AppGateway with Detection or Prevention mode • Deploy App Gateway into multiple Zones • Assign right size based on the WebApp Content Response
- 13. Demo • App Gateway • VNET Client • VNET – ASE • PowerShell
- 14. References • VNET Service Endpoints: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints- overview • Integrate your app with an Azure Virtual Network: https://docs.microsoft.com/en-us/azure/app-service/web-sites- integrate-with-vnet • Application Gate way: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-introduction • Multi-tenant back ends: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app- overview • URL-based routing: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway- introduction#url-based-routing • Application Gate way FAQ: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq • URL path-based redirection: https://docs.microsoft.com/en-us/azure/application-gateway/tutorial-url-redirect- powershell • About ASEs: https://docs.microsoft.com/en-us/azure/app-service/environment/intro • Network Architecture of an ASE: https://docs.microsoft.com/en-us/azure/app-service/environment/network-info • Trusted Microsoft Services: https://docs.microsoft.com/en-us/azure/storage/common/storage-network- security#trusted-microsoft-services • How to create an ASE: • External ASE: https://docs.microsoft.com/en-us/azure/app-service/environment/create-external-ase • Internal ASE: https://docs.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase
- 15. Thank you for attending New Hampshire Code Camp (@NHCodecamp) 2018
Editor's Notes
- Multiple languages and frameworks - Web Apps has first-class support for ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can also run PowerShell and other scripts or executables as background services. DevOps optimization - Set up continuous integration and deployment with Azure DevOps, GitHub, BitBucket, Docker Hub, or Azure Container Registry. Promote updates through test and staging environments. Manage your apps in Web Apps by using Azure PowerShell or the cross-platform command-line interface (CLI). Global scale with high availability - Scale up or out manually or automatically. Host your apps anywhere in Microsoft's global datacenter infrastructure, and the App Service SLA promises high availability. Connections to SaaS platforms and on-premises data - Choose from more than 50 connectors for enterprise systems (such as SAP), SaaS services (such as Salesforce), and internet services (such as Facebook). Access on-premises data using Hybrid Connections and Azure Virtual Networks. Security and compliance - App Service is ISO, SOC, and PCI compliant. Authenticate users with Azure Active Directory or with social login (Google, Facebook, Twitter, and Microsoft). Create IP address restrictions and manage service identities. Application templates - Choose from an extensive list of application templates in the Azure Marketplace, such as WordPress, Joomla, and Drupal. Visual Studio integration - Dedicated tools in Visual Studio streamline the work of creating, deploying, and debugging. API and mobile features - Web Apps provides turn-key CORS support for RESTful API scenarios, and simplifies mobile app scenarios by enabling authentication, offline data sync, push notifications, and more. Serverless code - Run a code snippet or script on-demand without having to explicitly provision or manage infrastructure, and pay only for the compute time your code actually uses (see Azure Functions).
- Open Web Application Security Project Global redirection Redirects from one listener to another listener on the gateway. This enables HTTP to HTTPS redirection on a site. Path-based redirection This type of redirection enables HTTP to HTTPS redirection only on a specific site area, for example a shopping cart area denoted by /cart/*. Redirect to external site Public IP(optional)->FrontEndPort<-Listener(host,port,certificate)->Rule(where to go)->httpsettings(protocol,port,certificate)->backend pool (paas,iass,lb), probe(protocol,host,path,port) Proble helps to track the healthiness
- Point-to-Site VPN
- External ASE: Exposes the ASE-hosted apps on an internet-accessible IP address. For more information, see Create an External ASE. ILB ASE: Exposes the ASE-hosted apps on an IP address inside your VNet. The internal endpoint is an internal load balancer (ILB), which is why it's called an ILB ASE. For more information, see Create and use an ILB ASE.