I like to skate on the other side of the ice ~Steven Wright
Azure App Service is a platform-as-a-service offering from Azure for hosting web apps, mobile backends and RESTful APIs. Even though the infrastructure is fully managed for us, we remain responsible for securing the application we deploy.
App Service infrastructure components such as compute, storage, web frameworks and networking are continuously updated to address vulnerabilities and are compliant with rigorous standards.
This includes isolating your resources from other customers' resources in the shared environment, unless you are using an isolated App Service Environment (ASE).
All communications between resources are…
Life is like riding a bicycle. To keep your balance, you must keep moving. ~Albert Einstein
What is Azure Application Gateway?
An Azure Application Gateway is a Layer 7 (HTTP, HTTPS) web traffic load balancer used to create highly scalable and secure web front ends.
Traditional Load Balancers vs. Azure Application Gateway
Traditional load balancers operate at Layer 4, which means routing is based on IP address and port, whereas Azure Application Gateway routes traffic based on the HTTP request URI and headers.
Application Gateway backends can still use Layer 4 load balancers behind them, e.g. a web server behind an application gateway…
Security is not a product but a process ~Bruce Schneier
What is a stored access policy?
Let's start with why we need a stored access policy in the first place. We can grant access to storage accounts by sharing the account keys directly, but this gives full access to all the services in that storage account.
We can provision a more granular level of access, scoped to a service and to specific permissions, with shared access signatures (SAS). These SAS tokens are signed with the storage account keys (with the exception of user delegation SAS). If, by any chance, these SAS keys are…
It is good to review past mistakes before committing new ones ~Warren Buffet
What is Azure Access Review?
Azure Access Review is used to assess continued access to Azure groups, user roles, and applications. It can be used to set up reviews on a recurring basis to ensure the right users and groups have the right roles assigned to them.
Prerequisites for Access Review
Azure AD Premium P2 or Enterprise Mobility & Security (EMS) E5 license is required for this feature.
How does it help?
It reduces admin overhead and prevents excessive rights from remaining assigned to groups and users.
It enables consistent reviews. Manual reviews can…
consistency is the key
What is Azure Blueprint?
Azure Blueprint is used to package infrastructure items together, enabling consistency and compliance throughout the enterprise.
Instead of managing a mess of PowerShell scripts and deployment documents, we can create blueprints and use them to deploy resources consistently.
It avoids the manual effort of consulting resource architecture documents and replicating designs by hand, which is error-prone and time-consuming.
It also considerably reduces the time needed to build environments from scratch.
Don't ARM templates have similar functionality?
Yes and no. Yes, ARM templates can be used to deploy resources consistently too, but we either have to…
Our goal is to set the gold standard when it comes to compliance ~Cathy Engelbert
What is an Azure Policy?
Azure policies help organizations enforce standards and maintain consistency across resources. These standards may be required for regulatory compliance or simply for organizational consistency in managing security, cost, etc.
Rules are defined in policies and evaluated against the properties of existing and new resources to identify and remediate non-compliant resources.
There are several built-in policies already available in Azure for some common use cases.
How does it work?
Rules are defined in a JSON format for resources…
Wikis work best in environments where you’re comfortable delegating control to the users of the system. ~ Howard G. Cunningham
SAS tokens provide limited access to resources in a storage account. We can specify which resources clients can access, which permissions they have, and the duration of the access. Access can also be restricted to specific IP addresses.
Types of SAS tokens:
User Delegation SAS: signed with the Azure AD credentials of a user or service principal instead of the storage account keys. The necessary roles must be assigned to the user to enable this.
Service SAS: a service SAS delegates access to…
Everyone is a strong proponent of strong encryption ~ Dorothy Denning
Azure Disk Encryption is used to encrypt data at rest for both Linux and Windows Virtual Machines.
Both OS and data disks can be encrypted. The Azure Disk Encryption service uses the dm-crypt feature of Linux for encryption and BitLocker to encrypt Windows systems.
Disk Encryption is integrated with Azure Key Vault for storing encryption keys. The Key Vault and the VMs must be in the same region and subscription.
Not all VM sizes can be encrypted; Basic and A-series machines are not supported. …
I realize I don’t do a very good job of keeping up to date, but I try to. ~ Bob Dylan
The Azure Update Management service is used to manage OS patches and updates for both Windows and Linux platforms. It is not limited to Azure resources; it also covers on-premises and third-party cloud environments.
Update Management is not a separate Azure service but a component of an Azure Automation account. The solution itself is free; only Log Analytics storage costs apply.
Windows client operating systems (Windows 7, 10) cannot be patched using Update Management; only Windows Server is supported (along with Linux machines).
As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace ~ Newton Lee
Azure Front Door is a highly available and scalable global application delivery network service that offers load balancing at the HTTP/S level (Layer 7) for applications.
In the simple illustration below, Azure Front Door (custom DNS www.foo.com) load balances web applications deployed in East US and West US. Thanks to its routing capability, it can direct requests to the nearest, lowest-latency location (based on several factors discussed later).
Client requests are forwarded to the most available and highest performing application backend. …