Azure App Service is a cloud-based platform for hosting and managing web apps, mobile app back ends, RESTful APIs, or automated business processes. One of the key requirements for any application, especially those hosted in the cloud, is security. In this article, we will look at some of the ways to configure and manage security for an Azure App Service, a topic relevant for the AZ-500 Microsoft Azure Security Technologies exam.

1. Authentication/Authorization

Azure provides built-in authentication and authorization support to secure your web app without altering your code. It integrates with Azure Active Directory, Facebook, Google, Twitter, and Microsoft, so you can concentrate on your application code, and let Azure take care of the security foundation.

To add and configure this, navigate to the Authentication / Authorization pane in your app’s Azure portal settings. Here, you can select your chosen provider from the list, or use Azure Active Directory for controlling access.

2. Manage Identity and Access Control

An important aspect of security is managing who can access your Azure resources and what they can do with them. Role-Based Access Control (RBAC) is the primary method that Azure uses for managing access. Here’s a snippet that shows how to assign a role for an App Service:

az role assignment create --assignee appServicePrincipalId --role Reader --scope /subscriptions/SUBSCRIPTION_ID/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/myWebApp

This grants the principal `appServicePrincipalId` the Reader role, scoped to the single web app `myWebApp` rather than to the resource group or subscription.

3. Configuring SSL/TLS

SSL/TLS is critical for securing your website by encrypting communications between server and user. Azure App Service provides automated, managed certificates that are free to use and renew with no configuration. It is also possible to upload a custom SSL certificate.

To configure SSL/TLS, navigate to the `TLS/SSL settings` area on the App Service and manage `Private Key Certificates (.pfx)`, or import and use `Managed Certificates`.

4. App Service Managed Service Identity (MSI)

Azure Services can use Managed Service Identity to obtain Azure Active Directory (AAD) tokens. These tokens can then be used to access resources that support AAD authentication.

To enable MSI for your App Service, navigate to `Identity` under the `Settings` tab in the Azure portal.

5. Network Isolation and Access Restrictions

Azure App Service Environment (ASE) is a deployment option that runs your apps inside your own virtual network, which gives them network isolation. Inbound and outbound traffic can then be controlled with Network Security Groups (NSGs).

To set up an ASE, go to the `Networking` section in your App Service settings in the Azure portal.

6. Application Gateway Web Application Firewall (WAF)

Azure Application Gateway offers a web application firewall (WAF) that provides centralized, inbound protection for your web applications. Customers can enable WAF on their Application Gateway with one click.

To configure a WAF, navigate to `Firewalls and virtual networks` in your Application Gateway instance.

Setting up security for Azure App Service is essential to ensure that your applications are safe and secure. By leveraging Azure’s built-in tools and features, you can secure your applications more efficiently and effectively. Make sure you understand these concepts for your AZ-500 exam and beyond.

Practice Test

True or False: In Azure App Service, you can configure both network and application-level security.

  • True
  • False

Answer: True

Explanation: In Azure App Service, you can configure security at both the network and application levels to protect and isolate your data and applications.

To manage access in Azure App Service, which feature is used?

  • Azure Active Directory
  • Managed Service Identity
  • Role Based Access Control
  • Access Management

Answer: Role Based Access Control

Explanation: Role-Based Access Control (RBAC) is used to manage access and permissions in Azure App Service.

True or False: Azure App Service uses Firewall to protect applications.

  • True
  • False

Answer: True

Explanation: Azure App Service uses a firewall to protect applications from potential threats by filtering inbound and outbound network traffic.

Which of the following can be used to encrypt data at rest in Azure App Service?

  • Application Request Routing
  • Azure DNS
  • Azure Storage Service Encryption
  • Azure Information Protection

Answer: Azure Storage Service Encryption

Explanation: Azure Storage Service Encryption is used for encrypting data at rest.

In Azure App Service, which feature is not a part of securing network traffic?

  • Web Application Firewall
  • Private Endpoints
  • Internet Protocol restrictions
  • Content Delivery Network

Answer: Content Delivery Network

Explanation: Content Delivery Network is not a part of securing network traffic in Azure App Service.

True or False: You can only configure security for the application level in Azure app service.

  • True
  • False

Answer: False

Explanation: In Azure App Service, you can configure security at both the application and network levels.

Which of the following is not a part of securing applications in Azure App Service?

  • Using encryption in transit
  • Authentication/Authorization
  • FTP/FTPS
  • Azure Data Catalog

Answer: Azure Data Catalog

Explanation: Azure Data Catalog is not involved in securing applications in Azure App Service.

True or False: Azure App Service does not include Managed Service Identity.

  • True
  • False

Answer: False

Explanation: Azure App Service does include Managed Service Identity (MSI), which is a feature of Azure Active Directory.

Among the following, which can be set up for encryption of sensitive data in Azure App Service?

  • VPN Gateway
  • Azure Key Vault
  • Azure Logic Apps
  • Azure Cognitive Service

Answer: Azure Key Vault

Explanation: Azure Key Vault is a specialized service for storing sensitive data and can be used for encryption in Azure App Service.

True or False: Azure App Service uses DNS to protect applications.

  • True
  • False

Answer: False

Explanation: Azure App Service does not use DNS for security. It uses a firewall and other security measures like RBAC and MSI.

In Azure App Service, which two features enable single sign-on? (Choose two)

  • Azure Active Directory
  • Azure Blockchain Service
  • Azure AD B2B Collaboration
  • Azure Maps

Answer: Azure Active Directory, Azure AD B2B Collaboration

Explanation: With Azure AD and Azure AD B2B collaboration, single sign-on capability can be enabled in Azure App Service.

True or False: Role-Based Access Control (RBAC) in Azure App Service enables secure access at the application level only.

  • True
  • False

Answer: False

Explanation: RBAC manages access at both the network and application levels in Azure App Service.

To encrypt data in transit to and from an application in Azure App Service, which feature is used?

  • Azure Express Route
  • Azure AD Connect
  • HTTP/HTTPS
  • Azure AD Privileged Identity Management

Answer: HTTP/HTTPS

Explanation: HTTPS is used for encryption in transit for data to and from an application in Azure App Service.

Azure App Service uses which of the following to isolate networking traffic to your apps?

  • Azure Service Fabric
  • Azure Virtual Networks (VNet)
  • Azure DevOps
  • Azure Front Door

Answer: Azure Virtual Networks (VNet)

Explanation: Azure Virtual Networks (VNet) is used by Azure App Service to isolate network traffic to your apps.

True or False: Private Endpoint can be enabled in Azure App Service to access an app over a private network connection.

  • True
  • False

Answer: True

Explanation: In Azure App Service, Private Endpoint can be enabled to ensure network traffic between your app and the private network is kept on the Microsoft backbone network.

Interview Questions

What is Azure App Service?

Azure App Service is a fully managed platform for building, deploying, and scaling web apps. You can host web apps, mobile app back ends, RESTful APIs, or automated business processes.

How can you securely redirect HTTP traffic to HTTPS in Azure App Service?

You can enable the “HTTPS Only” option in the Azure portal to securely redirect HTTP traffic to HTTPS.

What authentication method can be used with Azure App Service?

Azure App Service provides built-in authentication and authorization support so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions.

How can you enable authentication in Azure App Service?

To turn on authentication and authorization for an app in the App Service, go to the Azure portal, then navigate to the Authentication / Authorization pane in the App Service app’s menu.

What is managed identity in Azure App Service?

Managed identities for Azure resources is a feature of Azure Active Directory. With this feature, you can easily access other AAD-protected resources such as Azure Key Vault.
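As an added example (not code from the article), this is the token flow that section 4 and this answer describe: the app asks the local managed identity endpoint for a token and uses it to read a Key Vault secret, so no credential is stored with the app. IDENTITY_ENDPOINT and IDENTITY_HEADER are the variables App Service injects; the vault and secret names are hypothetical.

```python
"""Acquire a token from the App Service managed identity endpoint and read a Key Vault secret."""
import json
import os
import urllib.parse
import urllib.request

MSI_API_VERSION = "2019-08-01"        # App Service managed identity endpoint version
KV_API_VERSION = "7.4"                # Key Vault REST API version
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def token_request(resource, endpoint=None, header=None):
    """Build the (url, headers) pair for the local managed identity endpoint.

    The endpoint is reachable only from inside the app's sandbox, and the
    X-IDENTITY-HEADER value proves the caller is the app itself, so nothing
    secret has to be stored in the application's configuration.
    """
    endpoint = endpoint or os.environ["IDENTITY_ENDPOINT"]
    header = header or os.environ["IDENTITY_HEADER"]
    query = urllib.parse.urlencode({"resource": resource, "api-version": MSI_API_VERSION})
    return f"{endpoint}?{query}", {"X-IDENTITY-HEADER": header}


def get_token(resource):
    """Call the managed identity endpoint and return the bearer token for `resource`."""
    url, headers = token_request(resource)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def secret_url(vault_name, secret_name):
    """Key Vault data-plane URL for the latest version of a secret."""
    return (f"https://{vault_name}.vault.azure.net/secrets/"
            f"{urllib.parse.quote(secret_name)}?api-version={KV_API_VERSION}")


def get_secret(vault_name, secret_name):
    """Read a secret with the identity's token; the vault's RBAC or access policy decides if this succeeds."""
    token = get_token(KEY_VAULT_RESOURCE)
    req = urllib.request.Request(secret_url(vault_name, secret_name),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # Hypothetical vault and secret names; runs only inside an App Service with MSI enabled.
    print(get_secret("my-vault", "SqlConnectionString"))
```

Run it inside an app with a system-assigned identity and grant that identity secret read permission on the vault; outside App Service the environment variables are absent and the call fails by design.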

How can you secure the connection strings in Azure App Service?

You can store your connection strings securely in the App Service configuration (app settings). Connection strings and other configuration values are exposed to the app as environment variables, which a .NET app can read through the System.Configuration.ConfigurationManager class.

What is Azure App Service Environment (ASE) for?

Azure App Service Environment (ASE) lets you host App Service apps inside your own Virtual Network (VNet), on infrastructure dedicated entirely to your apps, for increased performance and security.

Is it possible to use custom domain SSL for an Azure App Service app?

Yes, you can add a custom domain to your app and secure it with an SSL binding in Azure App Service.

What is the server-level IP safelist in Azure Database for MySQL?

The server-level IP firewall of Azure Database for MySQL accepts connections only from listed addresses. Adding your app's outbound IP addresses to that safelist allows the App Service app to reach your MySQL server.

What are Azure Security Center’s recommendations for App Service?

Azure Security Center provides several recommendations for securing your App Service, such as enabling HTTPS only, installing application updates, and enabling managed service identity.

How can you monitor Azure App Service?

You can use Azure Monitor to collect, analyse, and act on telemetry data from your Azure and on-premises environments. Monitor helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

What encryption options does Azure App Service provide?

Azure App Service provides two types of encryption: encryption in transit and encryption at rest. Encryption in transit protects your data if communications are intercepted while data moves between the client and the service. Encryption at rest protects your data from unauthorized access while it is stored on the app's file system.

What is CORS and how does it relate to Azure App Service?

CORS (Cross-Origin Resource Sharing) is a W3C protocol that allows a web application running at one origin to access resources from a server at a different origin. Azure App Service supports CORS at the application level.

How to enable a Managed Service Identity for your web app?

Inside the Azure Portal, in your App Service instance details blade, click on the option “Identity”. In the Identity blade, switch the “System Assigned” status to On, then Save.

How to use IP restrictions for an Azure App Service?

IP restrictions for an Azure App Service can be used to allow access to your app service only from a list of known IP addresses. These can be configured in the Networking section of the Azure portal.
