For the AZ-104 Microsoft Azure Administrator exam, it is vital that you understand the key methodologies that can be used to provide robust security to Azure Web Apps. This examination will test your aptitude and understanding of Azure services, like securing Azure web apps, authenticating and authorizing users, restricting access using firewall rules, and installing SSL certificates.
Securing Azure Web Apps
Azure web apps are protected by several security controls. The key methods are:
1. Authentication and Authorization
Azure provides built-in authentication and authorization support which restricts access to your web-based applications. This helps in securing your applications, consequently reducing the need for application code dealing with security aspects.
Azure integrates the app registration process with an identity provider such as Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter. After the authentication process, it delivers the user claims to your application to make authorization decisions.
Example
az webapp auth update --name WebApp1 --resource-group myResourceGroup --enabled true --action LoginWithAzureActiveDirectory --aad-client-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --aad-client-secret password --token-store true --aad-allowed-token-audiences https://WebApp1.azurewebsites.net/.auth/login/aad/callback
This command enables Azure Active Directory authentication for the web app.
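How an app can read the claims App Service forwards after sign-in and use them for an authorization decision, as an added example that is not part of the original page. App Service passes the signed-in principal as base64-encoded JSON in the X-MS-CLIENT-PRINCIPAL header; the role name, the `roles` claim type and the sample user are assumptions constructed for illustration.

```python
import base64
import json

HEADER = "X-MS-CLIENT-PRINCIPAL"  # base64 JSON principal added by App Service


def decode_client_principal(header_value):
    """Return the decoded principal dict, or None if the header is malformed."""
    try:
        principal = json.loads(base64.b64decode(header_value, validate=True))
    except (ValueError, TypeError):
        return None
    if not isinstance(principal, dict) or not isinstance(principal.get("claims"), list):
        return None
    return principal


def claim_values(principal, claim_type):
    """Collect every value of one claim type from the {typ, val} claim list."""
    return [c.get("val") for c in principal["claims"]
            if isinstance(c, dict) and c.get("typ") == claim_type]


def authorize(headers, required_role, role_claim_type="roles"):
    """Return (allowed, reason). role_claim_type is an assumption: the claim
    type that carries roles depends on the provider and token configuration."""
    value = headers.get(HEADER)
    if not value:
        return False, "no principal header"
    principal = decode_client_principal(value)
    if principal is None:
        return False, "malformed principal header"
    if required_role in claim_values(principal, role_claim_type):
        return True, "role present"
    return False, "role missing"


def sample_header(roles):
    """Build a constructed header value in the shape App Service sends."""
    claims = [{"typ": "name", "val": "alice@example.com"}]
    claims += [{"typ": "roles", "val": r} for r in roles]
    principal = {"auth_typ": "aad", "name_typ": "name", "role_typ": "roles", "claims": claims}
    return base64.b64encode(json.dumps(principal).encode()).decode()


if __name__ == "__main__":
    print(authorize({HEADER: sample_header(["Reports.Admin"])}, "Reports.Admin"))
    print(authorize({HEADER: sample_header(["Reports.Read"])}, "Reports.Admin"))
    print(authorize({}, "Reports.Admin"))
```

The header is only trustworthy when the request actually passed through App Service authentication, so the check fails closed when it is absent or cannot be decoded.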
2. SSL bindings
Security should be implemented at every level of your application. One level is communication between your consumers and the web app itself. Here, SSL (Secure Sockets Layer), or its updated version TLS (Transport Layer Security), encrypts this communication, providing a secure pathway.
Azure web apps can manage and renew your SSL certificates automatically once a binding is configured directly on your web app. In addition, the App Service Certificate simplifies the creation, management and configuration of SSL certificates for your domains.
Example
az webapp config ssl bind --certificate-thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --ssl-type SNI --name WebApp1 --resource-group myResourceGroup
This will add an SSL binding to your web app using the certificate thumbprint.
3. IP Restrictions
The Azure App Service can restrict incoming traffic by enabling Access Restrictions. In this case, rules can be set to allow or deny access based on IP address or CIDR range.
The Access Restrictions service augments the security of your app by enabling restrictions by IP/CIDR range, Azure Virtual Network Service Endpoint, Azure App Service Environment boundaries, or a combination of all these.
Example
az webapp config access-restriction add --resource-group myResourceGroup --name WebApp1 --rule-name 'IP Restriction Rule' --action Allow --ip-address 203.0.113.0/24 --priority 100
This command adds an access restriction rule to the web app allowing traffic from the IP address range 203.0.113.0/24.
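A pre-flight check for access restrictions, as an added example that is not part of the original page: it models how a rule list is evaluated (lowest priority number first, first match wins, implicit deny once any rule exists) and reports which trusted ranges would lose access. The second rule and the trusted ranges in the test data are constructed; the first rule mirrors the command above.

```python
import ipaddress

IMPLICIT_DENY = "(implicit deny all)"

# Constructed rule set: the first rule mirrors the CLI example above,
# the second is a hypothetical higher-precedence deny.
RULES = [
    {"name": "IP Restriction Rule", "action": "Allow", "cidr": "203.0.113.0/24", "priority": 100},
    {"name": "Block one host", "action": "Deny", "cidr": "203.0.113.77/32", "priority": 50},
]


def _ordered(rules):
    # Lower priority number is evaluated first.
    return sorted(rules, key=lambda r: r["priority"])


def evaluate(rules, source_ip):
    """Return (action, rule_name) for one source address; first match wins."""
    if not rules:
        return "Allow", "(no restrictions configured)"
    addr = ipaddress.ip_address(source_ip)
    for rule in _ordered(rules):
        if addr in ipaddress.ip_network(rule["cidr"], strict=False):
            return rule["action"], rule["name"]
    return "Deny", IMPLICIT_DENY


def range_verdict(rules, trusted_cidr):
    """Conservative verdict for a whole range: Allow only if one Allow rule
    covers it entirely before any Deny rule touches part of it."""
    if not rules:
        return "Allow", "(no restrictions configured)"
    trusted = ipaddress.ip_network(trusted_cidr, strict=False)
    for rule in _ordered(rules):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if not trusted.overlaps(net):
            continue
        if rule["action"] == "Deny":
            return "Deny", rule["name"]
        if trusted.subnet_of(net):
            return "Allow", rule["name"]
    return "Deny", IMPLICIT_DENY


def lockout_report(rules, trusted_ranges):
    """List (range, blocking_rule) for trusted ranges that would lose access."""
    verdicts = [(cidr, range_verdict(rules, cidr)) for cidr in trusted_ranges]
    return [(cidr, name) for cidr, (action, name) in verdicts if action == "Deny"]
```

Running `lockout_report` against the planned rule list and the list of office, VPN and monitoring ranges before applying the rules shows which of them would fall through to the implicit deny.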
In conclusion, securing your Azure App Service includes implementing a range of strategies, from authentication and authorization to SSL bindings and IP restrictions. Successfully passing the AZ-104 Microsoft Azure Administrator exam will require a deep understanding of these methodologies and how they functionally impact Azure web apps. Consider the above strategies and practice using the Azure CLI and Azure portal tools to confidently implement these aspects for the AZ-104 exams.
Practice Test
True or False: App Service automatically switches to HTTPS on Azure.
- True.
- False.
Answer: True.
Explanation: Azure App Service enforces HTTPS for all incoming requests by default, enhancing the security of the application.
Which of these is NOT a threat detection type for App Service on Azure?
- a. SQL Injection
- b. Access from unusual location
- c. DDoS attack
- d. Illegal experimentation
Answer: (d) Illegal experimentation
Explanation: Azure does not directly have a threat detection type named “Illegal experimentation”. It has other measures like SQL Injection, Access from unusual location, and DDoS attack.
True or False: Azure App Service provides built-in authentication and authorization support.
- True.
- False.
Answer: True.
Explanation: Azure App Service indeed provides built-in authentication and authorization support, helping to secure your application without changing code.
Which of these is not a technical requirement to secure an App Service?
- a. SSL certificate
- b. Traffic Manager
- c. VPN
- d. Network Security Groups
Answer: (b) Traffic Manager
Explanation: Traffic Manager in Azure is used for DNS based traffic load balancing and not specifically for the security of App Service.
Is it possible to define custom domain SSL bindings for your App Service?
- a. Yes
- b. No
Answer: a. Yes.
Explanation: Azure allows you to define custom domain SSL bindings to secure the connection to your App Service.
True or False: App Service Environments offer the maximum security, scalability and isolation for running App Service apps in Azure.
- True.
- False.
Answer: True.
Explanation: App Service Environments offer greater security, scalability and isolation by running in your virtual network and scaling to numerous instances.
Which of the following is not a restriction for Free and Shared scale modes of App Service?
- a. No VNet Integration
- b. Always On not supported
- c. SSL not supported
- d. Can only host Node.js apps
Answer: d. Can only host Node.js apps.
Explanation: Azure App Service supports multiple languages and frameworks such as .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python.
True or False: Azure App Service supports IP based SSL.
- True.
- False.
Answer: True.
Explanation: Azure App Service does support IP-based SSL apart from SNI SSL.
Which of Azure’s web application security services includes a Web Application Firewall (WAF)?
- a. Azure App Service
- b. Azure DDoS Protection
- c. Azure Active Directory
- d. Azure Front Door
Answer: d. Azure Front Door
Explanation: While Azure App Service does have some security measures, the Web Application Firewall (WAF) is part of the Azure Front Door Service.
True or False: Azure App Service provides pre-defined security alerts.
- True.
- False.
Answer: True.
Explanation: Azure App Service provides pre-defined security alerts as a part of its threat protection solution.
Difficulty level: Medium. Which of the following are correct methodologies to secure an App Service?
- a. Rely on Azure’s default settings.
- b. Regularly review and rotate access credentials.
- c. Utilize Azure AD for authentication and authorization.
- d. Use only HTTP for connection.
Answer: b. Regularly review and rotate access credentials, c. Utilize Azure AD for authentication and authorization.
Explanation: One shouldn’t rely only on default settings for security and HTTPS should always be used instead of HTTP for connections.
What can you use to detect and mitigate potential security threats to your Azure App Service?
- a. Application Insights
- b. Azure Monitor
- c. Azure Security Center
- d. None of the above
Answer: c. Azure Security Center.
Explanation: Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.
Interview Questions
What is Azure App Service?
Azure App Service is a fully managed platform for building, deploying,
and scaling your web apps. It provides a powerful and flexible option
to create everything from simple prototypes to complex web applications.
How can you secure an App Service in Azure?
We can secure Azure App Service in several ways:
- Authentication and authorization
- Client certificate
- IP restrictions
- Secure Sockets Layer (SSL) settings
What are the functions of Azure App Service Authentication/Authorization?
Azure App Service Authentication/Authorization allows you to easily
secure your app with a variety of authentication providers like Azure Active
Directory, Google, Facebook, Twitter etc. and manage the authorized access
to your app.
How does Azure App Service IP Restrictions work?
IP Restrictions for an Azure App Service allow you to set up a list of
allowable IP addresses. This way, only requests made from these IP addresses
can access the web application and all other IP addresses are denied by default.
How do you apply SSL settings to an Azure app service?
To apply SSL settings to an Azure app service, go to the Azure portal,
navigate to the app service you want to configure, click on ‘TLS/SSL settings’,
and there you can add, map, and remove SSL bindings.
How does Azure App Service handle Client Certificates?
Azure App Service has an option to require incoming requests to present
a valid client certificate for authorization. This is done by uploading the
certificate into the Azure portal and then enabling the option on the App Service.
How can Azure App Service Authentication/Authorization setup be configured?
The Azure App Service Authentication/Authorization set up can be configured
in the Azure portal at the individual web application level. We can navigate to the
web application and under the ‘Authentication/Authorization’ blade, configure the desired settings.
What are some of the built-in authentication providers supported by Azure App Service?
Azure App Service supports a variety of built-in authentication providers such as
Azure Active Directory, Google, Facebook, Twitter, Microsoft Account and others.
What is the primary purpose of securing Azure App Services with Client Certificates?
The primary purpose is to require incoming requests to present a valid certificate
for authentication. This enables an additional security layer where each request made to the
app service can be authenticated and authorized using SSL client certificates.
Can an App Service on Azure be integrated with a Virtual Network?
Yes, Azure App Services can be integrated with Azure Virtual Networks using Service Endpoints and
Azure Private Link to securely host and access web apps.
What precautions should be taken before enabling IP restrictions on an Azure app service?
Before enabling IP restrictions on an Azure app service, ensure that
any trusted IP addresses or ranges are added to the whitelist; otherwise,
they may be blocked from accessing the app service.
What is the purpose of Windows Identity Foundation (WIF) in Azure App Service Authorization?
Windows Identity Foundation (WIF) is a framework for building
identity-aware applications. In Azure App Service, it is used
to authenticate and authorize users to gain access to protected
resources within the application.
Are multi-factor authentication methods applicable on Azure App Services?
Yes, Azure App Service does allow for the implementation of multi-factor
authentication methods for user sign-in, requiring users to verify their
identity through more than one verification method.
What is the role of Azure Private Link in securing an Azure App Service?
Azure Private Link provides private access to your app service over a private network
connection. It helps isolate the network traffic to your app service, thus adding a
significant layer of security.
Can service endpoints increase the security of your Azure App Service?
Yes, service endpoints provide secure and direct network connectivity to
Azure resources from a virtual network, enhancing your app service’s security
by isolating access to your app service on a per-virtual network basis.