
Azure Network Security

Security is one of the critical areas when you are deploying applications on the cloud. Cloud providers publish a set of best practices and tools to help you secure your applications.

Virtual Network: helps create virtual boundaries and isolate resources from unwanted access. Setting up subnets further helps create sub-boundaries within a virtual network. Secure connectivity options such as Site-to-Site and Point-to-Site connectivity using ExpressRoute or Virtual Network Gateways help connect on-prem and cloud networks securely.

Network Security Groups (NSG): An NSG holds security rules that ensure only the desired traffic can be received by, or sent from, a virtual network or subnet.

A security rule contains the following aspects:

  • name (unique)
  • priority (the lower the number, the higher the precedence)
  • source / destination
  • protocol
  • direction (inbound / outbound)
  • port range
  • action (allow / deny)

You can associate an NSG with a virtual network, subnet, or Application Security Group.
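To make the priority and first-match semantics of those rule aspects concrete, here is an added example (not code from the original post or from Azure) that models NSG rule evaluation in Python; the rule names, IP ranges and ports are constructed for illustration, and only the inbound catch-all default rule is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of NSG rule evaluation (illustration, not Azure's own code):
# rules are tried in ascending priority and the first match decides.
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules use 100-4096; the lower number wins
    direction: str    # "Inbound" or "Outbound"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # source CIDR, or "*" for any
    port_range: str   # destination port: "22", "80-443" or "*"
    action: str       # "Allow" or "Deny"

# Azure's catch-all inbound default; its other defaults (AllowVNetInBound 65000,
# AllowAzureLoadBalancerInBound 65001) use service tags and are not modelled.
DEFAULT_RULES = [Rule("DenyAllInbound", 65500, "Inbound", "*", "*", "*", "Deny")]

def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _source_matches(source: str, addr: str) -> bool:
    return source == "*" or ip_address(addr) in ip_network(source, strict=False)

def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Return (action, rule name) from the first matching rule by priority."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and _source_matches(r.source, src_ip)
                and _port_matches(r.port_range, dst_port)):
            return r.action, r.name
    return "Deny", "implicit"  # not reached while the default rule is present

# Constructed rule set: SSH only from the corporate range, web from anywhere,
# and a Deny for one abusive range placed at a LOWER number than AllowWeb so
# that it wins; at priority 250 it would never be reached for ports 80-443.
RULES = [
    Rule("AllowSshFromCorp", 100, "Inbound", "Tcp", "10.0.0.0/8", "22", "Allow"),
    Rule("DenyBlockedRange", 150, "Inbound", "*", "198.51.100.0/24", "*", "Deny"),
    Rule("AllowWeb", 200, "Inbound", "Tcp", "*", "80-443", "Allow"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "Inbound", "Tcp", "10.1.2.3", 22))      # ('Allow', 'AllowSshFromCorp')
    print(evaluate(RULES, "Inbound", "Tcp", "203.0.113.9", 22))   # ('Deny', 'DenyAllInbound')
    print(evaluate(RULES, "Inbound", "Tcp", "198.51.100.5", 443)) # ('Deny', 'DenyBlockedRange')
```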

Azure Firewall: With Azure Firewall you can define FQDN traffic rules and network traffic rules. A Network Security Group is targeted at a virtual network or subnet, whereas the Firewall monitors traffic more broadly.

There are three kinds of rules that you can configure in Azure Firewall. Remember, by default, Azure Firewall blocks all traffic unless you explicitly allow it.

NAT rules: You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound traffic to your subnets. Each rule in the NAT rule collection is used to translate your firewall public IP and port to a private IP and port. Scenarios where NAT rules might be helpful include publishing SSH, RDP, or non-HTTP/S applications to the Internet. A NAT rule that routes traffic must be accompanied by a matching network rule to allow the traffic.

Network rules: Any non-HTTP/S traffic that will be allowed to flow through the firewall must have a network rule. For example, if resources in one subnet must communicate with resources in another subnet, then you would configure a network rule from the source to the destination.

Application rules: Application rules define fully qualified domain names (FQDNs) that can be accessed from a subnet. For example, you can allow Windows Update network traffic through the firewall by specifying its FQDNs.

Application Security Group: ASGs enable you to configure network security as a natural extension of an application’s structure. That means you can create an NSG and apply it to an ASG. The ASG can be applied to a VM or a set of VMs (forming an application that includes web servers, application servers, and database servers).

Azure Virtual Network Connectivity

There are two major ways to connect virtual networks: VNet peering and Virtual Network Gateways.

VNet Peering: If both of the virtual networks you are trying to connect are on Azure, the best and simplest approach to create a connection is Virtual Network Peering. One can create local VNet peering for connecting virtual networks in the same region, or global VNet peering for VNets in different regions.

An important point to note here is that if you have created VNet peering from network A to network B, it does not automatically mean there is connectivity from network B to A as well. You need to create an additional peering from B to A. Also, VNet peering is not transitive: A-to-B connectivity and B-to-C connectivity do not give automatic A-to-C connectivity.

Virtual Network Gateways: A Virtual Network Gateway needs to be deployed in its own subnet, so you start by creating a special “Gateway Subnet”. After this, you create two virtual network gateways, for example one for virtual network A and another for B. After that, you can create a connection between the two networks. Again, you will need to create a separate connection from A to B and from B to A as required.

Azure DNS: It is a service for hosting your Domain Name System records. You can create not only a public domain, but also a private domain that is accessible from within your virtual networks.

You start by creating a DNS zone and adding records. An A record maps a domain name to an IP address. A CNAME record provides an alias for an existing domain; for example, www.kamalmeet.com can be an alias for kamalmeet.com.

Azure Load Balancing Options

There are multiple ways in which one can manage traffic or balance load in Azure.

Load Balancer

Azure Load Balancer works at layer 4 of the OSI model, i.e. the transport layer. This means it only directs incoming traffic to destination IPs and does not have access to request data.

A load balancer has the following main components:

  • Frontend IP configuration
  • Backend pool (for example VMs)
  • Health probes
  • Load balancing rules

Application Gateway

The Application Gateway in Azure works at layer 7, the application layer of the OSI model. This means the Application Gateway can access request data and form rules based on it. For example, we can set rules so that requests matching the /images pattern are sent to one backend, whereas /videos requests go to another. Additionally, one can have features like SSL termination and a WAF (Web Application Firewall, which protects against threats like SQL injection attacks, Cross-Site Scripting or XSS attacks, etc.).

Application Gateway core components:

  • Frontend IP (public or private)
  • Listeners (listen for traffic and route it based on rules)
  • Request routing rule (when adding a rule, you need to define a listener and a backend pool)
  • Backend pool

While talking about Application Gateway, it is important to mention Azure Front Door, which works at the global level. From Azure: “While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a non-regional service whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units/clusters/stamp units across regions, Application Gateway allows you to load balance between your VMs/containers etc. that is within the scale unit.”

Traffic Manager

Traffic Manager distributes traffic at the DNS level, hence it is used for managing traffic at the global level. For example, you might want traffic originating from Europe to hit Europe servers, whereas traffic from North America hits North America servers. While resolving the DNS name, Traffic Manager chooses the backend endpoint based on the rules set. An important thing to note is that actual traffic never passes through Traffic Manager, unlike the Load Balancer or Application Gateway, because Traffic Manager is only responsible for returning the endpoint; after that, the client interacts directly with the endpoint.

The following routing methods are supported:

  • Priority
  • Weighted
  • Performance
  • Geographic
  • Multivalue
  • Subnet

Virtual Networks

Some time back I wrote about virtual networks and the Azure-specific implementation. Here is a quick recap and some additional details.

As the name suggests, the term virtual network has two words: virtual and network. We deal with networks on a daily basis in our offices and workplaces; they are nothing but a collection of computers, machines, and other devices. With infrastructure moving to the cloud, where we deal with virtual machines and devices, it is logical to have a network that is virtual, hence a virtual network.

Next within the network, we create subnets to logically divide our network. The network address space is divided among subnets.

Network Virtual Appliances (NVAs) are virtual machines with pre-installed images that provide networking capabilities such as firewalls, WAN optimizers, routers, load balancers, etc.

A virtual network gateway (which creates encrypted cross-premises connections to your virtual network from on-premises locations, or encrypted connections between VNets) is composed of two or more VMs that are automatically configured and deployed to a specific subnet you create, called the gateway subnet. The gateway VMs contain routing tables and run specific gateway services. It can use one of three protocols: OpenVPN, SSTP (Secure Socket Tunneling Protocol, Windows only), and IKEv2 (Internet Key Exchange version 2).

To communicate between virtual networks, we have VNet peering, which can be local (same-region VNets) or global (VNets in different regions).

Additionally, one can set up a load balancer, which can be internal (within the network) or external (for traffic from outside the network). A 5-tuple hash is used by default to route traffic, which includes source IP, destination IP, destination port, and protocol.

Azure Monitor

Azure Monitor is a tool that acts as an umbrella for services that help us gather telemetry data and analyze it. Azure Monitor captures data in the form of logs and metrics. Logs contain time-stamped information about changes made to resources; log data is mostly in text form. Metrics, on the other hand, are numerical values that describe some aspect of a system at a point in time.

image source: https://docs.microsoft.com/en-us/azure/azure-monitor/overview

The image above shows how Azure Monitor gathers data in the form of logs and metrics from applications and other Azure resources. Once data is gathered, Monitor can be used to view and analyze it in the form of tables and graphs. In addition, one can set up an automated response in the form of alerts, or pass the information on to Logic Apps or custom APIs.

You can capture the following data with Azure Monitor:

Application data: Data that relates to your custom application code.
Operating system data: Data from the Windows or Linux virtual machines that host your application.
Azure resource data: Data that relates to the operations of an Azure resource, such as a web app or a load balancer.
Azure subscription data: Data that relates to your subscription. It includes data about Azure health and availability.
Azure tenant data: Data about your Azure organization-level services, such as Azure Active Directory.

source: https://docs.microsoft.com/en-us/azure/azure-monitor/overview


Azure Application Insights

Once your application is deployed in a production environment, you want to make sure everything is working fine with it. You would like to analyze how many exceptions and errors are being thrown, how many requests are being handled, how many requests are being made, what the memory and CPU usage is, and so on. In Azure, you can do all this by using the Application Insights tool.

Application Insights instrumentation in your app sends telemetry to your Application Insights resource.
image source: https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview

You can see in the image above that your application components publish data to the Application Insights service, from where you can create alerts and reports, or trigger other actions based on your needs.

Setting up Application Insights needs some instrumentation on your application side. Mostly it is as simple as importing the SDK and adding a config file. Here is a detailed explanation of how to implement it for a Java project: https://docs.microsoft.com/en-us/azure/azure-monitor/app/java-get-started?tabs=maven.

You can gather the following information from Application Insights:

  • Request rates, response times, and failure rates
  • Dependency rates, response times, and failure rates 
  • Exceptions
  • Pageviews and load performance
  • AJAX calls
  • User and session counts
  • Performance counters 
  • Host diagnostics
  • Diagnostic trace logs
  • Custom events and metrics

For more information on Application Insights and its usage with different languages: https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview

Azure Security Center

Security is one of the most important aspects of any application. When you deploy an application on the cloud, you have to make sure you handle security at multiple levels, including the computing infrastructure, storage, database, application level and so on. Azure Security Center is a tool that can assist you in your quest for absolute security for your applications. The tool comes free with a Microsoft Azure account and can help you understand whether any of your resources or applications need attention.

The image above of the Security Center shows how we can easily get a high-level view of our security posture. It gives us actionable recommendations, such as whether we need to turn on encryption for some of our resources, or whether some API is exposed to the public and should be controlled.


Managed Identities for Azure Resources

In my last post I talked about how one can use Azure Active Directory to manage user access for various resources. But it is not only users who need access to resources; there are times when your application code needs to access cloud resources. Your application might need access to key vaults, databases, storage, etc. This can be managed in a manner similar to how we managed access for users, using Managed Identities. Basically, we give our application or resource an identity, and using that identity it can access any cloud resource, like Key Vault, just like a user.

Managed service identities and Azure VMs

image source: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

The image above shows how a resource with a managed identity can get a token from Azure AD, and then use this token to access a cloud resource that grants permission to that identity.


Here are a few key terms you need to understand:

An “Identity” is a thing that can be authenticated.

A “Principal” is an identity acting with certain roles or claims.

A “Service Principal” is an identity that is used by a service or application. It can be assigned roles.

A “Managed Identity” is an identity created for a service, which is like creating an account in the Azure AD tenant. The Azure infrastructure automatically takes care of authenticating the service and managing the account.
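The token step shown in the image above (resource asks for a token, then presents it to the target service) is what a managed identity replaces credentials with; here is an added Python example, not code from the original post or the Azure SDK, showing the raw request an Azure VM makes to the Instance Metadata Service for such a token. The endpoint, api-version and the mandatory Metadata header are Azure's documented values; the sample response and token value are constructed.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed example (not Azure SDK code): the token request a VM with a
# managed identity makes to the Azure Instance Metadata Service (IMDS). The
# endpoint, api-version and the mandatory "Metadata: true" header are Azure's
# documented values; the sample response below is made up for illustration.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

def build_token_request(resource: str) -> Request:
    """Build the IMDS request for a token whose audience is one resource
    (e.g. https://vault.azure.net for Key Vault). IMDS rejects requests that
    lack the Metadata header, so a plain browser redirect cannot reach it."""
    query = urlencode({"api-version": API_VERSION, "resource": resource})
    return Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})

def parse_token_response(body: bytes, now: int) -> str:
    """Return the bearer token if the response is well-formed and not expired."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("unexpected IMDS response")
    if int(data["expires_on"]) <= now:   # expires_on is a Unix timestamp string
        raise ValueError("token already expired")
    return data["access_token"]

def bearer_header(token: str) -> dict:
    """Authorization header used on the call to the target service."""
    return {"Authorization": f"Bearer {token}"}

def fetch_token(resource: str) -> str:
    """Live call: only works on an Azure VM or other resource with a managed
    identity, where IMDS is reachable. No credential is stored in the app."""
    with urlopen(build_token_request(resource), timeout=5) as resp:
        return parse_token_response(resp.read(), int(time.time()))

# Constructed sample response with the fields IMDS returns (not a real token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.EXAMPLE.TOKEN",
    "expires_on": "1700003600",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
}).encode()
```

The token is short-lived and bound to the audience named in `resource`, so the target service (Key Vault here) still checks that the identity has been granted a role or access policy before honouring the request.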

Azure Active Directory

Azure Active Directory, or AAD as it is commonly known, is a powerful tool that helps manage users and their access. Let us start by taking a look at the official definition by Microsoft:

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:

  • External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

Additionally:

The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.

Reference: https://azure.microsoft.com/en-in/services/active-directory/

One key term here is “Single Sign On” or SSO. Let’s assume that you work for a company that requires you to access multiple applications, for example your email, an HR system, a leave management system, a project management system, an employee directory and so on. Now think of a scenario where you are required to sign into all these applications independently. For each application you have a separate set of credentials that you need to remember, which weakens security. Additionally, managing access is also difficult for admins: when an employee leaves or joins the company, an admin ends up adding or removing credentials in multiple applications, which again is error prone.

To handle such problems, Single Sign-On provides a mechanism to manage user identities in a single place and to provide or manage access to different applications. Azure Active Directory is such a system, helping manage user identities in one place and control access to various applications and resources on the cloud.

We can see that Azure provides a very simple way to create directories and manage users, groups and roles. In addition, it also allows you to manage user settings, such as whether a user needs multi-factor authentication, or whether a user is located in a specific country and can log in only from there, etc.