Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 days ago.
Improve this question
I enabled custom domain to access blobs on my storage account. On the storage account i initially had Secure transfer disabled. I was able to access the blob using custom domain. When i enabled Secure transfer i get the message AccountRequiresHttps
When i checked the tooltip on Secure transfer required it says "
The secure transfer option enhances the security of your storage account by only allowing requests to the storage account by secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPs. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When you are using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPs for custom domain names, this option is not applied when using a custom domain name."
I was expecting the Secure tranfer required option wont really apply to custom domain
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
I have a node.js app that's connected to Amazon RDS database, and the app itself is hosted on Elastic Beanstalk.
For it to start work I've allowed "all public connections" in the database and set up so that all inbound traffic can access the database. But if someone get the endpoint link to my database they can access it however they want if I understand things correctly, so I'm now asking you how should I set up the security in the settings for my app?
In the client my app will write the users login data and store some information about them, and they will be able to see their own data and the data from people who are their "friends" in the app.
I've read through some of the documentation but as I'm pretty new to all this I have a hard time understanding what would be the best solution for me.
Thanks.
From a network security perspective you want to make sure that only resources that need to talk to your database are able to do so, i.e. you want a "least-privilege" approach on your network layer.
The way to do that in AWS is through security groups and subnets. Since a database should never be publicly accessible, it should be deployed into a private subnet. That will ensure the database can't be exposed to the internet by accident. While ensuring that resources within your network/VPC are still able to send traffic to the database (in principle).
This is where the next layer of security comes in, we try to restrict access to the database to only the instances that really need it. The way to do that is through security groups. These are essentially instance-level firewalls that control who is allowed to access the instance. Your beanstalk instances will have a security group as well. Security groups can use references to other security groups, so ideally you'd configure the database security group to only allow traffic on the database port (e.g. 3306 for MySQL) from the security group of the Elastic Beanstalk instances.
Afterwards only the beanstalk instances will be able to talk to your database, which is a good first step.
Now that only your application servers can access the database server you should think about how you handle authentication from these servers. You should avoid hard-coding your database credentials on the machines and instead store them in some external service such as the AWS Secrets Manager or the Systems Manager Parameter Store. Afterwards you give the instances permissions to fetch the credentials from there by extending the permissions of the instance role. You should then write code to fetch the credentials + connection string from one of these sources in your application.
For additional security ensure that the connection to the database is encrypted in transit using some form of SSL/TLS, the specific settings depend on your database engine.
I'd also suggest you take a look at the security section of the RDS documentation - this has been an overview of the first steps you should consider, but there is always more to do :)
References
Guide on creating a VPC for your RDS DB
SSL/TLS configurations
Security Groups and RDS
Using the Secrets Manager to rotate DB credentials
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
How can I attach a certificate for the backend HTTP setting via DevOps Repo. The certificate is in my PC. Not much familiar with this coding logic.
Please help me
How can I attach a certificate for the backend HTTP setting via DevOps Repo. The certificate is in my PC
To achieve this, you could submit your certificate to the Secure files in the Azure Devops Library:
Secure files:
Use the Secure Files library to store files such as signing
certificates, Apple Provisioning Profiles, Android Keystore files, and
SSH keys on the server without having to commit them to your source
repository. Secure files are defined and managed in the Library tab in
Azure Pipelines.
Then we could use the Download Secure File task in a pipeline to download a secure file to the agent machine.
Next, we could use powershell scripts to attach a certificate for the backend HTTP:
Configure end to end TLS by using Application Gateway with PowerShell
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I was looking into to how import an API hosted locally/on-premise withing a internal network.
I found Microsofts documentation on: "Using Azure API Management service with an internal virtual network", but the prerequisites for that (as i understood it) was to either have a Developer or Premium tier on the APIM Resource.
As we want to be able to use the APIM in production environment we cant use the Developer tier and Premium is not profitable at this moment.
What i want to do is to be able to expose the on premises API's endpoints by proxying the endpoints via API Management.
Is there any other ways of doing this?
There are a couple of alternatives you could consider to exposing on-premises data, taking into account that the other tiers of APIM can access resources on the internet.
Application Gateway + VPN Gateway
App Service + Hybrid Connection
Logic Apps + On-Premise Data Gateway
With these setup, you could set these up as backends to APIM.
Also, you would want to protect these services from the public internet by setting up one or more of the following
IP Restrictions, if available for the service
Mutual Certificate Authentication
OAuth / Managed Identity
Also, there is a feature request for supporting Hybrid Connections directly in APIM which you could up vote for it to gain traction.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
Hi can any1 tell me how to implement email functionality in azure without using sendgrid or any other 3rd party all. Can we have service bus to connect azure and exchange server to send emails.is it possible.or do we have exchange server web services to be accesses in azure and sends
email
The problem is not about having to use a third party, it is about the security and firewall implications — particularly with corporate security overlords. An exchange server can have outgoing smtp (even with username and password) enabled, and it is easy for any application (including those running on Azure) to send outgoing SMTP. The problem that you will invariably run into is that the perimeter security around the exchange server will not allow smtp from a public ip address (hackers frequently scan for open port 25, so that they can relay spam through unsuspecting mail servers). Windows Azure (roles and websites) cannot use a fixed (outgoing) ip, so firewall rules cannot be created.
Your options are:
Setup a VPN with your corporate network, so your Azure instance will send from a private IP address.
Run a mail relay service on an Azure VM. The VM can have an infinite lease on an IP address, so won't change (much). There are simple and cheap mail transfer agent services that run on Linux.
Use any 'ol smtp server. If you're not sending much out, you could use Google or even outlook.com. Outlook.com allows you to configure accounts that are hosted elsewhere, so you should be able to use smtp with your windows live id (Microsoft account).
I would avoid writing complicated code and services that use something like service bus. System.Net.Mail should be used to send to an smtp server.
One thing I've seen done in the past was to have the Windows Azure app put a message on a queue, along with optionally some larger data (attachments, large body text, etc.) in a blob. That gets the data stored in Windows Azure storage. From there, an on-premises app (e.g. Windows Service) could pull the queue and blob data, construct an email message, and send it to the on-premises Exchange server.
If you need everything to be cloud-hosted, then I would think you should be able to connect your Windows Azure apps to an Exchange web service endpoint (assuming you can properly secure that and make the web service connection).
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I would like to limit access to my SQL Azure databases to only roles that are within the same subscription.
It seems the 'Allow other Windows Services to access this server' (0.0.0.0 - 0.0.0.0) rule would allow access attempts from any role within any subscription.
Is there currently any way to limit connection attempts to only my roles? If not what protection does SQL Azure offer against hostile roles?
Currently there is no way to limit connection attempts to only your roles. It's only a "normal" firewall which, when open for "other Windows Services" will open the 1433 port to all Azure services. No way to distinguish by role.
About the protection - I guess the only protection is the default SQL Server Authentication. I cannot say though if there is some auto blocking mechanism for too many wrong password attempts.
Something else - when you create a server, you have a unique server name, which is unique to your account and not other. So in order for the "hostile role" to begin attempting connect to your server, it must first discover your server name. Then your administrator user (which is something you create) or a valid login.