My web application's endpoints are all secured and demand an OAuth access token.
To my understanding, Azure App Services Health Check is done through a HTTP call:
https://azure.github.io/AppService/2020/08/24/healthcheck-on-app-service.html
Exposing a path like /api/health can be used for attacks like DOS.
How exposing the path /api/health is justified from the security perspective?
What is a secured way of using App Services' Health Check ?
The Azure platform itself does have some mitigations to circumvent DDoS attacks. However, you can add additional layers of protection such as DDoS, App Gateway, and WAF.
Remember though, that if you're using App Service Authentication, the platform will utilize that to send authenticated requests to your configured health check API endpoint. But from a secured way to use health check, you would make sure that your endpoint only accepts authenticated requests.
Related
I have a website on the namecheap server and an application on microsft azure deploy on Azure App Service I would like to send post requests from my namecheap server to azure which contains the application my questionis this possible and also isn't there a security risk?
thank you for your help
Web programs are accessed through HTTP Requests. The security risk you mentioned does not exist.
In webapp, the security of web application data is what we need to care about.
After passing the authentication, the data can be curd according to the authority to ensure the security of the program.
It is recommended that you deploy the azure webapp program to increase the authentication function, such as jwt token.
I'm looking for a way to host a Azure app service behind the Azure API Management without exposing a public url to the app service it self.
The API Management is going to do AD Auth so unauthorized requests are not reaching the app service and waist resources. Same goes for DDos Attacks. Must be terminated by the API Management.
How can I do this? Is the expensive Azure app service environment the only solution?
You could limit the access to your App service to the ip/hostname of the API Management instance. See https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
Ddos is hard because what is desired behavior and what is not proberbly depends if the structure of you APIs. But you could limit each subscription key with a limit. See https://learn.microsoft.com/en-us/azure/api-management/transform-api#protect-an-api-by-adding-rate-limit-policy-throttling
Current implementation:
Single-instance WebApp with custom authentication (own DB) and custom server-based token management (matching session-token-user in an in-memory table).
Desired implementation:
Multiple WebApp instances behind Azure Application Gateway as a load balancer and URL router. Still with custom authentication. Token handling: ????? (preferably JWT)
As this will be a multi-tenant service, we don't want to use AD.
Questions:
What would be the best way to implement this scenario? Where we can keep track of users vs. tokens? This is, considering that now many servers need to verify the token. An in-memory table is not suitable anymore, unless it can be done inside the Gateway instance.
Does this has to be done programmatically (like now), or there is a configurable mechanism in Gateway or some other Azure service?
Application Gateway does not support authentication with AD. It also definitely does not support custom authentication. Hence the authentication and authorization has to be done at the backend servers. The solution would require a distributed cache where tokens are kept, which is accessible to all backend servers. You could use Azure Redis Cache for this.
We have a API-based microservice system, where a public API gateway (.NET Nancy API running on Azure Website) calls into microserviced API's (various technologies) to return data.
Currently, the microserviced API's are either Azure WebSites, or Azure Functions (HTTP trigger), so that means they have a public endpoint, with HTTP exposed to the public. (e.g https://my-microservice.azurewebsites.net)
Is there any way to lock this down so that only the API gateway can call into it?
I've read about DIPR but that seems to be based on a public IPv4 address (i don't think we can get a static IP for the API gateway?).
Currently we make the microserviced API's require authentication via bearer tokens (using IdSrv auth server), but ideally i'd like to secure the API's at the network level, then remove the token/IdSrv dependency. Can we leverage VNET's?
How do other people solve this? As in, how can we lock down an Azure Website from public access?
TIA.
You should use Azure Virtual Network and create rules for inbound/outbound traffic (valid for Standard / Premium App Service Plans): https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-integrate-with-vnet
There's also Azure App Service environment for that, however it requires a Premium App Service Plan: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro
I published my web app into Azure web application but I want to provide the security for this application.
I know by using HTTPS we can provide security for web application. I read this link before posting question here.
Rather than using https, are there any other techniques for providing security to web site or web application?
As this document mentioned about the Security Level in Azure App Service:
Infrastructure and platform security - You trust Azure to have the services you need to actually run things securely in the cloud.
Application security - You need to design the app itself securely. This includes how you integrate with Azure Active Directory, how you manage certificates, and how you make sure that you can securely talk to different services.
For Infrastructure and platform security, Azure would isolate your App Service apps and communication of sensitive datas (e.g. sql connectionstring, appId, appSecret,etc.) are always encrypted. Also, App service would provide threat management protects App Service resources from malware, DDoS, MITM, and other threats.
For Application security, you need to develop, manage your application in a security way. The frequent threats would as follows:
SQL Injection
Session hijacking
Cross-site-scripting
Additionally, you could leverage integration with Tinfoil Security to perform penetration testing on your app and follow the instructions to fix possible vulnerability. For a better understanding of it, you could refer to this official tutorial about secure an app in Azure App Service.