I am hoping to use a windows service installed on client machines to talk to an azure service bus. Please note that the service is not installed on the cloud it is on premises.
During my testing I can
Add items to the queue using the default identity (taking my VS settings)
Add items to the queue using SAS - i want a bit more security, using and endpoint connection string
Add items to a queue using client, tenant and secret using ClientSecretCredentials
but I cannot find anywhere if I can use a certificate to authenticate a service principal.
It a certificate a good way to go? Are there any better alternatives?
Related
Follow up to other question posted here:
Azure microservices: authenticating downstream APIs from B2C to Azure AD, how to configure AD?
All our apps and microservices are hosted in a AKS cluster.
Want to have a single webapp decoupled from other services: using a message broker seems a good approach.
How should a public-facing portal be setup to be able to push data down into a queue or endpoint
How can calls to specific API endpoints and microservices to and from the webapp be secured from the public FE?
How would this be configured in terms of authentication, app reg etc.?
Lets answer your questions one after another which you have.
The first question
How should a public-facing portal be setup to be able to push data down into a queue or endpoint ?
For this first we need to use a Web API to push data to Azure Service Bus Queue. You can create a new ASP.NET Core Web API project and install Azure Service Bus NuGet package. Check this document for the way to do it.
Then we can use Service Bus Queue trigger Azure function to read the message from the queue and the process it or store it depending on the requirement. Check Azure Service Bus trigger for Azure Functions for more information.
The second question
How can calls to specific API endpoints and microservices to and from the webapp be secured from the public FE ?
We can achieve this requirement by securing the front end using Application Gateway. We need to configure Application Gateway in front of the Web API.
Check this Configure App Service with Application Gateway document from Microsoft for more information.
Lastly, the third question
How would this be configured in terms of authentication, app reg etc.?
In this case we can use Azure Managed Identity. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.
So, we can use Azure Managed Identities with the Azure Resources like AKS. Check this Use managed identities in Azure Kubernetes Service for more information.
On my current project I work with TFS on-prem and I need to deploy resources in Azure.
With a service principal in Azure and an ARM service endpoint in TFS, everything works fine.
However now I get the requirement to secure the service principal with a certificate instead of a password. Creating a service principal with a certificate is almost as easy as with a password, but setting up the ARM service endpoint in TFS (also VSTS by the way) is not that easy.
One of the fields I have to fill in for the ARM service endpoint is the "Service Principal Key".
When creating the service principal with a certificate, I don't have that value (which typically is the password used to create the AD application).
Is it possible to create a TFS service endpoint using an Azure service principal based on a certificate?
We cannot create the ARM service endpoint based on a certificate, just as you mentioned we can only provide the "Service Principal Key".
However we can create Azure Classic service endpoint based on a certificate.
Management Certificate:
Required for Certificate based authentication. Copy the value of the
management certificate key from your publish settings XML file or the
Azure portal.
I have created an Xamarin Android App with an Azure App Service back end. When I looked at securing the connection, I don't really care about individual users, but I want to make sure that only someone running my app can access the database. Is there a way to authenticate the app itself rather than individual users? What is the best practice in this scenario?
If you don't care about user, there are a few approaches and the security level may vary. If you want to simplify integration and deployment among Azure services, you should consider using Azure AD as an identity and access management in your entirely system. That said, your back-end and Xamarin app are authorized and authenticated via Azure AD. You need to register your native app in Azure AD which you can refer here https://learn.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-native-client
Another approach is to use certificate-based authorization against Azure Active Directory, which is more controlled and security rather than client secret. In this case, persons installing your app must also install certificate before sending request to Azure App Service and retrieve database from Azure SQL Database. The level of authorization is free of choice, but the first gateway is always Azure AD.
Is it possible to list out the cloud services for azure storage account with out using certification thumbprint . And also get the deployment ID for particular cloud service?
I have connected storage account(based on account key and account name) using azure storage client library and list out the tables and containers. My question is, displays the cloud services for particular storage account with out using certification.
Note: I saw rest api to list out the storage account and services using subscription id with certification.
I am waiting your response.
Is it possible to list out the cloud services for azure storage
account with out using certification thumbprint . And also get the
deployment ID for particular cloud service?
To achieve this, you would need to use Azure Service Management API and API calls need to be authenticated. Using X509 Certificate is one of them (which you don't want to use). Other way to achieve this would be to use Azure Active Directory. You can read more about it here: http://msdn.microsoft.com/en-us/library/azure/ee460782.aspx#bk_ad however authenticating API requests using Azure AD is more complicated than using a certificate IMHO.
What permissions I need to set for the following scenario:
I want to use Azure service bus in order to be able to connect a windows service agent running on premise and a worker role running in azure. The agent itself is a software that will run on different customers premises and communicate with my worker role via service bus. The worker role once per day will send a message to specific (maybe all, maybe few only) customers agent on premise, asking for some data. The agent will return the data to the worker role via service bus. In order to send custom message to specific customer agent I will use topics and subscriptions where every customer agent will lessen to it's specific subscription.
Now in order to build that agent and access service bus I have to make use of the namesapece, issuer name, issuer key which by default it's owner. Well owner has full control everywhere on that service bus therefore I don't want to give the owner credentials and secret key to each customer agent service. That means I have to build custom identity for each customer or a common one for all.
My questions: what do you recommend:
one common service identity for all agents or generate one identity for each agent service?
what is the minimum access I should give to them? I guess Listen and Send right?
We use the Service Bus Relay to expose internal services to third parties. We secure the services using SAS and create a new Shared Access Policy with the appropriate permissions (typically Send, Listen) for each client. On the "Configure" tab in the portal, add a "new policy name" then "save". You can then retrieve the Shared Access Key in the bottom section of the portal.
We found this method easier than generating IDs under ACS.