I developed an internal portal that is relevant to the engineering team. I restricted access to the portal by implementing Sign in With Google and as expected it is only accessible to our organization email-ids only. Now, I want to host the portal and we use Google Cloud Platform. I want to further restrict access to the portal within the organization.
What are the possible solutions to host the portal internally using Google Cloud Platform? If I host the portal and gave access to public, what could be the possible security implications?
If I understand well your concept, you are running a Web portal to authenticate your organization users to access your Frontend application, which retrieves information on a GCS bucket to be displayed on this Web page.
In this situation, the Identity-Aware Proxy (docs) that could fit your needs.
The IAP lets you manage access to applications running in the App Engine standard environment, App Engine flexible environment, Compute Engine, and GKE. IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls or VPNs. When you turn on IAP, you must also use signed headers or the App Engine standard environment Users API to secure your app.
In this link you can see a quick example of how you can control access to your web apps and VMs in GCP using the IAP feature.
Related
In Azure Storage there's a section called Firewalls and Virtual Networks. May I know if I can use it for the following usecase ?
I have a video uploaded to the blob, and I need only a set of selected users who has logged in to the application view my video.
My WebAPI application is hosted as a Azure WebApp. Can I use the IP address where the WebApp is hosted to create a rule in the Firewalls and Virtual network section below to only allow access to Storage if the user request the URL via the WebApp.(Let's say /viewVid/myvideo.mp4 )
In case if the User copies the URL of the Video (by inspecting the HTML code), and paste it on the browser will the user be able to view the video as the request is not coming via the WebApp ?
Note: Overall objective is to prevent a User from copying a URL (by inspecting the HTML code) and downloading or viewing the video.
Firewalls and VNet NSG's will are network level restrictions so they will not give you the user-level restrictions you are looking for. You can use them to limit your surface area but to implement what you are asking for, you need to implement authentication.
Azure Blob Storage supports Shared Key, Shared Access Signatures (SAS), Azure Active Directory (AAD), Active Directory Directory Services (ADDS) and Anonymous public access. The most secure way is to implement AAD with user delegation. If you are not able to store the users for this application in AAD then you should look at SAS. SAS token can be time-bound and restricted to certain IP addresses.
Also, you should take a look at Azure Media Player. Microsoft Azure Media Services (AMS) is an extensible cloud-based platform that enables developers to build scalable media management and delivery applications. Media Services is based on REST APIs that enable you to securely upload, store, encode, and package video or audio content for both on-demand and live streaming delivery to various clients (for example, TV, PC, and mobile devices).
Links
https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://learn.microsoft.com/en-us/azure/media-services/previous/media-services-content-protection-overview
I belieave that you can use app service Vnet integration feature for your project to restricted network access to storage account.
Right now we have AD set up so access to our App Service is authenticated. But we need the website to have local access to some special applications. Since we can't install applications on an App Services, I THINK that means we need to run the website on a VM.
If that's the case, I'd like to not lose the ability for Azure AD to authenticate access to our VM. I'm sure we can use Azure AD to authenticate us while we RDP to the server, but can it also be used for when we expose our Web Application over HTTPS from the server?
Since we can't install applications on an App Services, I THINK that
means we need to run the website on a VM
Even though a VM is the simplest one, you do have other options to at least consider. Here is Microsoft's documentation comparing the various options along with scenario based recommendations.
Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison
Quick Note:
Amongst the options discussed, avoid Cloud Services (classic) as far as possible, as they are legacy and on their way out. Also, if you still choose Virtual machine, do consider Virtual Machine Scale Sets for better scale and management options.
I'm sure we can use Azure AD to authenticate us while we RDP to the
server, but can it also be used for when we expose our Web Application
over HTTPS from the server?
Yes, it can be used even when you expose your web application over HTTPS from the server. Exposing over HTTPS would only involve opening up the port through NSG rules and SSL settings for your application in IIS. This will not impact you ability to RDP into the VM.
I have a MS Azure ASP.NET Core 2.x WebApp that uses standard Identity based authentication.
I would like to restrict access to the website to only a certain set of people.
I need the entire website to be hidden unless you pass some kind of authorization gate. The requirement, however, is that the gate should not interfere with the standard ASP.NET Core Identity authentication/authorization mechanisms.
Essentially, we have a website that needs testing by a distributed team, but we don't want the site to be visible to non-members.
TIA!
Your best bet is going to be using the network-level control that comes with an ILB App Service Environment. If that's too pricey, try the IP restrictions feature on the public app service.
I'm building a service that allows to enter activation keys in a desktop application, which will then call a web service to check the key and return a license. This call does not require authorization.
The web application is running as Azure "App Service". I'm afraid someone will be trying to "guess" activation keys and slow down my service. (I'm not afraid they will be able to correctly guess, they are long enough).
Do Azure WebApps have some kind of automatic rate-limiting or DOS-protection, or do I need to configure/code this myself?
If I have to do it myself, can you point me into the right direction?
As far as I know, we could use Dynamic IP Restrictions in web app.
The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.
About how to config this feature. We could remote connect to the azure web app IIS and set it.
About how to remote connect web app IIS, you could refer to this article.
More details, you could also refer to this blog.
I published my web app into Azure web application but I want to provide the security for this application.
I know by using HTTPS we can provide security for web application. I read this link before posting question here.
Rather than using https, are there any other techniques for providing security to web site or web application?
As this document mentioned about the Security Level in Azure App Service:
Infrastructure and platform security - You trust Azure to have the services you need to actually run things securely in the cloud.
Application security - You need to design the app itself securely. This includes how you integrate with Azure Active Directory, how you manage certificates, and how you make sure that you can securely talk to different services.
For Infrastructure and platform security, Azure would isolate your App Service apps and communication of sensitive datas (e.g. sql connectionstring, appId, appSecret,etc.) are always encrypted. Also, App service would provide threat management protects App Service resources from malware, DDoS, MITM, and other threats.
For Application security, you need to develop, manage your application in a security way. The frequent threats would as follows:
SQL Injection
Session hijacking
Cross-site-scripting
Additionally, you could leverage integration with Tinfoil Security to perform penetration testing on your app and follow the instructions to fix possible vulnerability. For a better understanding of it, you could refer to this official tutorial about secure an app in Azure App Service.