Can I have real-time threat protection on Azure App Services?

I have an Azure App Service where I am running a Tomcat application. Is there a way, or any built-in anti-malware option available? If not, how do I implement threat protection in this App Service?

Azure App Service uses the same Antimalware solution used by Azure Cloud Services and Virtual Machines, but it is completely managed by our Engineering team on a regular basis.
Also, as a PaaS service, we currently do not provide anti-malware scanning as a customer-facing service. The implementation of A/V on our service has gone through, and will continue to go through, changes as we tune it for its primary purpose, which is to protect the service itself (PaaS) from viruses.
If you have a custom requirement for anti-virus scanning, then IaaS VMs should be the choice, as they have an installable extension for virus scanning and a choice of different A/V technologies.
You can check the documentation at the links below:
https://learn.microsoft.com/en-us/azure/security/azure-security-antimalware (the answer included a screenshot of the information under the Architecture section of this page)
https://learn.microsoft.com/en-us/azure/app-service/app-service-security-readme

For now, there is no native virus scanning / anti-malware feature on Websites. However, you could implement it with a third-party API like ClamAV, or with the Azure App Service extension named Tinfoil Security.
There are two ways to integrate Tinfoil Security into your app, and this is the introduction. First, you could refer to this doc; I tried this way, however it showed "Failed to purchase", so maybe you could try the other way. Under Development Tools in your App, choose Extensions, click the Add button, then Choose Extension; on the list there is a Tinfoil Security entry, which is what we need. I tried this way and it could be integrated into my App.
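The answer above points at ClamAV as the do-it-yourself option. The block below is an added example, not code from the original answers or from the ClamAV project: it shows the clamd INSTREAM exchange that an upload handler would perform, so that user-supplied content is scanned before it is written anywhere a web server can serve it. The clamd host and port are placeholders; the connection is injected so the framing and reply handling can be exercised offline with a constructed fake, and a scanner error or an unparseable reply is treated as "not clean" rather than as a pass.

```python
"""Scan uploaded bytes with clamd over its INSTREAM protocol (added example)."""
import socket
import struct
from typing import Any, Callable, Iterator

# Keep each chunk well under clamd's StreamMaxLength (default 25 MB).
CHUNK_SIZE = 64 * 1024


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the wire bytes of one INSTREAM request.

    Framing: the null-terminated command, then each chunk prefixed with its
    big-endian 4-byte length, then a zero-length chunk to end the stream.
    """
    yield b"zINSTREAM\0"
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_reply(reply: bytes) -> tuple[bool, str]:
    """Return (clean, detail) for replies such as b'stream: OK\\0' or
    b'stream: Eicar-Test-Signature FOUND\\0'.

    Anything else (an ERROR line, a truncated or empty reply) is reported
    as not clean, so a scanner failure never admits a file by accident.
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text.endswith(" OK"):
        return True, "OK"
    if text.endswith(" FOUND"):
        # "stream: <signature> FOUND" -> keep only the signature name
        return False, text.split(":", 1)[1].rsplit(" ", 1)[0].strip()
    return False, text or "empty reply from clamd"


def scan_bytes(data: bytes, connect: Callable[[], Any]) -> tuple[bool, str]:
    """Stream `data` to clamd and return (clean, detail).

    `connect` returns a connected socket-like object; clamd terminates its
    reply with a NUL byte, which is what the read loop waits for.
    """
    with connect() as conn:
        for frame in instream_frames(data):
            conn.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = conn.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def tcp_connect(host: str = "clamd.internal", port: int = 3310) -> socket.socket:
    """Placeholder clamd endpoint (assumption); point it at your daemon."""
    return socket.create_connection((host, port), timeout=30)


class FakeClamd:
    """Constructed stand-in for a clamd connection, for offline use only:
    records what was sent and answers with a scripted reply."""

    def __init__(self, reply: bytes):
        self.reply, self.sent, self._served = reply, b"", False

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        if self._served:
            return b""
        self._served = True
        return self.reply
```

In production, call `scan_bytes(upload, tcp_connect)` before persisting the upload and reject on `clean is False`; the fake is only there to show the exchange end to end without a daemon.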

Related

Azure App Services Antimalware?

Having read
"The Microsoft Antimalware Client and Service is installed by default in a disabled state in all supported Azure guest operating system families in the Cloud Services platform.
...
When using Azure Websites, the underlying service that hosts the web app has Microsoft Antimalware enabled on it. This is used to protect Azure Websites infrastructure and does not run on customer content."
here: https://learn.microsoft.com/en-us/azure/security/azure-security-antimalware
it appears that although the underlying execution environment is scanned and protected, nothing prevents the deployment of infected files (contrary to the response given here: https://stackoverflow.com/a/44805995/8354791).
And therefore the service needs to be enabled.
It also appears this can only be done via PowerShell, using the Set-AzureServiceAntimalwareExtension command, as per https://stackoverflow.com/a/25847270/8354791 and "Powershell: Add Diagnostics/Antimalware to Azure PaaS Cloud Service using ExtensionConfiguration Parameter".
Q: the link is a bit old (2015). Is PowerShell still the only way to turn on debugging for an App Service?
Q: is the analysis of the above text correct that MS is scanning its own environment, but exclude the scanning of files deployed to their services?
Q: is there a cost to enabling this service?
Q: What is the relationship to Malware Assessment (https://learn.microsoft.com/en-us/azure/log-analytics/log-analytics-malware)? Is that a more current way of scanning Web Apps?
Q: this is a manual approach, using Powershell. Is there a link to understanding how to enable this service using an CI/CD deployed ARM template?
Q: I see this service is mentioned as a solution for scanning deployed code files -- but can this service be used to scan Blobs where uploaded media would be stored?
I know I've asked a lot of questions... but hopefully you agree they are all tightly related...
Thanks immensely!
Azure App Service is a managed platform. The Microsoft Antimalware Client and Service is enabled by default on App Service instances; there is no user action that allows enabling/disabling this feature for apps hosted in App Service.
All of the documentation you are referencing is about "Azure Cloud Services" and "Azure VMs", not Azure App Service. Here is the security documentation for Azure App Service: https://learn.microsoft.com/en-us/azure/app-service/app-service-security-readme
Malware Assessment is part of the OMS suite, and it's an additional tool for managing large deployments and detecting instances that might be affected by malicious code.

Antivirus for Azure App Services

If a malicious user tampers with the files placed in App Service and incorporates a virus, is there a way to know that? For example, the way one would install antivirus software on a virtual machine and keep it that way.
http://stackoverflow.com/questions/38387004/antimalware-for-azure-app-services
I am looking at this URL for reference, and I understand that using Tinfoil Security meets the requirements. However, Tinfoil Security cannot be used because the license I use is a Japanese CSP one.
https://www.microsoft.com/en-us/TrustCenter/Security/ThreatManagement
I also saw this URL, but my English skill is not adequate, so my understanding may be insufficient. Therefore, I need some details. Does "Azure Cloud Services and Virtual Machines" in "Microsoft Antimalware for Azure Cloud Services and Virtual Machines" include App Service? I thought that only Cloud Services were covered. For example: https://azure.microsoft.com/en-us/services/cloud-services/
I am checking whether the file size and timestamp have changed in an App Service WebJob, but please let me know if there are things that can be covered by functions provided as a Microsoft service.
Azure App Service uses the Anti-malware solution used by Azure Cloud Services and Virtual Machines.
This is mentioned here: App Service Security
This further points to the following article: Microsoft Antimalware for Azure Cloud Services and Virtual Machines
For extended scenarios, Tinfoil was provided as an additional option. If that is not available to you, then using Azure Cloud Services (Web Roles) is more in line with your requirement.
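The asker above is comparing file sizes and timestamps from a WebJob. Both are trivially forged by whoever can already write to the content share, so the following added example (not code from the original posts) does the same job with a SHA-256 manifest instead: it is built once at deploy time from the published content, stored somewhere the app's own identity cannot write, and a WebJob later reports files that were added, removed or modified. The `site/wwwroot` path under `HOME` and the `logs`/`tmp` exclusions are assumptions about a typical App Service layout.

```python
"""Deploy-time SHA-256 manifest and tamper check for an App Service folder."""
import hashlib
import json
import os
from pathlib import Path

# Assumed content root on App Service; override for your deployment.
DEFAULT_ROOT = Path(os.environ.get("HOME", ".")) / "site" / "wwwroot"
# Directories whose contents legitimately change at runtime (assumption).
EXCLUDE_DIRS = ("logs", "tmp")


def sha256_file(path: Path, block_size: int = 1 << 20) -> str:
    """Hash a file in 1 MB blocks so large WAR/JAR files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path, exclude_dirs=EXCLUDE_DIRS) -> dict[str, str]:
    """Map each file (relative path, POSIX separators) under `root` to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            path = Path(dirpath) / name
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict[str, str], out: Path) -> None:
    """Persist the manifest; keep `out` outside the content share (e.g. pipeline
    artifact or a blob the runtime identity can only read)."""
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def verify(root: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the recorded manifest.

    Returns sorted lists of added, removed and modified relative paths; an
    empty result on all three keys means the deployment is untouched.
    """
    actual = build_manifest(root)
    common = set(actual) & set(expected)
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in common if actual[p] != expected[p]),
    }


def webjob_check(root: Path, manifest_path: Path) -> bool:
    """Entry point for a scheduled WebJob: True when nothing changed."""
    report = verify(root, load_manifest(manifest_path))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")  # surface through App Service log streaming
    return not any(report.values())
```

Run `save_manifest(build_manifest(root), artifact_path)` from the release pipeline against the exact bytes it published, then schedule `webjob_check` every few minutes; a non-empty `added` list with a new `.jsp` in it is the case the asker is worried about.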

Web app onboarding to Azure Web Marketplace

We checked this documentation - https://blogs.msdn.microsoft.com/appserviceteam/2016/08/26/onboarding-to-azure-web-marketplace - on how to onboard our web apps to the Azure Marketplace, and also the GitHub link - https://github.com/SunBuild/web-app-marketplace
We have contacted MSFT about how to host our application, which has an API and WCF applications as sub-applications.
MSFT replied that sub-applications are not currently supported through this onboarding model.
So we are trying to onboard the three applications individually and link them in the Azure Marketplace. We are not sure whether this will work or if it is possible.
In the sample applications in the GitHub link - https://github.com/SunBuild/web-app-marketplace - they have a hosting plan JSON file for the web app resource. Can we link the applications using this hosting plan JSON file?
We could not find any information or definition related to this hosting plan file - https://github.com/SunBuild/web-app-marketplace/blob/master/WebApp-SQLDatabase/DeploymentTemplates/Website_NewHostingPlan_SQL_NewDB-Default.json
Has anyone tried this before, or does anyone know how to do this?
"sub-applications are not currently supported through this onboarding model."
From the documentation, we know that if a web app needs the Virtual Application setting to be configured, we will not be able to onboard the application.
"we are trying to onboard the three applications individually and link them in the Azure Marketplace. We are not sure whether this will work or if it is possible."
In my view, if you onboard these applications individually, it may not be possible to bundle multiple individual applications so that they link with each other. You could contact the Azure Marketplace support team.
We could not find any information or definition related to this hosting plan file - https://github.com/SunBuild/web-app-marketplace/blob/master/WebApp-SQLDatabase/DeploymentTemplates/Website_NewHostingPlan_SQL_NewDB-Default.json
In the link you posted, we can see that it is an Azure Resource Manager (ARM) template, which is used to define the resources you want to deploy. This article explains the Azure Resource Manager template; please refer to it.

Using Azure MobileServices library with my own LAN WebApi

I am currently doing some research for the development of a mobile application for our company that should support offline data sync (on an iPad). We have explored many possibilities including PhoneGap/Cordova, Xamarin and simply native iOS development. Xamarin, for many different reasons, seems to be our best choice, so my question will assume we will develop in Xamarin.
I was looking into a library for managing offline data synchronization, and the most obvious solution is Microsoft Azure Mobile Services. However, my company is Canadian, and apparently it's hard to trust (legally) our data to clouds based in the US. Since we have already deployed our WebApi internally on our intranet, I figured there was probably a way to point the Mobile Services library to our own WebApi. I have read about the Azure Hybrid Connection possibility, but having our data still transit Microsoft servers might not be acceptable. So, my question is this:
Is there a way to configure the Microsoft.WindowsAzure.MobileServices client library to point directly to our intranet RESTful WebApi backend, without going through any Microsoft Azure servers?
I understand that, in order to be able to use the client libraries seamlessly, we would probably have to adapt our WebApi to implement the necessary .NET backend interfaces. I'm mostly wondering if it's even possible, as the MSDN documentation on the libraries all seems to point to direct connections to their servers (no possibility to configure your own connection strings) and all instructions redirect you to their Azure Mobile Services website.
Thank you.
If you look at the API for your mobile client, you'll notice that the Azure Mobile Services Client SDK only cares about two things:
new MobileServiceClient(url, appkey)
...where it's hosted shouldn't be a concern. Everything else is just configuration.
If you want to host the Azure Mobile Services Backend on your own servers, technically you could do this, but there are likely a few caveats. Microsoft has announced that they will be launching a Canadian Azure data center, but we won't see it until 2016.
In the meantime, here's how you can host the services locally. Note that I have not tried to emulate all of the features of Azure Mobile Services (aka Zumo) so your mileage (or kilometerage) will vary.
Hosting Locally:
From a technical feasibility, you absolutely can run the services locally. I know this because you can create the Azure Mobile Services Backend project from within Visual Studio and run it locally for development purposes. This is what our development team does for testing their mobile applications.
Note that you can create the Azure Mobile Service backend directly from within Visual Studio: New Project -> Cloud -> Azure Mobile Service. You can also download the exact same template (pre-configured with your URL and ApplicationKey) directly from the Azure dashboard: Create -> Mobile Service.
Obviously, if you're hosting it on your server it will be up to you to configure and use a proper SSL certificate for your site.
ZUMO Permissions:
By default, the security roles on the server are turned off. So if you're locking down any of your methods using the [AuthorizeLevel] attribute these settings will be ignored at runtime. If you need to enable this feature you can do so by modifying the WebApiConfig.Register() method and marking the site as self-hosted: config.SetSelfHosted(true).
Configuration:
From a configuration perspective, the Azure Mobile Service dashboard provides several tabs for configuring Identity, Push Notifications, Connection Strings and App Settings. Sadly, you won't have a dashboard, but all of these settings have a corresponding value in the local web.config. Any value you provide here is automatically overwritten in Azure, but they're used when running locally.
The minimum settings you'll need to configure are listed here. The ApplicationKey you can distribute with your ZuMo client, but the MasterKey is for the Admin authorization level so you'll want to keep that secret. The MobileServiceName is used by the EntityFramework for your database schema and what appears in the URL of your site.
<appSettings>
  <add key="MS_MobileServiceName" value="myzumosite" />
  <add key="MS_MasterKey" value="masterkey" />       <!-- Admin level; keep secret -->
  <add key="MS_ApplicationKey" value="appkey" />     <!-- shipped with the ZuMo client -->
</appSettings>
Values that start with a MS_ prefix map to corresponding values in the Azure Portal. MS_GoogleClientID and MS_GoogleClientSecret map to the Google Identity values in the dashboard, for example.
Any other value in the AppSettings node is immediately accessible via the ApiServices.Settings property and corresponds to the Settings node in the Azure dashboard.
Database connection strings continue to exist in the connectionStrings node. The same is true for the Azure Notification Hub.
Database:
Obviously, the database you configure will be up to you as well. Permissions and User accounts are also obvious. There may be some minor differences between the SQL Azure syntax for Entity Framework database migration scripts that you'll need to worry about. (I've discovered the database migration scripts don't work from the Package Manager, but they do work when the database scripts are run when your website starts)
Caveats:
You will not have a nice dashboard for monitoring performance of your site, reviewing logs or changing runtime settings
You will not be able to scale out your site immediately; Scaling and deployment will be your problem
Deployment configuration is your responsibility (Project -> Publish won't be available unless you configure it)
Not sure if you'll be able to use Azure Active Directory as an authentication scheme, though from the sounds of it that won't be a concern. You can write your own authentication providers: Microsoft's Zumo library only supports a handful, but the underlying Owin.Security package that Microsoft uses supports several dozen systems!
Your site will need to be publicly visible to your mobile clients
Push Notifications should work, but you will be using Azure's notification hub for this.
I have no idea where ApiServices.Log will go
The easiest path to take would be to:
Create the Mobile Service in Azure to get the notification hub and settings preconfigured
Download the starter site from the dashboard
Configure the web.config as mentioned here.
It's not possible to simply configure the WAMS client library to work with your own WebApi backend.
But the WAMS library is available on GitHub, so I'm sure you can reuse a lot of code from the WAMS project, especially if you want to use a PCL project.
To route your data securely through Azure, you could think about setting up ExpressRoute. Additionally, as of last week's update, it's possible to apply a custom domain to the WAMS backend, including your own certificate to secure your connection.

Advantages of hosting a mobile app back-end in Azure Mobile Services over Azure Websites

I have a WebAPI back-end for a mobile app, and want to host it in Azure.
I am having a hard time figuring out the real differences between AMS and Websites.
All the articles I read about the subject talk about changes and benefits in general, and I want to understand specifically which new features AMS provides, and the benefits of hosting in AMS.
Authentication
In AMS I see the "IDENTITY" tab in the Azure portal. From what I understand, those 3rd-party configs allow me to authenticate my users easily with Google, Facebook, etc. But this is just making the process more convenient and configurable via UI. In Websites, I can achieve the same functionality pretty easily using code from the ASP.NET Identity and OWIN libraries.
Push Notifications
Again looking at AMS in the "PUSH" tab, I can see two mechanisms. The Notification Hub and 3rd party section.
The Notification Hub is nothing special to AMS, and I can get the exact same functionality when hosting in Websites.
The 3rd-party section allows me to configure credentials for push services from Apple and Google (APNS, GCM, ...), and together with the libraries in the AMS namespace I can easily write code to communicate with those services.
But When hosting in Websites, in my back-end I can use open source libraries. For example, Moon-APNS to talk to APNS.
Scale
As far as I understand, both Websites and AMS allows the same scale functionality (One calls it Units and the other Instances).
Are there any big differences I missed?
Are any of the claims I made incorrect?
It would be great if anyone could shed some light on the matter, specifically addressing all the 3 issues (Auth,Push,Scale).
That's a question I often get when I present Mobile Services at user group events.
For a .NET developer, there's nothing really special about Mobile Services since everything it offers, you can do it with a Website.
Mobile Services really shines for non .NET developers since you can have a complete mobile backend by writing scripts running on Node and Mobile Services abstract all the database and REST complexity.
I will likely get downvoted since I'll express a personal opinion but anyways: I see no obvious reasons for using Mobile Services if you're coding a .NET backend.
I think you are exactly the target customer for Azure Mobile Apps. You will get all of the power of having your own Azure Website (now rebranded as Azure Web App), with the additional convenience and client libraries of Mobile Services.
One feature of the client library that you may not have noticed is the cross-platform offline data sync capability. That's usually hard to build on your own, and we have an implementation that's conceptually consistent across all client platforms. (Plus, if you use Xamarin, you can share code between your client implementations.)
To be clear: Azure Mobile Services is NOT deprecated, and will not be until long after GA (general availability) of Azure Mobile Apps. Azure Mobile Apps is currently in preview.
The other big benefit of Mobile Services that you haven't mentioned is the client libraries for Android, iOS, Xamarin, and Cordova. If you already have a REST client library in your app and don't need to worry about multiple client platforms, then Azure Web Sites sound like a good way for you to go.
AMS by itself is built on top of Azure Websites. So you can actually implement everything in an Azure website that is available in AMS.
However, the good thing about AMS is that it allows you to quickly build the backend for a mobile app with CRUD operations, authentication/authorization and also provides client side libraries for different type of clients e.g., HTML, C#, etc. so we don't have to manually make the HTTP calls.
If you need to implement the above functionality in Web API, it is quite an effort. Isn't it?
