Azure SSL certificate tag - azure

I have uploaded an SSl certificate on the azure portal for my web app.
Is there a way to add key-value tag for the cert? From the documentation, I see tags only for resource-group etc but not for a particular cert.

If you are able to see the certificate in your resource group, just add tag as usual.
On my side, the certificate is hidden because it's managed by Azure. I can show it by clicking the checkbox on top of your resource group.
If after you click the certificate and there is no Tags bar on its panel, you can choose to use cloud shell to add tag. You can find the cloud shell on top right of your portal.
The first time you run it, you may need to create storage for the shell, just follow the steps azure provides. Then we can add tags. Use powershell script as an example, just two commands to achieve your goal.
$r = Get-AzureRmResource -ResourceName certificatename -ResourceGroupName resourcegroupname
Set-AzureRmResource -Tag #{ TagName="TagValue"} -ResourceId $r.ResourceId -Force
Things work on my side. Any further question, just ask.

Looking at the REST API documentation for Create or Update Certificate, looks like it is possible to assign tags to SSL Certificates. I believe this functionality is not exposed on the Portal. I looked up Azure Powershell Cmdlets as well and couldn't find anything there (it is entirely possible that I may have missed out something).
If you need to assign tags to SSL Certificate, you can always use REST API and invoke that API using either writing code or using a tool like Postman. Other thing you should look at is Azure SDK. In all likelihood, you will find some functionality there which will let you assign tags to a SSL certificate.

Related

Unable to update SSL cert while using multiple basic listener using WAFV2 Azure App Gateway

I am having trouble uploading a new SSL pfx certificate onto my WAF V2 application gateway. I currently have 3 basic wildcard listeners setup (*.contoso.com *.fabrikam.com and *.adatum.com for example) and I would like to update the certificate associated with *.contoso.com.
The problem with using the UI is that if I attempt to update and save the certificate on the listener I get an error message indicating "This Basic HTTP listener cannot use the same frontend port as an existing listener". I understand this is likely because using multiple basic listeners is still in preview and can only be setup via powershell or ARM templates. I originally setup the gateway via ARM templates.
I instead attempted to update the listener's certificate using powershell. I first uploaded the pfx cert to a key vault. I then created a user managed identity with azure role assignments for both the app gateway and the key vault. After, I ran the following powershell commands from inside the portal's CLI but got the resulting error message.
PS > Select-AzureRmSubscription -Scope CurrentUser -SubscriptionName "Pay-As-You-Go"
PS > $appgw = Get-AzApplicationGateway -ResourceGroupName "myresourcegroup" -Name "myappgateway"
PS > $secret = Get-AzKeyVaultSecret -VaultName "mykeyvault" -Name "contoso-cert"
PS > $secretId = $secret.Id
PS > set-AzApplicationGatewaySSLCertificate -Name "contoso-cert" -ApplicationGateway $appgw -KeyVaultSecretId $secretId
PS > Set-AzApplicationGateway -ApplicationGateway $appgw
Set-AzApplicationGateway: Application Gateway 'myappgateway' requires a 'UserAssigned' Identity with 'get' access policy to the referenced KeyVault. Please provide so by using top level 'Identity' property.
Why am I unable to update the certificate on the basic listener using powershell? Is there any alternative option I can try in order to set the certificate? Please help
Pretty sure I came across this same issue when looking at the Wildcard Listeners Preview in App Gateway.
I don't have a test environment configured in such a way that I can try this for you at the moment, but I believe the solution was to create a Multisite HTTPS listener (instead of basic) with an arbitrary FQDN, and using the same SSL cert as the one you want to update. Then use that listener to update the SSL cert (you could probably even update the cert at the same time as you create the listener).
Let us know how you get on!

Azure Web App: Cannot add a VNET Restriction Rule using PowerShell when VNET is on a different subscription

I have a web application in azure and I want to make sure that only my build server (or any other VM on the same subnet) are the only ones which are able to access the SCM site. I thought the most obvious thing would be to create an access restriction rule and in fact that works, I am able to create it from the portal with no issue whatsoever.
The problem, however, happens when I try to automate this using powershell. My build server subnet is located on a subscription different from the one where my web application is.
I am executing the following powershell script:
$subnetId = "/subscriptions/$VNETSubscriptionId/resourceGroups/$VNETResourceGroup/providers/Microsoft.Network/virtualNetworks/$buildServerVNET/subnets/$buildServerSubNet"
Add-AzWebAppAccessRestrictionRule -ResourceGroup $webAppRg -WebAppName $webAppname -Name VNETAccess -Priority 1000 -Action Allow -SubnetId $subnetId
And I get the following error:
Add-AzWebAppAccessRestrictionRule : The client '{{my user credential}}' with object id '81fa4eb1-5553-4daa-af44-3c717b19eda2' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/{{websiteSubscriptionId}}/resour
ceGroups/{{VNETResourceGroup}}/providers/Microsoft.Network/virtualNetworks/{{buildServerVNET}}/subnets/{{buildServerSubNet}}' or
the scope is invalid. If access was recently granted, please refresh your credentials.
The error seems to indicate that the cmdlet is searching for the subnet on the same subscription id than the website instead of the subscription where the subnet is located, since the resourceId string that is being returned on the error messsage has the wrong subscription Id. It is using the one where the website is instead of using the one where the build server is.
What else needs to be done in order to create this rule through powershell?
The error message is confused.
In fact, after my validation, you need to add the -IgnoreMissingServiceEndpoint parameter when adding a subnet from a different subscription. Read this GitHub case WebApp:Add-AzWebAppAccessRestrictionRule.md - incorrect use of subscription context over SubnetId param
When using a subnet from a different subscription, we cannot validate
the subnet to see if the correct service endpoint (Microsoft.Web) has
been set. If you use -IgnoreMissingServiceEndpoint the rule can be
added.

How do you configure Azure Function authentication by code?

I want to configure the authentication for my Azure function via code, be it powershell, ARM template or an API? is this possible?
i'm under the impression that an Azure Function is nothing more then an App Service so i would assume it resolve around there.
https://learn.microsoft.com/en-us/powershell/module/az.websites/?view=azps-2.0.0#app_service - there doesn't seem to be anything in the powershell.
https://resources.azure.com/ doesn't seem to give much information.
Here is some documentation on how to use managed identities for App Service and Azure Functions: https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity
You could create an PowerShell function app with MSI (Managed Service Identity) enable in a consumption plan. Here is some documentation (https://azure.microsoft.com/en-us/resources/templates/101-functions-managed-identity/) on how to do that.
Once the function app is created, you can grant it access to a given resource https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azroleassignment?view=azps-2.0.0#examples
Lastly, the PowerShell function app comes with a profile.ps1 which contains code to authenticate against Azure via MSI out the box.
# Authenticate with Azure PowerShell using MSI.
# Remove this if you are not planning on using MSI or Azure PowerShell.
if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) {
Connect-AzAccount -Identity
}
Please give it a try and let us know if you run into any issues.
Azure Functions Authentication are still pending. Currently AFAIK there is not a way to add authentication via code except with the Function Host Keys
You can track the issue here in Github
Using terraform is a really good way of configuring these, a good example is below. Also az CLI 'az webapp auth' seems to have really good support now. PowerShell still seems to be lagging behind.
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app

Make Azure Functions not publicly accessible?

Currently my functions are accessible publicly. Is there a way to make it so that they can only be accessed via something else, like an API gateway, and not directly? I tried adding a VNET via the "networking" blade but I don't think that did anything (I could still call the functions publicly)...I think that just makes it so the functions could access resources on a private network. I didn't see any options in the settings to make the IP private. I'm not very well versed in networking related issues, so apologies if I'm being unclear.
The built-in keys support is meant to provide an option for this. You can require all requests to include an API key which is only shared with resources you care about. In fact, all HTTP-triggered functions require a key by default. You would have to explicitly choose to remove this requirement.
Keys aren't a networking solution though, and if you leak the keys, someone could access your APIs (until you roll the keys). You are correct that the VNet support is point-to-site, meaning it can access resources, but the function app is not protected itself. An App Service Environment would solve that, although Kai's comment on the original question is correct - ASE is not yet available for Functions.
In addition to keys, you could look at using App Service Authentication / Authorization to require an AAD service principal. This is effectively like a key, but has additional benefits if you are modeling other entities in AAD. Unless you know you need this, though, I would stick with keys.
With CORS functionnality you can restrict access to your Azure Function. To configure this, check the following link : Azure Function Settings, at the CORS section.
You can apply access restrictions to an Azure Function. The documentation can be found here.
You can use PowerShell AZ module to create a rule (or the portal if you prefer).
Add-AzWebAppAccessRestrictionRule `
-ResourceGroupName "ResourceGroup" `
-WebAppName "AppName" `
-Name "Ip example rule" `
-Priority 100 `
-Action Allow `
-IpAddress 122.133.144.0/24
Docs for Add-AzWebAppAccessRestrictionRule can be found here.
IP restrictions can be used to restrict access to whitelisted IPs. You can do it via the the Portal -
https://learn.microsoft.com/en-gb/azure/app-service/app-service-ip-restrictions
or in the web.config with ipSecurity

New deployment slot for azure websites

Is there a REST API call to create a new deployment slot in Azure website?
I am not able to find anything here.
You can do this using the Azure PowerShell cmdlets. For example, I tested this with a site named "cloudallocweb" in East US and then used the following command to create a new deployment slot in the cloudallocweb site.
New-AzureWebsite -Name "cloudallocweb" -Location "East US" -Slot "test"
Peeking into what the New-AzureWebsite cmdlet is doing in the command above, I found this POST operation which is basically the Create a web site REST API. Notice that it is passing the WebSpace setting (matching in the URL), which I don't see documented in the REST API.
At any rate, it appears the Create a Web Site REST API is what you need. This makes sense considering that a deployment slot is really just a web site. You may also take a look at the List Webspaces API to find the right web space value for your site.
Following the steps above, the new deployment slot will appear under the original site as shown here. You can then swap the deployment slots using the portal, REST API, or the Switch-AzureWebsiteSlot cmdlet.

Resources