Azure: Is there any vulnerability BETWEEN Web Apps? - security

I been wondering how secure/dangerous could be to run a PHP WebApp (WebApp-A) in Azure when there is another WebApp (WebApp-B that could be a .Net app) running on the same Azure subscription.
Could WebApp-A run some malicious script and affect the server instance of WebApp-B?

There's no way to give a blanket-statement answer regarding malicious scripts, attack surfaces, etc. There are many vulnerabilities showing up daily (which have nothing to do with web apps - just attacks in general).
That said: Every web app in Azure is going to have its own sandbox with its own files, etc. The only thing shared between web apps? The app service plan hosting the web app(s) (you may have multiple web apps on an app service plan). But the only thing they share are things like CPU. Everything from a code standpoint is isolated.
You'd need to take explicit steps to grant access across web apps (e.g. add them to the same vnet).

Related

Azure app services isolation and security

I have multiple App Services hosted on a single App Service plan (Basic Small), which is basically a fully managed VM with all it's resources reserved for me. These are all Asp.Net apps.
As I have plenty of resources still available I'm considering moving my WordPress applications to Azure (each to a new App Service within the same App Service plan.
WordPress unfortunately, has a tendency to get infected every now and then. Also the infection can spread to other websites if they are not properly isolated (infected website may change files of the other websites).
So my question is:
If one of my WordPress websites gets infected are other websites from different App Services, but the same App Service plan also in danger?
The answer to this greatly depends on how you trust Microsoft and their claims.
All Azure Web Apps (as well as Mobile App/Services, WebJobs and
Functions) run in a secure environment called a sandbox. Each app runs
inside its own sandbox, isolating its execution from other instances
on the same machine as well as providing an additional degree of
security and privacy which would otherwise not be available. The
sandbox mechanism aims to ensure that each app running on a machine
will have a minimum guaranteed level of service; furthermore, the
runtime limits enforced by the sandbox protects apps from being
adversely affected by other resource-intensive apps which may be
running on the same machine.
So it should be secure.
https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox

Asp.Net Web API and Azure Web Role

I created a web application using Asp.net web api in azure and i want to consume it with a web role application ! what is the difference between web application and web role and what should i do ! thanks
An azure webapp is a website you host on azure as a normal website.
you don't really have a lot you can do with the machine. Just see it as normal website hosting.
A webrole is part of a cloud service. Which is a bit more flexible. Web roles allow you to install for example applications on the vm you are running your application. The state of the machine is not held so if the machine goes down you lose all data you stored on it. In fact you upload a sort of zip package with the application inside. This installs the app and when something goes wrong a new machine is started and the package is installed again on that new machine. This is also 'an issue' with azure websites.
Here is a good link with some more info + with info on virtual machines which is in fact a layer lower, meaning that you have more control over the machine.
https://azure.microsoft.com/en-us/documentation/articles/choose-web-site-cloud-service-vm/
In most of the scenarios Azure Web App is what you should use. It provides all the capabilities required for almost all websites.
However, Web App may not work in few scenarios e.g.,
When you have a dependency on software or library that you need to bundle with your code
You need to RDP into the machine for some purpose
...
In those scenarios you will have to depend on Web role.

Azure Websites vs Azure Cloud Service Web Role [duplicate]

What are the material differences between the new Azure Web Sites and the traditional Azure Web Roles for an ASP.NET MVC application? What reason would I choose a "web site" over a "web role" or vice versa?
Let's assume that I would need equal capacity in either case (e.g. 2 small instances). The prices seem comparable other than the fact that there is a 33% temporary discount for web sites while they are in their preview period.
Are there things that I can do with a "web site" that are difficulty or impossible with a web role? For example, does it become easy to put multiple web sites in a single set of VMs using "web sites"? Do I lose anything with a "web site" vs a "web role"? Ability to fine tune IIS? Ability to use the Cache service locally?
Web Roles give you several features beyond Web Apps (formerly Web Sites):
Ability to run elevated startup scripts to install apps, modify registry settings, install performance counters, fine-tune IIS, etc.
Ability to split an app up into tiers (maybe Web Role for front end, Worker Role for backend processing) and scale independently
Ability to RDP into your VM for debugging purposes
Network isolation
Dedicated virtual IP address, which allows web role instances in a cloud service to access IP-restricted Virtual Machines
ACL-restricted endpoints (added in Azure SDK 2.3, April 2014)
Support for any TCP/UDP ports (Web Sites are restricted to TCP 80/443)
Web Apps have advantages over Web Roles though:
Near-instant deployment with deployment history / rollbacks
Visual Studio Online, github, local git, ftp, CodePlex, DropBox, BitBucket deployment support
Ability to roll out one of numerous CMS's and frameworks, (like WordPress, Joomla, Django, MediaWiki, etc.)
Use of SQL Database or MySQL
Simple and fast to scale from free tier to shared tier to dedicated tier
Web Jobs
Backups of Web Site content
Built-in web-based debugging tools (simple cmd/powershell debug console, process explorer, diagnostic tools like log streaming, etc.)
With the April 2014 and September 2014 rollouts, there are now some features common to both Web Apps and Web Roles (and Worker Roles), including:
Staging+production slots
Wildcard DNS, SSL certificates
Visual Studio integration
Traffic Manager support
Virtual Network support
Here's a screengrab I took from the Web Sites gallery selection form:
I think Web Apps are a great way to get up and running quickly, where you can move from shared to reserved resources. Once you outgrow this, you can then move up to Web Roles and expand as you need.
EDIT 2014: For what it's worth, a lot of the info in this answer is no longer correct - see comments.
Add more to #David response:
With Windows Azure Websites, you don't have control over IIS or web Server because you are using a resources slice along with hundreds of other website on the same machine, you are sharing resources like any other so there is no control over IIS.
The big difference between a website shared and Azure web role is that a web-site is considered process bound while roles are VM bound.
Websites are stored on a content share which is accessible from all the "web servers" in the farm so there is no replication or anything like that required.
Windows Azure websites can not have their own host name instead they must use websitename.azurewebsites.net only and you sure can use CNAME setting in your DNS provider to route your request exactly same with previous Windows Azure Role only when they are running in reserved mode. CNAME setting is not supported for shared websites.
I've just posted a comprehensive blog post on this very subject at http://robdmoore.id.au/blog/2012/06/09/windows-azure-web-sites-vs-web-roles/.
An excerpt from my conclusion: If you need enormous scale, SSL, Asian or West US data centres, a non-standard configuration (of IIS, ports, diagnostics, security certs or start up scripts), RDP or cost-effective Worker Roles (combined with your Web Role) then you are going to have to stick to Web Roles for now.
Otherwise, Web Sites is a great option!
Azure Web Role is like a virtual private host. You get a VM that acts as your web server, and you own that VM instance.
Azure Web Sites are like an elastic shared hosting service. You deploy your app to a web server that is not controlled by you and which also servers other users' sites. You can scale your site up and down (at some extra charge) to make it more elastic as your resource needs shift.
There is one more scenario that is up the air: After these 500 exceptions are eliminated, they haven't said anything about the ability of Azure Websites to handle wildcard CNAME's. Several of us are using Nate's Web Role Accelerator in Cloud Services, becuase a one-line hack provided wildcard subdomain capability in Nate's software. We can't move these wildcard subdomain apps until we know that Azure Websites will be able to handle them. If it won't ever be able to do that, then it goes down as a positive on the Web Role side of the equation. Also of note is that with pricing being exactly the same (after the preview discount expires), I'm not sure I want to give up my access to RDC and Event Viewer (just to mention two things).
Azure Web Sites enables you to build highly scalable web sites quickly on Azure. You can use the Azure Portal or the command-line tools to set up a web site with popular languages such as .NET, PHP, Node.js, and Python. Supported frameworks are already deployed and do not require more installation steps. The Azure Web Sites gallery contains many third-party applications, such as Drupal and WordPress as well as development frameworks such as Django and CakePHP. After creating a site, you can either migrate an existing web site or build a completely new web site. Web Sites eliminates the need to manage the physical hardware, and it also provides several scaling options. You can move from a shared multi-tenant model to a standard mode where dedicated machines service incoming traffic. Web Sites also enable you to integrate with other Azure services, such as SQL Database, Service Bus, and Storage. Using the Azure WebJobs SDK preview, you can add background processing. In summary, Azure Web Sites make it easier to focus on application development by supporting a wide range of languages, open source applications, and deployment methodologies (FTP, Git, Web Deploy, or TFS). If you don’t have specialized requirements that require Cloud Services or Virtual Machines, an Azure Web Site is most likely the best choice.
Cloud Services enable you to create highly-available, scalable web applications in a rich Platform as a Service (PaaS) environment. Unlike Web Sites, a cloud service is created first in a development environment, such as Visual Studio, before being deployed to Azure. Frameworks, such as PHP, require custom deployment steps or tasks that install the framework on role startup. The main advantage of Cloud Services is the ability to support more complex multitier architectures. A single cloud service could consist of a frontend web role and one or more worker roles. Each tier can be scaled independently. There is also an increased level of control over your web application infrastructure. For example, you can remote desktop onto the machines that are running the role instances. You can also script more advanced IIS and machine configuration changes that run at role startup, including tasks that require administrator control.
Virtual Machines enable you to run web applications on virtual machines in Azure. This capability is also known as Infrastructure as a Service (IaaS). Create new Windows Server or Linux machines through the portal, or upload an existing virtual machine image. Virtual Machines give you the most control over the operating system, configuration, and installed software and services. This is a good option for quickly migrating complex on-premises web applications to the cloud, because the machines can be moved as a whole. With Virtual Networks, you can also connect these virtual machines to on-premises corporate networks. As with Cloud Services, you have remote access to these machines and the ability to perform configuration changes at the administrative level. However, unlike Web Sites and Cloud Services, you must manage your virtual machine images and application architecture completely at the infrastructure level. One basic example is that you have to apply your own patches to the operating system.
See updated and comprehensive comparison from this link: http://azure.microsoft.com/en-us/documentation/articles/choose-web-site-cloud-service-vm/
Azure Websites, Web Workers and Virtual Machines are three different computing approaches available on Windows Azure. They differ in the level of control and responsibilities:
Azure Website have lowest level of control, but you don't care about keeping in health virtual machine and IIS, because Azure stuff do this for you
Web Roles give you more control (traffic manager, remote desktop), but more administration is possible on your side which means that you can break something via remote desktop for example
Virtual Machines gives you full control of VM, so require the most administration efforts.
There is no one best choice, because it depends on what level of control you need, what features you need and what you want to leave Azure stuff to maintain. And it is big topic..
Please look at this articles for more information to make more informed choice:
http://www.windowsazure.com/en-us/documentation/articles/choose-web-site-cloud-service-vm/
http://davidpallmann.blogspot.com/2012/06/reintroducing-windows-azure-part-2.html
It boils down to tradeoff between ease of use and capabilities.
Two more things I found was cost of getting SSL for a custom domain site and Multi-tenant configurations.
For website you need to pay monthly on top of standard instance (Small instance is the cheapest option). This means in order to get custom domain https would cost you ~70/month for small instance plus ~41/ month for SSL that supports all browser.
For WebRole you can get XS instance and add your own SSL for free, which means ~$15 per month
and you have a custom domain with SSL.
For multi-tenant website check out
Multi-tenant Azure dynamic wildcard CName
A web role is a virtual machine that hosts multiple websites
This is a common question, and I would like to give out an excerpt from msdn.
Access to services like Caching, Service Bus, Storage, SQL Azure Database- WebSite:Yes WebRole:Yes
Support for ASP.NET, classic ASP, Node.js, PHP- WebSite: Yes WebRole:Yes
Shared content and configuration- WebSite:Yes WebRole:No
Deploy code with GIT, FTP- WebSite:Yes WebRole:No
Near-instant deployment-WebSite:Yes WebRole:No
Integrated MySQL-as-a-service support-WebSite:Yes WebRole:Yes
Multiple deployment environments (production and staging)-WebSite:No WebRole:Yes
Network isolation-WebSite:No WebRole:Yes
Remote desktop access to servers-WebSite:No WebRole:Yes
Ability to run programs with elevated permissions-WebSite:No WebRole:Yes
Ability to define/execute start-up tasks-WebSite:No WebRole:Yes
Ability to use unsupported frameworks or libraries-WebSite:No WebRole:Yes
Support for Windows Azure Connect/ Windows Azure Network-WebSite:No WebRole:Yes
To get a more in detail, visit this link: http://blogs.msdn.com/b/silverlining/archive/2012/06/27/windows-azure-websites-web-roles-and-vms-when-to-use-which.aspx

What is the difference between Azure Web Site and Azure Cloud service

We are looking to host a website (some css,js, one html file but not aspx, one generic handler).
We deployed in as:
1) Azure Web Site
2) Azure Cloud Service
Both solutions work. There is a question though: which way of hosting it is better and why? Second thing: as there might be a lot of traffic - which solution would be cheaper?
Thanks in advance,
Krzysztofuncjusz
You may want to review this article that explains the primary differences. Web Sites are best for running web applications that are relatively isolated (that do not require elevated security, remote desktop, network isolation...). Cloud services are more advanced because they give you more control over web sites while still remaining flexible. And VMs are for full control over applications that need to be installed and configured (like running SQL Server for example).
I think that main difference in abilities to modify VM and possibility to configure scalability. Web sites is something like classic hosting, without ability to login by rdp. Cloud Services allows you to configure VM and if necessary setup scalability and availability.

What is the difference between an Azure Web Site and an Azure Web Role

What are the material differences between the new Azure Web Sites and the traditional Azure Web Roles for an ASP.NET MVC application? What reason would I choose a "web site" over a "web role" or vice versa?
Let's assume that I would need equal capacity in either case (e.g. 2 small instances). The prices seem comparable other than the fact that there is a 33% temporary discount for web sites while they are in their preview period.
Are there things that I can do with a "web site" that are difficulty or impossible with a web role? For example, does it become easy to put multiple web sites in a single set of VMs using "web sites"? Do I lose anything with a "web site" vs a "web role"? Ability to fine tune IIS? Ability to use the Cache service locally?
Web Roles give you several features beyond Web Apps (formerly Web Sites):
Ability to run elevated startup scripts to install apps, modify registry settings, install performance counters, fine-tune IIS, etc.
Ability to split an app up into tiers (maybe Web Role for front end, Worker Role for backend processing) and scale independently
Ability to RDP into your VM for debugging purposes
Network isolation
Dedicated virtual IP address, which allows web role instances in a cloud service to access IP-restricted Virtual Machines
ACL-restricted endpoints (added in Azure SDK 2.3, April 2014)
Support for any TCP/UDP ports (Web Sites are restricted to TCP 80/443)
Web Apps have advantages over Web Roles though:
Near-instant deployment with deployment history / rollbacks
Visual Studio Online, github, local git, ftp, CodePlex, DropBox, BitBucket deployment support
Ability to roll out one of numerous CMS's and frameworks, (like WordPress, Joomla, Django, MediaWiki, etc.)
Use of SQL Database or MySQL
Simple and fast to scale from free tier to shared tier to dedicated tier
Web Jobs
Backups of Web Site content
Built-in web-based debugging tools (simple cmd/powershell debug console, process explorer, diagnostic tools like log streaming, etc.)
With the April 2014 and September 2014 rollouts, there are now some features common to both Web Apps and Web Roles (and Worker Roles), including:
Staging+production slots
Wildcard DNS, SSL certificates
Visual Studio integration
Traffic Manager support
Virtual Network support
Here's a screengrab I took from the Web Sites gallery selection form:
I think Web Apps are a great way to get up and running quickly, where you can move from shared to reserved resources. Once you outgrow this, you can then move up to Web Roles and expand as you need.
EDIT 2014: For what it's worth, a lot of the info in this answer is no longer correct - see comments.
Add more to #David response:
With Windows Azure Websites, you don't have control over IIS or web Server because you are using a resources slice along with hundreds of other website on the same machine, you are sharing resources like any other so there is no control over IIS.
The big difference between a website shared and Azure web role is that a web-site is considered process bound while roles are VM bound.
Websites are stored on a content share which is accessible from all the "web servers" in the farm so there is no replication or anything like that required.
Windows Azure websites can not have their own host name instead they must use websitename.azurewebsites.net only and you sure can use CNAME setting in your DNS provider to route your request exactly same with previous Windows Azure Role only when they are running in reserved mode. CNAME setting is not supported for shared websites.
I've just posted a comprehensive blog post on this very subject at http://robdmoore.id.au/blog/2012/06/09/windows-azure-web-sites-vs-web-roles/.
An excerpt from my conclusion: If you need enormous scale, SSL, Asian or West US data centres, a non-standard configuration (of IIS, ports, diagnostics, security certs or start up scripts), RDP or cost-effective Worker Roles (combined with your Web Role) then you are going to have to stick to Web Roles for now.
Otherwise, Web Sites is a great option!
Azure Web Role is like a virtual private host. You get a VM that acts as your web server, and you own that VM instance.
Azure Web Sites are like an elastic shared hosting service. You deploy your app to a web server that is not controlled by you and which also servers other users' sites. You can scale your site up and down (at some extra charge) to make it more elastic as your resource needs shift.
There is one more scenario that is up the air: After these 500 exceptions are eliminated, they haven't said anything about the ability of Azure Websites to handle wildcard CNAME's. Several of us are using Nate's Web Role Accelerator in Cloud Services, becuase a one-line hack provided wildcard subdomain capability in Nate's software. We can't move these wildcard subdomain apps until we know that Azure Websites will be able to handle them. If it won't ever be able to do that, then it goes down as a positive on the Web Role side of the equation. Also of note is that with pricing being exactly the same (after the preview discount expires), I'm not sure I want to give up my access to RDC and Event Viewer (just to mention two things).
Azure Web Sites enables you to build highly scalable web sites quickly on Azure. You can use the Azure Portal or the command-line tools to set up a web site with popular languages such as .NET, PHP, Node.js, and Python. Supported frameworks are already deployed and do not require more installation steps. The Azure Web Sites gallery contains many third-party applications, such as Drupal and WordPress as well as development frameworks such as Django and CakePHP. After creating a site, you can either migrate an existing web site or build a completely new web site. Web Sites eliminates the need to manage the physical hardware, and it also provides several scaling options. You can move from a shared multi-tenant model to a standard mode where dedicated machines service incoming traffic. Web Sites also enable you to integrate with other Azure services, such as SQL Database, Service Bus, and Storage. Using the Azure WebJobs SDK preview, you can add background processing. In summary, Azure Web Sites make it easier to focus on application development by supporting a wide range of languages, open source applications, and deployment methodologies (FTP, Git, Web Deploy, or TFS). If you don’t have specialized requirements that require Cloud Services or Virtual Machines, an Azure Web Site is most likely the best choice.
Cloud Services enable you to create highly-available, scalable web applications in a rich Platform as a Service (PaaS) environment. Unlike Web Sites, a cloud service is created first in a development environment, such as Visual Studio, before being deployed to Azure. Frameworks, such as PHP, require custom deployment steps or tasks that install the framework on role startup. The main advantage of Cloud Services is the ability to support more complex multitier architectures. A single cloud service could consist of a frontend web role and one or more worker roles. Each tier can be scaled independently. There is also an increased level of control over your web application infrastructure. For example, you can remote desktop onto the machines that are running the role instances. You can also script more advanced IIS and machine configuration changes that run at role startup, including tasks that require administrator control.
Virtual Machines enable you to run web applications on virtual machines in Azure. This capability is also known as Infrastructure as a Service (IaaS). Create new Windows Server or Linux machines through the portal, or upload an existing virtual machine image. Virtual Machines give you the most control over the operating system, configuration, and installed software and services. This is a good option for quickly migrating complex on-premises web applications to the cloud, because the machines can be moved as a whole. With Virtual Networks, you can also connect these virtual machines to on-premises corporate networks. As with Cloud Services, you have remote access to these machines and the ability to perform configuration changes at the administrative level. However, unlike Web Sites and Cloud Services, you must manage your virtual machine images and application architecture completely at the infrastructure level. One basic example is that you have to apply your own patches to the operating system.
See updated and comprehensive comparison from this link: http://azure.microsoft.com/en-us/documentation/articles/choose-web-site-cloud-service-vm/
Azure Websites, Web Workers and Virtual Machines are three different computing approaches available on Windows Azure. They differ in the level of control and responsibilities:
Azure Website have lowest level of control, but you don't care about keeping in health virtual machine and IIS, because Azure stuff do this for you
Web Roles give you more control (traffic manager, remote desktop), but more administration is possible on your side which means that you can break something via remote desktop for example
Virtual Machines gives you full control of VM, so require the most administration efforts.
There is no one best choice, because it depends on what level of control you need, what features you need and what you want to leave Azure stuff to maintain. And it is big topic..
Please look at this articles for more information to make more informed choice:
http://www.windowsazure.com/en-us/documentation/articles/choose-web-site-cloud-service-vm/
http://davidpallmann.blogspot.com/2012/06/reintroducing-windows-azure-part-2.html
It boils down to tradeoff between ease of use and capabilities.
Two more things I found was cost of getting SSL for a custom domain site and Multi-tenant configurations.
For website you need to pay monthly on top of standard instance (Small instance is the cheapest option). This means in order to get custom domain https would cost you ~70/month for small instance plus ~41/ month for SSL that supports all browser.
For WebRole you can get XS instance and add your own SSL for free, which means ~$15 per month
and you have a custom domain with SSL.
For multi-tenant website check out
Multi-tenant Azure dynamic wildcard CName
A web role is a virtual machine that hosts multiple websites
This is a common question, and I would like to give out an excerpt from msdn.
Access to services like Caching, Service Bus, Storage, SQL Azure Database- WebSite:Yes WebRole:Yes
Support for ASP.NET, classic ASP, Node.js, PHP- WebSite: Yes WebRole:Yes
Shared content and configuration- WebSite:Yes WebRole:No
Deploy code with GIT, FTP- WebSite:Yes WebRole:No
Near-instant deployment-WebSite:Yes WebRole:No
Integrated MySQL-as-a-service support-WebSite:Yes WebRole:Yes
Multiple deployment environments (production and staging)-WebSite:No WebRole:Yes
Network isolation-WebSite:No WebRole:Yes
Remote desktop access to servers-WebSite:No WebRole:Yes
Ability to run programs with elevated permissions-WebSite:No WebRole:Yes
Ability to define/execute start-up tasks-WebSite:No WebRole:Yes
Ability to use unsupported frameworks or libraries-WebSite:No WebRole:Yes
Support for Windows Azure Connect/ Windows Azure Network-WebSite:No WebRole:Yes
To get a more in detail, visit this link: http://blogs.msdn.com/b/silverlining/archive/2012/06/27/windows-azure-websites-web-roles-and-vms-when-to-use-which.aspx

Resources