I work in a small startup that is only hosted in Azure and I was wondering the best way to secure everything.
I use the below services
Web Apps (public facing)
Virtual machines - Running apps and services
Sql Server
Service Bus
Storage Account.
The web apps and the Vms need to communicate with the other three services.
Below is what we are currently doing. Is this correct and if not can you provide any resources to work from?
Service bus - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
Storage Account - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
Sql server - This is currently using the firewall to Allow access to Azure Services plus restricting it to client machines that need to access the DBs through SSMS
VM - this is restricted using Network Security Groups to only allow client machines to RDP on.
I would appreciate any help that can be provided.
Edit
Things that I am worried about are:
Sql Server "allow access to Azure". I can turn this off, but then the website will need to be added to the firewall, and as I understand it the IP address is not static. Is it a security concern to leave this on?
Storage accounts: the connection string allows unlimited access to the account. You can lock this down with SAS to IP addresses, but it has the same issues as the SQL server when connecting from the website. Also, the SAS is time-based; how is it renewed?
Sql Server "allow access to Azure". I can turn this off, but then the website will need to be added to the firewall, and as I understand it the IP address is not static. Is it a security concern to leave this on?
By default, “Allow access to Azure services” is turned on, enabling this feature would allow any traffic from resources/services hosted in Azure to access the database.
Storage accounts: the connection string allows unlimited access to the account. You can lock this down with SAS to IP addresses, but it has the same issues as the SQL server when connecting from the website. Also, the SAS is time-based; how is it renewed?
A shared access signature can take one of two forms: an ad hoc SAS and a SAS with a stored access policy. We could re-specify the start time, expiry time, and permissions to get a new ad hoc SAS. When we associate a SAS with a stored access policy, the SAS inherits the constraints - the start time, expiry time, and permissions - defined for the stored access policy; we could modify the stored access policy to revoke the SAS, or get a new SAS based on a new stored access policy.
For more information about Shared Access Signatures (SAS), you could read this article.
Regarding access to the SQL server from your web apps:
They are using up to four outbound IP addresses when connecting to external services. You could limit the SQL server access to those.
Read this article to find them.
That won't completely close down foreign access to the SQL server, as other people's web apps are using the same four outbound IP addresses.
Scenario: We have an Azure cloud environment that contains three (Prod, Test, Dev) PaaS database servers (PostgreSQL Flexible Servers). Each server exists in its own VNet. The SQL data tables found in each server contain sensitive information. Let's say we require an external user (e.g. a contractor or consultant) to access the data tables in a secure way, with MFA enabled. What would be a secure & simple way of enabling this?
Some options I can think of:
Share database server credentials with external user (high risk of credentials being misplaced. No MFA option?):
Whitelist user IP address against Azure firewalls
Send PaaS server credentials to external user via email or SMS.
They connect using an SQL client on their machine.
External user to use VM via Bastion:
Add external user to Azure AD
Turn on MFA for user in AD
Create VM in Azure, with SQL client software installed (ie. pgAdmin for PostgreSQL)
Configure access to the 3 PaaS servers (Prod, test, dev) from the VM
Set up Bastion server with access to VM
Enable user to access VM via Bastion server
The second option incurs extra costs for the VM and Bastion of course. Are there any other methods I should consider?
In Azure Storage there's a section called Firewalls and Virtual Networks. May I know if I can use it for the following use case?
I have a video uploaded to the blob, and I need only a set of selected users who have logged in to the application to view my video.
My WebAPI application is hosted as an Azure WebApp. Can I use the IP address where the WebApp is hosted to create a rule in the Firewalls and Virtual Networks section below to only allow access to Storage if the user requests the URL via the WebApp (let's say /viewVid/myvideo.mp4)?
If the user copies the URL of the video (by inspecting the HTML code) and pastes it into the browser, will the user be able to view the video, as the request is not coming via the WebApp?
Note: Overall objective is to prevent a User from copying a URL (by inspecting the HTML code) and downloading or viewing the video.
Firewalls and VNet NSGs are network-level restrictions, so they will not give you the user-level restrictions you are looking for. You can use them to limit your surface area, but to implement what you are asking for, you need to implement authentication.
Azure Blob Storage supports Shared Key, Shared Access Signatures (SAS), Azure Active Directory (AAD), Active Directory Domain Services (ADDS) and anonymous public access. The most secure way is to implement AAD with user delegation. If you are not able to store the users for this application in AAD then you should look at SAS. SAS tokens can be time-bound and restricted to certain IP addresses.
Also, you should take a look at Azure Media Player. Microsoft Azure Media Services (AMS) is an extensible cloud-based platform that enables developers to build scalable media management and delivery applications. Media Services is based on REST APIs that enable you to securely upload, store, encode, and package video or audio content for both on-demand and live streaming delivery to various clients (for example, TV, PC, and mobile devices).
Links
https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://learn.microsoft.com/en-us/azure/media-services/previous/media-services-content-protection-overview
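An added example (not code from the SAS answer above or from the answer to this question) showing the pattern both describe: the web app keeps the account key, and after its own login check mints a short-lived, read-only, IP-bound ad hoc SAS for just the requested blob; a stored-access-policy SAS instead carries only the policy name, so revocation is a server-side policy change rather than a key rotation. Account, container, blob, user and policy names are placeholders, the key is a constructed dummy, and the string-to-sign layout is assumed to be that of the Blob service SAS for API version 2020-12-06.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAS_VERSION = "2020-12-06"   # assumed API version; the string-to-sign layout below is for it
DEMO_KEY = base64.b64encode(b"\x01" * 64).decode()   # constructed stand-in for the account key


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_blob_sas(account, key_b64, container, blob, *, permissions="r",
                  minutes=10, ip_range="", policy_id="", now=None):
    """SAS query string for one blob. Ad hoc: permissions/window/IP are embedded and
    signed, so "renewal" is simply minting a new one. Policy (policy_id set): those fields
    stay empty and come from the container's stored access policy; editing or deleting
    the policy revokes every token issued against it."""
    now = now or datetime.now(timezone.utc)
    if policy_id:
        sp, st, se = "", "", ""
    else:
        sp = permissions
        st = _ts(now - timedelta(minutes=5))            # clock-skew margin
        se = _ts(now + timedelta(minutes=minutes))
    resource = f"/blob/{account}/{container}/{blob}"    # canonicalized resource
    # permissions, start, expiry, resource, identifier, IP, protocol, version, signedResource
    # (b = blob), snapshot time, encryption scope, then rscc/rscd/rsce/rscl/rsct (all unused)
    fields = [sp, st, se, resource, policy_id, ip_range, "https", SAS_VERSION, "b",
              "", "", "", "", "", "", ""]
    sig = hmac.new(base64.b64decode(key_b64), "\n".join(fields).encode("utf-8"),
                   hashlib.sha256).digest()
    params = {"sv": SAS_VERSION, "sr": "b", "spr": "https"}
    if policy_id:
        params["si"] = policy_id
    else:
        params.update(sp=sp, st=st, se=se)
    if ip_range:
        params["sip"] = ip_range
    params["sig"] = base64.b64encode(sig).decode()
    return urlencode(params)


def video_url_for(user, client_ip, blob, allowed_users, account="myaccount",
                  container="videos", key_b64=DEMO_KEY):
    """What a /viewVid handler returns after the app's own login check: read-only,
    10-minute, single-blob, and only from the caller's IP, so a copied URL soon stops working."""
    if user not in allowed_users:
        return None
    sas = make_blob_sas(account, key_b64, container, blob, ip_range=client_ip)
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{sas}"
```

Because the stored-access-policy token contains neither permissions nor expiry, the policy itself must exist on the container before the token is accepted.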
I believe that you can use the App Service VNet integration feature for your project to restrict network access to the storage account.
My company developed a business suite which is not a SaaS platform now. We're in beta mode now and will launch V2 within the next 2 months. Currently we are creating instances for interested clients (free for a year) but are getting questions about whether their data is secured. Now, my question is: since we are creating their instances on our Azure platform, is there a way to make sure that we won't be able to access their data in any way?
Thanks in advance!
Some of the security setup you can configure and present are -
Configure firewall rules to restrict access to the DB based on the originating IP address of each request. You can share the firewall settings showing that only specific Virtual Machines/Computers have access to the client's database.
Authentication to the database. We can remove any SQL authentication (username/password based) and configure only Azure integrated security for the applications accessing the database. Best practice would be using service accounts to access the DB. You can showcase this too.
For security concerns I'm planning to not allow Azure services to communicate with all Azure services, but only with the services they are working with.
For example, I've some web apps that use Azure SQL Databases. Should I only add the outbound IP addresses of the Azure Web Apps in the Azure SQL server firewall?
Or do I need to do something else?
This is not as easy as it should be. SQL Azure is not designed to be virtual-network friendly, so your only options are "Allow all Azure services" or hard-coded IPs. Unless your web apps have static IPs, however, this won't be possible without writing a custom updater for the database which picks up IP address changes.
You could install a SQL server onto a VM and use virtual private networks, otherwise, make sure the login credentials are secure and accept the fact that an Azure client from anyone could attempt to connect to your database server.
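The "custom updater" mentioned in the answer above, and the outbound-IP firewall rules suggested in the earlier SAS/SQL answer, as an added example (not code from either answer): it reads the web app's outbound IPs with the Azure CLI and reconciles single-address rules on the SQL server firewall, creating missing ones, deleting prefixed rules for IPs the app no longer uses, and reporting whether the 0.0.0.0 "Allow Azure services" rule is still present. RG, SRV and APP are placeholder resource names and the rule-name prefix is an assumed convention.

```python
import ipaddress
import json
import subprocess

RULE_PREFIX = "webapp-outbound-"   # assumed naming convention for rules this script owns


def parse_outbound_ips(raw):
    """'40.1.2.3,40.1.2.4' (from `az webapp show ... -o tsv`) -> sorted IPv4 list."""
    ips = {p.strip() for p in raw.replace("\n", ",").split(",") if p.strip()}
    for ip in ips:
        ipaddress.IPv4Address(ip)            # ValueError on anything that is not an IPv4
    return sorted(ips, key=ipaddress.IPv4Address)


def allows_all_azure(rules):
    """True if the 'Allow Azure services' toggle is on: it is exposed as a firewall
    rule whose start and end address are both 0.0.0.0 (the original question's worry)."""
    return any(r["startIpAddress"] == "0.0.0.0" == r["endIpAddress"] for r in rules)


def plan_changes(outbound_ips, rules):
    """Return (to_create, to_delete) without touching Azure: (name, ip) pairs for IPs no
    single-address rule covers, and our prefixed rules whose IP the app no longer uses.
    Rules without the prefix (office ranges etc.) are never deleted."""
    single = {r["name"]: r["startIpAddress"] for r in rules
              if r["startIpAddress"] == r["endIpAddress"]}
    covered = set(single.values())
    to_create = [(RULE_PREFIX + ip.replace(".", "-"), ip)
                 for ip in outbound_ips if ip not in covered]
    to_delete = sorted(name for name, ip in single.items()
                       if name.startswith(RULE_PREFIX) and ip not in outbound_ips)
    return to_create, to_delete


def az(*args):
    """Run an Azure CLI command (needs a prior `az login`) and return its stdout."""
    return subprocess.run(["az", *args], check=True, capture_output=True, text=True).stdout


def sync(rg, server, app):
    """Apply the plan; run it on a schedule so IP changes are picked up. Query
    possibleOutboundIpAddresses instead to cover every IP the app may use after scaling."""
    ips = parse_outbound_ips(az("webapp", "show", "-g", rg, "-n", app,
                                "--query", "outboundIpAddresses", "-o", "tsv"))
    rules = json.loads(az("sql", "server", "firewall-rule", "list", "-g", rg, "-s", server))
    to_create, to_delete = plan_changes(ips, rules)
    for name, ip in to_create:
        az("sql", "server", "firewall-rule", "create", "-g", rg, "-s", server,
           "-n", name, "--start-ip-address", ip, "--end-ip-address", ip)
    for name in to_delete:
        az("sql", "server", "firewall-rule", "delete", "-g", rg, "-s", server, "-n", name)
    return to_create, to_delete, allows_all_azure(rules)
```

Call `sync("RG", "SRV", "APP")` from a scheduled job; a `True` third return value means the blanket Azure-services rule still bypasses the per-IP rules.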
The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity. Then you can provision it as an AAD user in your SQL Server.
This has the (large) added benefit of removing the secrets from the application, so you don't have to configure your application with a Client Secret, or a SQL Login/Password.
You can also run your App on a VNet, and configure your SQL firewall to only permit access from that VNet using Virtual Network service endpoints for Azure SQL Database.
Or use the newer and much better Private Link for Azure SQL Database.
Some of the ways to secure the connection to the SQL database that could be considered in this case are -
As you mentioned, you are already thinking of configuring a firewall to whitelist the allowed IP addresses. The firewall could be configured both on the SQL server level and the database level (we can use SSMS to configure the firewall at the database level).
We can encrypt data. Of course this would be encryption at rest. And the good news is the application connecting to the database need not change to query encrypted data.
The third way would be the traditional way (even if we were not using Azure DB): we would prevent unauthorized access by creating users/roles/permissions.
A very nice feature I found Azure DB provides is the Threat Detection capability. If you turn that on, you would be notified of the possible vulnerabilities of the current DB/server setup, and also where improvements can be made to fix those issues.
Connect your Azure function with your SQL DB using private endpoints and VNET integration. Your app service will need to be standard or premium. Even Premium function plan will do. This LINK talks about it.
Authenticate your azure function on your SQL DB using managed identities. See this link for info on how to do that. Managed identities
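An added example (not code from either of the managed-identity answers above) for the path they recommend: the T-SQL a DBA runs to provision the app's AAD identity as a contained database user with only the roles it needs, and a connection that replaces the SQL login/password with an AAD access token. It assumes the identity is named my-webapp, uses azure-identity and pyodbc only at connect time, and packs the token the way the ODBC Driver for SQL Server expects for connection attribute SQL_COPT_SS_ACCESS_TOKEN (1256).

```python
import struct

SQL_COPT_SS_ACCESS_TOKEN = 1256   # ODBC Driver for SQL Server connection attribute
SQL_SCOPE = "https://database.windows.net/.default"


def quote_ident(name):
    """Bracket-quote a SQL identifier, escaping ']' so a display name cannot break out."""
    return "[" + name.replace("]", "]]") + "]"


def provisioning_sql(identity_name, roles=("db_datareader", "db_datawriter")):
    """T-SQL run once per database (not on master) while connected as the AAD admin:
    creates a contained user mapped to the app's identity, so no password exists
    anywhere, and grants only the roles the app needs."""
    ident = quote_ident(identity_name)
    stmts = [f"CREATE USER {ident} FROM EXTERNAL PROVIDER;"]
    stmts += [f"ALTER ROLE {quote_ident(r)} ADD MEMBER {ident};" for r in roles]
    return "\n".join(stmts)


def pack_access_token(token):
    """Encode a bearer token for attrs_before: 4-byte little-endian byte length
    followed by the token in UTF-16-LE."""
    encoded = token.encode("utf-16-le")
    return struct.pack("<I", len(encoded)) + encoded


def connect_with_identity(server, database):
    """Open a pyodbc connection with the app's managed identity instead of a password.
    In App Service, Functions or a VM, DefaultAzureCredential uses the assigned identity;
    on a developer machine it falls back to the `az login` session, so the code is the same."""
    import pyodbc                                    # imported here so the module loads offline
    from azure.identity import DefaultAzureCredential
    token = DefaultAzureCredential().get_token(SQL_SCOPE).token
    conn_str = (f"Driver={{ODBC Driver 18 for SQL Server}};Server=tcp:{server},1433;"
                f"Database={database};Encrypt=yes;")   # note: no UID/PWD anywhere
    return pyodbc.connect(conn_str,
                          attrs_before={SQL_COPT_SS_ACCESS_TOKEN: pack_access_token(token)})
```

Run `provisioning_sql("my-webapp")` once from SSMS as the server's AAD admin, then the app calls `connect_with_identity("SRV.database.windows.net", "mydb")` with no secret in its app settings.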
In short yes.
You can possibly make this more secure by creating vnet connection from the web app and creating a service endpoint for SQL. I'm not sure that will work, but worth a try.
We have created multiple API Apps for our application. However, these API Apps are connected to the internet, so we need to protect them. We have chosen an API Key, but we would like to have the API disconnected from the Internet, such that only our own applications can access them. Is there a way to disconnect them from internet access?
Each API App is automatically connected to the Internet and this can not be disabled. If you want to have an isolated environment you will have to create an App Service Environment. This will create an environment with multiple zones that can contain multiple App Service Providers. It also creates a virtual network that protects the resources in the ASE. You can configure the virtual network using access rules to only allow a certain IP address or none at all.
For more information about App Service Environment see: https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-intro/