Application Security (part 3 of 3)

By Ashwin Venugopal -

 


To read part 1 please click here
To read part 2 please click here


Managed Identities

Managed Identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI) for Azure resources feature in Azure AD and provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions, there's no additional cost.

How managed identities for Azure resources works?

There are two type of managed identities:

  • A system-assigned managed identity is enabled directly on an Azure service instance and when the identity is enabled, azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. The lifecycle of a system-assigned managed identity is directly tied to the Azure service instance that it's enabled on and if the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
  • A user-assigned managed identity is created as a standalone Azure resource and after the identity is created, it can be assigned to one or more Azure service instances. The lifecycle of a user-assigned manged identity is managed separately from the lifecycle of the Azure service instances to which it is assigned.     

Internally, managed identities are service principles of a special type, which are locked to only be used with Azure resources. Also, when a user-assigned or system-assigned identity is created, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity.

Your code can use a managed identity to request access tokens for services that supports Azure AD authentication. Azure takes care of rolling the credentials that are used by the service instance. 

How a system-assigned managed identity works with an Azure VM?

  1. Azure Resource Manager receives request to enable the system-assigned managed identity on a VM.
  2. Azure Resource Manager creates a service principle in the Azure AD tenant for the identity of the VM that's trusted by the subscription.
  3. Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principle client ID and certificate.
  4. After the VM has an identity, use the service principle information to grant the VM access to Azure resources. 
  5. Your code that's running on the VM can request a token from the Azure Instance Metadata service endpoint, accessible only from within the VM: http://169.254.169.254/metadata/identity/oauth2/token
  • The resource parameter specifies the service to which the token is sent.
  • API version parameter specifies the IMDS version, use api-version=2018-02-01 or greater.          

      6. A call is made to Azure AD to request an access token by using the client ID and certificate                      configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.

      7. Your send the access token on a call to a service that supports Azure AD authentication.

Web App Certificates

You can restrict access to your Azure App Service app by enabling different types of authentications for it. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication.

Enable client certificates

To set up your app to require client certificates, you can switch on the Require incoming certificate by selecting configuration > General Settings from the Azure Portal or you need to set the clientCertEnabled setting for your app to be true.

Exclude paths from requiring authentication

To allow certain paths to remain open for anonymous access, you can define exclusion paths as a part of your application configuration. Exclusion paths can be configured by selecting Configuration > General Settings and defining an exclusion path. 

Access client certificate

When forwarding a request to your app code with client certificates enabled, App Service injects an X-ARR-ClientCert request header with the client certificate. App service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate.


To read part 1 please click here
To read part 2 please click here





Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more