March 26, 2020

How to maintain security for an Azure web app?

Azure App Service security best practices:

Azure Active Directory (AD) authentication: App Service can use Azure AD as its identity provider through an OAuth 2.0 service. OAuth 2.0 focuses on simplicity for client developers while providing specific authorization flows for web apps, desktop apps, and mobile phones. Azure AD uses OAuth 2.0 to authorize access to mobile and web apps.

Role-based access restriction:

Limiting access is imperative for organizations that want to implement data access protection policies. You can use role-based access control (RBAC) to grant permissions to users, groups, and web applications at a specific scope. The need-to-know and least-privilege principles apply here.

Key protection:

If you lose your subscription keys, it doesn't matter how good the rest of your protection is. Azure Key Vault helps secure the cryptographic keys and secrets that cloud web apps and services use. With Key Vault, keys and secrets can be protected by keys held in hardware security modules (HSMs). You can import or generate keys in HSMs for added assurance.

Restricting incoming sources:

App Service has a virtual network integration feature that lets you exclude incoming source IP addresses with network security groups (NSGs). If you are unfamiliar with Azure Virtual Networks (VNets), this feature lets you place your Azure resources in a private, non-internet-routable network over which you control access. You can also restrict IP addresses dynamically by configuring the web app.

Developing a secure web app:

Prerequisites:

You must have an active Azure subscription. If you don't have one, you can sign up for a free account.

Stage 1: Create a web app in Azure. Navigate to the Azure portal. Search for "Web App" using the search box at the top of the page. The results appear as follows:

Deploying the web app:

To get the application up and running, certain software needs to be installed:

A code editor to view and change the application code. Visual Studio Code is an open-source option.

Azure CLI, installed on your computer, for the deployment.

Git on the machine. Git is used to clone the source code locally.

jq, a user-friendly UNIX tool for querying JSON.

To deploy the sample app you need an Azure subscription. If you don't have one, a free account can be created to test the sample app. After installing these tools you can deploy the app to Azure.

Setting up the environment:

Use this command:

    git clone https://github.com/Azure-Samples/sample-linux-python-app tutorial-project

To move into the directory, use this command:

    cd tutorial-project/scripts

The scripts folder contains files specific to the framework you are using. With the Azure CLI installed, sign in to your Azure account at the command prompt by running this CLI command:

    az login

The deploy-powershell.ps1 and deploy-bash.sh deployment scripts contain the code that deploys the entire application.

If you are on PowerShell, run the deploy-powershell.ps1 file by typing ./deploy-powershell.ps1 REGION RESOURCE_GROUP_NAME, replacing REGION and RESOURCE_GROUP_NAME with the correct Azure region and resource group name.

If you are on Linux, run the deploy-bash.sh file by typing ./deploy-bash.sh REGION RESOURCE_GROUP_NAME; you first need to make the file executable (for example with chmod +x deploy-bash.sh). The components can be deployed individually or all together by running the deploy scripts.

Guidelines for implementation:

The deployment script can be broken into four phases. Each phase deploys and configures one resource from the Azure architecture diagram.

The four stages are:

Create Azure Key Vault.

Deploy Azure Database for PostgreSQL.

Deploy the Azure web app running on Linux.

Deploy Application Gateway with the web application firewall.

Each phase builds on the preceding one, using configuration from previously deployed resources.

Throughout this segment, you build and deploy an Azure Key Vault instance which is used to store secrets and certificates.

Once the deployment is complete, you have an Azure Key Vault instance running in Azure.

To deploy Azure Key Vault using the Azure CLI:

Declare the Azure Key Vault variables.

Register the Key Vault resource provider.

Create the resource group.

Create the Azure Key Vault instance in the resource group created in step 3.

    # Placeholder values: in the deployment script these come from the
    # REGION and RESOURCE_GROUP_NAME arguments and the resource group
    # created in the previous step.
    $Location      = "<azure-region>"
    $ResourceGroup = "<resource-group-name>"
    $kvName        = "<key-vault-name>"

    # Returns the last segment of a new GUID, used as a random suffix
    function Get-Hash() {
        return (New-Guid).Guid.Split('-')[4]
    }

    # Register the Key Vault resource provider, then create the vault
    az provider register -n Microsoft.KeyVault
    az keyvault create --name $kvName `
        --resource-group $ResourceGroup `
        --location $Location `
        --verbose

    # Generate the PostgreSQL credentials and store them as secrets
    $pgUsername = "$($env:Username)$(Get-Hash)"
    $pgPassword = (New-Guid).Guid

    az keyvault secret set --vault-name $kvName `
        --name PGUSERNAME `
        --value $pgUsername `
        --verbose

    az keyvault secret set --vault-name $kvName `
        --name PGPASSWORD `
        --value $pgPassword `
        --verbose

Web application firewall:

It is not recommended to expose application resources directly on the internet. Load balancing and firewall rules give you greater protection and control over incoming traffic and help you manage it.

Deploying an instance of Application Gateway:

Create the resource group to house the gateway.

Create a virtual network in which to connect the gateway.

Create a subnet inside the virtual network for the gateway.

Create a public IP address.

Provide the key to the service.

Enable the web application firewall on the gateway.

    # Placeholder values for the certificate step
    $certName = "<certificate-name>"
    $filePath = "<download-path-for-raw.pfx>"
    $certPath = "<output-path-for-protected.pfx>"

    # Create a self-signed certificate in Key Vault from the policy file
    az keyvault certificate create --vault-name $kvName `
        --name $certName `
        --policy `@policy.json `
        --verbose

    # Download the certificate with its private key as a raw PFX file
    az keyvault secret download --file $filePath `
        --encoding base64 `
        --name $certName `
        --vault-name $kvName `
        --verbose

    $pfxFile = Get-PfxData -FilePath $filePath

    # Password for the exported PFX. Get-Random (as originally used) yields a
    # short integer from a non-cryptographic generator, so 32 bytes from the
    # .NET CSPRNG are used instead.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $certPassword = [Convert]::ToBase64String($bytes)

    # Keep the PFX password in Key Vault next to the certificate
    az keyvault secret set --vault-name $kvName `
        --name CERTPASSWORD `
        --value $certPassword `
        --verbose

    $signPassword = ConvertTo-SecureString $certPassword -Force -AsPlainText
    Export-PfxCertificate -PFXData $pfxFile -FilePath $certPath -Password $signPassword

The previous script does the following:

Creates a new self-signed certificate in Azure Key Vault.

Downloads the self-signed certificate in base64-encoded format.

Generates a password for the signed certificate.

Exports the certificate as a password-protected PFX file.

Stores the certificate password in Azure Key Vault.

With that in place, the web application firewall can be enabled.
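The page lists the gateway steps above but shows no code for them. The following is an added example, not part of the original post or the sample repository, that runs those steps with the Azure CLI from PowerShell and then restricts the web app so it only accepts traffic from the gateway subnet; all names, paths and address ranges are assumed placeholders, and $certPath and $certPassword are assumed to come from the certificate script above.

```powershell
# Added example (not from the original post): WAF_v2 Application Gateway in
# front of the App Service, followed by a check that the app cannot be reached
# except through the gateway. All values below are assumed placeholders.
$Location      = "<azure-region>"
$ResourceGroup = "<resource-group-name>"
$webAppName    = "<web-app-name>"
$vnetName      = "secure-app-vnet"
$subnetName    = "gateway-subnet"
$pipName       = "gateway-pip"
$gwName        = "secure-app-gateway"
$certPath      = "<output-path-for-protected.pfx>"   # PFX exported above
$certPassword  = "<value stored as CERTPASSWORD>"
$backendFqdn   = "$webAppName.azurewebsites.net"

# 1. Resource group for the gateway
az group create --name $ResourceGroup --location $Location

# 2. and 3. Virtual network with a dedicated subnet for the gateway
az network vnet create --name $vnetName --resource-group $ResourceGroup `
    --location $Location --address-prefix 10.0.0.0/16 `
    --subnet-name $subnetName --subnet-prefix 10.0.0.0/24

# 4. Static public IP (Standard SKU is required by the WAF_v2 gateway)
az network public-ip create --name $pipName --resource-group $ResourceGroup `
    --location $Location --sku Standard --allocation-method Static

# 5. Gateway with the PFX certificate on an HTTPS listener and the WAF SKU
az network application-gateway create --name $gwName --resource-group $ResourceGroup `
    --location $Location --sku WAF_v2 --capacity 2 `
    --vnet-name $vnetName --subnet $subnetName --public-ip-address $pipName `
    --frontend-port 443 --http-settings-port 443 --http-settings-protocol Https `
    --servers $backendFqdn --cert-file $certPath --cert-password $certPassword

# 6. Turn the firewall on in Prevention mode with the OWASP core rule set
az network application-gateway waf-config set --gateway-name $gwName `
    --resource-group $ResourceGroup --enabled true --firewall-mode Prevention `
    --rule-set-type OWASP --rule-set-version 3.1

# Check: the WAF is only useful if the app is not reachable around it. Enable
# the Microsoft.Web service endpoint on the gateway subnet and allow only that
# subnet in the app's access restrictions (everything else is denied).
az network vnet subnet update --name $subnetName --vnet-name $vnetName `
    --resource-group $ResourceGroup --service-endpoints Microsoft.Web
az webapp config access-restriction add --name $webAppName --resource-group $ResourceGroup `
    --rule-name AllowGateway --action Allow --vnet-name $vnetName `
    --subnet $subnetName --priority 100
```

For an App Service backend the gateway's HTTP settings also need the host name taken from the backend address (az network application-gateway http-settings update ... --host-name-from-backend-pool true), which the page does not cover.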

Conclusion: