Azure policies & Azure firewall

Hi,

I recently blogged about the new Azure Firewall, which lets you control outbound traffic from resources hosted inside a VNET. At the time of writing, although the firewall is defined at VNET level, it does not apply automatically to all resources in that VNET. Indeed, routing is enforced through a route table (user-defined routes) that you have to associate with some or all subnets.

Posted in Azure, Security

Azure Connectors, the DMZ 2.0?

Hi,

I wanted to write this blog post because I’m often facing hard resistance from customers working with the Cloud and Hybrid Architectures regarding some security aspects.

A very well-known way to secure access to on-premises resources is a buffer perimeter called a DMZ, something everybody knows, including junior developers, because it is probably as old as the Internet. While this way of working is usually very effective, it is certainly not the most efficient, since it usually takes more time to get something new added to the DMZ than to the regular data center or directly to the Cloud (PaaS, FaaS).

Posted in Azure, Azure Active Directory Proxy

Understanding Azure MSI (Managed Service Identity) tokens & caching

Hi,

Now that Azure MSI is generally available for App Services and Azure Functions, there is no more excuse not to use it. As a recap, Azure MSI is a great way to develop more secure applications and to set up more secure environments, mostly because it saves you from having to generate and manage credentials (service accounts or app registrations with secrets) yourself.
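An added example (not the post's own code) of the pattern this post is about: request a token from the App Service managed identity endpoint, cache it per resource, and refresh it shortly before it expires, then read the token's claims to see which identity and expiry it carries. It assumes the App Service endpoint of that time (the MSI_ENDPOINT and MSI_SECRET environment variables and api-version 2017-09-01, whose expires_on field is a date string); the resource URI and the refresh margin are assumptions.

```powershell
# Added example, not code from the original post.
# Assumes the App Service MSI endpoint exposed through MSI_ENDPOINT / MSI_SECRET
# with api-version 2017-09-01 (expires_on is returned as a date string).
$script:TokenCache = @{}

function Get-MsiToken {
    param(
        [Parameter(Mandatory)][string]$Resource,   # assumption: e.g. https://vault.azure.net
        [int]$RefreshMarginMinutes = 5             # assumption: refresh this long before expiry
    )
    $now   = [DateTimeOffset]::UtcNow
    $entry = $script:TokenCache[$Resource]
    # Serve from cache while the token is still comfortably inside its lifetime.
    if ($entry -and $entry.ExpiresOn -gt $now.AddMinutes($RefreshMarginMinutes)) {
        return $entry.AccessToken
    }

    $uri = '{0}?resource={1}&api-version=2017-09-01' -f $env:MSI_ENDPOINT, [uri]::EscapeDataString($Resource)
    # The Secret header proves to the local endpoint that the caller runs inside this App Service.
    $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Secret = $env:MSI_SECRET }

    # Parse the expiry culture-invariantly; the sandbox's locale must not change the result.
    $expiresOn = [DateTimeOffset]::Parse($resp.expires_on, [cultureinfo]::InvariantCulture)
    $script:TokenCache[$Resource] = [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresOn   = $expiresOn
    }
    return $resp.access_token
}

# Decode (without validating) the JWT payload so you can see which identity the
# token represents and when it expires. Only for inspection; never trust an
# unvalidated token on the receiving side.
function Read-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {   # restore base64 padding stripped by base64url
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = Get-MsiToken -Resource 'https://vault.azure.net'
$claims = Read-JwtPayload -Jwt $token
# appid/oid identify the managed identity; exp is the Unix-time expiry; aud is the resource.
$claims | Select-Object appid, oid, aud, exp
```

The security-relevant consequence of caching, whether in your own code or in the endpoint that hands the token out, is that a bearer token carries the claims it was issued with until its exp: removing a role assignment is not enforced against a caller that still holds a valid, cached token, so plan role changes with the token lifetime in mind and keep the refresh margin small rather than caching aggressively.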

Posted in Azure

Azure Firewall, a step towards a “managed” NVA?

Hi,

Microsoft recently made Azure Firewall available in public preview. This Firewall-as-a-Service offers a new way to protect and control network traffic via both network and application rules. At the time of writing, Azure Firewall controls outbound traffic only. Network rules are similar to what you can do with an NSG (source, destination, port, protocol), whereas application rules let you filter on FQDNs (URLs), as shown below:
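An added example (not code from the original posts) covering the two points made in this post and in the "Azure policies & Azure firewall" post further up the page: an application rule that allows outbound HTTP/HTTPS from one subnet to a single FQDN, and the route table without which the firewall, although deployed in the VNET, never sees that subnet's traffic. It uses the Az PowerShell module (the preview-era AzureRM cmdlets have the same shape with an AzureRm prefix) and assumes the firewall is already deployed in the mandatory AzureFirewallSubnet; the resource group, VNET, subnet, firewall and NIC names are assumptions.

```powershell
# Added example, not code from the original posts. Az module; all names are assumptions.
$rg             = 'rg-fw-demo'
$location       = 'westeurope'
$vnetName       = 'vnet-hub'
$workloadSubnet = 'snet-workload'     # the subnet whose egress must go through the firewall
$fwName         = 'fw-hub'            # already deployed in the 'AzureFirewallSubnet' subnet

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$fw   = Get-AzFirewall -ResourceGroupName $rg -Name $fwName

# The firewall's private IP is the next hop for the user-defined route.
$fwPrivateIp    = $fw.IpConfigurations[0].PrivateIPAddress
$workloadPrefix = ($vnet.Subnets | Where-Object Name -eq $workloadSubnet).AddressPrefix

# 1. Application rule: only HTTP/HTTPS to *.github.com is allowed from the workload subnet.
#    Everything not matched by a rule collection is denied by the firewall.
$rule = New-AzFirewallApplicationRule -Name 'allow-github' `
    -SourceAddress $workloadPrefix `
    -TargetFqdn '*.github.com' `
    -Protocol 'http:80', 'https:443'
$coll = New-AzFirewallApplicationRuleCollection -Name 'app-coll-allow' `
    -Priority 200 -Rule $rule -ActionType Allow
$fw.AddApplicationRuleCollection($coll)
Set-AzFirewall -AzureFirewall $fw

# 2. Route table: default route whose next hop is the firewall. This is the step the
#    first post refers to; deploying the firewall alone changes no traffic path.
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'rt-via-fw' -Location $location
Add-AzRouteConfig -RouteTable $rt -Name 'default-to-fw' `
    -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable

# 3. Associate the route table with the workload subnet only. Never associate a
#    0.0.0.0/0 -> firewall route with AzureFirewallSubnet itself (routing loop).
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workloadSubnet `
    -AddressPrefix $workloadPrefix -RouteTable $rt | Set-AzVirtualNetwork

# 4. Check from the workload side: the effective routes of a NIC in that subnet
#    (attached to a running VM) must show 0.0.0.0/0 with next hop VirtualAppliance
#    and the firewall's private IP. If they still show 'Internet', the association
#    did not take and the firewall is being bypassed.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'nic-workload-vm' |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```

Step 4 is the check worth keeping in a runbook: an NSG on the subnet does not tell you whether the firewall is in the path, only the effective route does, and a subnet added later to the VNET starts with no route table at all.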

Posted in Azure

Integrating On-Premises Jenkins with VSTS to deploy to an ILB ASE

Hi,

I recently had to integrate an on-premises Jenkins with VSTS in order to use VSTS's out-of-the-box capabilities to deploy resources to Azure. Although there is quite good documentation on this topic, you must be able to read between the lines. So, with this blog post, I'm not going to repeat what is described in the article, but to fill the gap when it comes to integrating with an on-premises Jenkins rather than a Cloud-based Jenkins, as assumed by the Microsoft documentation. Since an image says more than a lengthy speech, here is one that sums it all up:

Posted in Azure, DevOps, vsts

My recipe to build secure applications hosted in Azure

Hi,

Here are some tips that might help you build and host secure applications in Azure.

Application Architecture: Clients and APIs

Make a clear separation between clients and APIs. I'm not a great fan of MVC, where the C part is often used as an API layer by developers. I advocate a clear separation between the client part (a mobile app, a SPA, etc.) and the API layer. Clients and APIs should be hosted in different App Services.

Posted in Azure, Azure Active Directory, Azure Key Vault, Security

Azure Security Cheat Sheet

Hi,

Cybersecurity is a concern for everyone today, as more and more workloads are connected one way or another, meaning exposed one way or another. When it comes to the Cloud, things get wilder, as PaaS, CaaS, FaaS and even IaaS to some extent represent a paradigm shift. Organizations tend to rely on good old recipes that are perfectly suitable for traditional on-premises systems but are not especially a good fit for the Cloud, even when talking IaaS, since the underlying network plumbing does not have much in common with on-premises networks. Moreover, insiders represent a severe security risk, but some organizations still think their premises are way more secure than the Cloud, just because they sit within their own walls.

Posted in Azure