Hello, Siberians. Welcome to this lesson on APP service security.
This lesson is part of the fifth Madu Off the is that 500 Microsoft Azure security technologist cast
some quick information on what will be covering in this lesson.
We'll start with an overview off azure APP service.
Well, then discussed best practices like the sibling insecure protocols
implementing client authentication and authorization application, Secret management and network security.
Let's get into this.
So let's review some of the men. Point about the APP service
fast. It's a managed service for Austin Web applications. FBI applications on mobile back end in Hajer
on by managed with men that we don't have to worry about operating system maintenance that was taking care off for horse by the platform on. It's done in a way that is transparent to us.
With AB service, we have the option off Austin, a halfs as cold as containers.
We also have flexibility in options toe deploy ah ha applications
we can deploy directly from get up as your repose bit bucket one. Drive dropbox or even using FTP.
Here's some security best practices for as your half service
fost the several insecure protocols.
config. Our client authentication and authorization
Implement secrets, management and forth
Implement network security. Let's look at this best practices in more details.
It's the best practice to disable unencrypted connections on insecure TLS protocols. So the first point here is to disable http
on absolutes Makes this easy by providing a turnkey option that we can use to enforce https on this way on secured requests A turned away before they even reach our application called
We can also enforce Onley security. Unless visions
tell us 1.0 is no longer considered secure by industry standards
have service as a conflict a vision option to disable this.
We should also look to the sable FTP
half service support both ftp an ftp s for court deployment on If we're using this method, we should be using FTP s instead off FTP
or better still, if when No, using this method, we can disable but protocols.
When it comes to client authentication,
we can implement our own authentication and authorization solution All we can allow Absar visto Undo this for horse. We can offload that task up service
have service supports a model called the Easy Art Mahdi
which Anders Web requests before handling them off to a application called As you can see in the diagram on the screen
and this way, the more you can authenticate request on deny on authorized requests before they even reach our court.
The model also supports multiple indication providers like a Joy D Microsoft account, Facebook, Google and Twitter,
which we get to applications secrets like database connection strings. AP I talking on private keys. It's no good practice to start them in court
by yourself doing that. What we want to do is to start them in Azure Key, vote on, then reference them in the application service configuration settings.
Here's an example off a secret reference in key votes
on Here's an alternative methods to reference the same secret. In Key Vote,
which we gets the network security. We can implement something called Started I P restrictions, which is essentially and allow the least off I P addresses
by the fault half service accept requests from all I P addresses from the Internet,
but we can limit this access to a small subset off I P addresses if we so choose.
That depends on our application use case
If we have a requirements to implement network isolation, we can use the isolated price into off AB service. To achieve this,
this gives complete network isolation by running a applications inside a dedicated APP service environment, and it runs these in the private virtual network.
Harder tears off AB service rather application on a shared network. Infrastructure
on what that means is that the sauces like Public I P addresses front and look balances I shared with other tenants. So if we do not want to do this, we can use the isolate that here.
We can also use a Web application firewall to protect applications, a guest Web application. Common traits like sequel injection on across I scripted.
We have too many options for Web application Firewall In Hajer,
we have the application gets way plus wife, which we can use to implement while from a regional perspective.
And we have as a front door plus wife, which we can use to implement wife from a global perspective.
He has some supplementary things for further studies on the topics covered in this lesson,
and here's a summary of what we covered.
We started with an overview off as your job service who didn't discourse. Best practices like dissembling, insecure protocols,
implementing client authentication and authorization
application. Secret management on network security.
Thanks very much for watching, and I'll see you in the next lesson.