Azure Container Instances (ACI) Security

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

8 hours 33 minutes
Video Transcription
Hello, Siberians. Welcome to this lesson on your container Instances, Security. This lesson is part of the sixth Badu Off the is that 500 Microsoft Azure security technologist costs now for simplicity are referring to the aggravation s c i going forward.
Some quick information on what will be covering in this lesson will start out with an overview off a C. I would end this cause the concept off container groups in a c A. Will discuss some key security best practices on finally
but dread demonstration off using a service principle to authenticate SC High to essay out for image deployments. As you can see, this less will be a combination off discussion on demonstration.
So let's get right into this
as your container instances offers the fastest and simplest way to run a continent Hajer. And what this means is that the severance provides a way for us to run continent images would doubt having to provision or maintain virtual machines
was simply defined in the Web browser or using a command line to the resources that we need on Microsoft
automatically provisions and manages the back and fast continent. Instances also offers significant startup benefits over years in virtual machines to run a containerized workloads. Containers can be started in seconds, with doubt needs to provision and manage GM's.
What types of content advised applications is the service idea, for it is ideal for isolated, continent sized workloads
that does not require full content orchestration that a service like a K has a larger community service provides. So, in other words, just simple applications that perform single tasks maybe like beauty jobs or task automation. We have benefit greatly from the service,
they say. I also supports put Windows and Lennox containers, and what we do is with simply specified on the line operating system type
when we want to create a content groups. Just a bit off. Caveat. On the last point, they asked some functionalities that are only supported for Lennox containers, not for Windows containers. As your continent Instances supports this concept off content. A group,
a container group, is a collection off continents that are shadowed to run on the same
Austin machine containers in a container group. She ever sauces because the run on the same most that's understandable. They also she a local network, the share storage volumes they even share the same life cycle. So if you're familiar with the concept off parts in communities, this is similar to that.
So the many years case for content groups is for content advised application workloads than needs to run together,
like in the example off the diagram on the screen we have a continent group which to continent instances running on the same most machine. The first containerized workload was the Web Fontaine on its reachable on Port 80. Very public DNS address. The second Containerized Workloads runs the data back end, which is exposed internally
on the sequel Sever Part, which is part one for territory.
And it also has an agile fascia mounted for persistence.
Let's look at some security best practices for a C. I. The first best practice deploy into a private Vettel network where we deploy a C. I. We have the option to specify whether it will be public, another what's deployed on the azure platform
or whether it will be private. In other words, deployed in a customer manage virtual network.
If there is no need for our continent instance to be public, make it private because that gives more control from a network traffic perspective. The second best practice exposed only the parts that are needed, regardless off whether our continent instance is private or public.
We have a configuration option to decide which parts will be exposed,
and the best practice is to expose on the departs that actually needed. For example, in the scenario that we have in the diagram, there is no needs toe. Expose the data Continent instance
called Best practice. Use a service principal toe authenticates toe a See how you know the water content of registry on not the admin user. So where we are automating the deployment off images start in as a container registry are container instance, we needs to authenticates to see how to be able to pull those images.
Best practice is to use a service principle
instead of the admin user, because the service principle allows us to have more granular auditing that allows us to identify which continent instance made a call on this leads us nicely into the demonstration, so he has a visual representation of what are between in the demo. I have a content of registry
that has a continent image start within it. The first Ronaldo is our create
a keyboard service. Instance on how they create on as your 80 service principle on a service principal secret key on our stop all of this information in the Kiva. I'll grant the service principle that I created the pool HVO to the content of registry. How then Deploy continent instance by programmatically
often in the values off the application. Heidi
on the secret from key vote and I'll provide this information to the container incense Devin deployment on during the deployment Continent. Instance, we use the up i d toe authenticate to the content of registry to pull the image for running. So how the tacit are between our between from the cloud shell,
what all these are opened. The editor and I have a foul that have prepared to be using for the task. Also, I'll be providing you with a supplemental link that contains instructions
to follow. True with the task that I'm doing in this demonstration. So what are these are great on upon the father Darby using on our go ahead and I light the fost for commands.
The foster it command should be used to set variables on the FARC commander be used to create a key. Roaches in the key vote create command. So what are these? Are just modified the name of to give out a beat.
So I have a unique name so wide, and I like that right Click copy,
then Vice Lincoln Paste and press enter to. That's
so the key vote is fully created now. So the next thing that our battalion is RB creating a service principle on a secret key and I'll be starting them in the key votes
now to do that, I'll just clear the screen the beats on. Are we running this next set of commands to do that? So what are we doing here? Is I'll be using the Is that keyboard secrets, said Commands, to set a secret and a key vote. But I'll be passing into that value
that's based on the output off, creating a service principle. So let's go ahead and do that. So worried and I like that are right click and copy than are right. Click and pitch that on our press. Enter to that, and now it's finished creating the secret.
So the next year they'll be doing this. I'll be creating another secret. But this time it's gonna have the value off the application. Heidi,
which are great and I like that are right. Click on that and click and copy how clear the screen again,
right click on Click on pastes on our press. Enter to that and now this now sets the value off my help. I d on the secret key in the Kiva. If I want to very fight up, I can go over here. I can go on the key votes. I can select the key roads that was created. I can go on the secrete and I should be able to see so secret
one for the half I d and work for the secret. So let's go back to Cloud Shell
on the next one. That I'll be Dean is I'll be obtaining the Loggins ever for the content of registry because we need that to be able to do the deployment on. I'll be using the Is that a see? Our show can manage to do that, and I'll be passing in information off my continent registry name that I start in the variable here earlier,
so I'll go ahead and I lights. That's
and I'll guide, invite, click to copy eats and then I'll right click to pace that ANA press ended. That's and that's now sets the value off my a c R Logan Sever. I can grind and verify that by going in Echo
Is he out? It's too dollar sign
is see uh,
le Guin sever and you can see it's got that value in there. So now everything is looking Get one float off in that I want to mention to you is when I created theseventies principal Hey, earlier I also give it permission to the content of registry toe have the approval on I can verify what I did by going back to the Cotto
on going to content of registry
selected my content of registry. And if I go under access control on go on devil assignment, I should be able to see that the savage principle that I created as the top Ruvo assigned to this continent registry So what? That means that any application that presents this application I d and its equivalents secret key
will be able Teoh as Jim this roll off a CIA pro next thing that I'm gonna be doing this, I'm gonna be creating my continent instance And they should be to find out task. So be creating the continent. Instances in the is that continent create command. But we're gonna be passing in the value off the
SCR Logan Sever and the image that we want to pull alongside would provide incontinent instance
with information from key vote, which includes information about the application I d. On the secret key so I can use thes identity to go pull down the image from continent registry so wide on my lights, that right click and that and click on copy
how clear the screen, right click and African pastes. And that would take a few seconds slash minutes to run. So they only took a few seconds to complete. But once it completed, he can see that I have the output off the EFC udn.
If I glide on eye lights, that
and if I right click. And if I go to go to that you are well on, you can see. So what happened is continent instances use the service pre support authenticates to see how pull down the image and this deploy to the image he has some supplemental links for further studies on the topics covered in this lesson. The very first link contains
instructions on how to complete the task that I just did in the demonstration.
He has a summary of will be covered in this lesson. We started out with an overview off azure container instances.
Well then discussed the concept of continent groups in the C. I
could discourse some S e i security best practices
and finally went straight. Demonstration off using service Pre supports, authenticate. See eye to see out for image pool.
Thanks very much for watching on. I'll see you in the next lesson.
Up Next