Time
14 hours 28 minutes
Difficulty
Intermediate
CEU/CPE
15

Video Transcription

00:00
Hello, Cybrarians. Welcome to Lesson 2.1 of Module 2 of this course, that is, AZ-301 Microsoft Azure Architect Design.
00:10
So in this video we'll be covering the following.
00:14
We'll start by introducing what Azure Key Vault is, and as you'll see, Azure Key Vault is a lot of things and has many capabilities.
00:23
I'll then show you a sample scenario that will hopefully help you to understand some use cases for Azure Key Vault.
00:31
I'll then go over some of the core concepts of the Azure Key Vault service,
00:36
covering keys, secrets and certificates and what those concepts mean as they relate to the Azure Key Vault service. Let's get into this.
00:45
First of all, let's describe what the Azure Key Vault service is.
00:49
What exactly is the purpose of the service? So Azure Key Vault has three main purposes. Number one, it's a key management service.
00:57
Number two, it's a secret management service, and number three, it's a certificate management service.
01:04
So those are the three main purposes of Azure Key Vault, and as we go on in this lesson, those purposes will become clearer to you as to what they mean.
01:15
One further thing that I'd like to mention to you about Key Vault is that it has amazing integration with other Azure services, and we'll see some of those in lessons in this module. Services like Azure Storage, Azure Disks and Azure App Service have natively built integration with Azure Key Vault. For example, with Azure Disks,
01:34
the encryption keys can be stored in Azure Key Vault. We'll see that in a demo.
01:41
So let's take an example of a three-tier application implemented in Azure to get to understand the use cases of Azure Key Vault even further.
01:52
So this sample application has a front-end API, which collects data about the state of different services, and then it stores the information in an Azure storage account.
02:02
The middle tier, or the application logic, which in this case is running in an Azure virtual machine, then retrieves the data from the storage account, does some processing according to the program logic, and then sends out a tweet if there are irregularities with the service. So just to understand that simple application:
02:22
So just how many secrets, keys or certificates do you think we need to implement a scenario like this?
02:29
Let's examine this.
02:30
First, our virtual machine needs an admin password.
02:36
This could probably be replaced by joining the virtual machine to an Active Directory domain and then using a domain-managed identity, but let's say for this case it's a non-domain-joined virtual machine.
02:51
Number two, the front-end API that's running in an Azure Web App needs the storage account key to be able to store the information that it's collecting in that storage account. Also, the application logic code, which is running within our virtual machine,
03:05
needs the storage account key to be able to retrieve the data that was stored by the front-end API
03:10
so it can do its own processing.
03:15
Number three, for the application logic to be able to tweet out the state of the services, it needs a Twitter API key.
03:23
And let's not forget that for the front-end API, if it's running HTTPS, which is ideally what we want, we need a TLS certificate.
03:32
For compliance reasons, we may want our storage account to use an encryption key managed by our organization and not the default Microsoft-managed key.
03:45
Also, for security and compliance reasons, we want the disks that are attached to the VM to be encrypted.
03:53
All of what we just described are keys, secrets and certificates, which in each case we don't want to fall into the wrong hands, and for that not to happen, they have to be properly managed and their life cycle properly governed.
04:09
So this is the type of scenario that Azure Key Vault can help us to solve. Let's see how Azure Key Vault could help us with solving some of these issues.
04:19
So take, for example, the VM password.
04:23
This can be stored as a secret in Azure Key Vault.
04:27
The ARM template deployment service can then be given permissions to retrieve the key from Key Vault during deployment
04:34
to avoid storing the password in plain text within a template or parameter file.
04:41
This is what it looks like in practice.
04:44
As you can see in the diagram on the screen, the secret is stored in the Key Vault, which is the VM password,
04:50
and that will then be referenced in a parameter file.
04:56
The ARM template deployment service would then be given permissions so that it can retrieve the password at the point of deployment and apply that password to our virtual machine.
05:09
What about the situation of the storage account key?
05:14
We could store this as a secret in Azure Key Vault.
05:18
The front-end application code and the middle-tier application logic code could then be granted permissions to retrieve this key from Azure Key Vault at the point of use.
05:30
They could then use the key that they've retrieved to perform different operations against the storage account.
05:36
What about the certificate in that scenario?
05:40
The TLS certificate could either be generated in Azure Key Vault as a self-signed certificate, or Azure Key Vault can integrate with a third-party certificate provider like DigiCert to generate the certificate, which can then be retrieved and used by the Azure Web App.
05:59
So now that we have a good understanding of the purpose of Azure Key Vault and the sorts of problems it can help us to solve, let's go ahead and review what exactly the terms that we've been making reference to mean. Let's take, for example, the term secrets in Azure Key Vault.
06:18
A secret in Azure Key Vault means data, under 25 kilobytes, that our application can store and retrieve in plain text. Now, our application can retrieve that in plain text, but it is stored encrypted at rest with keys that are protected by HSMs, that is, hardware security modules,
06:39
in Azure Key Vault.
06:41
So examples of what we call secrets in Azure Key Vault are passwords, database connection strings, storage account connection strings, et cetera.
06:50
It used to be possible to store a PFX file as a secret; there used to be an option to add a PFX file as a secret, but this is now deprecated.
07:02
What about keys?
07:05
Keys in Azure Key Vault refer to cryptographic keys, that is, secrets generated using an algorithm, and specifically we're referring to asymmetric keys.
07:18
These can be imported or generated in Azure Key Vault.
07:25
And one of the good use cases of keys is that we can use them to further protect secrets, sort of like what happens in a TLS scenario where you use the asymmetric key to protect the symmetric key. So this is also a good use case for Key Vault. But what sort of algorithms does it support? It supports RSA and elliptic
07:45
curve
07:46
keys.
07:46
And when we talk about RSA keys, it supports keys of 2048, 3072 and 4096 sizes, and for ECC keys it supports P-256, P-384, P-521 and P-256K.
08:03
So, by the way, you won't be required to remember those for the exam, from my understanding.
08:13
Finally, let's talk about certificates.
08:16
So this is much more straightforward. These are simply SSL or, as they're called, TLS certificates. Now, if purchased from public CAs,
08:26
we can automatically enroll and renew these certificates with the Key Vault, that is, provided that the public CA is supported by Azure Key Vault.
08:37
So it's important to understand that Key Vault does not issue public certificates.
08:45
Key Vault does not resell certificates from CAs. Key Vault simply provides the ability to simplify the automation of certain tasks on certificates. So, for example, in terms of enrolling and renewing certificates, Key Vault can integrate with your third-party certificate providers
09:05
to automatically do this, and also it can
09:07
create, that is, automatically generate, self-signed certificates.
09:11
So examples of public CAs that are supported in Azure Key Vault are DigiCert and GlobalSign. So those are supported.
09:20
So I'll go ahead and pause this video here, and then in the next lesson in this module we'll talk about the different service tiers of Key Vault and all the useful information that you need to know for your exam.
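Editor's added example (not part of the lesson or its demo): the parameter-file Key Vault reference the instructor describes for the VM admin password, so that the deployment service retrieves the secret at deployment time and the password never appears in plain text in the template or parameter file. The subscription ID, resource group, vault name, secret name and parameter name below are placeholders chosen for illustration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "vmAdminPassword"
      }
    }
  }
}
```

In the template itself the parameter is declared with `"type": "securestring"` and consumed as `"[parameters('adminPassword')]"` in the VM's `osProfile.adminPassword`; a plain `string` type would allow the value to be echoed in deployment output. Two checks before deploying: the vault must have `enabledForTemplateDeployment` set to true (this is the permission grant to the ARM deployment service the lesson refers to), and the identity running the deployment needs the `Microsoft.KeyVault/vaults/deploy/action` permission on the vault. Because the reference is resolved at deployment time, rotating the secret in Key Vault and redeploying picks up the new value with no change to the template or parameter file.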

Up Next

AZ-301 Microsoft Azure Architect Design

This AZ-301 training covers the skills that are measured in the Microsoft Azure Architect Design certification exam. Learn strategies to plan for the exam, target your areas of study, and gain hands-on experience to prepare for the real world.

Instructed By

David Okeyode
Cloud Security Architect
Instructor