AzureSecurity Day4 Compute And Application Service Security

Author: Teri Radichel © 2025 2nd Sight Lab
Azure Security
Day 4: Compute & App Security

Original Copyright Notice
All Rights Reserved.
All course materials (the “Materials”) are protected by copyright under U.S. Copyright laws and are the property of 2nd Sight Lab. They
are provided pursuant to a royalty free, perpetual license to the course attendee (the "Attendee") to whom they were presented by 2nd
Sight Lab and are solely for the training and education of the Attendee. The Materials may not be copied, reproduced, distributed,
offered for sale, published, displayed, performed, modified, used to create derivative works, transmitted to others, or used or exploited
in any way, including, in whole or in part, as training materials by or for any third party.
ANY SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
2

Updated Copyright Notice (2025)
All Rights Reserved.
All course materials (the “Materials”) are protected by copyright under U.S. Copyright laws and are the property of 2nd Sight Lab. They
are provided pursuant to a royalty free, perpetual license to anyone who follows Teri Radichel on social media, is subscribed to
her blog via email, or has purchased or been given a copy of her purchased book.
ANY SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Please read this post before using these materials. Thank you!
Why I am giving away my class materials for free
https://medium.com/cloud-security/why-im-releasing-my-cloud-security-class-materials-for-free-86546c5a025b
2nd Sight Lab is now focused on penetration testing services. Reach out to Teri Radichel on LinkedIn for more information.
https://2ndsightlab.com/cloud-penetration-testing.html
3

Author: Teri Radichel © 2025 2nd Sight Lab 4
Day 4: Compute & Application Security
Overview of Azure Compute
Virtual Machines + Disks
Availability Sets
Scale Sets and Load Balancers
Application Gateway
WAF
Functions (+Secrets in Apps)
Container Instances
Azure Kubernetes Service
Service Bus
API Management
App Service
Application Proxy
Azure Relay

Compute Services
5

Cloud Compute

The Hypervisor
In the cloud, multiple “virtual”
computers run on the same
hardware.
The hypervisor makes this
possible.
In almost every case the cloud
provider manages the hypervisor.
You will want to understand how
the hypervisor is secured.
A compromised hypervisor may allow
access to all VMs on the hardware or for
VMs to access each other.

Hyper-V
Azure uses a built in
Windows hypervisor called
Hyper-V.
Monitor for vulnerabilities in
hypervisors and cloud
infrastructure and what
Microsoft is doing about
them.

Azure tenant isolation
AD authentication.
Network segregation.
Hyper-V provides VM
segregation.
The Azure Fabric
Controller manages
communications from
host to virtual machine.

Operating Systems on Virtual Machines
Each virtual
machine running
in a cloud
environment runs
an operating
system that needs
to be secured
according to best
practices.

Containers
Containers package up all the software for an
application and run it in a sandboxed
environment.
Applications with conflicting software
requirements (software libraries) can run on the
same host.
Each application runs in it’s own environment with
a simulated operating system.
Often a container runs a single service - called a
microservice - but this is not a requirement.
11

Containers vs. Virtual Machines
12

What is a Microservice?
Old School Application: All
the code and libraries
deployed together on an
operating system. One
monolithic application.
Microservices Application:
Code for different
functionality deployed in
different containers.
13

Container registries
Different container registries exist.
Public and private registries.
Facilitate automated deployments.
Only deploy trusted containers.
Consider leveraging private registries.
More on registries tomorrow.
14

Orchestration Software
Often, an application requires multiple containers.
The containers need to communicate on the network.
The application may add and remove containers.
Requests need to be load balanced between containers.
This is where orchestration software comes in.
Different types of orchestration software exists.
Groups of containers in an application are called clusters.
15

Orchestration Functionality
Different parts of the architecture handle
different functions.
For best security, these functions should be
segregated, so one cannot access the other.
Management
Plane:
Functionality for controlling and
managing containers; administrative
dashboards.
Control Plane:
Which path traffic should use. Routing.
Load balancing.
Data Plane:
Logs and proxy service like Envoy and
Service Mesh. Packet forwarding from
one to service to another.
Nginx architecture diagram

NSG
NSG
NSG
17
Three-tier Architecture
Web
Tier
VM
App
Tier
VM
Data
Tier
VM
Internet

Container Networking
With the evolution of containers came
loss of visibility into some network
communications.
Typically applications on different hosts
pass through host-based and network
firewalls.
What about container to container
communication?
This led to the side cars and the concept
of a service mesh.
18

Envoy by Lyft
Created by Lyft.
Open Source Layer 7 Proxy.
Overcome networking and visibility problems with container applications.
Proxy any type of traffic (e.g. websockets), Filter traffic.
Supports encryption both ways.
IP Transparency.
The cloud providers are all using similar functionality.
19
Sidecar
Micro-
Service

Event Driven Compute: Functions and Batch Jobs
Events trigger code to run
Compute instantiated to complete a task
Terminates after once the task completes
- Functions: Triggered by an event
- Batch: Scheduled jobs to process some data
Essentially containers used to perform a task
Terminate once the task is completed

Serverless applications
Serverless
applications
may use many
cloud-managed
components.
Configure each
component
with zero-trust
in mind.

Compute
Azure has a number of different
compute services
This flow chart from Microsoft
helps you choose which service
works best for your needs or
application.
Secure infrastructure +
Applications.

Managed Services
Let Azure manage the orchestration components.
- Orchestration platforms can be complicated.
- Azure has automated some of the deployment.
- Some best practices implemented for you.
Make sure you check that! And again, what you control…
Consider logs you’ll need to see in case of an incident.
As always understand IAM, networking, and other controls.

VMWare on Azure
Organizations using VMWare already might have existing infrastructure
Standard processes and procedures for VM management
Base images they use as standards
Lift and shift VM environment to Azure
Continue to use familiar tools
Shared responsibility model: Understand what Azure manages
VMWare security best practices still apply

Container Services

Specialized Services
All with their own security settings…

Compute Resource Permissions
On day one we discussed Service Principles for Azure resources.
Compute resources can be assigned managed identities and permissions.
From last class:
Service Principal Manage permissions, lifecycle, secrets, storage
Managed Identity
Azure creates a service principal, manages it, and deletes it
automatically when the associated resource gets terminated.

Managed identity for storage account
In our last class we created a managed identity for a storage account.
Associate this managed identity with a compute resource.
Then commands run on that compute resource will be able to access the SA.

Virtual Machines
29

General Virtual Machine Security
Limit services. Why do I need print spooler running on a VM?
Updates. Keep all software up to date.
Least privilege. for users and applications in VM configuration. Use roles.
No secrets on host. in file system, environment variables, registry.
Ship logs to permanent storage. cloud virtual machines are ephemeral.
Network configuration. Limit connections in host firewall.
OS specific security. Operating systems best practices.
Microsoft and CIS benchmarks. Review security best practices
30

Shared responsibility for VMs
Understand which aspects of
security you are responsible
for vs. the cloud provider.
Microsoft provides the
following chart.
2nd Sight Lab’s advice:
If you can see it and change
it, you likely own it.

Azure-specific VM security recommendations
- MFA and Conditional access
- Virtual Networking; Restrict direct
connectivity
- Collect audit logs (on the cloud platform and
from the VMs)
- Allow access to specific applications only
- Monitor with Azure Monitor
- Encrypt your VM
- Enable endpoint protection
- Install an EDR (endpoint detection &
response) solution
- Threat and vulnerability solution like
Microsoft Antimalware for Azure or Microsoft
Defender for Endpoint
- Patch
- Max inactive time and disconnection policies
- Screen lock for idle sessions
- Controlled installations via tiered admin
access and installation utilities
- Application security
- Control device redirection (printers, etc.)
- Hide local and remote drive mappings
- Prevent unwanted software with App Locker
or similar
- Use Gen2 Azure VMs with Trusted Launch
- Consider using TEEs for sensitive processing
- Secure Boot mode
- Remote attestation via a TPM
- Virtualization-Based Security (VBS) via
Hypervisor-Protected Code Integrity (HVCI) and
Windows Defender Credential Guard
- Windows Defender Application Control
- Backup and Site recovery
- Security policy management and reporting

Virtual Machines
The best way to take a look at
security features for a virtual
machine is to deploy one.
You can run applications on a
VM just like you would a
physical server.
Navigate to the virtual
machines service, click +Create
and Azure virtual machine.

Basics
The first screen is the Basics screen.
You could enter options on this screen,
click Review + create.
In theory that should work, but let’s
look at the details.

Standard Configuration Information
As always enter:
Subscription
Resource Group
Name
Region*
* The region you choose needs to have capacity and your subscription needs
to be allowed to use it and you need to be within your limits.

Availability Zones
If you choose the
Availability Zone option
you’ll need to choose a
region that supports AZs.
You can choose multiple
zones and multiple VMs will
be created - one in each
selected zone.
More on Scale Sets and
Availability Sets and in a bit.

Security Type
Choose a security type. The upgraded options cost more, of course.
Trusted launch and confidential computing only work with certain VM
settings.

Trusted Launch Virtual Machines
Secure Boot
vTPM (Trusted Platform Module)
Virtualization-based security
Hypervisor-enforced code integrity
Credential Guard
Defender for Cloud integration
Requires specific VMs.
Some VM features not supported.

Azure Confidential Computing
Protection of data in use
Azure Confidential
Computing Options
- Entire VM or
Application
- Managed and
Unmanaged
- Containers,
Serverless, Databases,
and more

Confidential Computing
SGX enclaves (for apps).
Requires specific VM types
Applications run in enclaves.
Data is encrypted in memory.
The enclave has the key to decrypt the data.
Only decrypted while processed in enclave.
Outside the enclave can’t see the data.
Untrusted code cannot act on the data.

Confidential VMs
- AMD processors
- Hardware enforced boundary
- Customizable attestation policies to ensure host compliance
- Cloud-based OS disk encryption before the first boot (can slow creation,
higher cost)
- VM encryption keys managed by the cloud platform or the customer
- Secure key release with cryptographic binding between the platform’s
successful attestation and the VM’s encryption keys
- Dedicated TPM (Trusted Platform Module)
- Secure boot similar to Trusted VMs
- Only available via certain VM types, OS, and regions

Choose an Image
Next choose an image.
An image is a machine configuration.
The image includes the OS and other settings.
You can choose from:
- Microsoft images
- Marketplace images
- Create your own image

Spot instance
Spot instances can help
save money.
When you choose a spot
instance some additional
options show up.
Choose the price option to
enter the max you want to
pay.
VMs may stop or terminate!

Azure machine sizes
Different machine sizes optimized
for different purposes.
Size names start with letters.
Choose a size appropriate for
your application or VM purpose.
The machine size options at the
time of this writing are shown
here.

Choose a size
Choose a machine size. Note that the default size here says it is unavailable
in the selected zone so it won’t work.
Click See all sizes to check available options.

Check available VM sizes - None?

Expand a section to see the list of sizes
Expand each section to see a list of sizes in each category.
It appears that we can’t choose any size in this region. Let’s try another.

Trial and Error: Southeast Australia

Quotas
Open the portal in a new tab.
Search for quota.
Click compute.

Select region for Quotas
Click on region at
the top.
Select the region(s)
where you want to
deploy resources.

Check Availability
We can create 25,000
VMs in East US in this
account.
We are limited to 10
VMs in the Dv2 family.
Some quotas are self-
adjustable. Others
require a support
request.

Check availability for the B size instances
The prior slide was a B VM type.
Select the appropriate region. Search on B. Availability: 11

Limited Capacity
Sometimes Azure has limited capacity in
a region or AZ. Start to create a support
request to get this analysis. Also check
error messages after creating a VM.
Consider SLAs.

Choose a size; Request a quota increase
Note the cost!

Windows: Username and password
For a Windows VM, enter a username and password.
On a Linux VM you will see different options like create an SSH key.

Inbound port rules
The option to open a port exists on the basic tab. Don’t do it.

OS disk type
Choose OS disk type.
Options:

Deletion and encryption options
Choose whether to delete the disk with the VM.
Note that we need to enable some functionality to use Encryption at host.

Enable end-to-end encryption
Register-AzProviderFeature -FeatureName "EncryptionAtHost" -
ProviderNamespace "Microsoft.Compute"
Check to see when the feature is available:
Get-AzProviderFeature -FeatureName "EncryptionAtHost" -
ProviderNamespace "Microsoft.Compute"

Encryption Options
For data at rest you can choose the MMK, CMK, or both.
Choose the second option: Encryption at rest with a CMK.

Encryption process with encryption sets
Process for using
your own key to
encrypt disk
includes creating a
disk encryption set,
creating a managed
identity and
granting
permissions to
encrypt disks.

Create an encryption set
Search on Encryption Sets.
Click +Create
Choose your region, key vault. + key.

Go to Encryption set
Click Go to resource on your new encryption set. Click the error.
Permissions assigned.

Select your Disk encryption set
It might take a few minutes for this to show up.
Make sure it is in the correct region!

Encrypt Disks via CLI
Note: To encrypt boot disks and data disks
with CLI use the VolumeType parameter
In PowerShell: Set-
AzVMDiskEncryptionExtension
Linux: VolumeType must be set "Os",
"Data", or "All" and supported by the
Linux distribution.
Windows: defaults to All; if the
VolumeType parameter is present must
be set to either All or OS.

Encryption consideration
Default encryption:
If you encrypt and backup disks to a storage account using the microsoft
managed key, anyone with access to the storage account can start a VM and
attach that disk.
Better:
Use your own managed key and limit access to use that key. Only people
with access to use the key can attach the disk to a VM and access the data.

Encryption Unsupported For
At the time of this writing encryption is not available for the following:
- Basic or classic VMs
- Azure service manager model instead of resource manager model
- A series family
- Less than 2 GB memory
- Disabling linux encryption
- Windows software RAID
- VM scale sets and Linux - can only encrypt the data drive not the OS
- Azure Files and NFS
- Custom Linux images

Network options
On the network tab choose a VNET in
the same region or create a new one.
In this case, a VNET was created with
the key vault in this region and we’ll
use that to allow access to the key.
Create a new NSG. We’ll add zero-trust
network rules here instead of allowing
the whole Internet to access admin
ports.
Delete network resources with VM.

Management Options
Boot diagnostics
OS guest diagnostics
System managed identity
Login with Azure AD
Enable Auto-shutdown
Enable hotpatch
Manual or automatic updates

Diagnostics
Boot diagnostics: Determine why a machine won’t boot.
OS guest diagnostics: Get metrics every minute to monitor performance.

Identity & Auto-shutdown
A system managed identity
can be created and assigned
permissions. The identity
will be deleted when the VM
terminates.
Login using Azure AD.
Auto-shutdown allows
selecting a time to
automatically terminate the
VM.

Advanced options
Install extensions for additional functionality
Have Azure install applications (preview)
Custom data and user data to run scripts
Host groups
Capacity reservation
Proximity placement group

Extensions
Various extensions
exist that users can
install on VMs to add
functionality.
Always ensure that
extensions are
coming from trusted
sources and evaluate
prior to use in
production.

Scripts on startup
Custom and user data
enable passing scripts and
configuration files to VMs
on startup.
Custom data is passed in
during provisioning.
User data is accessible
throughout lifetime of VM.

VM Group Options
Host Groups: Collection of
dedicated hosts
Capacity reservation group:
Reserve capacity in a
particular region.
Proximity placement groups:
Create hosts in this group to
keep them physically located
near each other.

Tags
You can add a tag to many
resources to help you identify
them in the future.
Some organizations have a
standardized or automated
tagging policy.
More on that when we talk
about governance and costs
in the next class.

Check out any validate errors
In this case, it appeared to be an Azure bug as capacity exists in this account
and a low priority core was not applicable in this case.

Validation passed
Once validation passes, you should be
able to create your VM.
Note that you can also download a
template to create this same VM
automatically in the future.
The template will likely need to be
tweaked but is a good starting point.
More about those templates in the next
class.

Review your virtual machine
Once your machine is
fully deployed you can
review the settings.
On this screen you can
see your IP addresses
and other details such
as encryption.
Notice that the OS disk
is not encrypted in this
case.

Deletion
Make sure to delete
any unnecessary
resources when you
delete your VM.
Orphaned resources
may be leveraged,
leaked, or incur
unnecessary costs.

Azure VM Security
As you can see… many, many details to creating a secure VM!
Understand all the options available.
Define standard, secure, base configurations including:
- Networking
- IAM
- Location
- Encryption
To name a few. Consider a dedicated team to manage base VMs.

Obtain an access token with managed identity
Remember anyone with access to the VM can do whatever the VM can do.
All code/scripts running on a virtual machine can request and retrieve tokens for
any managed identities available on it.
Example of obtaining access token on VM using curl and metadata IP:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?
api-version=2018-02-01&resource=https%3A%2F
%2Fmanagement.azure.com%2F' -H Metadata:true -s

Test the command at in the Azure shell
You can test the curl command to obtain an oauth token in the Azure shell:
It works the same way it would on a VM. (Partially redacted token.)

Use the token to call Azure APIs
Once a user or application obtains a token, it can be used to call any Azure
API the token is allowed to call.

Protect the credentials and limit risk!
Application security is paramount!
An attacker could get onto a VM, run curl, and obtain credentials.
Limit access to the VM on the network.
Limit outbound access that allows lateral movement to other VMs.
Disallow curl requests from external IPs using host-based firewall.
Reduce permissions given to VMs to limit blast radius and risk.

Availability Sets
86

Availability Sets
Availability sets are a logical grouping of VMs.
Each VM is assigned an update domain and a fault domain.
Update domains indicate VMs that can be rebooted at the same time.
Fault domains define VMs which share the same power source and switch.
Use an Availability Set to achieve the requirements to get the 99.95 SLA.

Fault Domains - like racks in a data center
Distribute location
of your virtual
machines to avoid
outages.

Availability sets
To create an availability set, search for
the service, click on it, and then click +
Create.

Create an availability set
This screen shows the options you
can select when creating an
availability set.
Choose the region where you want
to create virtual machines.
You can also choose a placement
group in advanced options. As you
recall that places machines
physically close to each other.

View the details of your new availability set.
Once your AS is created, view the details.

Alternatively create with a VM
You may need to adjust
permissions to select your
new availability set when
you create a virtual machine
or wait for it to show up
here.
You can also create a new
availability set when you
create a VM.

View the availability set configuration

Availability set virtual machines
In your availability set configuration click on virtual machines
View virtual machines in the set.

Scale Sets
95

Virtual Machine Scale Sets
Managed a group of load-balanced virtual machines.
The number of VMs grows and shrinks based on your configuration.
- Based on demand
- Based on a schedule
Adds high availability to applications
Consistent VM configurations
Automated integration with Azure Load Balancer or Application Gateway

Orchestration Mode
Uniform Orchestration mode:
Uniform template for scaling - use Scale Set API not VM API
Data residency for single region only in Southeast Asia and Brazil South
Flexible Orchestration mode:
Combine the scalability of virtual machine scale sets in Uniform
orchestration mode with the regional availability guarantees of availability
sets.
Orchestration of standard VMs instead of scale set VMs.

Load Balancers
Route traffic to your application.
Monitor the health of VMs.
Send traffic to an available VM.
Stop sending traffic to a failing VM.
Not really a security appliance.
Provide an additional layer which helps.
98

Vertical Scaling vs. Horizontal Scaling
Vertical Scaling:
Get a bigger server.
Redeploy the application
Horizontal Scaling:
Add another node.
Application distributes processing across the nodes.
99

Scale Sets
Auto scaling configuration
Machine Image
Minimum and maximum
If load increases, new VMs
If decreases, VMs shut down
If a VM fails, deploy new
Horizontal scaling
100

Application Gateway
102

Types of Azure load balancers
We covered some load balancers that operate at the network layer.
Next, we discuss the Application Gateway which operates at OSI layer 7.

Application Gateway
The Azure Application
Gateway operates at
layer 7 and routes
traffic based on URIs or
host headers instead of
IP addresses.
V2 SKU: autoscaling,
zones, static VIPs,
mTLS, key vault
integration and more.

Autoscaling
Define your instance counts
HTTP2 support
105
Create application gateway

Options for different SKUs

Frontend and backend pool
Traffic comes in on an IP
Redirected to backend
resources

Configure the backend pool.
Choose your scale set for
your backend pool.
Make sure your scale set
resides in the same region
and network.
Set up a separate subnet for
your application gateway.

Routing rules
App developers will define rules to
send different URIs to different back
end services.

Troubleshooting
Setting up load balancers can
be very tricky.
Networks need to allow the
traffic between the application
gateway and the different
services to which it needs to
redirect traffic.
Ensure that traffic rules don’t
expose backend components.

WAF
111

Web Application Firewall (WAF)
A web application firewall operates at layer 7 in the OSI model.
That means the packet has made it through all other network security.
Packets are reassembled into web requests.
Requests are inspected for potential threats before passing to the web
server.
Block malformed requests, OWASP top 10 attacks, IPs and Domains.
Is this the best layer in the stack to block IPs and Domains?
112
112

Where processed affects performance and errors
113
WAF
NACL
Consider amount of processing until blocked. Block known bad as soon as possible.
113

Azure WAF
Web applications are the gateway to your cloud.
Attacks on web applications can lead to account takeover.
Consider the metadata service and Oauth tokens discussed in a prior slide.
WAF works with three services:
- Application Gateway (Regional)
- Front Door (Global)
- Azure CDN (Microsoft now recommends Front Door instead of CDN)
Tries to fend off common application layer attacks.

Azure WAF + Front Door
Centralized protection for web
applications
Standard and premium tier
Policies with custom or
managed rules
ALLOW, BLOCK, LOG, REDIRECT
Detection & prevention mode
See documentation for types of
rules

Azure WAF + Application Gateway
Integrates with Azure Application
Gateway
Based on OWASP core rule sets
Create WAF Policies: custom
rules or managed rulesets.
Different policies for different
apps; protect multiple apps with
one policy.
Logs to Azure Monitor
116
116

Creating a WAF with Application Gateway
We saw the option to create a WAF with Application Gateway earlier.
In those steps we saw where we could add an existing WAF policy or create a
new one.

Create a WAF Policy
Search for WAF policy
Select the service.
Click Create +

Basics
Global (Front Door)
Regional (Application Gateway)
Policy state (enabled or not)
Detection or prevention mode.

Choose managed rulesets

Tuning the Azure WAF
Monitor for blocked traffic
Set the scope for a rule
● Global
● Site
● URL
Use exclusions
Custom Rules
Monitor failures in App Insights, Azure Monitor Workbook for AWF
The image on this slide is part of a video you can watch - link in notes

Policy settings

Add custom rules
Optimally add
custom rules.

Associate an Application Gateway or Front Door
We chose to create a regional policy so here we can associate this policy with
an application gateway. We can also skip this step and add it to an
application gateway later when we create one.

Functions
125

Serverless
Serverless is not lack of servers, but
you don’t have to manage them.
Developers like that they can just
drop their code into a function and
it runs.
Functions are useful because code
can execute in response to events.
Only pay for compute while it runs.
Start function:
If …
then
while x <
20
do
something
End
Stop function.

Azure Functions
Under the hood, a function is likely
run on a container.
The difference is the code runs and
then the functions terminate.
You only pay for the time the
compute service ran.
Functions have limits - if you go
beyond them your program may
terminate prematurely.
127

Create a Function App

Create a storage account

You can create a function in a private network
You can create a
function in a
private network
but note the
requirements on
this screen.
You’ll need to pay
for a Dedicated
App Service plan.

Enable monitoring

View your app
Click Review + Create.
Wait for your app
provisioning to
complete.
After that point you
can review your
function app and see
the options in the left
menu.

Add a function
Click
Functions in
the left menu.
Choose
“Develop in
portal” from
the
Development
environment
drop down.

Choose the Time trigger template.
Azure offers a number of
templates for common functions.
Choose the “Time trigger”
template which will execute your
code at a specified time interval.
Name your function and choose a
schedule or use the default.
Click Create.

Take a look at your new function
After your function gets created click on Code + Test to view the code.

Test your Function

Networking
Click networking in
the left menu to
see your
networking
options.
Click on Access
restrictions to
create inbound
traffic restrictions.

Create networking rules as required
Add network
rules to allow
traffic as
needed to
access your
function.

Identity
Click Identity on the
left menu.
Here you can add a
managed identity or
user assigned
identity to your
function and assign
permissions to take
actions in your
account.

Code to retrieve a key vault secret
Test code - do not use in production!
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
string keyVaultName = "your_keyvault_name_here";
string secretName = "your_secret_name_here";
var kvUri = "https://" + keyVaultName + ".vault.azure.net";
var client = new SecretClient(new Uri(kvUri), new
DefaultAzureCredential());
var secret = await client.GetSecretAsync(secretName);
log.LogInformation($"secret {secret}");

Add your own code and test it

Container Instances
142

Container Instances
Run containers in the cloud without having to manage servers.
Unlike functions, containers continue to run.
For example, you could host a webserver in a container.
A container is simpler to manage than a VM.
If you choose to use container instances, some responsibility shifts to Azure.
Understand which responsibilities are yours.
Ensure the cloud platform meets your security control requirements.

Create a container
instance

Networking
Here we have some networking
options.
Note that private networking is
not available with availability
zones.

Advanced - Environment variables
Set advanced options.
Best practice is to not store secrets in environment variables!

Review your container and menu options
IAM
Networking
Identity
These options
should look
familiar by now!

(AKS)
148

Terminology
Pod A Pod is a Kubernetes abstraction that represents a group of one or more
application containers and some shared resources for those containers.
Node A node is a physical or virtual worker machine. A pod always runs on a node. A
node can run multiple pods.
Cluster A set of nodes that run containerized applications.
Kublet A process responsible for communication between the Kubernetes Master and
the Node; it manages the Pods and the containers running on a machine.
Container
Runtime
Responsible for pulling the container image from a registry, unpacking the
container, and running the application. (e.g. Docker)
Master Manages nodes. Kubernetes master automatically handles scheduling the pods
across the Nodes in the cluster.

Terminology - Continued
API Server Validates and configures data for the API objects which include pods, services,
replicationcontrollers, and others. The API Server services REST operations and
provides the frontend to the cluster's shared state through which all other
components interact.
Control Plane Manages the worker nodes and the Pods in the cluster. In production
environments, the control plane usually runs across multiple computers and a
cluster usually runs multiple nodes, providing fault-tolerance and high
availability.
Data Plane The running containers.
etcd Contains all the cluster state. If someone can modify etcd they can modify the
cluster.
Kube-Proxy Forwards traffic to nodes in a load-balanced architecture.

Kubernetes is a
complicated set of
components used to
manage containers
across resources in a
scalable manner. AKS
takes care of some of
the heavy lifting by
providing a managed
platform.

Create a Kubernetes cluster

Basic Options
Many options for Kubernetes customers.
Lots of components and potential expense.

Node pools
Create node pools to handle
workloads.
Note that you can encrypt
with the default Microsoft
managed key or a customer
managed key.

Choose to use Kubernetes RBAC or Azure AD.
Kubernetes
has RBAC
functionality,
or you can
use azure
AD.

Networking options

Container registry, Monitoring, Policy
More
options.
Consider
using a
private
registry.
Leverage
monitoring
and policy.

CSI driver
Allows Kubernetes to work with Azure without exposing kernel functions.

Service Bus
159

Event Vs. Message Services
Event: A lightweight notification of a condition or a state change. The
publisher of the event has no expectation about how the event is handled.
Message: Raw data produced by a service to be consumed or stored
elsewhere. The message contains the data that triggered the message
pipeline. Consumer sends a response when done processing the data.

Azure Service Bus

SAS and TLS version
Leverage SAS
with a Shared
access policy
and shared
access key.
Set the
minimum
TLS version.

Encryption

Networking Options
Choose appropriate
networking options.
Restrict to specific IP
addresses.
Restrict to your VNet if you
choose.

Identities and IAM
Use a managed or
user-assigned
identity.
Define least-
privilege RBAC
permissions.

API Management
166

What is an API?
API stands for Application Programming Interface.
A web browser makes a request to a web server for a web page.
An application can use the same protocols to request an API to perform an
action or retrieve data.
167

What’s an API Gateway?
Sits between the APIs and the applications that call them.
- Security checks
- Authentication
- Performance
- Monitoring
- Logging
- APIs in private networks
- Defense in depth
168

API Management
API Routes
Auth
Rate limits
Transforms
Caches
Logs and metrics
Monitoring
169

API Management Policies
Azure provides some additional policies to help you protect APIs
- Enforce existence of HTTP header
- Limit API calls by key
- Limit calls by subscription
- Restrict calling IPs or CIDRs (whitelist)
- Set usage quotas by subscription
- Set usage quotas by key
- Validate JWTs
170

Security Controls
Create policies for APIs
As with other services:
- Architecture
- Encryption
- Networking
- IAM
These controls are probably starting to feel familiar!
With the API gateway ensure backend services are not unnecessarily
exposed.

API Management Tiers
Different tiers exist for the API
Management service.
Note that not all tiers have Azure
AD integration and some other
security-related options.
Consider the tier your application
requires and the associated cost.

API Security
Standardize authentication if possible
Monitoring
WAF and pentesting - a lot of the same attacks that work on web applications
Don’t assume people can’t find your API! It will be attacked
Ensure all APIs in your application require authentication AND authorization
Proper JWT validation and scope checks
Use the correct OATH flow
Limit access via networking and IAM

App Service
174

App Service
Service for hosting managed web applications
Domain name registration
Patches for operating systems and frameworks
Containerization
DevOps optimization
Application templates
API and Mobile support

Create a Web App
Choose language, version and and other
standard Azure settings.
Deploy code using:
- VSCode
- Azure CLI
- Local Git
- Zip file
Many security considerations: code integrity,
security best practices for different
languages

App Service Plan Tiers
Free and Shared tiers run applications on shared VMs.
Standard and Premium tiers run on dedicated VMs.
How will your application be segregated from potential attackers if running
on a shared VM? That is the same concern people had initially when moving
to the cloud and VMs ran on shared hosts.
Concerns: Container escape, resource exhaustion, cross-container access

Be aware of external data shares and privileges
Local drives
Network drives (UNC shares)
File access across multiple instances
Network access via application code (to access databases, etc.)
Limited capacity for private loopback (one app cannot see another’s)
Named pipes
Frameworks default to less secure settings (.NET with full trust)
Apps can spawn shells but should be restricted to own environment

Application Proxy
179

Application Proxy
Publish on-premises
applications for
remote users.
Layer 7 access
sometimes promoted
as a VPN alternative.
Doesn’t protect all
network traffic, but
limits access to a
specific application.

Access controlled by software not network
device.
IdP to track users and info
Device directory to track
devices allowed to access
the network
Admins configure access
policies.
Grant or deny access to
specific applications, not IP
addresses or hosts.

Authentication Options
Azure Application Proxy can authenticate to apps using the following:
- Integrated Windows Authentication (Kerberos)
- Header-based authentication
- Forms or Password based authentication
- SAML authentication

Benefits
All access is outbound
Authenticated
Terminated and re-established at proxy
Conditional access
Security analytics
Remote access as a service
Intune integration (Microsoft’s device management solution)
DDOS protection

Architecture
Application proxy in the cloud manages access to applications.

Types of Applications
Application Proxy can support a number of types of applications:
- Rest APIs
- Remote Desktop (RDS)
- Web Sockets
- Native client applications with Microsoft Authentication Library (MSAL).
URLs may contain alternate ports, not just 80 and 443, for application access.

Caveats
May not be able to shut off access at the network layer.
Depending on the security of the proxy service.
Traffic sent to a public cloud service, not maintained in private network.
Can use with Azure Peering and Express Route or VPN.

Azure Relay
187

Azure Relay
Similar to Application Proxy grants but access to specific services.

Azure Relay offers two connection methods:
189
Hybrid vs. WCF Relay
Hybrid WCF Relay
Charges per connection WFC charges per message
HTTP & Web Sockets Legacy: Remote Procedure Calls
Multi-Platform .Net - uses Relay Binding

Developers write code on each side of connection
On the server side, developers write a
listener that listens for Azure relay
connections.
On the client side, developers write code
to connect to the Azure Relay service.
Consider firewall bypass…

Architecture
Request is sent to the Azure
Relay service.
Passes through various load
balancers and is evaluated to
determine where to route the
request.
Request is routed to the
listening client.
Auth via AD or SAS.

Create a Relay

Choose Hybrid or WCF Relay

Create Hybrid Connection
Give it a name.
Check Requires Authorization
(If you don’t your granting public access)
Enter some metadata if you want that will
be sent with the connection such as the
development team and contact information.

Hybrid Connection URL
Your new hybrid connection has a URL people will use to connect to it.
The programmers use this URL within their applications to make
connections.

Set up a Shared Access Policy (SAS)
Click on Shared access policies to set up permissions for hybrid connection.

Add two access policies

HCM requires:
TCP access to Azure over port 443.
TCP access to the Hybrid Connection endpoint.
The ability to do DNS lookups on the endpoint host and the Service Bus
namespace. In other words, the hostname in the Azure relay connection
should be resolvable from the machine hosting the HCM.
Can test with the HCM Agent on Windows Server 2012+

Hybrid Connection Manager: Networking
Limit access to Hybrid
connection using
network controls.
Allow access only from
your own IP address or
another IP4V address
or CIDR.

Private Endpoint
You can use a private endpoint connection with Azure Relay.

Summary
In this section we looked at some Azure compute resources.
Understand what you can and cannot control for each service.
Make sure you enable diagnostics and logging for each compute resource.
Each service will have recommended best practices from Azure to follow.
Go through and understand each setting for each service you use.
Ensure that you protect against unwanted configurations (more to come).
Understand the implications of proxies and relays.
Consider how you will design resilient architectures (more on this to come).

AzureSecurity Day4 Compute And Application Service Security

More Related Content

Similar to AzureSecurity Day4 Compute And Application Service Security (20)

More from 2nd Sight Lab (20)

Recently uploaded (20)

AzureSecurity Day4 Compute And Application Service Security

Editor's Notes