Configure SSL/TLS certificates
- Primary characteristics of certificates assigned to Azure services:
  - X.509 v3 format
  - Signed by a trusted CA or self-signed
  - Subject name matches the fully qualified domain name (FQDN) of the target service:
    - FQDN must include a custom domain name
    - Use of platform-assigned domain names (e.g. cloudapp.net) is not allowed
  - Minimum of 2048-bit encryption
- Implementing self-signed certificates:
  - Windows: New-SelfSignedCertificate (replaces deprecated makecert.exe)
  - Linux: ssh-keygen
Configure managed service identity for app services
- Primary characteristics of managed service identity:
  - Represents an Azure AD identity
  - Is platform-managed (eliminates the need to rotate secrets)
  - Facilitates authentication by applications that Azure services are hosting
  - Supports two types of identities:
    - System-assigned: an identity auto-associated directly with a specific Azure service
    - User-assigned: a standalone identity that allows association with multiple Azure services
- Implementing managed service identity:
  - Azure portal: directly from the blade of the target Azure service
  - Azure PowerShell
  - Azure CLI
  - REST API
Implement PaaS firewall rules
- Primary characteristics of Platform as a Service (PaaS) firewall:
  - Supports a number of Azure PaaS services, including Azure Storage
  - Default allow (all networks)
  - Operates on the network level (proper authorization to the target service is still required)
- Configuring PaaS firewall:
  - To restrict traffic from the internet:
    - Specify one or more IP address ranges from which traffic will be allowed
  - To allow traffic from specific subnets of virtual networks only:
    - On virtual network subnets, create virtual network service endpoints
    - On the PaaS firewall, specify subnets of virtual networks
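Added example (not from the original notes) showing both restrictions above applied to an Azure Storage account with Azure PowerShell; the resource group, storage account, virtual network, subnet and public IP range are placeholders.

```powershell
# Added example: lock an Azure Storage account's PaaS firewall down to one
# public IP range plus one VNet subnet. All names below are placeholders.
$rg          = 'rg-security-demo'   # placeholder resource group
$account     = 'stsecdemo001'       # placeholder storage account
$vnetName    = 'vnet-demo'          # placeholder virtual network
$subnetName  = 'snet-app'           # placeholder subnet
$officeRange = '203.0.113.0/24'     # placeholder public range (TEST-NET-3)

# 1. Change the default from Allow (all networks) to Deny. The AzureServices
#    bypass keeps trusted platform services (e.g. backup, monitoring) working.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices

# 2. Internet side: allow only the listed public IP range.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -IPAddressOrRange $officeRange

# 3. VNet side: the subnet needs a Microsoft.Storage service endpoint before
#    it can be referenced by the firewall, so enable that first.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sn   = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $sn.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
$sn   = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $sn.Id

# 4. Verify the result: default action must be Deny and both rules present.
#    Remember this is a network-level control only; callers that get through
#    still need a valid key, SAS token or Azure AD authorization.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
if ($rules.DefaultAction -ne 'Deny') {
    throw "Default action is still $($rules.DefaultAction)"
}
$rules.IpRules             | Format-Table IPAddressOrRange, Action
$rules.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, Action
```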
Configure Azure services to protect web apps
- Primary characteristics of Azure Front Door Service:
  - Facilitates defining, managing, and monitoring global routing for traffic targeting web apps
  - Operates at layer 7 of the OSI model (HTTP/HTTPS)
  - Uses anycast with split TCP and the Microsoft global network to optimize performance and reliability
- Implementing AFD for web apps:
  - Create an AFD instance
  - Add application backend and backend pools
  - Add routing rules
Configure Azure Application Security Groups
- Primary characteristics of ASGs:
  - Serve as an extension to NSGs
  - Eliminate the need to reference IP address ranges in NSGs
  - Allow grouping of Azure VMs based on their workload, regardless of their IP address
  - Are assigned to network interface cards (NICs) of Azure VMs
- ASG constraints:
  - All NICs associated with the same ASG must be connected to the same virtual network
  - You can’t specify multiple ASGs as a source and/or destination of an NSG rule