DEV Community

loading...
Cover image for Securing Azure SignalR +Azure App Service - Part 3

Securing Azure SignalR +Azure App Service - Part 3

Jayendran Arumugam
MCT | Cloud Architect | Azure | AI Eng | DevOps | Stackoverflow | Technical Writer | Learner | @Gartner
ใƒป4 min read

Hope everyone is safe and well ๐Ÿ˜Š

I thought of discussing azure signalr using terraform in this part, but today I found a very interesting things from azure signalr authentication which is not yet officially documented by Microsoft. So, I'm going to discuss that in this part.

Using Managed Identity

Now a days its common and best practice to use managed identity as much as you can to avoid using the keys/connection string/password in your application or event vault. So, I also would want to use managed identity for authentication from my azure app service to the Azure SignalR resource. This has been explained so well at here

image

So I thought it would be super simple to implement this in my POC until I hit one road block, letโ€™s see what is the problem and how can we solve that.

Enabling Managed Identity for my POC

If you have followed this series from the beginning, you already noticed that I was doing a POC where I am trying to securely connect my azure signalr from my azure web app. If you missed the earlier parts, no worries please check this Part 1 and Part 2 before going further into this part.

As of now my architecture will look like

Alt Text

And my azure signalr NAC will look like

image

I have securely connected my azure signal from my azure web app, but my authentication is still using the connection string with accesskey.

The typical azure signalr connection string will look like this.

Endpoint=https://<resource-name>.service.signalr.net;AccessKey=AsNsXs1UdfdfdererereNXa7VOVvPmZnHqnm2iCG6WTom31nXE=;Version=1.0;
Enter fullscreen mode Exit fullscreen mode

In order to enable the managed identity, I followed the above MS doc and did like the steps like below

  1. I need to enabled the system assigned identity for my azure web app Alt Text

  2. Assign the above system assigned identity as SignalR App Server role in my azure signalr IAM. Please note that this role is still in Preview image

  3. Update my connection by replacing the accesskey with AuthType=aad. So, my new connection string will be

Endpoint=https://<resource-name>.service.signalr.net;AuthType=aad;Version=1.0;
Enter fullscreen mode Exit fullscreen mode

The problem that I hit

After enabling the managed identity when I tried to test my app I got 500 Internal Server Error for the negotiate connection

image

hmm.. not much useful error/information to debug further. So, I have enabled the Application Insights to see where the failure is occurring.

image

image

So the actual error is

Failed in authorizing AccessKey for 'https://xxxxx-signalr-01.service.signalr.net', will retry in 3 seconds.
Enter fullscreen mode Exit fullscreen mode

The real 403 Forbidden endpoint is.

https://signalrsevice.service.signalr.net:443/api/v1/auth/accessKey?serverId=xxxx
Enter fullscreen mode Exit fullscreen mode

Stack trace:

Microsoft.Azure.SignalR.Common.AzureSignalRRuntimeException:
at Microsoft.Azure.SignalR.AadAccessKey+<UpdateAccessKeyAsync>d__23.MoveNext (Microsoft.Azure.SignalR.Common, Version=1.8.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.Azure.SignalR.AccessKeySynchronizer+<UpdateAccessKeyAsync>d__13.MoveNext (Microsoft.Azure.SignalR.Common, Version=1.8.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
Inner exception System.Net.Http.HttpRequestException handled at Microsoft.Azure.SignalR.AadAccessKey+<UpdateAccessKeyAsync>d__23.MoveNext:
Enter fullscreen mode Exit fullscreen mode

Let us understand the error

If you read the error properly you will understand what is going wrong.

From the forbidden endpoint it seems that azure signalr is trying to call a REST API to Azure AD to get the token (for Managed identity) behind the screen

https://signalrsevice.service.signalr.net:443/api/v1/auth/accessKey?serverId=xxxx

Joining the dots / Fixing the Issue

So letโ€™s step back and think about our NAC control configuration
image

In this we have allowed only Server Connection from our private endpoint, there are a couple of other connections also visible in the dropdown. such as

  • REST API
  • TRACE API

image

Perfect, lets enable the REST API connection also from our private endpoint. Now our NAC will look like

image

Thatโ€™s it, I have waited for 30min, and my application is working as expected.

Interesting fact

The documentation about REST API and TRACE API is still not available public or under development phase. So, it is kind of difficult to get the relevant information for now about these two APIโ€™s.

Workflow

Alt Text

Permanent fix from Microsoft

I reached out to azure signalr team about this, and I got the response like

We would get rid of API calls in AAD authenticating process, which means if our customerโ€™s use our future SDK, they will not have to enable REST API explicitly.
We will make it internally in our server connection, instead of sending a rest API. This change would take 1-2 months and the newly released SDK will be like 1.9.x. it will be documented in future release.

Overall Architecture

Alt Text

Discussion (0)