Securing PaaS – Overview

Solution architecture

Below is a diagram of the solution architecture you will build in this lab. Please study this carefully, so you understand the whole of the solution as you are working on the various components.

The High-level architecture diagram has two sides: Public internet, and Azure. The architecture includes an App Service Environment and Azure Virtual Machines that utilize service endpoints to allow access to the SQL DB and Azure Storage.

The solution begins with a deployed template of typical and not so typical resources. Due to time restraints during deployment you will have an internal (versus an external facing) App Service Environment (ASE). The ASE will have no app service plans or apps deployed to it. It is also not accessible from the outside world. You will configure an application to be deployed using the Azure DevOps machine and Visual Studio to deploy to the ASE after creating an app service plan. Once deployed, you will then configure the Application Gateway to point to the new ASE hosted App. Once configured, you will perform a typical web-based attack on the environment in a detection-only mode to see the requests pass to your web application. Once you understand how this process works, you will then enable the Web Application Firewall to filter requests based on the OWASP 3.0 standard and see that those requests are in fact blocked.

Separately, you will explore how Azure Identity Access and Management (Azure IAM) works and how those access permissions are separate from policies that may live within the actual Azure resource (such as with Azure Key Vault). You will learn how to remove sensitive information from your various resources such as Azure Functions and Web Applications and place them in the Azure Key Vault for both deployment and runtime use.

As a final step, you will learn how to perform queries against Log Analytics to populate a Power BI report based on your Web Application Firewall events.

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise system in the cloud.He is also a Certified Microsoft Azure.Eng Soon also have strong technical skills and analytic skill. As a developer, Besides the development task, he also involved in Project Management, Consulting, and Marketing. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive. He also took part as speaker in many nationwide technical events, such as Conference, Meetup and Workshop. Currently, looking for opportunity in Cyber Security which include Cloud Security and Application Security.

View all posts by engsoon →

Leave a Reply

Your email address will not be published. Required fields are marked *