Skip to content

Latest commit

 

History

History
181 lines (141 loc) · 6.74 KB

4.2. Web Apps (App Service).md

File metadata and controls

181 lines (141 loc) · 6.74 KB
Raw

Web Apps

  • PaaS for web applications.
  • Multiple languages and frameworks are supported
    • E.g. ASP. NET, Node.js, Java, PHP and Python
    • Can run any scripts/executables on VMs.
  • You can clone app across regions on premium.
  • You can create from application templates (e.g. WordPress, Joomla, Drupal).
  • Load balancing, auto scaling

App Service Plan

  • The infrastructure app services run on.
  • Defines compute resources.
  • Can be a dedicated VM or shared.
  • ❗ You cannot move it to a different region, but you can clone apps.
  • Multiple web apps can run on same app service plan

DevOps

  • CI/CD from Azure DevOps, GitHub, Docker Hub and other git sources.
    • Enable on app's menu blade -> App Development -> Deployment Options

Deployment Slots

  • Deployment slot: Another web-app that's linked to a web-app
    • dev <=> staging <=> production
  • Standard => 5, Premium => 20 slots
  • All slots have their own names & urls.
  • Advantages:
    • Validate app changes in staging before swap (preview before swap)
    • No cold start
      • Ensures all instances are warned up with no downtime, no request drop
    • If it fails, you can swap back
  • Swapping settings
    • Many settings are swapped, some are not.
    • You can choose some Application Settings to be sticky (won't swapped)

Network

  • Access on-premises data using Hybrid Connections with VNets.
    • You can use to access e.g. to on-prem database.

App Service Environment

  • Clusters servers
    • All the way from front-end load balancers, workers, databases, everything that composes your infrastructure
    • Runs entire configuration in a VNet.
  • Configure inbound network traffic rules
  • Setup a Web Application Firewall in front of your ASE

Application Settings

  • ARR affinity
    • 💡 Turn it off you don't care for states so it scales better.
  • 64-bit
    • ❗ Costs more memory, use it carefully

Always On

  • 📝 Keeps the app loaded even when there's no traffic
  • E.g.
    • When it's on: If VM goes down Azure will try to turn VM on every 10-15 ms.
    • When it's off: VM is brought up when it's needed
  • It has no impact on price as you're paying for the entire VM anyways.
  • 💡 Keep it
    • On: if you want site to be up even when there's no traffic
    • Off: If site does not get much traffic (less than every 20 minutes) as it would then free up resources for other sites to use

Backup

  • Only Standard or Premium tier.
  • You need a storage in same subscription as the app.
  • You can back-up databases as well if connection string exists in app settings.
    • works for: SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, MySQL in-app
  • You can automate backup with back-up schedule: How often? When? Retention?
  • You can exclude some files.

Snapshots

  • For premium or higher, snapshots are taken automatically.
  • Advantages over back-ups:
    • No file copy errors due to file locks.
    • No storage size limitation.
    • No configuration required.
  • 3 months of snapshots are kept, can only restore for the last 30 days.

Azure Mobile App

  • Native & cross-platform apps with e.g. Xamarin, Cordova, Unity.
  • Can connect to on-premises.
  • Build offline-ready apps with data sync: Syncs when internet is there
  • Some special options:
    • Azure Easy Table: Light SQL on portal.
    • Azure Easy APIs: Code & build directly in Azure portal for Node.js back-end.

App Service Security

Infrastructure and platform security

  • Managed by Azure = You trust Azure
  • Your app service apps are isolated from both the Internet and from the other customers' Azure resources.
  • Communication of secrets (e.g. connection strings) in a resource group does not cross any network boundaries and are always encrypted.
  • All communication between App Service and external resources (e.g. REST) are encrypted.
  • Other protections:
    • Microsoft Threat Management
    • SQL injection
    • Session hijacking
      • Active: Takes over clients position
      • Passive: Monitors the traffic for password etc.
    • Cross-site-scripting: via click or script tags malicious script is executed.

Azure Security Center

  • Natively part of Azure + PaaS services
  • A service in the Microsoft Defender Security Center.
  • Monitors without any deployment
    • Can protect on-prem by installing Microsoft Monitoring Agent (MMA)
  • See Network Map of all VNETs
  • Helps you configure recommended controls
    • E.g. • add firewall • use Azure Active Directory
  • Two tiers: • Free • Windows Defender
Windows defender
  • Formerly known as Azure Security Center Standard tier
  • Allows adaptive application controls and network hardening
  • Regulatory compliance dashboard and reports e.g. monitor policies
  • Microsoft Defender for Endpoint
  • Threat protection for PaaS services and Azure VMs and non-Azure servers
Microsoft Defender for Endpoint
  • Formerly known as Windows Defender ATP and then Microsoft Defender Advanced Threat Protection (ATP)
  • On all VMs out of the box.
  • Protects from malware, DDoS, man-in-the-middle attacks and more.
    • Man-in-the-middle attacks
      • Reroutes communication between two users through the attackers computers without their knowledge.
      • He can monitor and read the traffic before sending it on the intended recipient.

Application security

  • Customers responsibility not Azures.
  • AAD integration, certification management, secure communication with different services etc.

Authentication & Authorization

  • No code authentication
    • App Service can validate user assertions.
    • Uses JWT tokens
      • ADD => authorization header as bearer token
      • Mobile App Client SDKs
    • Federated identity
      • Identity providers
        • Default: AAD, Microsoft Account, Facebook, Google, Twitter.
        • Can be extended with custom providers.

Client certificate authentication

  • Supports SSL certifications.
  • Inbound (TLS mutual authentication)
    • Someone who wants to come to your site needs to present a certificate
    • Use API or Resource explorer to set.
  • Outbound (using a client certificate from your app)
    • Application talks to another server and that servers requires app to have certification.
    • Set in App settings with WEBSITE\_LOAD\_CERTIFICATION key.
  • Resource explorer = Visualizes APIs and manage rules, you can force require inbound certification there you can also set "expect" one.

Static/Dynamic IP restriction

  • Configured in web.config file.
  • Static IP restriction: e.g. geo-fencing
  • Dynamic IP restriction: e.g. DDoS protection
    • You set request frequency & concurrency rules.

Security scanning

  • Via 3rd party "Tinfoil Security"
  • Paid & billed outside of Azure
  • Managed in Kudo => Extensions
  • Use e.g. before you switch slot from production you can see if you introduce any vulnerability.