...

INFRA & SECURITY : Combining the milestones 2 & 3

Azure Web App : IP restriction and Azure VNET Integration

...

  1. Access restrictions in App Service are equivalent to a firewall, allowing you to block and filter traffic. Access restrictions apply to inbound access only (App Service Access restrictions - Azure App Service | Microsoft Learn). The ability to restrict access to your web app from an Azure virtual network uses service endpoints. With service endpoints, you can restrict access to a multitenant service from selected subnets (Azure App Service access restrictions - Azure App Service | Microsoft Learn).

  2. Virtual Network Integration : It gives your app access to resources in your virtual network, but it doesn't grant inbound private access to your app from the virtual network. It is used only to make outbound calls from your app into your virtual network. For inbound private access, we need to refer to private endpoints and so, we need to deploy the app behind a private endpoint (Connect privately to an App Service apps using private endpoint - Azure App Service | Microsoft Learn | Azure App Service access restrictions - Azure App Service | Microsoft Learn)
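The two points above (inbound access restrictions and outbound-only VNet integration, with a private endpoint for private inbound access) expressed as a Bicep template. This is an added example, not part of the original page or of any Microsoft sample; the resource names, the subnet IDs and the allowed address range are assumed placeholders.

```bicep
// Added example: App Service with inbound access restrictions, regional VNet integration
// (outbound only) and a private endpoint for private inbound access.
// All names, IDs and address ranges below are assumed placeholders.
param location string = resourceGroup().location
param appName string = 'app-example'              // assumed
param planId string                               // assumed: existing App Service plan resource ID
param integrationSubnetId string                  // assumed: subnet delegated to Microsoft.Web/serverFarms
param privateEndpointSubnetId string              // assumed: subnet hosting the inbound private endpoint
param allowedCorpCidr string = '203.0.113.0/24'   // assumed: corporate egress range (documentation prefix)
// 'Disabled' closes the public endpoint entirely; set 'Enabled' only if the app must stay
// publicly reachable, in which case the ipSecurityRestrictions below do the filtering.
param publicNetworkAccess string = 'Disabled'

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: planId
    httpsOnly: true
    // VNet integration: gives the app outbound reach into the VNet, grants no inbound access
    virtualNetworkSubnetId: integrationSubnetId
    publicNetworkAccess: publicNetworkAccess
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      vnetRouteAllEnabled: true   // route all outbound traffic through the VNet (NSG/UDR apply)
      // Access restrictions (inbound only): explicit allow, then an explicit deny-all last
      ipSecurityRestrictions: [
        {
          name: 'allow-corp'
          action: 'Allow'
          priority: 100
          ipAddress: allowedCorpCidr
        }
        {
          name: 'deny-all'
          action: 'Deny'
          priority: 2147483647
          ipAddress: 'Any'
        }
      ]
      scmIpSecurityRestrictionsUseMain: true   // same rules for the Kudu/SCM site
    }
  }
}

// Private inbound access: a private endpoint in the VNet pointing at the 'sites' sub-resource
resource appPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${appName}'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${appName}'
        properties: {
          privateLinkServiceId: app.id
          groupIds: [ 'sites' ]
        }
      }
    ]
  }
}
```

The integration subnet and the private endpoint subnet must be different subnets. After deployment, check the effective state with `az webapp config access-restriction show` and `az network private-endpoint show`; the private endpoint also needs a `privatelink.azurewebsites.net` private DNS zone so that clients in the VNet resolve the app to its private IP (the storage example further down shows the DNS zone group pattern).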

...

  1. To prevent data exfiltration or the risk of malicious program implantation, we can control the outbound traffic with Azure Firewall. By default, App Service can make outbound requests to the public Internet. As our App Service is integrated with Azure VNet, we can control the outbound traffic with a Network Security Group to a limited extent (target IP address, port and protocol only) : App Service outbound traffic control with Azure Firewall - Azure App Service | Microsoft Learn

Azure Storage

  1. Require Secure Transfer during the creation of the resource Storage Account. So, a call to an Azure Storage REST API operation must be made over HTTPS.

  2. Configuration of Firewalls and Virtual Networks : There are 2 configurations to take into account:

    1. Configure access from on-premise networks : Configure Azure Storage firewalls and virtual networks | Microsoft Learn
      To allow access to your service resources, you must allow these public IP addresses in the firewall setting for resource IPs (Azure ExpressRoute, VPN).

    2. Configure access from Other Azure Services / Azure Resources : Configure Azure Storage firewalls and virtual networks | Microsoft Learn
      We can control access to the Storage Account over network endpoints, from selected virtual network subnets, using private endpoints and not service endpoints. Virtual Network Service Endpoints are public and accessible via the Internet, and we don't want that. On the other hand, Virtual Network Private Endpoints use a private IP address to access the Storage Account over the Microsoft backbone network.

...

Info

When you create a private endpoint, the DNS CNAME resource record for the storage account is updated to an alias in a subdomain with the prefix privatelink. By default, we also create a private DNS zone, corresponding to the privatelink subdomain, with the DNS A resource records for the private endpoints : Use private endpoints - Azure Storage | Microsoft Learn
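The Storage Account settings listed above (secure transfer, firewall with on-premises public IPs allowed, no service endpoints, a blob private endpoint) together with the `privatelink` DNS zone described in the Info box, as a Bicep template. This is an added example, not part of the original page or of Microsoft's documentation; the account name, VNet and subnet IDs, on-premises IP list and the optional trusted-resource ID are assumed placeholders.

```bicep
// Added example: storage account locked to HTTPS, firewall default-deny with an on-premises
// allow list, no service endpoints, blob private endpoint + privatelink DNS zone.
// All names and IDs are assumed placeholders.
param location string = resourceGroup().location
param storageName string = 'stexample01'                 // assumed, must be globally unique
param vnetId string                                      // assumed: VNet that hosts the private endpoint
param privateEndpointSubnetId string                     // assumed
param onPremPublicIps array = [ '198.51.100.10' ]        // assumed: public NAT/VPN IPs of on-prem sites
param trustedResourceId string = ''                      // assumed: e.g. an Azure AI Search service ID, or empty

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true      // "Require secure transfer": REST calls must use HTTPS
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    networkAcls: {
      defaultAction: 'Deny'             // everything not matched below is refused
      bypass: 'AzureServices'           // trusted Azure services exception
      // On-premises networks arrive via ExpressRoute/VPN NAT: allow their public IPs
      ipRules: [for ip in onPremPublicIps: {
        value: ip
        action: 'Allow'
      }]
      virtualNetworkRules: []           // deliberately empty: no service endpoints, private endpoint instead
      // Resource-instance rule: lets one specific resource through the firewall by identity
      resourceAccessRules: empty(trustedResourceId) ? [] : [
        {
          tenantId: subscription().tenantId
          resourceId: trustedResourceId
        }
      ]
    }
  }
}

// Private DNS zone for the privatelink.blob.core.windows.net alias, linked to the VNet
resource blobDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobDnsZone
  name: 'link-${storageName}'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnetId }
  }
}

// Private endpoint for the blob sub-resource (one endpoint per sub-resource: blob, file, queue, table)
resource blobPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'plsc-blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// DNS zone group: writes the A record for the endpoint's private IP into the zone above
resource blobPeDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: blobPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobDnsZone.id }
      }
    ]
  }
}
```

Verification from a VM in the linked VNet: `nslookup <storageName>.blob.core.windows.net` should return the `privatelink` CNAME and a private IP from the endpoint subnet; from outside the allow list, a request to the public endpoint returns HTTP 403 (AuthorizationFailure) because of the default-deny firewall.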

Network & CyberSecurity : Combining the milestones 2 & 3

- Azure security baseline for Azure Cognitive Search | Microsoft Learn

Inbound connection - IP Firewall or Private endpoint (for Azure AI search - Create a Private Endpoint for a secure connection - Azure AI Search | Microsoft Learn)

Outbound connection - Connect through Firewall (for Azure AI Search - Configure an IP firewall - Azure AI Search | Microsoft Learn)

Configure Azure Storage Firewall (Configure Azure Storage firewalls and virtual networks | Microsoft Learn)

Azure Web apps : Connect privately to an App Service apps using private endpoint - Azure App Service | Microsoft Learn, with NAT GATEWAY (Azure NAT Gateway integration - Azure App Service - Azure App Service | Microsoft Learn), control outbound with App Service outbound traffic control with Azure Firewall - Azure App Service | Microsoft Learn; Integrate your app with an Azure virtual network - Azure App Service | Microsoft Learn, access restriction : App Service Access restrictions - Azure App Service | Microsoft Learn

Tutorial: Isolate back-end communication with Virtual Network integration - Azure App Service | Microsoft Learn

static IP restrictions : Azure App Service access restrictions - Azure App Service | Microsoft Learn

Control outbound traffic with NSG : App Service outbound traffic control with Azure Firewall - Azure App Service | Microsoft Learn, if our app is integrated with a VNet. This can also be done centrally across Azure subscriptions (Azure Firewall Standard features | Microsoft Learn)

...

  1. Finally, we have to configure Network Routing when we use Azure Private Endpoints : Network routing preference - Azure Storage | Microsoft Learn

    1. For traffic flowing to private endpoints, you can add a rule to route that traffic through your Network Virtual Appliance (NVA). You can reuse that rule across all your spokes, Virtual Private Network (VPN) gateways, and Azure ExpressRoute gateways : Azure Private Link in a hub-and-spoke network - Azure Architecture Center | Microsoft Learn

    2. We may need to inspect or block traffic from clients to the services exposed via private endpoints : Azure Firewall scenarios to inspect traffic destined to a private endpoint - Azure Private Link | Microsoft Learn
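The routing points above, and the earlier point about controlling App Service outbound traffic with Azure Firewall, as one Bicep template: a route table on the App Service integration subnet sends the default route and the private endpoint's /32 to the firewall, and a firewall policy allows only named FQDNs and the private endpoint. This is an added example, not part of the original page or of Microsoft's reference architecture; the firewall IP, subnet prefixes, VNet and policy names and the target FQDN are assumed placeholders.

```bicep
// Added example: force App Service egress (and traffic to a private endpoint) through Azure
// Firewall with a route table, then allow only explicit destinations in the firewall policy.
// All names, IPs and prefixes are assumed placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-spoke'                   // assumed: spoke VNet hosting the app
param integrationSubnetName string = 'snet-app-int'    // assumed: App Service integration subnet
param integrationSubnetPrefix string = '10.1.0.0/24'   // assumed
param firewallPrivateIp string = '10.0.1.4'            // assumed: Azure Firewall private IP in the hub
param storagePrivateEndpointIp string = '10.1.2.5'     // assumed: private IP of the storage endpoint
param firewallPolicyName string = 'afw-policy'         // assumed: existing policy in this resource group
param allowedFqdn string = 'stexample01.blob.core.windows.net'   // assumed

resource routeTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-app-egress'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        // Default route: everything leaving the integration subnet goes to the firewall (NVA)
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        // /32 route so traffic to the private endpoint is inspected instead of following the
        // more specific system route the endpoint injects. The endpoint's subnet must have
        // privateEndpointNetworkPolicies enabled for UDRs to apply to it.
        name: 'storage-pe-to-firewall'
        properties: {
          addressPrefix: '${storagePrivateEndpointIp}/32'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Associate the route table with the integration subnet (subnet redeclared with its delegation)
resource integrationSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  name: '${vnetName}/${integrationSubnetName}'
  properties: {
    addressPrefix: integrationSubnetPrefix
    routeTable: { id: routeTable.id }
    delegations: [
      {
        name: 'appservice'
        properties: { serviceName: 'Microsoft.Web/serverFarms' }
      }
    ]
  }
}

resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

// Anything not matched by these collections hits the firewall's implicit deny
resource egressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'rcg-app-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-named-fqdns'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'              // FQDN filtering, not possible with an NSG
            name: 'allow-storage-fqdn'
            sourceAddresses: [ integrationSubnetPrefix ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ allowedFqdn ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-private-endpoint'
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'allow-https-to-storage-pe'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ integrationSubnetPrefix ]
            destinationAddresses: [ storagePrivateEndpointIp ]
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}
```

With `vnetRouteAllEnabled` set on the app, every outbound call (including DNS and calls to other Azure PaaS services) now crosses the firewall, so enable the firewall's diagnostic logs and expect to extend the FQDN list as the app's legitimate dependencies show up as denied flows.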

Azure AI Search

  1. The Network Segmentation boundaries will be established via the deployment of Azure AI Search in a private Virtual Network (VNet) and so, in a specific subnet : Configure Virtual Networks for Azure AI services - Azure AI services | Microsoft Learn

  2. Configuration of Firewalls and Virtual Networks :

    1. No direct connectivity between Azure AI Search and the on-premises server will be needed. The only direct connectivity will be implemented between Azure AI Search and Azure App Service.

    2. The inbound connection should be established through a private endpoint because of the network isolation we want and no Internet traffic will be allowed : Security overview - Azure AI Search | Microsoft Learn

    3. The outbound connection should be established as the following :

      1. Connection as a trusted service for the Storage Account : Connect as trusted service - Azure AI Search | Microsoft Learn

      2. We need to create an outbound connection through a firewall. Here are the steps to follow : Connect through firewalls - Azure AI Search | Microsoft Learn
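The Azure AI Search configuration described above (public access disabled, inbound through a private endpoint, outbound to the Storage Account as a trusted service via the service's managed identity), as a Bicep template. This is an added example, not part of the original page or of Microsoft's samples, and it goes slightly beyond the page by also creating a shared private link, which is the service's private outbound path to storage so that indexer traffic stays off the public Internet; the service name, subnet ID and storage account name are assumed placeholders.

```bicep
// Added example: Azure AI Search with no public endpoint, an inbound private endpoint,
// a system-assigned identity with Storage Blob Data Reader (trusted-service access) and a
// shared private link for private outbound indexer traffic. Names/IDs are assumed placeholders.
param location string = resourceGroup().location
param searchName string = 'srch-example'          // assumed
param privateEndpointSubnetId string              // assumed: subnet in the app's VNet
param storageAccountName string = 'stexample01'   // assumed: existing account in this resource group

resource search 'Microsoft.Search/searchServices@2023-11-01' = {
  name: searchName
  location: location
  sku: { name: 'standard' }                 // shared private links need Basic or higher
  identity: { type: 'SystemAssigned' }      // identity used for trusted-service access to storage
  properties: {
    replicaCount: 1
    partitionCount: 1
    hostingMode: 'default'
    publicNetworkAccess: 'disabled'         // inbound only through the private endpoint below
    networkRuleSet: { ipRules: [] }         // IP firewall unused once the public endpoint is closed
  }
}

// Inbound: private endpoint on the 'searchService' sub-resource (App Service reaches it over the VNet)
resource searchPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${searchName}'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${searchName}'
        properties: {
          privateLinkServiceId: search.id
          groupIds: [ 'searchService' ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Trusted service: the search identity needs a data-plane role on the account;
// the storage firewall then admits it via a resource-instance rule (see the storage template).
var blobDataReader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')

resource searchBlobReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, search.id, blobDataReader)
  scope: storage
  properties: {
    roleDefinitionId: blobDataReader
    principalId: search.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// Outbound over Private Link: the search service creates a private endpoint to the blob endpoint.
// This shows up on the storage account as a pending connection that an owner must approve.
resource searchToBlob 'Microsoft.Search/searchServices/sharedPrivateLinkResources@2023-11-01' = {
  parent: search
  name: 'spl-blob'
  properties: {
    privateLinkResourceId: storage.id
    groupId: 'blob'
    requestMessage: 'Azure AI Search indexer access to blob storage'
  }
}
```

After deployment, approve the pending connection on the storage account (`az network private-endpoint-connection approve`) and confirm in the search service's Networking blade that the shared private link reports "Succeeded"; until then the indexer cannot reach the account because its firewall is default-deny.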

[Image: image-20240501-203241.png]

Note

Private Endpoints for Azure AI Search allow a client on a virtual network to securely access data in a search index over a Private Link. The private endpoint uses an IP address from the virtual network address space for your search service. Network traffic between the client and the search service traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

Private endpoints for your search service enable you to:

  • Block all connections on the public endpoint for your search service.

  • Increase security for the virtual network, by enabling you to block exfiltration of data from the virtual network.

  • Securely connect to your search service from on-premises networks that connect to the virtual network using VPN or ExpressRoute with private peering.