Azure : A poor man’s SSL termination (by leveraging Cloudflare)

Introduction

A few weeks back I wrote a couple of posts about the Azure Application Gateway. I must say I ran into some issues combining it with Rancher, so I was forced to look for alternatives…

One of my requirements was a “zero-touch deployment” capability, meaning I did not want to deploy a system where I had to change things by hand to get it working.


High Level Blueprint

So what does a “poor man’s SSL termination on Azure” look like? Basically I use Cloudflare as my DNS provider, which then provides capabilities like CDN, various SSL modes, WAF, etc. The mode that matters here is “Flexible” SSL: the browser speaks HTTPS to Cloudflare’s edge, and Cloudflare speaks plain HTTP to the origin, so the TLS termination happens at Cloudflare rather than on our host. We can start with the free plan, which already lets us redirect HTTP to HTTPS and terminate SSL at the edge.

[Diagram: Azure / Cloudflare poor man’s SSL termination]

In addition, we deploy an NSG (Network Security Group, Azure’s basic firewall rule set) on the origin that only allows inbound traffic from Cloudflare’s published IP ranges. This way the outside world speaks HTTPS to Cloudflare, and we have to accept that the traffic between Cloudflare and our hosts is unencrypted HTTP… The NSG is what keeps that plaintext leg from being reachable by anyone else: without it, the origin’s public IP would serve Rancher over plain HTTP to the whole internet, and the Cloudflare layer could simply be bypassed.


Design Decisions

So what did I mock up to get my issue resolved? I put Cloudflare in front of the service that could not speak SSL itself (Rancher). Why didn’t I deploy a WAF? I didn’t want the fuss of maintaining the platform underneath it, and those things don’t come cheap… Compared to my basic Rancher management layer, a dedicated WAF would have been overkill relative to the cost of the layer it was protecting.

I’ve been a Cloudflare customer for a while on my personal domains (and I do love their free plan!), so I looked into whether such a setup would work.


What do we get out of this setup?

Basically, when using the free tier, we get ;

  • SSL termination (at Cloudflare’s edge; the origin itself still only speaks HTTP)
  • An additional DDoS protection layer (only effective as long as the origin cannot be reached directly, which is what the NSG enforces)
  • A transparent CDN (which reduces our bandwidth costs on the Azure side)


Can we scale up?

  • We can harden the traffic further by adding SSL termination on the Azure side too. This has the disadvantages mentioned earlier (cost & management), but the big plus is that it removes our weak spot, the unencrypted traffic between Cloudflare & Azure. For this, set the Cloudflare SSL mode to “Full (strict)”, so that Cloudflare also validates the origin’s certificate; plain “Full” encrypts to the origin but accepts any certificate (including self-signed), which still leaves an on-path attacker able to impersonate the origin.
  • Want a WAF? No problem, scale up to a higher plan depending on your needs. At $20 (or $200) per month, that is still a steal in my humble opinion…


Deep-dive

How did I configure this? Let’s take a look at the technical parts!

On the Azure side, I added the CIDR blocks of Cloudflare (published at https://www.cloudflare.com/ips/) as inbound allow rules on the Network Security Group ;

[Screenshot, 2016-11-09: Inbound security rules, Microsoft Azure]

And I also linked a DNS name label to my dynamic public IP address, so the origin stays resolvable when Azure hands it a new IP ;

[Screenshot, 2016-11-09: ranchermgmt01 public IP, Microsoft Azure]

On the Cloudflare side, I added a new DNS record: a CNAME pointing to the Azure DNS name, with the Cloudflare proxy enabled (otherwise the record is DNS-only and none of the SSL, CDN or NSG logic applies, since clients would connect straight to the origin) ;

[Screenshot, 2016-11-09: DNS, kvaes.be, Cloudflare]

And at the SSL level I configured “Flexible” and “Automatic HTTPS Rewrites” (the latter rewrites http:// references in the returned HTML to https:// so the Rancher UI does not trip mixed-content warnings; it is not the HTTP-to-HTTPS redirect itself)

[Screenshots, 2016-11-09: Crypto settings, kvaes.be, Cloudflare (SSL mode and Automatic HTTPS Rewrites)]

And now I’m able to access my Rancher management interface ONLY via HTTPS from the public internet! HTTPS because Cloudflare fronts it, and only via Cloudflare because the NSG drops everything that does not originate from its ranges.

[Screenshot, 2016-11-09: Rancher UI over HTTPS]


TL;DR

  • Cloudflare can be your “poor man’s SSL terminator” for Azure
  • The setup has a security weakness: the traffic between Cloudflare & Azure is still unencrypted (Flexible mode). Moving to “Full (strict)” with a certificate on the origin is the fix once the budget allows it.
  • Another weakness I’m pondering is IPv6… So the NSG will need to be enhanced with the IPv6 ranges from Cloudflare (published at https://www.cloudflare.com/ips-v6), or any Cloudflare edge connecting over IPv6 is silently dropped.
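The NSG allow-list above was built by hand in the portal. The following is an added example, not code from the original post or from Cloudflare or Azure: it models that allow-list (including the IPv6 ranges from the last bullet), renders it as `az network nsg rule create` commands, evaluates a source address the way an NSG does (lowest priority number wins, first match decides), and shows the origin-side complement: only trusting Cloudflare’s `CF-Connecting-IP` / `X-Forwarded-Proto` headers when the TCP peer really is a Cloudflare address, since with Flexible SSL the origin sees plain HTTP and anyone who reached it directly could spoof those headers. The range entries embedded below are a constructed snapshot in the format of https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, not an authoritative list; the resource group and NSG names are placeholders.

```python
"""Cloudflare-only ingress for an Azure origin behind Flexible SSL.

Added example (not from the original post). Range entries are a constructed
snapshot in the format of Cloudflare's published lists; fetch the live lists
from https://www.cloudflare.com/ips-v4 and /ips-v6 before deploying.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed snapshot, NOT authoritative. One CIDR per line, like the real lists.
CLOUDFLARE_IPV4 = """\
173.245.48.0/20
103.21.244.0/22
141.101.64.0/18
104.16.0.0/13
172.64.0.0/13
"""
CLOUDFLARE_IPV6 = """\
2400:cb00::/32
2606:4700::/32
2a06:98c0::/29
"""

ORIGIN_PORT = 80  # Flexible SSL: Cloudflare -> origin is plain HTTP


def parse_ranges(text: str) -> List[Net]:
    """Parse one CIDR per line; blank lines and '#' comments are ignored.
    strict=True rejects entries such as 10.0.0.1/8, so a typo cannot widen a rule."""
    nets: List[Net] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def build_nsg_rules(nets: List[Net], port: int = ORIGIN_PORT, base_priority: int = 100) -> List[Dict]:
    """One inbound Allow rule per Cloudflare prefix, closed by an explicit Deny for
    the same port. Mirrors the inbound rule table in the Azure portal (Azure also
    appends its own DenyAllInbound rule at priority 65500)."""
    rules = [{"name": f"Allow-Cloudflare-{i:03d}", "priority": base_priority + i,
              "source": net, "port": port, "access": "Allow"}
             for i, net in enumerate(nets)]
    rules.append({"name": "Deny-Other-Origin-Port", "priority": 4000,
                  "source": None, "port": port, "access": "Deny"})
    return rules


def is_allowed(src_ip: str, rules: List[Dict], port: int = ORIGIN_PORT) -> bool:
    """Evaluate like an NSG: lowest priority number first, first match decides.
    An IPv6 client never matches an IPv4 prefix; with only the v4 list loaded,
    IPv6 traffic from Cloudflare is dropped (the gap noted in the TL;DR)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["port"] != port:
            continue
        src = rule["source"]
        if src is None or (src.version == ip.version and ip in src):
            return rule["access"] == "Allow"
    return False  # Azure's default DenyAllInbound


def to_az_cli(rule: Dict, resource_group: str, nsg_name: str) -> str:
    """Render one rule as an `az network nsg rule create` command.
    resource_group / nsg_name are placeholders supplied by the caller."""
    src = "*" if rule["source"] is None else str(rule["source"])
    return (f"az network nsg rule create --resource-group {resource_group} "
            f"--nsg-name {nsg_name} --name {rule['name']} --priority {rule['priority']} "
            f"--direction Inbound --protocol Tcp --access {rule['access']} "
            f"--source-address-prefixes {src} --destination-port-ranges {rule['port']}")


def client_view(peer_ip: str, headers: Dict[str, str], nets: List[Net]) -> Tuple[str, str]:
    """Origin-side check: return (client_ip, scheme). CF-Connecting-IP and
    X-Forwarded-Proto are trusted only when the TCP peer is a Cloudflare address;
    otherwise the peer itself is the client and the scheme is the plain HTTP we see."""
    peer = ipaddress.ip_address(peer_ip)
    via_cloudflare = any(peer.version == n.version and peer in n for n in nets)
    if not via_cloudflare:
        return peer_ip, "http"
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("cf-connecting-ip", peer_ip), h.get("x-forwarded-proto", "http")


if __name__ == "__main__":
    v4, v6 = parse_ranges(CLOUDFLARE_IPV4), parse_ranges(CLOUDFLARE_IPV6)
    for r in build_nsg_rules(v4 + v6):
        print(to_az_cli(r, "rg-rancher", "nsg-ranchermgmt01"))   # placeholder names
    print(is_allowed("2400:cb00::1", build_nsg_rules(v4)))       # v4-only list: dropped
    print(is_allowed("2400:cb00::1", build_nsg_rules(v4 + v6)))  # with v6 ranges: allowed
```

Running it prints the CLI commands for a v4+v6 rule set and then the two IPv6 evaluations, the first denied and the second allowed. The `client_view` check is the part people forget: the NSG stops strangers at the network layer, but if the list is ever loosened (or the origin gets a second public IP), an application that blindly honours `X-Forwarded-Proto: https` on a plain-HTTP socket will believe a spoofing client was served securely.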