Azure IoT Hub – Generating & using SAS tokens for a device

Introduction

Today we’ll talk about two connection flows you can use in an IoT setup when working with keys. An alternative is to use certificates, but I won’t cover that one today.


When talking about keys, there are two common patterns:

  • one where the IoT device has a symmetric key (used to generate SAS tokens)
  • another where the IoT device is only provided with the SAS token (which is generated by another service)


Azure Networking : Blueprint patterns for enterprises

Introduction

When moving to the cloud, one cannot imagine this without some kind of network integration. Taking a look at “Infrastructure-as-a-Service”, there are several common patterns that are utilized by enterprises. Today we’ll discuss these patterns…

 

Typical Network Maturity Models

Embarking on a cloud journey? You’ll typically go through the following patterns depending on your “maturity level” in working with the cloud:

  1. “Island” : The first approach is typically “the island”. The VMs reside in a VNET that is not connected/integrated with any other networks, except for (maybe) the internet.
  2. “Forced Tunneling” : The first step towards integration is “forced tunneling”. Here you want to access “On Premises” resources, though the mass of resources on Azure does not justify the investment in a “Network Virtual Appliance” (AKA Firewall). Here you set up a “UDR” (User Defined Route, AKA Static Route), where you force all traffic to go back to the “On Premises” network.
  3. “Single VNET with DMZ” : One step beyond “forced tunneling” is moving towards the typical DMZ-like pattern, where you set up an HA pair of “Network Virtual Appliances” and segregate network zones.
  4. “Hub & Spoke”-model : Growing even further, you’ll have multiple subscriptions. Setting up “NVAs” on all of those can be quite expensive. In terms of governance, this is also a nice model, where you can consolidate all network integration into a segregated subscription/VNET.

The advantage of these patterns is that you can evolve into another pattern without breaking anything in terms of design.


Azure : IT Governance in the cloud

Introduction

During the weekend I saw the following tweet passing by …

Apparently, a hosting company (allegedly) got all their data wiped by an ex-admin. Now I can imagine people thinking that this is something that comes with the territory when it comes to cloud. So I wanted to write a blog post covering what you do to set up a governance structure in Azure. Here I’m aware that the above tweet is more related to the security aspect of governance, but it’s a part of it nevertheless.

 

Governance?!?

Let’s get started on our scope… IT Governance can cover a lot of ground. In essence, the goal is to assure that the investment in IT generates business value and that the risks associated with IT projects are mitigated. Though I found that CIO.com has a nice definition of it:

Simply put, it’s putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making.

So let’s take a look at how we can put an enterprise-grade structure around the management of Azure!

 

TL;DR = Azure Enterprise Scaffold

For those who want to skip the post below… When talking about governance in Azure, the best place that summarizes it is the following page in our documentation: “The Azure Enterprise Scaffold”.

How to integrate Azure MySQL with PHP (on an Azure Webapp)

Introduction

When you deploy a MySQL database in Azure, you should know that by default this enforces the usage of SSL on your connection.

And this is for good reason! You really do not want to create your database connection unencrypted. Though this comes as something new to most PHP deployments, so let’s take a look at how to tackle this!

Single Page Webapp : How to secure your app and your API with Azure Active Directory

Introduction

A few months ago I did a post on using PHP to connect to the Azure management API. And a week ago I did a demo on how to secure a “classic” webapp with Azure Active Directory. Today we’ll look at how to secure a single page webapp by using Azure Active Directory. For today’s post I’ll be using two webapps:

  • Front end ; a small webapp based on AngularJS
  • Backend ; also a small webapp based on PHP, which will serve the API calls made from the front end

Why does this kind of setup differ from a “classic” approach? With single page apps, we see a very clear segregation of backend & front end. When the backend & front end are combined, we often see simpler mechanisms used, often based on session information. When the two are clearly separated, we’ll need to authenticate to both individually… I’ve often seen the error where organizations just protect the front end, as this is where the user logs in. And they forget to secure the backend API… An unsecured API means that everyone who can access that API will be able to retrieve (or delete/adjust) the data served by that API. Let that one sink in!

 

Flow of the day

So what will we be doing today?

  1. A user accesses our front end
  2. If the user is not authenticated, (s)he will be redirected to Azure Active Directory (AAD) to log in
  3. AAD will redirect (on success) with an authorization token
  4. We’ll inject this authorization token into the calls made to the backend (to prove your identity)
  5. The backend API will validate the authorization token and verify it against the issuer (AAD)

 


Protecting your webapp with Azure Active Directory WITHOUT adjusting any code…

Introduction

Sometimes we come across applications that need some basic form of protection, but (sadly enough) the code base does not allow it. Today we’ll see how we can enable authentication / authorization on your web app, -without- altering any code! We’ll be enabling this capability from the web app service itself, without the code noticing anything of this.

Enable / Configure the Azure Active Directory Authentication

Let’s start by going to our web app and looking for the “Authentication / Authorization” section.

We’ll be enabling the “App Service Authentication”. As we do not want guests, we’ll select “Log in with Azure Active Directory” as a way to force authentication. Next up we’ll configure the Azure Active Directory:


Azure : A poor man’s SSL termination (by leveraging Cloudflare)

Introduction

A few weeks back I posted some posts about the Azure Application Gateway. Here I must say I ran into some issues in combination with Rancher. So I was forced to look for alternatives…

One of my requirements was to have a “zero-touch deployment”-capability. Meaning that I did not want to deploy a system where I had to manually change things to get it working.

 

High Level Blueprint

So how would a “poor man’s ssl termination on Azure” look? Basically I’m using Cloudflare as my DNS provider which then provides capabilities like CDN, various SSL options (like SSL Termination = Flexible SSL), WAF, etc. We can start with the free plan, where we can do a redirect to https and do SSL termination.

In addition, we’ll deploy an NSG (network security group = basic Azure firewall rule) that is configured to only allow the IP ranges from Cloudflare. This way we speak https to the outside world, and we have to accept that the traffic between Cloudflare and our hosts is unencrypted…

 
