Cloud Security

Powershell Command New-SelfSignedCertificate `   -certstorelocation cert:\localmachine\my `   -dnsname app.cloudyworld.ca Note: in the "dnsname" change it to your environment. Once you execute above command, copy the thumbprint it generates and paste in the below code marked in bold.    $pwd = ConvertTo-SecureString -String "PASSWORD" -Force -AsPlainText Export-PfxCertificate `   -cert cert:\localMachine\my\ A29C6B4827282DD1C1787CAE3AC9BE1596A56DE3 `   -FilePath c:\appcloudyworld.pfx `   -Password $pwd

By default, Azure Web App are deployed in the multi tenant environment. Enterprise security may require to deploy their web apps in isolated environment for compliance reason. App Service Environment was introduce to address this limitation. With App Service Environment, we will be able to deploy Web App in the secure isolated environment. We have complete control on which app to expose to the external world and which one to keep totally internal. End user is responsible for managing the DNS. Azure Private DNS, Windows Server OS or third party DNS can be used to make web app accessible.   Deploying ASE: Deploying App Service Environment is quite simple, but tricky part is setting up the DNS. We need separate subnet to deploy each ASE.    1. Make sure you have a Subnet dedicated for  each App Service Environment. In this example, i have allocated ASE-SNET subent.  2.  Create a resources  "App Service Environment" 3. Choose or Create Resource Group, E

Integrating Web Apps with virtual network allows us to access the resources which is located within our private network space, however web apps will be still be accessible from internet. App Service Environment could be possible solution if you wish to make your Web App completely private. In this blog I will be discussing the 3 possible use cases. Integrate Web Apps with VNet and verify connectivity between Web App and a VM which is deployed within the same VNet.  Web App Integration in Hub and Spoke  Establish connectivity between On-Prem network and Azure Web App Use Case 1 - Simple We need to have the following things to meet the goal with use case 1. 1. Virtual Network - Ansible-vnet - Address Space -10.0.0.0/16 2. Provision a Gateway Subnet - Address Space - 10.0.1.0/24 3. Virtual Network Gateway - WebApp-GW : SKU - VpnGw1 4. Create Point to Site in WebApp-GW - Address Space : 172.16.201.0/24 5. Since, SKU - VpnGw1 is used, IKEv2 VPN should be unchecked. (

WH Question regarding Azure Sentinel. 1. What is Azure Sentinel ?  Its the Cloud Native SEIM tools which helps to provide the insights into the overall infrastructure. It has multiple data sources which can be connected. By default, it will be connect to the log analytics workbook.  2. Does it has own set of data?  No, all its analytics is based on the KUSTO Query which will be pre-written(git-hub), and run against the data which is already collected by log analytics. Further more, it can have Microsoft native data sources such as Active Directory Logs, or third party products such as Palo Alto, F5.  3. How its differs from Azure Security Cente r?  Azure Security Center is much more focus on providing the health/hygiene of the infrastructure. Its performed the calculation based on the points and presented. Once the recommendation are meet, it changes the score to the acceptable level.  Where as Azure Sentinel is cloud native Security Information and Event Management

Enforce like pattern for naming conventions Allowed region locations Allowed resource types Enforce a naming policy on Office 365 groups in Azure Active Directory Audit Key Vault vaults with no virtual network endpoints Audit diagnostic setting Use approved subnet for VM network interfaces Use approved vNet for VM network interfaces No network peering to Express Route network Allowed application gateway SKU

As Virtual Network is created, Azure automatically create its own route tables for that Virtual Network, so that all the packets which enters the virtual network can traverse within its address prefix and leave the subnet for its destination. These are known as the Default Routes . We can’t modify these routes; however, we can add our custom routes on top of default routes for the traffic leaving the subnet. These custome route is known as User Define Routes . In this case, we are modifying the default behaviour of packets routing but still the internal and external routing of packet is done by virtual network to ensure that our packets are never hijacked.  In another word, we are adding routes and requesting virtual network to routes traffic in the way we want. So far its not possible to route the traffic independently bypassing the Azure Virtual Network routing mechanism and for security reason I do not think this will ever be possible. Common Use Case of UDR:  Every bus