Jason Haley

Ramblings from an Independent Consultant

Web Apps 2019 from Boston Code Camp 31

It has now been a week since Boston Code Camp 31, where I presented my new Azure Web Apps 2019 talk. I originally structured the talk to introduce things that have changed or are changing in the near future in Azure Web Apps (according to announcements at Ignite last year) – which all assumed a basic knowledge of Web Apps. However, there was a good percentage of people in the crowd that didn’t have that basic knowledge … so I spent more time walking through features in the tour of Web Apps than planned, which meant I didn’t have the time for the full set of demos I had wanted to go through. There were also quite a few questions – which I thought were well worth missing some of the demos.

If you attended the session and want to know more detail about the demos: I am modifying the talk into a hands-on session for the Boston Area Global Azure Bootcamp (Burlington location) on April 27 – so you can come and walk through the code yourself!

The PowerPoint can be found here: AzureWebApps2019.pptx

This was the second time I’ve given this talk. The first time I gave the talk I used one of my GitHub repos for the code sample, but I recently found Joonas Westlin’s GitHub repo that is more complete than mine: Azure Managed Identity demo collection, so this time I used his code. Thanks Joonas!

Here are some notes for you in case you missed it.

Newer Features

This section of the presentation highlights some things that have been added to the Azure Portal which are useful to know about if you haven’t been in the portal for a little while and missed them.

Changes on App Settings blade
  • Now called Configurations
  • Has tabs for fitting on one page better
  • FTP configuration (added last year)
  • HTTP/2 Support (added last year)
  • Settings and connection string values are now hidden by default
  • Advanced Edit allows you to edit multiple settings quickly in a json format (this is new)
Custom domains and SSL Settings blade
  • HTTPS Only (added last year in two places)
    • Custom domains blade
    • SSL Settings blade
  • Minimum TLS version is now configurable (added last year)
Networking blade
  • Can now add IP Restrictions (whitelisting) for your web app
    • Supports IPv4 and IPv6
  • Can handle the IP Restrictions for the web app and the Kudu site separately (this is new)
Deployment slots blade
  • Improved UX
  • Combined the Testing in production features
Deployment Center blade
  • Improved UX
  • Search and filter repositories
  • Revamped log files
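Several of the items above are hardening settings (HTTPS Only, minimum TLS version, FTP state, HTTP/2, and IP restrictions applied separately to the Kudu site), and all of them can be set from the Azure CLI as well as from the portal. The script below is an added example written for these notes, not code from the talk; the resource group, app name and allowed address range are placeholders, and it assumes an Azure CLI recent enough to have the `az webapp config access-restriction` commands. With DRY_RUN left at its default of 1 it only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not from the talk): the blade settings listed above applied with
# the Azure CLI. RG/APP are placeholder names; DRY_RUN=1 (the default) prints the
# az commands instead of executing them so the script can be reviewed offline.
set -eu

RG="${RG:-rg-webapps2019}"                      # placeholder resource group
APP="${APP:-webapps2019-demo}"                  # placeholder web app name
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"  # constructed range (TEST-NET-3)
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi
}

harden_web_app() {
  # Custom domains / SSL Settings blade: HTTPS Only and a TLS 1.2 floor.
  run webapp update -g "$RG" -n "$APP" --set httpsOnly=true
  run webapp config set -g "$RG" -n "$APP" --min-tls-version 1.2 \
      --ftps-state Disabled --http20-enabled true
  # Configuration blade: app settings (a constructed, non-secret example value).
  run webapp config appsettings set -g "$RG" -n "$APP" \
      --settings WEBSITE_TIME_ZONE="Eastern Standard Time"
  # Networking blade: restrictions for the app and, separately, for the Kudu (scm) site.
  run webapp config access-restriction set -g "$RG" -n "$APP" \
      --use-same-restrictions-for-scm-site false
  run webapp config access-restriction add -g "$RG" -n "$APP" \
      --rule-name allow-office --action Allow --ip-address "$ALLOWED_CIDR" --priority 100
  run webapp config access-restriction add -g "$RG" -n "$APP" \
      --rule-name allow-office-scm --action Allow --ip-address "$ALLOWED_CIDR" \
      --priority 100 --scm-site true
}

harden_web_app
```

Run it with `DRY_RUN=0` after `az login` to apply the settings. Keeping the Kudu site on its own rule list is the point of the last two commands: once an Allow rule exists, everything else is denied, so the deployment site needs its own entry rather than inheriting the app's list.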

Securing Web Apps

This section of the presentation highlighted how to use two new-ish features to make your web app more secure: managed identity and VNet integration (preview).


Managed Identity
  • Identity blade in Web Apps
    • System Assigned
    • User Assigned
  • Allows Azure resources to authenticate to other resources without storing credentials
  • Deployment slots have different identities
  • Easiest to manage by adding the identity to an AAD security group and granting permissions to the group
New VNet Integration (Preview)
  • Does not use a point-to-site VPN (this is new and in preview)
  • Requires an unused subnet with 32 addresses (a /27)
  • App and VNet must be in the same region
Virtual Network Service Endpoints
  • Extend your VNet to Azure services
  • Available with:
    • Storage
    • SQL DB
    • Key Vault
    • SQL Data Warehouse
    • PostgreSQL
    • MySQL
    • Cosmos DB
    • Service Bus
    • Event Hubs
Azure Key Vault
  • For storing your
    • secrets
    • keys
    • certificates
  • Has IP Firewall
  • Integrates with VNet (via service endpoint)
  • Access policies
    • Manage identity permissions
      • Users
      • Managed Identities
Azure Storage
  • Encrypted at rest – can now bring your own key (this is new)
  • Soft delete (this is new)
  • Has IP Firewall
  • Integrates with VNet (via service endpoint)
  • Access control
    • Manage identity permissions
      • Users
      • Managed Identities
SQL DB
  • Has IP Firewall
  • Integrates with VNet (via service endpoint)
  • Can grant SQL DB access to managed identity or AAD security group
Demo steps
  1. Walk through local development using managed identity
    1. Add local user to storage
    2. Add local user to SQL DB and client IP firewall
  2. Create a managed identity for web app
    1. Enable System Managed Identity in web app
    2. Create AAD group and add new managed identity as a member
  3. Connect web app to VNet
    1. Create VNet and subnet
    2. Enable Service endpoints on subnet
    3. Create NSG for SQL out and add to subnet
    4. Turn on VNet Integration (Preview) in Web App
  4. Connect Key Vault to VNet
    1. Configure Access policies for managed identity or AAD Group
    2. Configure VNet
  5. Connect storage to VNet
    1. Configure Access policies for managed identity or AAD Group
    2. Configure VNet
  6. Connect SQL to VNet
    1. Configure network rule and add to VNet
    2. Add AAD Group to SQL DB via T-SQL
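The six demo steps above, expressed as Azure CLI commands. This is an added example written for these notes, not code from the talk or from Joonas's repo. Every resource name, the subscription id, the address ranges and the developer IP are placeholders or constructed values; step 6.2 is emitted as T-SQL because it runs inside the database as the AAD admin, not through az. With DRY_RUN left at its default of 1 the script prints each command instead of executing it, so the sequence can be reviewed offline.

```shell
#!/usr/bin/env bash
# Added example (not from the talk or Joonas's repo): the six demo steps as Azure CLI.
# All names are placeholders; DRY_RUN=1 (the default) prints commands instead of running them.
set -eu

RG="${RG:-rg-webapps2019}"; LOCATION="${LOCATION:-eastus}"   # app and VNet: same region
APP="${APP:-webapps2019-demo}"
SUB_ID="${SUB_ID:-<subscription-id>}"                          # placeholder
VNET="vnet-webapps2019"; SUBNET="snet-integration"; NSG="nsg-sql-out"
KV="${KV:-kv-webapps2019}"; STORAGE="${STORAGE:-stwebapps2019}"
SQL_SERVER="${SQL_SERVER:-sql-webapps2019}"
AAD_GROUP="sg-webapps2019-identities"
DEV_IP="${DEV_IP:-198.51.100.7}"                               # constructed developer IP
DRY_RUN="${DRY_RUN:-1}"
PRINCIPAL_ID="00000000-0000-0000-0000-000000000000"            # replaced by the real id when run

run() { if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi; }

# The preview integration needs an unused subnet of 32 addresses, i.e. a /27.
integration_subnet_prefix() { echo "10.10.1.0/27"; }
storage_scope() { echo "/subscriptions/$SUB_ID/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$STORAGE"; }

# Step 6.2: T-SQL mapping the AAD group to a database user with read/write roles.
sql_grant_group() {
  printf 'CREATE USER [%s] FROM EXTERNAL PROVIDER;\nALTER ROLE db_datareader ADD MEMBER [%s];\nALTER ROLE db_datawriter ADD MEMBER [%s];\n' "$1" "$1" "$1"
}

step1_local_dev() {
  # Locally the app runs as the signed-in developer, who needs data-plane rights
  # on storage and a client-IP entry in the SQL firewall.
  local dev_oid="$PRINCIPAL_ID"
  [ "$DRY_RUN" = "1" ] || dev_oid="$(az ad signed-in-user show --query id -o tsv)"
  run role assignment create --assignee-object-id "$dev_oid" --assignee-principal-type User \
      --role "Storage Blob Data Contributor" --scope "$(storage_scope)"
  run sql server firewall-rule create -g "$RG" -s "$SQL_SERVER" -n dev-client \
      --start-ip-address "$DEV_IP" --end-ip-address "$DEV_IP"
}

step2_managed_identity() {
  # Each deployment slot has its own identity; repeat with --slot for slots.
  if [ "$DRY_RUN" = "1" ]; then
    run webapp identity assign -g "$RG" -n "$APP" --query principalId -o tsv
  else
    PRINCIPAL_ID="$(az webapp identity assign -g "$RG" -n "$APP" --query principalId -o tsv)"
  fi
  run ad group create --display-name "$AAD_GROUP" --mail-nickname "$AAD_GROUP"
  run ad group member add --group "$AAD_GROUP" --member-id "$PRINCIPAL_ID"
}

step3_vnet_integration() {
  run network vnet create -g "$RG" -l "$LOCATION" -n "$VNET" --address-prefix 10.10.0.0/16 \
      --subnet-name "$SUBNET" --subnet-prefix "$(integration_subnet_prefix)"
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --service-endpoints Microsoft.KeyVault Microsoft.Storage Microsoft.Sql
  # NSG allowing outbound 1433 to the Sql service tag (default rules still allow
  # other outbound traffic; add a lower-priority Deny rule to tighten further).
  run network nsg create -g "$RG" -l "$LOCATION" -n "$NSG"
  run network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-sql-out --priority 100 \
      --direction Outbound --access Allow --protocol Tcp \
      --destination-address-prefixes Sql --destination-port-ranges 1433
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --network-security-group "$NSG"
  run webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
}

step4_keyvault() {
  # --object-id accepts the identity's principalId or the AAD group's object id.
  run keyvault set-policy -n "$KV" --object-id "$PRINCIPAL_ID" --secret-permissions get list
  run keyvault network-rule add -g "$RG" -n "$KV" --vnet-name "$VNET" --subnet "$SUBNET"
  run keyvault update -g "$RG" -n "$KV" --default-action Deny --bypass AzureServices
}

step5_storage() {
  run role assignment create --assignee-object-id "$PRINCIPAL_ID" \
      --assignee-principal-type ServicePrincipal --role "Storage Blob Data Contributor" \
      --scope "$(storage_scope)"
  run storage account network-rule add -g "$RG" --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
  run storage account update -g "$RG" -n "$STORAGE" --default-action Deny --bypass AzureServices
}

step6_sql() {
  run sql server vnet-rule create -g "$RG" -s "$SQL_SERVER" -n app-subnet --vnet-name "$VNET" --subnet "$SUBNET"
  sql_grant_group "$AAD_GROUP"   # run this output against the database as the AAD admin
}

step1_local_dev; step2_managed_identity; step3_vnet_integration
step4_keyvault; step5_storage; step6_sql
```

Run with `DRY_RUN=0` after `az login` to execute. Note that switching Key Vault and Storage to a default action of Deny also blocks your own client (including data browsing in the portal) until its IP is added as a rule, which is why step 1 adds the developer's address to the SQL firewall before the network is locked down.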
Resources

Samples: https://github.com/juunas11/Joonasw.ManagedIdentityDemos

What is new in Azure App Service networking
https://bit.ly/2FTre8Y

In the security trenches of Azure SQL Database and Azure SQL Data Warehouse
https://bit.ly/2S7wdIX

Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
https://bit.ly/2RkdJAh

Learn how to protect your data in Azure Storage with new features and capabilities
https://bit.ly/2WjP96m

Manage keys, secrets, and certificates for secure apps and data with Azure Key Vault
https://bit.ly/2HEfZCU