Score:1

Why is a VNET required for PaaS services?

br flag

I have the setup below in Azure cloud, where a web app gets secrets from Key Vault as shown below. Managed identity and access policies are enabled.


However, our security team recommends that we restrict network access to Azure Key Vault using firewalls and VNets.

I can create a VNET and restrict access. However, what exactly is this VNET going to do, as it is an orphanage (as shown below)? Am I missing something?


Score:2
gb flag

I also had the same question and shared the same concern. The short answer to your question “what exactly is this VNET going to do as it is an orphanage” is NOTHING.

The detailed answer by @Ken W MSFT is detailed, valuable and perfect. And you already knew that.

Your security team is driven by the fact that Microsoft built-in policies, the security baseline for Azure Key Vault and the Azure Security Benchmark all recommend that you never reach AKV from the public internet, and therefore reach it ONLY by private link or service endpoint, as explained in detail above. But that all assumes that you have a VNET and IaaS VMs, which is NOT your case.

It does require someone who takes a wider view and does not follow the recommendations blindly without understanding what they mean.

I say that while I am open to being wrong and challenged, but I have seen such dilemmas because I have worked and lived in both worlds, as a Cloud Solution Architect and a Cloud Security Architect.

So, to meet your security requirements you can do one of two things:

  1. Change your PaaS application into IaaS, have a VM in a subnet in a VNET, and make the property configurations as explained above.

  2. Promote the hosting plan to Isolated, integrate your App Service with a VNET, and have the VNET access the AKV and other resources, as shown in this link.

Here is the guidance for the security that your security team is recommending, but it is far more costly than your solution.

Guidance: When using App Service in the Isolated pricing tier, also called an App Service Environment (ASE), you can deploy directly into a subnet within your Azure Virtual Network. Use network security groups to secure your Azure App Service Environment by blocking inbound and outbound traffic to resources in your virtual network, or to restrict access to apps in an App Service Environment. By default, network security groups include an implicit deny rule at the lowest priority and require you to add explicit allow rules. Add allow rules for your network security group based on a least-privileged networking approach. The underlying virtual machines that are used to host the App Service Environment are not directly accessible because they are in a Microsoft-managed subscription. Protect an App Service Environment by routing traffic through a Web Application Firewall (WAF) enabled Azure Application Gateway. Use service endpoints in conjunction with the Application Gateway to secure inbound publishing traffic to your app.


kudlatiger (br flag): You nailed it. +1
Score:1
gb flag

By adding Key Vault to a VNET you can apply an NSG rule. This will allow you to effectively block access from the Internet. As we all know, cybersecurity takes a layered approach, and this is another layer. By default, Key Vault does have Access Policies, but these are not turned on and they only block access at the identity level. I don't know what your security requires, but I deal with customers in regulated industries, and blocking access at the network level is very common.

There are two ways to inject PaaS services into a VNet in Azure.

Service Endpoints

A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to restrict your critical Azure service resources to only your virtual networks. Service endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

Service Endpoint Diagram

Private Link

Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.

Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. You can create your own private link service in your virtual network and deliver it to your customers. Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.

kudlatiger (br flag): I agree with respect to security. I understand the benefits of VNET. My question was on how these services are inter-connected. Basically, a network diagram would help.
br flag: In your example, you can attach an App Service to the VNET. Also, connect the Key Vault to the VNET via Private Link; then the App Service will connect to the Key Vault via the VNET.
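The wiring described in this answer and its last comment (App Service integrated into a VNet, Key Vault reachable only from that VNet, either through a service endpoint rule or through a private endpoint with private DNS) as an added Bicep example. This is not code from the original post or from Microsoft's documentation; the resource names, address ranges, SKU and the `usePrivateLink` switch are assumptions chosen for illustration, and the access policy matches the question's access-policy (non-RBAC) setup.

```bicep
// Added example (not from the original post). Names, address ranges and SKU are assumptions.
param location string = resourceGroup().location
param appName string = 'contoso-web-example'
param vaultName string = 'contoso-kv-example'
// true  -> Private Link: vault gets a private IP in the VNet, public endpoint fully disabled
// false -> Service endpoint: vault firewall set to Deny with only the app subnet allowed
param usePrivateLink bool = true

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'app-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'app-integration' // subnet for App Service regional VNet integration
        properties: {
          addressPrefix: '10.10.1.0/24'
          delegations: [ { name: 'webapp', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
          serviceEndpoints: [ { service: 'Microsoft.KeyVault' } ] // required for the service-endpoint variant
        }
      }
      {
        name: 'private-endpoints' // subnet that hosts the Key Vault private endpoint
        properties: { addressPrefix: '10.10.2.0/24', privateEndpointNetworkPolicies: 'Disabled' }
      }
    ]
  }
}

// Regional VNet integration needs Basic tier or higher; no Isolated/ASE plan is required for this.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'app-plan'
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' }
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  identity: { type: 'SystemAssigned' } // managed identity used to authenticate to Key Vault
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    vnetRouteAllEnabled: true // route all outbound traffic (and DNS) through the VNet
  }
}

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    // The network layer the security team asks for: deny everything except the chosen path.
    publicNetworkAccess: usePrivateLink ? 'Disabled' : 'Enabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
      ipRules: []
      virtualNetworkRules: usePrivateLink ? [] : [ { id: vnet.properties.subnets[0].id } ]
    }
    // Identity layer (the question's existing setup): only the app's managed identity may read secrets.
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: app.identity.principalId
        permissions: { secrets: [ 'get', 'list' ] }
      }
    ]
  }
}

// Private Link variant: private endpoint plus the private DNS zone so that
// <vault>.vault.azure.net resolves to the private IP from inside the VNet.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = if (usePrivateLink) {
  name: 'kv-pe'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[1].id }
    privateLinkServiceConnections: [
      { name: 'kv', properties: { privateLinkServiceId: kv.id, groupIds: [ 'vault' ] } }
    ]
  }
}

resource dns 'Microsoft.Network/privateDnsZones@2020-06-01' = if (usePrivateLink) {
  name: 'privatelink.vaultcore.azure.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (usePrivateLink) {
  parent: dns
  name: 'app-vnet-link'
  location: 'global'
  properties: { virtualNetwork: { id: vnet.id }, registrationEnabled: false }
}

resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = if (usePrivateLink) {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'vault', properties: { privateDnsZoneId: dns.id } } ] }
}
```

With `usePrivateLink = true` the vault answers only on its private IP, so a request from outside the VNet (including the portal's data-plane calls) is refused at the network layer before the managed-identity token is ever evaluated; with `false` the vault keeps its public endpoint but the firewall admits only traffic arriving through the service endpoint on the `app-integration` subnet. A quick check after deployment is to resolve the vault's hostname from the app's console: it should return a 10.10.2.x address for the Private Link variant and the public IP otherwise.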