Score:0

Internet-facing port 443 in Azure - security concerns


I want to deploy a microservice on an Azure Ubuntu VM using one of the following stacks: docker-compose or AKS, with Traefik as the reverse proxy.

I'm looking for the cheapest solution that is still reasonable in terms of security.

Will opening port 443 in my VM firewall (the rest will be closed) and forwarding it to a public IP in Azure create a major risk or break security rules? (It will be a test environment, so things like DDoS don't bother me.)

Using AKS, it will be a LoadBalancer service on port 443 mapped to an Azure Public IP, so pretty much the same approach but without direct control of the VM firewall (Kubernetes manages everything else).

There is an NSG that only allows Internet inbound on port 443. All microservices will be secured with proper authentication, and only the services needed by end users will be exposed to the public internet via the reverse proxy. I was looking for this type of architecture on the internet but never found anything.
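The NSG described above is the whole perimeter in this design, so the check worth automating is the one the linked "unrestricted HTTPS access" finding does by hand: given the rule set, which TCP ports can an arbitrary Internet host actually reach? The script below is an added example, not code from the question or from Azure; the rule fields mirror the NSG schema (priority, direction, access, protocol, source prefix, destination port range), but the rule sets are constructed here and nothing calls the Azure API.

```python
# Added example (not from the original post): evaluate which TCP ports an
# Azure NSG leaves reachable from the whole Internet. Rule fields mirror the
# Azure NSG schema; the sample rule sets are constructed here, not exported
# from a real subscription, and nothing calls the Azure API.
from dataclasses import dataclass

# Source prefixes this check treats as "any host on the Internet".
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int         # custom rules use 100..4096; lowest number is evaluated first
    direction: str        # "Inbound" or "Outbound"
    access: str           # "Allow" or "Deny"
    protocol: str         # "Tcp", "Udp", "Icmp" or "*"
    source_prefix: str    # CIDR, single IP or service tag such as "Internet"
    dest_port_range: str  # "443", "8000-8080", "80,443" or "*"


# Default rules Azure attaches to every NSG. Custom rules (priority < 65000)
# are evaluated before them, so one Allow-443 rule on top of these yields
# exactly "443 open, everything else denied" for Internet sources.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed rule set matching the question: only 443 allowed from the Internet.
QUESTION_NSG = [
    NsgRule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
]


def port_in_range(port: int, range_spec: str) -> bool:
    """Match a port against an NSG destinationPortRange value."""
    if range_spec == "*":
        return True
    for part in range_spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def internet_can_reach(rules, port: int, protocol: str = "Tcp"):
    """Decide whether an arbitrary Internet host can reach `port`.

    NSG semantics: rules are evaluated in ascending priority and the first
    match wins. Rules scoped to a specific CIDR or service tag are skipped,
    because they do not admit the whole Internet. Returns (allowed, rule_name).
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound":
            continue
        if rule.protocol.lower() not in ("*", protocol.lower()):
            continue
        if rule.source_prefix not in INTERNET_SOURCES:
            continue
        if not port_in_range(port, rule.dest_port_range):
            continue
        return rule.access == "Allow", rule.name
    # Not reached in practice: DenyAllInBound always matches last.
    return False, None


def audit_exposure(custom_rules, ports=(22, 80, 443, 3389, 8080)):
    """Map each port of interest to (reachable_from_internet, deciding_rule)."""
    rules = list(custom_rules) + DEFAULT_INBOUND
    return {p: internet_can_reach(rules, p) for p in ports}


def internet_open_ports(custom_rules, ports=(22, 80, 443, 3389, 8080)):
    """Sorted list of ports an Internet host can reach; compare against the intended [443]."""
    return sorted(p for p, (allowed, _) in audit_exposure(custom_rules, ports).items() if allowed)


if __name__ == "__main__":
    for port, (allowed, rule) in audit_exposure(QUESTION_NSG).items():
        print(f"{port:>5}: {'OPEN' if allowed else 'closed'} (decided by {rule})")
    # A common slip: a broad "temporary" rule with a lower priority number than the 443 rule.
    sloppy = [NsgRule("AllowAllTemp", 90, "Inbound", "Allow", "*", "*", "*")] + QUESTION_NSG
    print("sloppy NSG exposes:", internet_open_ports(sloppy))
```

Two things the output makes concrete. First, a conformity scanner flags 443 open to `Internet` regardless of whether that is an intended TLS endpoint or a mistake, so the finding is a prompt to confirm that only the reverse proxy listens there, not a defect in itself. Second, for the AKS variant the same logic applies: a `type: LoadBalancer` Service has Azure program the node NSG on your behalf, and `loadBalancerSourceRanges` on the Service is the field that narrows the source prefix if the test environment should not be reachable from everywhere.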

vidarlo:
What are your security worries? What is the alternative to deploying it this way?
rethon012:
I was thinking about whether I really have to deploy Azure Firewall in front of my VM, or some WAF, for public internet access. I also found this, and it concerned me a lot: https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Network/unrestricted-https-access.html
Another commenter:
This sounds suspicious. And you have found documentation that states there are components missing for what you are doing. Now you are shopping it around to see if you can find anyone who agrees that you do not need something external to *your application* that will perform logging and filtering. 99% of the decision criteria is cost. You don't provide what the service is doing, the types of data, data flows, network diagrams, or any other decision criteria, except that it is a test environment. Are we missing anything?
rethon012:
I'll provide a diagram in a moment with an explanation.
Score:1

There's no yes or no answer to such questions. In short, you have to weigh risks and benefits.

A WAF may make some attacks more difficult. Against other attacks it doesn't make any difference. It has a cost, both in complexity and in money.

This is true in general for everything you do: it has costs and benefits.

Running stuff on a machine exposed to the Internet was, until a few years ago, the common way of doing small-to-medium deployments; it really only changed with cloud environments.
