Cloud Azure Meetup Article
by Seven Peaks on Apr 8, 2022 12:40:00 PM
Another Seven Peaks Speaks was held on March 23, 2022. This time our four speakers talked about “How to deploy & secure your application in Azure” for efficient Azure app migration.
The meetup started with Giorgio Desideri, Tech Lead Cloud Solutions at Seven Peaks Software, whose topic was “Develop Security & Compliances in Azure.”
Starting with Azure accounts, Giorgio explained the foundation: there are three pricing tiers of Azure accounts, Free, Office 365 and Premium. Users, services, applications and devices are governed by roles or groups, which are in turn tied to policies. There are four types of user: guest, member, Microsoft 365 (Enterprise) and work/consumer account (Azure B2C).
The identity type of services is divided into:
- Managed Identity, which can be system-assigned or user-assigned
- Service Principal (Application Registration)
- Enterprise Application
Later Giorgio went deeper into databases and applications and how we can apply secure development; the developer is the key to database security. He ended his session with some take-away points.
First, consider the requirements and check the Azure account. Then regulate the access management of the identities: the audiences, permissions, methods and operations. Lastly, knowledge and practice, monitoring and alerts, together with review and enforcement, are the traits that make development more secure.
Mean, a Mid-Level Java Developer, and Phu, a Junior .NET Developer, were the next speakers. This meetup was their first time speaking at Seven Peaks Speaks!
Mean introduced us to Azure Function concepts using a car analogy. If an Azure Function is a car, a trigger, such as an HTTP trigger, is the key that starts it. Each Azure Function can have only one trigger.
There are many trigger types, so Mean selected six common ones to present:
- HTTP Trigger: the function runs whenever an HTTP request arrives
- Blob Trigger: the function runs whenever a blob in Blob storage is added or updated
- Event Hub Trigger: the function runs whenever an event arrives in an Event Hub
- Timer Trigger: the function runs when its schedule is reached
- Queue Trigger: the function runs when a message arrives on a queue
- Azure Cosmos DB Trigger: the function runs when documents in the container change
To show triggers and bindings together, Mean walked through an example in which a user requests room availability for a condominium. When the user clicks on the website, the Azure Function (HTTP trigger) fires and sends the user’s data to the back office team through SendGrid.
Phu talked about security in transit, which he divided into four topics: Function Access Keys, Authorization Scopes, Authentication/Authorization and Networking (Azure Private Endpoint).
Authorization scopes are separated into three levels:
- Anonymous: no key is needed; anyone can call the function
- Function: a function-specific key must be supplied with the request
- Admin: the host master key is required
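As an added illustration (not code shown at the meetup or written by Seven Peaks), the room-availability scenario and the function-level authorization scope fit together like this in an in-process .NET Azure Function: the HTTP trigger is locked to `AuthorizationLevel.Function`, so a caller without a function key gets a 401 before the code runs, and a SendGrid output binding forwards the request to the back office. The route, the `SendGridApiKey` app-setting name, the `RoomRequest` shape and the example.com addresses are assumptions.

```csharp
// Added example: in-process .NET Azure Function (Microsoft.NET.Sdk.Functions) that
// forwards a condominium room-availability request to the back office via SendGrid.
// Assumed: the Microsoft.Azure.WebJobs.Extensions.SendGrid package is referenced and an
// app setting named "SendGridApiKey" holds the SendGrid API key (never in source).
using System.IO;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Extensions.SendGrid;
using Microsoft.Extensions.Logging;
using SendGrid.Helpers.Mail;

// Hypothetical request shape for this example.
public record RoomRequest(string Name, string Email, string CheckIn, string CheckOut);

public static class RoomAvailability
{
    [FunctionName("RoomAvailability")]
    public static async Task<IActionResult> Run(
        // Authorization scope "Function": the request must carry a function key
        // (x-functions-key header or ?code= query). Anonymous would let anyone call
        // this; Admin would require the host master key.
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = "rooms/availability")] HttpRequest req,
        // Output binding: every message added to this collector is sent by the
        // SendGrid extension after the function returns.
        [SendGrid(ApiKey = "SendGridApiKey")] IAsyncCollector<SendGridMessage> messages,
        ILogger log)
    {
        string body = await new StreamReader(req.Body).ReadToEndAsync();
        RoomRequest request;
        try
        {
            request = JsonSerializer.Deserialize<RoomRequest>(
                body, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
        }
        catch (JsonException)
        {
            return new BadRequestObjectResult("Body must be a JSON object.");
        }

        // Validate before touching the binding: a bad request must not produce an email.
        if (request is null
            || string.IsNullOrWhiteSpace(request.Name)
            || string.IsNullOrWhiteSpace(request.Email)
            || string.IsNullOrWhiteSpace(request.CheckIn)
            || string.IsNullOrWhiteSpace(request.CheckOut))
        {
            return new BadRequestObjectResult("name, email, checkIn and checkOut are required.");
        }

        var msg = new SendGridMessage();
        msg.SetFrom(new EmailAddress("noreply@example.com"));       // placeholder sender
        msg.AddTo(new EmailAddress("backoffice@example.com"));      // placeholder back office
        msg.SetSubject($"Room availability request from {request.Name}");
        // Plain text only: the fields come from an untrusted caller, so no HTML is
        // assembled from them.
        msg.AddContent(MimeType.Text,
            $"Name: {request.Name}\nEmail: {request.Email}\n" +
            $"Check-in: {request.CheckIn}\nCheck-out: {request.CheckOut}\n");
        await messages.AddAsync(msg);

        log.LogInformation("Forwarded room request for {Email}", request.Email);
        return new AcceptedResult();
    }
}
```

Switching the first attribute argument to `AuthorizationLevel.Anonymous` is the weak setting Phu's first scope describes: the same code would then accept any request on the public route, so the only thing standing between the Internet and the back-office mailbox would be the validation in the function body.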
For networking there are many ways to secure a function inside the network; Phu suggested that Azure Virtual Network is simple yet effective.
Mean closed the section with “Security At-Rest”, which is built on identity-based security. In the Azure universe, identity-based security is also known as managed identities, because it lets Azure manage the credentials for us. She also shared many useful tips from her past experience!
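The practical meaning of “let Azure manage the security for us” is that no password or connection-string secret lives in code or configuration: the function app’s managed identity obtains a token at run time. The following is an added example (not from Mean’s talk or from Seven Peaks) using the Azure SDK for .NET; the vault URI, secret name, server and database names are placeholders, and it assumes the identity has already been granted the Key Vault secrets-read role and a contained database user.

```csharp
// Added example: identity-based access from a .NET app or Azure Function.
// Assumed packages: Azure.Identity, Azure.Security.KeyVault.Secrets, Microsoft.Data.SqlClient.
// Assumed grants: the managed identity has "Key Vault Secrets User" on the vault and a
// contained user in the database (CREATE USER [app-name] FROM EXTERNAL PROVIDER).
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Data.SqlClient;

public static class IdentityBasedAccess
{
    // The weak pattern managed identity replaces: a credential copied into settings.
    //   "Server=tcp:sql.example;Database=app;User ID=app;Password=<secret>"
    // Anyone who can read the app settings (or a backup of them) owns the database.

    // DefaultAzureCredential resolves to the managed identity when running in Azure and
    // to the developer's own sign-in (az login, Visual Studio) on a workstation, so the
    // same code runs in both places without a stored secret.
    private static readonly TokenCredential Credential = new DefaultAzureCredential();

    // Read a secret that still has to exist (e.g. a third-party API key) from Key Vault
    // instead of embedding it in configuration.
    public static async Task<string> ReadSecretAsync(string vaultUri, string secretName)
    {
        var client = new SecretClient(new Uri(vaultUri), Credential);
        KeyVaultSecret secret = await client.GetSecretAsync(secretName);
        return secret.Value;
    }

    // Open Azure SQL with an Azure AD access token instead of a SQL login/password.
    public static async Task<SqlConnection> OpenSqlWithIdentityAsync(string server, string database)
    {
        AccessToken token = await Credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://database.windows.net/.default" }),
            default);

        // Encrypt=True keeps the channel TLS-protected; the token replaces the password.
        var connection = new SqlConnection(
            $"Server=tcp:{server},1433;Database={database};Encrypt=True;")
        {
            AccessToken = token.Token
        };
        await connection.OpenAsync();
        return connection;
    }

    public static async Task Main()
    {
        // Placeholder names; replace with real resource names before running.
        string apiKey = await ReadSecretAsync("https://<vault-name>.vault.azure.net/", "SendGridApiKey");
        Console.WriteLine($"Fetched a {apiKey.Length}-character secret without storing it.");

        using SqlConnection db = await OpenSqlWithIdentityAsync("<server>.database.windows.net", "<database>");
        Console.WriteLine($"Connected as identity; server version {db.ServerVersion}");
    }
}
```

Tokens obtained this way are short-lived and scoped to one resource, so rotating or revoking access is an identity operation (remove the role assignment or database user) rather than a hunt for every place a password was copied.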
Azure App Migration
The last session of the night was DevSecOps with Azure App Migration with EF6, presented by Nicolas Pierson, Solution Architect at Seven Peaks Software.
Nicolas first quickly summarized Agile and DevOps practices before showing us, with a diagram, what Seven Peaks Software’s working process looks like. To improve performance, Nicolas showed us the feedback loop: gather feedback, analyze it, make changes by acting on it, and then follow up with teammates for new feedback to keep the whole cycle going.
Because DevOps practices bring developers, QAs and Ops together to release software faster, a checklist is needed to make sure that all security requirements are met. Nicolas summarized Microsoft’s DevSecOps checklist into six bullet points:
- Create a cross-functional DevOps team to manage, build and maintain your workload.
- In the planning and design of the DevOps process, it is important to involve the security team to detect any security risks.
- Define CI/CD roles and permissions clearly, and minimize the number of people who can access resources or secure information.
- Configure quality gate approvals in the DevOps release process.
- Integrate scanning tools within CI/CD pipeline.
- No infrastructure changes, provisioning or configuration, should be done manually outside of IaC.
Here are some tools that can be used in the development process for a more reliable and secure deployment:
- Code: SonarQube – Static code analysis
- Container: Azure Security Center
- Container Orchestration: Kube-score, Config-lint
- Infrastructure: Tfsec, Horangi Warden