Azure App Service Security

Azure App Service provides robust security features to protect applications and their data. The security framework includes an integrated Authentication and Authorization module, compliance with industry standards, and various options for securing data in transit and at rest.

Authentication and Authorization

The Authentication and Authorization module in Azure App Service simplifies user authentication through various identity providers, such as:

  • Facebook
  • Google
  • Twitter
  • Azure Active Directory

Key Functions of the Module

  1. User Authentication: Authenticates users with the specified provider.
  2. Token Management: Stores, validates, and refreshes tokens.
  3. Session Management: Manages the authenticated session for users.
  4. Identity Injection: Injects identity information into request headers for the web application.

How It Works

  1. A request from a client browser is sent to the Azure App Service front-end.
  2. This request is then forwarded to the Authentication and Authorization module, which handles:
    • Token management
    • Session management
    • Other authentication logic outside the web app code.

This separation means you don’t need to modify your application code to enable authentication and authorization.
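Because the module sits in front of the app, the web code only sees the identity it injects: the X-MS-CLIENT-PRINCIPAL header (base64-encoded JSON of the user's claims) and its companion X-MS-CLIENT-PRINCIPAL-IDP. The helper below is an added example, not code from the page or from Azure, showing how an app should consume those headers: decode them, reject anything missing or malformed, and confirm the identity provider is the one the app actually enabled. The sample sign-in in build_sample_headers() is constructed; the header names are the platform's documented ones. The headers are only trustworthy when every request reaches the app through the App Service front end, where the module strips any copies a client sends itself.

```python
import base64
import json

# Header names are the platform's documented values; the sample sign-in is constructed.
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"
IDP_HEADER = "X-MS-CLIENT-PRINCIPAL-IDP"

def decode_client_principal(headers, expected_idp="aad"):
    """Decode the base64 JSON principal the module injects into the request.
    Raises ValueError when the header is missing, malformed, or from a provider
    the app did not enable, so the caller treats the request as anonymous."""
    raw = headers.get(PRINCIPAL_HEADER)
    if not raw:
        raise ValueError("request did not pass through App Service authentication")
    try:  # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors
        principal = json.loads(base64.b64decode(raw).decode("utf-8"))
    except ValueError as exc:
        raise ValueError("malformed client principal header") from exc
    if not isinstance(principal, dict):
        raise ValueError("client principal is not a JSON object")
    idp = headers.get(IDP_HEADER) or principal.get("auth_typ")
    if idp != expected_idp:
        raise ValueError(f"unexpected identity provider: {idp!r}")
    claims = {}  # claim type -> list of values (roles repeat the same type)
    for claim in principal.get("claims", []):
        claims.setdefault(claim["typ"], []).append(claim["val"])
    name_typ = principal.get("name_typ", "name")
    role_typ = principal.get("role_typ", "roles")
    return {
        "idp": idp,
        "name": claims.get(name_typ, [None])[0],
        "roles": claims.get(role_typ, []),
        "claims": claims,
    }

def build_sample_headers():
    """Constructed sample of the headers injected after an Azure AD sign-in."""
    principal = {
        "auth_typ": "aad",
        "name_typ": "preferred_username",
        "role_typ": "roles",
        "claims": [
            {"typ": "preferred_username", "val": "alice@contoso.example"},
            {"typ": "roles", "val": "Reader"},
            {"typ": "roles", "val": "Admin"},
        ],
    }
    encoded = base64.b64encode(json.dumps(principal).encode()).decode()
    return {PRINCIPAL_HEADER: encoded, IDP_HEADER: "aad"}
```

Authorization decisions in the app (for example, gating admin pages on the "roles" list) should be made from the decoded result, never from a header the app reads directly.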
Additional Security Features

In addition to authentication and authorization, Azure App Service includes several security features:

  1. Compliance Standards:
    • Azure App Service is compliant with ISO, SOC, and PCI standards, ensuring that your application environment meets the necessary regulatory requirements.
    • If processing credit card information, ensure that your application layer also complies with PCI standards.
  2. IP Address Whitelisting:
    • Limit access to your App Service from specific trusted IP addresses by configuring whitelisting in the Azure portal.
  3. SSL Communication:
    • Enable SSL to encrypt data in transit, ensuring secure communication between clients and your application.

Managed Service Identity (MSI)

Managed Service Identity is a recent feature that allows your Azure App Service to access other Azure services securely without needing to manage credentials.

  • How It Works:
    • Create an identity for your app in the Azure portal, which triggers the creation of a service principal in Azure Active Directory.
    • For example, when accessing a secret from Azure Key Vault, your app obtains a token for its identity at runtime and presents it to Key Vault, which checks the token against the vault's access policy before returning the secret.

App Service Environments Security

Using App Service Environments (ASE) provides additional security features, including:

  1. Network Security Groups (NSGs):
    • Control incoming traffic to your App Service using NSGs to define rules for allowed or denied traffic.
  2. Web Application Firewall (WAF):
    • Protect your web applications from common exploits and vulnerabilities using a WAF based on OWASP core rule sets.

Enabling Authentication with Azure Active Directory for Web Apps

Follow these steps to enable Azure Active Directory (AAD) authentication for your Azure App Service:

Step 1: Access Authentication/Authorization Settings

  • Open your API App in the Azure portal and click on Authentication/Authorization.

Step 2: Enable Authentication

  • Toggle the authentication switch to On.

Step 3: Set Authentication Action

  • Select Login with Azure Active Directory for the action taken when a request is not authenticated.

Step 4: Configure Azure Active Directory

  • Configure Azure Active Directory settings in express mode, then click Create followed by Save.