Architecture-center: Security Best Practices questions - is it already secure as proposed or do we need more security assets in place?

Created on 28 Oct 2019  ·  4 Comments  ·  Source: MicrosoftDocs/architecture-center

Are these components already secure due to the fact of having HTTPS (SSL enforced) and AD authentication? Or would it be convenient to add a subnet with an NSG on the assets not visible to the internet (resource group, SQL Azure, etc.)? And would an App Gateway with WAF or Azure Front Door be convenient to add security?



All 4 comments

@joslat Thanks for reaching out. We are currently investigating the issue and will update you shortly.

Hi Chirag, thanks for responding. My question does not report any "issue". I am just asking how secure this "reference implementation" is with just SSL and Azure AD authentication.

@joslat Web Apps deployed to Azure App Service are already heavily secured since most of the underlying services like VMs, Storage, Network, etc. are abstracted, and the list in this doc does mention security you can add at the application level. Also, the App Service security doc has more ways to further secure your app.

As for protecting non-Azure services, placing them in VNETs (with NSGs) is indeed more secure. Do note that you might have to change tiers depending on the service you are using for deploying them into a VNET.

Some services support VNET Service Endpoints and App Service supports VNET Integration.

Another way to protect other resources is by using features like Managed Identity for authentication for calls from your app service to other resources.

@joslat Just following up here... Hope my previous comment helps.

Since there is no doc update required here, we will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
