Securing Applications in Microsoft Azure App Service with NGINX Plus

The rise of cloud computing – and Platform as a Service (PaaS) and Container as a Service (CaaS) offerings in particular – is changing the way companies deploy and operate their business applications. One of the most important challenges when designing cloud applications is choosing fully managed cloud services that reduce costs and time‑consuming operational tasks without compromising security.

This blog post shows you how to host applications on Microsoft Azure App Service and secure them with NGINX Plus to prevent attacks from the Internet.

Brief Overview of Microsoft Azure App Service

Microsoft Azure App Service is an enterprise‑grade, fully managed platform that enables organizations to deploy web, API, and mobile apps in Microsoft Azure without managing the underlying infrastructure, as shown in Figure 1. Azure App Service provides the following main features:

  • Web Apps lets you deploy and run web apps in various languages and frameworks (ASP.NET, Node.js, Java, PHP, and Python). It also manages scalable and reliable web applications using Internet Information Services (IIS) with comprehensive application management capabilities (monitoring, swapping from staging to production, deleting deployed applications, and so on). It also provides a Docker runtime for running web applications on Linux with containers.
  • API Apps brings the tools for deploying REST APIs with CORS (Cross‑Origin Resource Sharing) support. Azure API Apps can be easily secured with Azure Active Directory, social network single sign‑on (SSO), or OAuth, with no code changes required.
  • Mobile Apps provides a fast way to deploy mobile backend services that support essential features such as authentication, push notifications, user management, cloud storage, and so on.
Figure 1: Azure App Service

With Azure App Service, Microsoft provides a rich and fast way to run web applications in the cloud. Developers can build their applications locally using ASP.NET, Java, Node.js, PHP, or Python and easily deploy them to Azure App Service with Microsoft Visual Studio or the Azure CLI. DevOps teams can also benefit from Azure App Service’s continuous deployment feature to deploy application releases quickly and reliably to multiple environments.

Applications on Azure App Service can access other resources deployed on Azure or can establish connections over VPNs to on‑premises corporate resources.

Understanding Azure App Service Environments

By default, an application created with Azure App Service is exposed directly to the Internet and assigned a subdomain of azurewebsites.net. For additional security, you can protect your app with SSL termination, or with authentication and authorization protocols such as OAuth2 or OpenID Connect (OIDC). However, it is not possible to customize the network with fine‑grained outbound and inbound security rules or to apply middleware such as a web application firewall (WAF) to block malicious attacks or exploits coming from the Internet.

If you run sensitive applications in Azure App Service and want to protect them, you can use Azure App Service Environments (ASEs). An ASE is an isolated environment deployed into a virtual network and dedicated to a single customer’s applications. Thus, you gain more control over inbound and outbound application network traffic.

With ASEs you can deploy web, API, mobile, or function apps within a more secure environment at very high scale, as shown in Figure 2.

Figure 2: NGINX ModSecurity WAF filtering traffic for an Azure ASE

Creating a New ASE v2

There are two versions of the ASE: ASE v1 and ASE v2. In this post we’re discussing ASE v2.

You can create a new ASE v2 manually by using the Azure Portal, or automatically by using Azure Resource Manager.

When creating a new ASE, you must choose between two deployment types:

  • An external ASE exposes the ASE‑hosted applications through a public IP address.
  • An ILB ASE exposes the ASE‑hosted applications on a private IP address accessible only within your Azure Virtual Network. The internal endpoint is what Azure calls an internal load balancer (ILB).

In the following example, we’re choosing an ILB ASE to prevent access from the Internet. Thus, applications deployed in our ASE are accessible only from virtual machines (VMs) running in the same network. The following two commands use Azure Resource Manager and the Azure CLI to provision a new ILB ASE v2:

$ azure config mode arm
$ azure group deployment create my-resource-group my-deployment-name --template-uri https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/201-web-app-asev2-ilb-create/azuredeploy.json

(These commands use the classic Azure CLI 1.0 `azure` command. With the current Azure CLI the equivalent is `az deployment group create --resource-group my-resource-group --name my-deployment-name --template-uri <same URL>`.)

Securing Access to Apps in a Publicly Accessible ASE

If, on the other hand, you want your app to be reachable from the Internet, you must protect it against malicious attackers who may attempt to steal sensitive information stored in your application.

To secure applications at Layer 7 in an ASE, you have two main choices:

  • Azure Application Gateway with its WAF feature
  • NGINX Plus with the NGINX ModSecurity WAF, deployed on Azure VMs

(You can substitute a custom application delivery controller [ADC] with WAF capabilities, but we don’t cover that use case here.)

The choice of solution depends on your security constraints. On one hand, Azure Application Gateway provides a turnkey solution for security enforcement and doesn’t require you to maintain the underlying infrastructure. On the other hand, deploying NGINX Plus on VMs gives you a powerful stack with more control and flexibility to fine‑tune your security rules.

Choosing between Azure Application Gateway and NGINX Plus to load balance and secure applications created within an ASE requires a good understanding of the features provided by each solution. While Azure Application Gateway works for simple use cases, for complex use cases it doesn’t provide many features that come standard in NGINX Plus.

The following table compares support for load‑balancing and security features in Azure Application Gateway and NGINX Plus. More details about NGINX Plus features appear below the table.

| Feature | Azure Application Gateway | NGINX Plus |
|---|---|---|
| Mitigation capability | Application layer (Layer 7) | Application layer (Layer 7) |
| HTTP‑aware | ✅ | ✅ |
| HTTP/2‑aware | ❌ | ✅ |
| WebSocket‑aware | ❌ | ✅ |
| SSL offloading | ✅ | ✅ |
| Routing capabilities | Simple selection based on request URL or cookie‑based session affinity | Advanced routing capabilities |
| IP address‑based access control lists | ❌ (must be defined at the web‑app level in Azure) | ✅ |
| Endpoints | Any Azure internal IP address, public Internet IP address, Azure VM, or Azure Cloud Service | Any Azure internal IP address, public Internet IP address, Azure VM, or Azure Cloud Service |
| Azure VNet support | Both Internet‑facing and internal (VNet) applications | Both Internet‑facing and internal (VNet) applications |
| WAF | ✅ | ✅ |
| Volumetric attacks | Partial | Partial |
| Protocol attacks | Partial | Partial |
| Application‑layer attacks | ✅ | ✅ |
| HTTP Basic Authentication | ❌ | ✅ |
| JWT authentication | ❌ | ✅ |
| OpenID Connect SSO | ❌ | ✅ |

As you can see, NGINX Plus and Azure Application Gateway both act as ADCs with Layer 7 load‑balancing features plus a WAF to provide strong protection against common web vulnerabilities and exploits.

NGINX Plus provides several additional features missing from Azure Application Gateway:

  • URL rewriting and redirecting – With NGINX Plus you can rewrite the URL of a request before passing it to a backend server. This means you can change the location of files or request paths without modifying the URL advertised to clients. You can also redirect requests; for example, you can redirect all HTTP requests to an HTTPS server.
  • Connection and rate limits – You can configure multiple limits to control traffic to and from your NGINX Plus instances. These include limits on the number of inbound connections, the rate of inbound requests, the number of connections to backend nodes, and the rate of data transmission from NGINX Plus to clients.
  • HTTP/2 and WebSocket support – NGINX Plus supports HTTP/2 and WebSocket at the application layer (Layer 7). Azure Application Gateway doesn’t; instead, Azure Load Balancer supports them at the network layer (Layer 4), where TCP and UDP operate.

For additional protection, you can deploy Azure DDoS Protection to mitigate threats at Layers 3 and 4, complementing the Layer 7 threat‑mitigation features provided by Azure Application Gateway or NGINX Plus.

Using NGINX Plus with Azure App Service to Secure Applications

Figure 3 shows how to combine NGINX Plus and Azure App Service to provide a secure environment for running business applications in production. This deployment strategy uses NGINX Plus for its load balancing and WAF features.

Figure 3: NGINX Plus load balances traffic to applications in an Azure ASE

The deployment combines the following components:

  • Azure Virtual Network (VNet) – Represents a virtual network in the Azure cloud dedicated to your organization. It provides logical isolation that enables Azure resources to communicate securely with each other within the virtual network. Here, we have defined two subnets: Internal for web applications that aren’t exposed directly to the Internet, and Waf for NGINX Plus and the infrastructure that underlies it.
  • Azure App Service Environment – This sample deployment uses two sample web applications – Web App 1 and Web App 2 – to demonstrate how to secure and load balance different web apps with NGINX Plus. In NGINX Plus, you distribute requests to different web applications by configuring distinct upstream blocks, and you do content routing based on URI with location blocks. The following shows the minimal NGINX Plus configuration that meets this goal (here all requests go to the same upstream group):

    upstream backend {
        # Private IP address of the ILB ASE; the ASE front end selects the
        # app by the Host header it receives
        server IP-address-of-your-ASE-ILB;
    }
    
    server {
        location / {
            # Pass the client's Host header through so the ASE routes correctly
            proxy_set_header Host $host;
            proxy_pass http://backend;
        }
    }
  • NGINX Plus – Load balances HTTP(S) connections across multiple web applications. Deploying NGINX Plus in a VM gives you more control over the infrastructure than other Azure services offer. For example, with a VM you can choose the operating system (Linux or Windows) that runs inside an isolated virtual network. Azure VMs are available for all the Linux distributions that NGINX Plus supports (except Amazon Linux, for obvious reasons).
  • Azure VM scale sets – VM scale sets are an Azure compute resource that you can use to deploy and manage a set of identical VMs. You can configure the size of the VM and assign the VM to the appropriate VNet. All the VMs that run within the scale set are load balanced by an Azure Load Balancer that provides TCP connectivity between the VM instances. Here, each VM in the scale set is based on the NGINX Plus image available from Azure Marketplace. Scale sets are designed to provide true autoscaling.
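The following is an added example, not configuration from the original post: a fuller NGINX Plus configuration for the two‑app deployment described above that also exercises the HTTP‑to‑HTTPS redirect, rate limiting and ModSecurity WAF features listed earlier. It assumes the NGINX ModSecurity WAF module is installed, that both apps sit behind an ILB ASE at the placeholder address 10.0.1.4 under the placeholder hostnames webapp1.internal.example and webapp2.internal.example, and that the certificate and rules‑file paths are placeholders.

```nginx
# Added example; IP address, hostnames and file paths are placeholders.
load_module modules/ngx_http_modsecurity_module.so;
events {}

http {
    # Rate limit: at most 10 requests/second per client address
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

    # Both apps share the ILB ASE's single private IP; the ASE front end
    # picks the app by Host header, which each location sets explicitly.
    upstream webapp1 {
        zone webapp1 64k;
        server 10.0.1.4:80;   # placeholder ILB address
    }
    upstream webapp2 {
        zone webapp2 64k;
        server 10.0.1.4:80;   # placeholder ILB address
    }

    # Redirect every plain-HTTP request to HTTPS
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        ssl_certificate     /etc/nginx/ssl/placeholder.crt;
        ssl_certificate_key /etc/nginx/ssl/placeholder.key;

        # NGINX ModSecurity WAF inspects every request (rules file is a placeholder)
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        # Allow a burst of 20 above the rate, then answer 429 Too Many Requests
        limit_req zone=per_ip burst=20 nodelay;
        limit_req_status 429;

        # Content routing by URI: /app1/ goes to Web App 1, all else to Web App 2
        location /app1/ {
            proxy_set_header Host webapp1.internal.example;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://webapp1/;   # trailing slash rewrites /app1/ to /
        }
        location / {
            proxy_set_header Host webapp2.internal.example;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://webapp2;
        }
    }
}
```

Run `nginx -t` against this file to check syntax before reloading; the ModSecurity directives only parse when the module is loaded.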

Azure also supports resource groups as an easy way to group the Azure resources for an application in a logical manner. Using a resource group has no impact on infrastructure design and topology, so we don’t show them here.

NGINX Plus High Availability and Autoscaling with Azure VM Scale Sets

An Azure VM scale set gives you the power of virtualization with the ability to scale at any time without having to buy and maintain the physical hardware that supports scaling. However, you’re still responsible for maintaining the VMs by performing tasks such as configuring, patching, applying security updates, and installing the software that runs on them.

In the architecture shown in Figure 4, NGINX Plus instances are deployed for active‑active high availability within an Azure VM scale set. An active‑active setup is beneficial because every NGINX Plus VM can handle an incoming request routed by Azure Load Balancer, giving you cost‑efficient capacity.

Figure 4: Azure VM scale set with Azure Load Balancer load balancing traffic to NGINX Plus

With Azure VM scale sets, you can also easily set up autoscaling of NGINX Plus instances based on average CPU utilization. You must take care to synchronize the NGINX Plus configuration files across instances in this case. You can use the NGINX Plus configuration sharing feature for this purpose, as described in the NGINX Plus Admin Guide.

Summary

By using Azure App Service for your cloud applications and NGINX Plus in front of your web apps, API, and mobile backends, you can load balance and secure these applications at a global scale. By using NGINX Plus in conjunction with Azure App Service, you get a fully load‑balanced infrastructure with a high level of protection against exploits and attacks from the web. This ensures a robust design for running critical applications in production in a secure manner.

Resources

Web Apps overview (Microsoft)
Introduction to the App Service Environments (Microsoft)
Create an application gateway with a web application firewall using the Azure portal (Microsoft)
Compare features in NGINX Open Source and NGINX Plus (NGINX)
HTTP Load Balancing (NGINX)

Guest co‑author Cedric Derue is a Solution Architect and Microsoft MVP at Altran. Guest co‑author Vincent Thavonekham is Microsoft Regional Director and Azure MVP at VISEO.
