Preparing for production

Azure App Services

Florin Angelescu

Azure Cloud Architect

Application architecture

 

Environment variables for configuration

 

 

 

• Hardcoding settings into the source code is dangerous and inflexible
• Update only the environment variable
• App doesn't need redeployment
• Developers do not expose sensitive details in code

Using key vault for secrets

 

• Central, secure store for sensitive information
• We can reference Key Vault secrets by name
• Azure retrieves and injects the secret into the Function environment

Granting access to the function

 

• The Function needs permission to actually fetch the secret from Key Vault
• A Managed Identity for the Function App can be authorized to access other services

¹ RBAC, SAS keys, and other topics are covered in our "Implement Azure Security for Developers" course.

Granting access to the function

• We can grant access via:
  • RBAC (Role-Based Access Control)
    • Assigning the Function's identity a role like Key Vault Secrets User
  • Access Policies
    • We explicitly allow the identity to read certain secrets

¹ RBAC, SAS keys, and other topics are covered in our "Implement Azure Security for Developers" course.

Connecting the storage account

• RBAC with Managed Identity
  • The recommended way
  • The Function's identity is given a Storage Blob Data Contributor role
• SAS keys
  • Temporary tokens that grant scoped access
  • Can be rotated and also stored in Key Vault

Connecting the storage account

• SAS keys can be generated at the level of individual blobs or containers
• Align security with business needs
  • RBAC for simplicity and governance
  • SAS keys for fine-grained control or cross-tenant access

Wiring everything together

 

Let's practice!

Azure App Services