Key Vault | Aidan Finn, IT Pro

Checking If Client Has Access To KeyVault With Private Endpoint

How to detect connections to a PaaS resource using Private Endpoint.

In this post, I’ll explain how to check if a client service, such as an App Service, has access to an Azure Key Vault with Private Endpoint.

Private Endpoint

In case you do not know, Private Endpoint gives us a mechanism where we can attach a PaaS service, such as a Key Vault, to a subnet with a NIC and a private IP address. Public connections to the PaaS resources are disabled, and an (Azure) Private DNS Zone is used to alter the name resolution of the PaaS resource to point to the private IP address.

Note that communications to the private endpoint are inbound (and response only). The PaaS resource cannot make outbound connections over a Private Endpoint.

My Scenario

The customer has an App Service Plan that has VNet Integration enabled – this allows the App Services to make outbound connections from “random” IPs on this subnet – NSG/Firewall rules should permit access from the subnet prefix.

The App Services on the plan have Private Endpoints on a second subnet in the VNet. There is also a Key Vault, which also has a Private Endpoint. The “Private Endpoint subnet” has an NSG to deny everything except desired traffic, including allowing HTTPS from the VNet Integration subnet prefix to the Key Vault Private Endpoint.

A developer was wondering if connections from an App Service were working and asked if we could see this in the logs.

Problem

The dev in this case wanted to verify network connectivity. So the obvious place to check was … the network! The way to do that is usually to verify that packets arrived at the destination NIC. You can do that (normally) using NSG Flow Logs. There is sometimes up to 25 minutes (or longer during pandemic compute shortages) of a wait before a flow appears in Log Analytics (data export from the host, 10 minutes collection interval [in our case], data processing [15 minutes]). We checked the logs but nothing was there.

And that is because (at this time) NSG Flow Logs cannot produce data destined to Private Endpoints.

We need a different way to trace connections.

Solution

The solution is to check the logs of the target resource. We enable a lot of logging by standard, including the logs for Key Vault. A little bit of Kql-Fu produced this query:

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| where ResourceId contains "nameOfVault"
| project CallerIPAddress, OperationName, requestUri_s, ResultType, identity_claim_xms_mirid_s

The resulting columns were:

CallerIPAddress: The IP address of the client (the IP address used by the App Service Plan VNet integration, in our case)
OperationName: Things like SecretGet, Authentication, VaultGet, and SecretList
requestUri_s: The URI of the secret being requested
ResultType: Was it a success or not?
identity_claim_xms_mirid_s: The resource ID of the requesting client (the resource ID of the App Service, in our case)

Armed with the resulting info, the dev got what they needed to prove that the App Service was connecting to the Key Vault.

The Azure IaaS Book Of News – December 2022

Here’s all the news that I thought was interesting for Ops and Security folks working with Azure IaaS from December 2022.

Azure VMware Solution

Azure VMware Solution Advanced Monitoring: This solution add-on deploys a virtual machine running Telegraf in Azure with a managed identity that has contributor and metrics publisher access to the Azure VMware Solution private cloud object. Telegraf then connects to vCenter Server and NSX-T Manager via API and provides responses to API metric requests from the Azure portal.

Azure Kubernetes Service

Microsoft and Isovalent partner to bring next generation eBPF dataplane for cloud-native applications in Azure: Microsoft announces the strategic partnership with Isovalent to bring Cilium’s eBPF-powered networking data plane and enhanced features for Kubernetes and cloud-native infrastructure. Azure Kubernetes Services (AKS) will now be deployed with Cilium open-source data plane and natively integrated with Azure Container Networking Interface (CNI). Microsoft and Isovalent will enable Isovalent Cilium Enterprise as a Kubernetes container App offering onto Azure Container Marketplace. This will provide a one-click deployment solution to Azure Kubernetes clusters with Isovalent Cilium Enterprise advanced features.
Generally Available: Kubernetes 1.25 support in AKS: AKS support for Kubernetes release 1.25 is now generally available. Kubernetes 1.25 delivers 40 enhancements. This release includes new changes such as the removal of PodSecurityPolicy.

Azure Backup

General Availability of Cross Zonal Restore of Azure Virtual Machines from Azure Backup: With the preview of Cross Zonal Restore of Azure VMs, Azure Backup offers a compelling set of durability options for your backup data including ZRS for intra-region high durability. Aidan’s note – you should consider this with regions such as Norway East where the paired region is unavailable to 99.9% of customers.
How to automate On-Demand Azure Backup for Azure Virtual Machines using PowerShell: Aidan’s note – A solution to enable more frequent VM backups than otherwise possible, but make sure frequency doesn’t overlap with backup job time.

Azure Virtual Desktop

Announcing the Public Preview of AVD Insights at Scale: This update provides the ability to review performance and diagnostic information across multiple host pools in one view. Aidan’s note – no additional diagnostics settings are required.
Confidential Virtual Machine support for Azure Virtual Desktop now in Public Preview: Azure Virtual Desktop has public preview support for Azure Confidential Virtual Machines. Confidential Virtual Machines increase data privacy and security by protecting data in use.
Announcing general availability of RDP Shortpath: RDP Shortpath improves the transport reliability of Azure Virtual Desktop connections by establishing a direct UDP data flow between the Remote Desktop client and session hosts. This feature is enabled by default for all customers. Aidan’s Note – I haven’t looked into this but there may be networking issues where firewall’s/routing are deployed.
Announcing general availability of FSLogix 2210: This latest version is focused on three core features, six bug fixes, and two general updates.

Virtual Machines

Public preview: New Memory Optimized VM sizes – E96bsv5 and E112ibsv5: The new E96bsv5 and E112ibsv5 VM sizes part of the Azure Ebsv5 VM series offer the highest remote storage performances of any Azure VMs to date. The new VMs can now achieve even higher VM-to-disk throughput and IOPS performance with up to 8,000 MBps and 260,000 IOPS.
Generally Available: Azure Dedicated Host – Restart: Azure Dedicated Host gives you more control over the hosts you deployed by giving you the option to restart any host. When undergoing a restart, the host and its associated VMs will restart while staying on the same underlying physical hardware.

Governance

Public preview: Use tag inheritance for cost management: You no longer need to ensure that every resource is tagged or rely on resource providers to support and emit tags in their billing pipeline for cost management. Aidan’s Note – Restricted to EA/MCA … which unreasonably sucks. The latest example of “cost management” excluding other customers.

App Services

Generally available: Static Web Apps Diagnostics: Static Web Apps diagnostics will help you diagnose what went wrong and will show you how to resolve the issues.

Storage

Public preview: Azure NetApp Files cross-zone replication: The cross-zone replication feature allows you to replicate your Azure NetApp Files volumes asynchronously from one Azure availability zone (AZ) to another in the same region.

Azure Site Recovery

Public Preview: Azure Site Recovery Higher Churn Support: Azure Site Recovery (ASR) has increased its data churn limit by approximately 2.5x to 50 MB/s per disk. With this, you can configure disaster recovery (DR) for Azure VMs having data churn up to 100 MB/s. This helps you to enable DR for more IO intensive workloads.

Networking

General availability: Feature enhancements to Azure Web Application Firewall (WAF): Azure’s global Web Application Firewall (WAF) running on Azure Front Door, and Azure’s regional WAF running on Application Gateway, now support additional features that help organizations improve their security posture and make it easier to manage logging across resources.

Miscellaneous

Public Preview : Introducing Multi-Region Replication for Azure Key Vault Managed HSM: The feature allows you to extend a managed HSM pool from one Azure region to an other thereby enhancing the availability of mission critical cryptographic keys with automated key replication and maximizing read throughput and latency with the closest available region.

Errors When You Add A Cert To Application Gateway Listener From Key Vault

This post is dealing with a situation where you attempt to add a certificate to a v2 Azure Application Gateway/Firewall (WAG_v2/WAF_v2) from an Azure Key Vault. The attempt fails and any further attempt to delete/modify the certificate fails with this error:

Invalid value for the identities ‘/subscriptions/xxxxxxx/resourcegroups/myapp/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myapp-waf-id’. The ‘UserAssignedIdentities’ property keys should only be empty json objects, null or the resource exisiting property.

Application Gateway v2 and Key Vault

Azure Key Vault is the best place to store secrets in Microsoft Azure – particularly SSL certificates. Key Vault has a nice system for abstracting versions of a certificate so you can put in newer versions without changing references to the older one. There is also a feature for automatic renewal of expiring certs from certain issuers. I also like the separation of exposed resource from organisation secrets that you get with this approach; the legacy method was that you had to upload the cert into the WAG/WAF, but now WAG_v2/WAF_v2 allow you to store the certs in a Key Vault, and that limited access is done using a managed user ID (an Azure resource, not an Azure AD resource, which makes it more agile).

The Problem

I was actually going to write a blog post about how to obtain the secret ID of a certificate from the Key Vault so you could add it to the WAGv2/WAFv2. But as I was setting up the lab, I realised that during the day, Microsoft had updated the Azure Portal blade so certs were instead presented as a drop-down list box; now my post was pointless. But I continued setting things up and hit the above issue.

The Cause/Fix

When you use this architecture, WAF_v2/WAG_v2 requires that you have enabled soft delete on the Key Vault. And that’s the only check that they have been doing. The default setting for Key Vault soft delete is 90 days. I was in a lab, I was mucking around, so I set soft delete in my Key Vault to 7 days – a perfectly legit value for Key Vault. However, the Application Gateway (AppGW) requires it to be set to 90 days minimum … even though it does not check it!

To undo the damage you can run the following PowerShell cmdlets:

Set-AzApplicationGatewayIdentity
Remove-AzApplicationGatewaySslCertificate
Remove-AzApplicationGatewayHttpListener
Set-AzApplicationGateway to update the WAF

Thanks to Cat in the Azure network team for the help!

Microsoft Ignite 2019 – Deliver Highly Available Secure Web Application Gateway and Web Application Firewall

Speaker:

Amit Srivastava, Principal Program Manager, Microsoft

Mission Critical HTTP Applications

Always On
Secure
Scalable
Telemetry
Polygot – variety of backed, IaaS, PaaS, on-prem

Many things to think about.

What Azure Pieces Can We Use?

WAG
AFD
CDN
WAF
Azure Load Balancer
Azure Traffic Manager

WAG

Regional ADS as a service. A full reverse proxy. It terminates the incoming connection and creates a new one to the web server.

Platform managed: built-in HA and sclability
Layer 7 load balancing: URL path, host based, round robin, session affinity, redirection
Security and SSL management: WAF, SSL Offload, SSL re-encryption, SSL policy
Public or ILB: Public internet, internal or both.
Flexible backends: VMs, VMSS, AKS, public IP, cloud services, ALB/ILB, On-premises
Rich diagnostics: Azure monitor, log analytics, network watcher, RHC, more

Standard v2 SKU in GA

Available in 26 regions
Built-in zone redundancy
Static VIP
HTTP header/cookies insertion/modification
Increased scale limits 20 -> 100 listeners
Key vault integration and autorenewal of SSL certs (GA)
AKS ingress controller (GA)

Autoscaling and performance improvements:

Grow and shrink based on app traffic requirements
5 x better SSL offloads performance
- 500-50,000 connections/sec with RSA 2048 bit certs
- 30,000, 3,000,000 persistent connections
- 2,500 – 250,0000 HTTP req/sec
75% reduction in provisioning time ~5mins

Key Vault Integration in v2 GA

Front end TLS cert integrated with Azure Key Vault
Utilizes user-assigned management identity for access control on key vault
Use certificate or secrets on Key Vault
Pools every 4 hours to enable automatic cert renewal – you can force a poll if you need to
Manual override or specific certificate version retrieval

WAG v2 Header Rewrites

Manipulate request and response headers and cookies
- Strip port from x-forwarded-for header
- Add security headers like HSTS and X-XSS-Protection
- Common header manipulation ex: HOST, SERVER
Conditional header rewrites … something

Ingress Controller

Ingress controller for 1+ AKS clusters at one time
Deployed using HELM – newer easier options by EOY
Utilized pod-AAD for ARM authentication
Tighter integration with AKS add-on support upcoming
Supports URI-path based, host based, SSL termination, SSL re-encryption, redirection, custom health probes, draining, cookie affinity.
Support for Let’s Encrypt provided TLS certs
WAF fully supported with custom listener policies
Support for multiple AKS as backend
Support for mixed mode- both AKS and other backend types on the same application gateway.

http://aka.ms/appgawks

Application Gateway Wildcard Listener

Managed preview
Support for wildcard characters in listener host name
Supports * and ? characters in host name
Associate wildcard or SAN certs to serve HTTPS

Telemetry Enhancements

GA
Diagnostics Log Enhancements
- TLS protocol version, cipher spec selected.
- Backend target server, response code, latency.
Metrics Enahncements
- Backend response status code
- RPS/healthy node
- End-to-end latency
- Backend latency
- Backend connect, first byte, and last byte latency.

Azure Monitor Insights for Application Gateway

Public Preview
Sign health and metric console for your entire cloud network#
No agent/configuration required
Visualize the structure and functional dependencies
More

AKS Demo

He loads a Helm YAML config to the AKS cluster. Now the AKS cluster can configure listers, backend pools, rules, etc for the containers/services running on the cluster. Pretty cool.

Azure WAF

Cloud native WAF

Unified WAF offering
- Protect your apps at network edge or in region uniformly
Public preview:
- Microsoft threat intelligence
  - Protect apps against automated attacks
  - Manage good/bad bots with Azure BotManager RuleSet
- Site and URI pathc specific WAF policies
  - Customise WAF policies at regional WAF for finer grained protection at each host/listener or URI path level
- Geo-filtering on regional WAF

WAF

HA, scalable fully platform managed
Auto-scaling support
New RuleSet CRS 3.1 added, will soon be the default
Integration with Azure Sentinel SIEM
Performance and concurrency enhancements
More

WAF Policy Enhancements

Assign different policies to different sites behind the same WAF
Increased configurability
Per-URI policy

Geo Filtering Public Preview

Block, allow, log countries.
Easily configurable in WAF policy
Geo data refreshed weekly

Only in special Portal URI at the moment – normal Azure Portal soon.

Bot Protection (Public Preview)

Stuff