Blue Monday: Web Application Firewall, Storage Blob Encryption And Service Fabric

Microsoft Azure went hog wild last week with releases of interest to .NET developers, so let’s get right to it!

Web application firewall in preview

One of the limitations of Azure App Services has been firewalling; that is, being strict about who can access an App Service and defending it from common exploits.

True, there are plenty of add-ons out there and other means of defense; for example, I could spin up a virtual machine, install a firewall there, and route all traffic to my App Service through that.

But that’s expensive, wonky and creates the kind of bottleneck that App Services are supposed to surmount.

So it’s a welcome development to see the Application Gateway service, which provides many of the features necessary for a truly scalable application — such as load balancing, session affinity and URL routing — add in a new firewall feature, which is in preview.

The firewall is designed to identify and protect against common attacks such as SQL injection, cross site scripting, remote file inclusion, DDoS, HTTP forgeries and exploit scanners / bots. You can choose to have the firewall merely monitor and alert, or actively block.

You can bet I’ll be rolling this out ASAP to my Web Apps.

Storage blob encryption

Black-box encryption of page (i.e., VHD) and block (i.e., regular file) blob storage is generally available in all regions.

Encrypting block blobs and encrypting page blobs require the use of an Azure Key Vault, which holds the relevant cryptographic keys.

And using a Key Vault generally requires an Azure Active Directory application, which authenticates a user to have access to that Key Vault. That means if you don’t have an Azure AD tenant, you’ll need to create one.

These encryption options are a black box in the sense that you do not need to generate, store, validate or expire the actual keys; Azure automagically handles the behind-the-curtain stuff. You do need to manage secrets, however.

A caution: These solutions make use of JSON Web Tokens, and the latest version of Microsoft’s JWT library has all kinds of problems.

Further, the team working on these issues has taken a “we’ll fix it in the next sprint” approach (vs. issuing hotfixes), but the last sprint came out in June … so you’re probably going to have to stick with version 4.3 for a while.

I’m not certain these issues extend to working with Storage encryption, but I bet they do, so it’s something to keep in mind.

Service Fabric availability

Service Fabric for Windows is generally available, and Service Fabric for Linux is in public preview.

I’m still of the mind that Microsoft may be too late to the container business, especially in the Linux space.

That said, Azure’s reliability has proven Service Fabric as a tough-as-nails containerization stack. While I don’t have enough experience to speak authoritatively about Docker / VMWare / Service Fabric pros and cons, it’s clear to me a strong case can be made for Service Fabric.

DocumentDB SDK improvements

Microsoft has released version 1.10.0 of the DocumentDB SDK.

Improvements include the ability to connect to a specific partition, and improved reliability in the Bounded Staleness consistency level.

Germany regions generally available

Germany Central (Frankfurt) and Germany Northeast (Magdeburg) are generally available.

In addition, Microsoft has provided some compliance documents to help ventures meet European Union / European Free Trade Agreement and IT Grundschutz rules.

These two new regions follow on the heels of UK South (London) and UK West (Cardiff) and are a bit more fleshed out than those UK regions, with G-series VMs, Service Fabric, Notification Hubs, Machine Learning and Stretch Database all on hand.

This brings to six the number of European Azure regions. Microsoft is planning rollouts of two new DoD regions in the US and a second datacenter in Korea. The Korea Central (Seoul) datacenter is not generally available.

Azure DNS service

Azure DNS service is generally available. It’s dirt cheap, too.

A quick look at the documentation suggests that the zone and record management tools are OK, plus there’s CLI and PowerShell support.

Unfortunately, Microsoft still wants no part of the DNS registrar business, which is an argument against using their DNS; so, too, is the fact that some services, such as CloudFlare, require authoritative access.

But if you’re able to use any DNS service you please, Azure DNS sure looks like a great choice.

Virtual network peering

I previously mentioned virtual network peering, which basically allows you to connect two vnets in the same region. Vnet peering is generally available.

This greatly expands the flexibility of both pure-cloud and hybrid solutions, especially if you’re using a VPN to connect on-prem to Azure.

However, while you can chain many vnets together through peering, it’s important to note that peering is A/B only. In other words, if I have vnet A peered to vnet B, and vnet B peered to vnet C, that doesn’t mean vnet A and vnet C are peered.
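A small checker for the non-transitivity pitfall above, added here as an example and not part of the original post. The vnet names and peering list are constructed; it assumes, as Azure requires, that a peering is only effective once it has been created from both vnets, and it deliberately does not compute a transitive closure.

```python
"""Flag gaps in a vnet peering plan caused by non-transitive peering.

Constructed sample data (not from the post): four vnets and the peering
links an engineer has configured, recorded as (source_vnet, remote_vnet)
from each vnet's own peering configuration.
"""

PEERINGS = [
    ("vnetA", "vnetB"),
    ("vnetB", "vnetA"),
    ("vnetB", "vnetC"),
    ("vnetC", "vnetB"),
    ("vnetC", "vnetD"),   # created from C only; the D side is missing
]

# Pairs of vnets whose workloads must be able to talk to each other.
REQUIRED = [("vnetA", "vnetB"), ("vnetA", "vnetC"), ("vnetC", "vnetD")]


def effective_peerings(peerings):
    """Unordered pairs that are peered from both sides (assumed requirement)."""
    links = set(peerings)
    return {frozenset((a, b)) for a, b in links if (b, a) in links}


def one_sided(peerings):
    """Peering links that exist in only one vnet's configuration."""
    links = set(peerings)
    return sorted((a, b) for a, b in links if (b, a) not in links)


def missing_routes(peerings, required):
    """Required pairs with no direct, bidirectional peering.

    No transitive closure on purpose: A<->B plus B<->C does not make
    A and C reachable through peering.
    """
    good = effective_peerings(peerings)
    return sorted(p for p in required if frozenset(p) not in good)


if __name__ == "__main__":
    print("one-sided links:", one_sided(PEERINGS))
    print("missing routes:", missing_routes(PEERINGS, REQUIRED))
```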

Odds and ends

Featured photo by skeeze via Pixabay, in the public domain.
