Azure Kubernetes Service Baseline - The Hard Way
Are you ready to tackle Kubernetes on Azure like a pro? Embark on the “AKS Baseline - The Hard Way” and prepare for a journey that’s likely to be a mix of command line, detective work and revelations. This is a serious endeavour that will equip you with deep insights and substantial knowledge. As you navigate through the intricacies of Azure, you’ll not only face challenges but also accumulate a wealth of learning that will sharpen your skills and broaden your understanding of cloud infrastructure. Get set for an enriching experience that’s all about mastering the ins and outs of Azure Kubernetes Service!
Demystifying Cipher Suites on Azure App Services
It is strongly recommended to use TLS v1.2 on app services by industry standards such as PCI DSS. New app services are created with TLS v1.2 enabled by default. Refer to below documents for more details. Secure a custom DNS with a TLS/SSL binding - Azure App Service | Microsoft Docs New App Service apps deployed with TLS 1.2 by default from June 30 | Azure updates | Microsoft Azure Sometimes, a user runs a security and vulnerability test on app service for their app enabled with TLS v1.2 using any of the third party tool available (for example SSL Labs) as per their organization guidance or compliance checklist. Some of these tools tag some of the cipher suites(especially CBC based cipher suites) as 'weak'. Mostly, the cipher suites are tagged 'weak' just based on the availability of the cipher suites on the app and not because of an actual vulnerabilities found. An example below: There are reports that discusses why these CBC based cipher suites are being tagged weak. For example, you may refer to this document by SSL Labs. It mentions that "SSL Labs identifies cipher suites using CBC with orange color and with text WEAK. This change won’t have any effect on the grades, as it only means that SSL Labs discourages the use of CBC-based cipher suites further.". These are generic guidelines and these cipher suites would be advisable to disable when you are running your application on standalone server or VM/IaaS or on-premises machines. Note that app services is a PaaS environment and its securities are constantly reviewed by the Product Group and the security team and the vulnerabilities are patched/fixed on the platform. The reason why these CBC cipher suites are being tagged 'weak' in general is because it could be vulnerable to certain attacks. However, if you test it for an app services on TLS v1.2, none of those associated vulnerabilities exists. They are already fixed on app services and none of those real security vulnerabilities exist on app services running on TLS v1.2. Also these 'weak' tagged cipher suites are lower in the order of the cipher suites presented by the app services. App service is PCI standard complaint. You may also want to review the SSL/TLS best practices by SSL Labs. It does mention – “TLS v1.2 and v1.3 are both without known security issues.”. Also in the section Use Secure Cipher Suites it does recommend the secure cipher suites to start with: [Edit: 13/Oct/2022] If you are looking for disabling the cipher suites as compliance checklist (where just the existence of the cipher suites is concern) then following are the options available: Recently released public preview feature: Disabling Weaker TLS Cipher Suites for Web Apps on Multi-tenant Premium App Service Plans. Please note that this feature is in preview currently and not supported for production workloads. Or, you can add additional layer of security like WAF/application gateway Or, deploy to single tenant app service environment (ASE v3) which offers network isolation, higher scalability and security. In an ASE, you can change the default cipher suites using cluster settings.Go Cloud Native with Azure Container Apps
In this article, we discuss how Azure Container Apps is purpose-built to support cloud native applications. This post is part of the Zero To Hero series for #ServerlessSeptember, a month-long initiative to learn, use, and celebrate, all things Serverless On Azure. Check out the main site at https://aka.ms/serverless-september to read other posts, participate in a Cloud Skills Challenge, explore a Serverless Hack and participate in live Q&A with product teams on #AskTheExperAzure Kubernetes Service Baseline - The Hard Way, Part Deux
Have you suffered through our blog named Azure Kubernetes Service Baseline - The Hard Way? Well, it's time for some more hard work as we bring you the next episode "Azure Kubernetes Service Baseline - The Hard Way, Part Deux" which looks into securing the workloads in your Kubernetes cluster even further using Workload Identity, Network Policies and Microsoft Defender for Containers.Announcing landing zone accelerator for Azure Container Apps
Are you looking for deploying your containerized workloads to Azure Container Apps at an enterprise scale with a secured footprint? The ACA Landing Zone Accelerator is a great way to get a head start on rapidly setting up an Azure Container Apps environment, with the confidence that you're applying the best enterprise-scale design practices for scale, security and performance. It provides the guidance on architecture and critical design areas to accelerate cloud native workloads deployments.
