best practices
54 Topics

Public Preview: Creating Web App with a Unique Default Hostname
App Service now allows you to create web apps with unique default hostnames to mitigate the high-severity threat of subdomain takeover. Learn more about how to protect your organization by adopting unique default hostnames!

Azure Kubernetes Service Baseline - The Hard Way
Are you ready to tackle Kubernetes on Azure like a pro? Embark on the “AKS Baseline - The Hard Way” and prepare for a journey that’s likely to be a mix of command line, detective work and revelations. This is a serious endeavour that will equip you with deep insights and substantial knowledge. As you navigate through the intricacies of Azure, you’ll not only face challenges but also accumulate a wealth of learning that will sharpen your skills and broaden your understanding of cloud infrastructure. Get set for an enriching experience that’s all about mastering the ins and outs of Azure Kubernetes Service!

Demystifying Cipher Suites on Azure App Services
Industry standards such as PCI DSS strongly recommend using TLS v1.2 on App Service. New App Service apps are created with TLS v1.2 enabled by default. Refer to the documents below for more details.

Secure a custom DNS with a TLS/SSL binding - Azure App Service | Microsoft Docs
New App Service apps deployed with TLS 1.2 by default from June 30 | Azure updates | Microsoft Azure

Sometimes a user runs a security and vulnerability test against an App Service app that has TLS v1.2 enabled, using one of the third-party tools available (for example SSL Labs), as required by their organization's guidance or compliance checklist. Some of these tools tag some of the cipher suites (especially CBC-based cipher suites) as 'weak'. In most cases the cipher suites are tagged 'weak' based only on their availability on the app, not because an actual vulnerability was found. An example below:

There are reports that discuss why these CBC-based cipher suites are tagged weak. For example, you may refer to this document by SSL Labs. It mentions that "SSL Labs identifies cipher suites using CBC with orange color and with text WEAK. This change won’t have any effect on the grades, as it only means that SSL Labs discourages the use of CBC-based cipher suites further." These are generic guidelines, and disabling these cipher suites is advisable when you are running your application on a standalone server, a VM/IaaS host or an on-premises machine. Note that App Service is a PaaS environment whose security is constantly reviewed by the product group and the security team, and vulnerabilities are patched/fixed on the platform. The reason CBC cipher suites are tagged 'weak' in general is that they could be vulnerable to certain attacks. However, if you test an App Service app on TLS v1.2, none of those associated vulnerabilities exist.
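As an added example (not from the original post), the following Python script triages a scanner-style cipher-suite list the way a practitioner reads such a report: it parses IANA cipher-suite names, separates AEAD suites (GCM, CCM, ChaCha20-Poly1305) from CBC suites, records why a tool such as SSL Labs would flag each one (CBC mode, or no forward secrecy for static RSA key exchange), and checks whether every CBC suite sits below the AEAD suites in the server's preference order. The suite list is constructed sample data, not a real App Service scan.

```python
"""Triage a TLS scanner's cipher-suite list (added example, not from the original post).

Parses IANA cipher-suite names as shown by tools such as SSL Labs, records why a
scanner would flag each suite, and checks the server preference order so that a
'weak' tag can be read as "present" versus "actually preferred over AEAD".
"""
import re
from dataclasses import dataclass, field

# Constructed sample in server-preferred order; illustrative only, not a real
# App Service scan result.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]

AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20")
FORWARD_SECRET_KX = ("ECDHE", "DHE", "TLS1.3")
NAME_RE = re.compile(r"^TLS_[A-Z0-9_]+$")


@dataclass
class Suite:
    name: str
    kx: str          # key exchange: ECDHE, DHE, RSA, ECDH, ... or TLS1.3
    mode: str        # AEAD, CBC or OTHER (RC4, NULL, ...)
    reasons: list = field(default_factory=list)  # why a scanner would flag it

    @property
    def forward_secrecy(self) -> bool:
        return self.kx in FORWARD_SECRET_KX

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def _mode(name: str) -> str:
    if any(marker in name for marker in AEAD_MARKERS):
        return "AEAD"
    if "_CBC_" in name:
        return "CBC"
    return "OTHER"


def classify(name: str) -> Suite:
    """Classify one IANA cipher-suite name, e.g. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256."""
    if not NAME_RE.match(name):
        raise ValueError(f"not an IANA cipher-suite name: {name}")
    if "_WITH_" in name:
        kx = name.split("_")[1]   # TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
    else:
        kx = "TLS1.3"             # TLS_AES_128_GCM_SHA256 etc.: always (EC)DHE
    suite = Suite(name, kx, _mode(name))
    if suite.mode == "CBC":
        suite.reasons.append("CBC mode")
    elif suite.mode == "OTHER":
        suite.reasons.append("non-AEAD bulk cipher")
    if not suite.forward_secrecy:
        suite.reasons.append("no forward secrecy")
    return suite


def triage(suites):
    """Return a summary dict for a list of suite names in server preference order."""
    classified = [classify(s) for s in suites]
    aead_idx = [i for i, s in enumerate(classified) if s.mode == "AEAD"]
    cbc_idx = [i for i, s in enumerate(classified) if s.mode == "CBC"]
    # A scanner flags CBC suites on presence alone. The check that matters
    # operationally is whether any CBC suite is preferred over an AEAD suite.
    cbc_precedes_aead = bool(cbc_idx and aead_idx and min(cbc_idx) < max(aead_idx))
    return {
        "total": len(classified),
        "flagged": [(s.name, s.reasons) for s in classified if s.flagged],
        "cbc_count": len(cbc_idx),
        "cbc_precedes_aead": cbc_precedes_aead,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SUITES)
    for name, reasons in report["flagged"]:
        print(f"WEAK  {name:45} {', '.join(reasons)}")
    print(f"{report['cbc_count']} CBC suite(s) of {report['total']}; "
          f"CBC preferred over AEAD: {report['cbc_precedes_aead']}")
```

Run it as a script to print the report, or pass the suite list copied from your own scan output to triage(). A suite in the flagged list will be marked by the scanner regardless of exploitability; cbc_precedes_aead being True is the finding worth acting on, because a client that supports AEAD would then be steered to a CBC suite by the server's own ordering.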
They are already fixed on App Service, and none of those real security vulnerabilities exist on App Service running on TLS v1.2. Also, these 'weak'-tagged cipher suites are lower in the order of the cipher suites presented by App Service. App Service is compliant with the PCI standard. You may also want to review the SSL/TLS best practices by SSL Labs. It does mention "TLS v1.2 and v1.3 are both without known security issues." Also, in the section Use Secure Cipher Suites, it recommends the secure cipher suites to start with:

[Edit: 13/Oct/2022] If you need to disable the cipher suites for a compliance checklist (where just the existence of the cipher suites is the concern), the following options are available: the recently released public preview feature Disabling Weaker TLS Cipher Suites for Web Apps on Multi-tenant Premium App Service Plans (please note that this feature is currently in preview and not supported for production workloads); or add an additional layer of security such as a WAF/Application Gateway; or deploy to a single-tenant App Service Environment (ASE v3), which offers network isolation, higher scalability and security. In an ASE, you can change the default cipher suites using cluster settings.

Go Cloud Native with Azure Container Apps
In this article, we discuss how Azure Container Apps is purpose-built to support cloud native applications. This post is part of the Zero To Hero series for #ServerlessSeptember, a month-long initiative to learn, use, and celebrate all things Serverless On Azure. Check out the main site at https://aka.ms/serverless-september to read other posts, participate in a Cloud Skills Challenge, explore a Serverless Hack and participate in live Q&A with product teams on #AskTheExper

Azure Kubernetes Service Baseline - The Hard Way, Part Deux
Have you suffered through our blog named Azure Kubernetes Service Baseline - The Hard Way? Well, it's time for some more hard work as we bring you the next episode, "Azure Kubernetes Service Baseline - The Hard Way, Part Deux", which looks into securing the workloads in your Kubernetes cluster even further using Workload Identity, Network Policies and Microsoft Defender for Containers.

Announcing landing zone accelerator for Azure Container Apps
Are you looking to deploy your containerized workloads to Azure Container Apps at enterprise scale with a secure footprint? The ACA Landing Zone Accelerator is a great way to get a head start on rapidly setting up an Azure Container Apps environment, with the confidence that you're applying the best enterprise-scale design practices for scale, security and performance. It provides guidance on architecture and critical design areas to accelerate cloud native workload deployments.

Collect memory dump for App Service (Windows only)
Most people already know that a memory dump can help us solve a lot of problems, and there are several different ways to capture memory dumps in App Service. But some people are still confused about why we have so many ways to capture a dump from App Service, and whether the dump we captured can actually help us solve the problem. In this article, I will start from the basic concepts.

What is a memory dump? A memory dump is a static snapshot of the memory of a system or an application process at the time it was captured. The file has the extension .dmp.

When to collect a memory dump? Since the data in the machine's memory changes very fast, and the dump file is like a photograph of one specific moment, the dump is useful only if it was captured while the issue was happening.

Why does the dump help us? A dump file contains the threads that were executing and their call stacks, the loaded modules, the memory heap, etc. By analyzing that information, we can learn what was happening at the time of the issue and reach a conclusion about the cause.

What kind of problems can it help solve? It generally helps solve problems such as crashes, hangs, high memory, high CPU and slowness.

As mentioned above, since a dump is only useful when it is captured in time, App Service offers different ways to trigger a capture for different kinds of problems. The common ones are:
High CPU: Proactive CPU monitor https://azure.github.io/AppService/2019/10/07/Mitigate-your-CPU-problems-before-they-even-happen.html
Crash: Crash monitor https://azure.github.io/AppService/2020/08/11/Crash-Monitoring-Feature-in-Azure-App-Service.html
High memory / hang / slowness: Auto Heal https://azure-advice.com/2020/11/19/using-auto-heal-to-capture-memory-dumps-for-slow-requests/
But in some cases, the above ways cannot help us. I will explain this in later articles.

Building Static Web Apps with database connections: Best Practices
With the announcement of Static Web Apps' database connections feature, when should you use database connections versus building your own backend APIs? What is Data API builder and how does it relate to Static Web Apps' database connections feature? We cover these topics and more in this blog post.