security architecture
Securing app services across multiple AAD tenants
Hi all, I'm beating my head against a wall, so I wanted to see if anyone can please help me out, or at least point me in the correct direction.

We have a large Azure infrastructure across multiple AAD tenants, with a number of app services that we're trying to secure at the network level using app service restrictions, so that access is only allowed from clients within our infrastructure (across the 2 tenants), or using controlled access via our APIM and Front Door edges. The clients are a mix of other app services, VMs, VM scale sets (Service Fabric), and APIM access routes. All of these now have subnets attached for outbound routing.

For securing within the same tenant everything works beautifully, using subnet access rules to grant access to the service endpoints from the client subnets. Where we are having problems is the cross-tenant allow rules. All the subnets have NATs attached with IPv4 public IPs, which I had assumed would mean that we'd be able to use the public IP to grant the access on restrictions in the other tenant. However, what we realised when we tested was that the presence of the Microsoft.Web service endpoint means that the NAT is being bypassed, and the IP presented to the target app service is not the IPv4 address we were expecting but an IPv6 address that is apparently used by the service endpoint, and I'm presuming not reliably static even if we can figure it out.

I presume we're not the first people ever to try to achieve the goal of cross-tenant app restrictions, so I thought I would ask how this is best done? The one suggestion I was given was to remove the service endpoints, but that of course stops us being able to use subnet app restriction rules, and I failed to get anything to work with any of the IPs associated with the clients.

Thanks in advance for any help you can offer.

Mark Middlemist

Azure Security architecture

Migrating to Azure. I want to make sure I get all the correct security applications for Azure, like Defender, Security Center, user analytics, SQL auditing, etc. We are using a cloud SIEM, not Sentinel. How do I use and verify that all the built-in security is on? With Azure there are so many different options; how do I tie it all together and keep cost down? I am working on a Visio diagram and I want to make sure I am getting the security logging that is built into Azure, and that the data I need for my cloud SIEM is set up in the most economical and secure fashion. I have found many links I plan to read and use to help with my architecture question, but any insight from the community is very much appreciated.
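The rule evaluation behind the first topic above (cross-tenant allow rules where the address the target app sees is not the NAT's IPv4 public IP), as an added example that is not code from either post and not Azure's own implementation: a simplified Python model of access-restriction evaluation (rules checked in ascending priority, first match wins, default action when nothing matches), used to show why an IPv4 allow rule for a NAT public IP can never match a request that arrives with an IPv6 source, while a subnet rule only matches when the source subnet is one the rule names. The subnet resource IDs, the 203.0.113.10 NAT address and the 2001:db8::/32 source addresses are constructed placeholders taken from documentation ranges, not addresses Azure actually uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of App Service access restrictions (added example, not
# Azure's implementation): rules are checked in ascending priority, the first
# matching rule decides, and the default action applies when nothing matches.


@dataclass
class Rule:
    name: str
    priority: int
    action: str                       # "Allow" or "Deny"
    ip_address: Optional[str] = None  # CIDR for an IP-based rule
    subnet_id: Optional[str] = None   # resource ID for a service-endpoint (subnet) rule


@dataclass
class Source:
    """What the target app sees for one inbound request."""
    ip: str
    subnet_id: Optional[str] = None   # set only when the request arrives via a service endpoint


def rule_matches(rule: Rule, src: Source) -> bool:
    if rule.subnet_id is not None:
        # Subnet rules match on the source subnet identity, not on an address.
        return src.subnet_id == rule.subnet_id
    network = ipaddress.ip_network(rule.ip_address, strict=False)
    addr = ipaddress.ip_address(src.ip)
    # An IPv4 CIDR never contains an IPv6 address (or vice versa). This is the
    # failure mode in the post: the NAT's IPv4 public IP is allowed, but the
    # request shows up with an IPv6 source, so the rule cannot match.
    if addr.version != network.version:
        return False
    return addr in network


def evaluate(rules: List[Rule], src: Source, default_action: str = "Deny") -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, or the default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src):
            return rule.action, rule.name
    return default_action, "<default>"


# Constructed placeholders: a same-tenant client subnet, a client subnet in the
# other tenant, that tenant's NAT gateway public IP (203.0.113.0/24 is a
# documentation range) and IPv6 sources from the 2001:db8::/32 documentation range.
SAME_TENANT_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-a"
                      "/providers/Microsoft.Network/virtualNetworks/vnet-a/subnets/snet-clients")
OTHER_TENANT_SUBNET = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-b"
                       "/providers/Microsoft.Network/virtualNetworks/vnet-b/subnets/snet-clients")
OTHER_TENANT_NAT_IP = "203.0.113.10"

RULES = [
    Rule("same-tenant-clients", 100, "Allow", subnet_id=SAME_TENANT_SUBNET),
    Rule("other-tenant-nat", 200, "Allow", ip_address=OTHER_TENANT_NAT_IP + "/32"),
]


def demo() -> dict:
    """Evaluate the three request paths discussed in the post."""
    return {
        # Same tenant, via service endpoint: the subnet rule matches.
        "same_tenant_via_endpoint": evaluate(
            RULES, Source(ip="2001:db8:a::1", subnet_id=SAME_TENANT_SUBNET)),
        # Other tenant, service endpoint removed: egress via NAT, IPv4 rule matches.
        "other_tenant_via_nat": evaluate(
            RULES, Source(ip=OTHER_TENANT_NAT_IP)),
        # Other tenant, service endpoint present: NAT bypassed, IPv6 source, and a
        # foreign subnet ID that no rule references -> default Deny.
        "other_tenant_via_endpoint": evaluate(
            RULES, Source(ip="2001:db8:b::1", subnet_id=OTHER_TENANT_SUBNET)),
    }


if __name__ == "__main__":
    for path, (action, rule) in demo().items():
        print(f"{path:28} -> {action} ({rule})")
```

The point the model makes concrete is that an IP-based allow rule only helps when the address the target app actually records matches it, so the practical check before choosing between removing the service endpoint and keeping subnet rules is to confirm, from the target app's own logs, which source each client path presents.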