HSTS Preloading with Azure Web Apps

In previous posts, I’ve talked about implementing web security features such as HTTPS, CSP, HPKP and HSTS. Almost all of these are things we can configure ourselves within our web application’s responses to client requests; however, one of these features, HSTS, requires a little more work to fully implement.

HSTS is a technology of two halves. HTTP Strict Transport Security (HSTS) is a feature which allows a website to instruct the client that it should never be downgraded to HTTP and should only ever request and receive data from the site over HTTPS. We can easily implement this, in the case of Windows and IIS, using a web.config file outbound rewrite rule which I covered in the previous post, Working Hard on Web Security.

The trouble is, this is only half the battle. If a client has visited your site before, their browser knows to always use HTTPS because it has previously seen the HSTS header, but what about new visitors? What happens if your site is the victim of a downgrade attack between you implementing HTTPS and HSTS and the first time a user visits? Their browser doesn’t yet know it should be using HSTS, so we have a problem.
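The preload list closes that first-visit gap, but only if the header the site sends meets the list’s submission rules. As an added example (not code from the original post), here is a PowerShell function that parses a Strict-Transport-Security header and reports whether it is preload-eligible, plus a helper that fetches the header from a site; the function names, the sample header values and the one-year minimum are mine, not the post’s.

```powershell
function Test-HstsPreloadHeader {
    # Checks a Strict-Transport-Security header value against the preload list
    # submission rules: max-age of at least one year, plus the includeSubDomains
    # and preload directives. Returns an object listing anything that is missing.
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$HeaderValue,

        # hstspreload.org requires a max-age of at least 31536000 seconds (one year)
        # at the time of writing; older guidance used 18 weeks.
        [long]$MinimumMaxAge = 31536000
    )

    $problems   = New-Object System.Collections.Generic.List[string]
    $directives = @{}

    # Directives are separated by ';' and their names are case-insensitive (RFC 6797).
    foreach ($part in ($HeaderValue -split ';')) {
        $token = $part.Trim()
        if (-not $token) { continue }
        $name, $value = $token -split '=', 2
        $directiveValue = $null
        if ($value) { $directiveValue = $value.Trim().Trim('"') }
        $directives[$name.Trim().ToLowerInvariant()] = $directiveValue
    }

    $maxAge = $null
    if (-not $directives.ContainsKey('max-age')) {
        $problems.Add('max-age directive is missing')
    }
    elseif (-not [long]::TryParse($directives['max-age'], [ref]$maxAge)) {
        $problems.Add("max-age value '$($directives['max-age'])' is not an integer")
    }
    elseif ($maxAge -lt $MinimumMaxAge) {
        $problems.Add("max-age $maxAge is below the required $MinimumMaxAge seconds")
    }

    if (-not $directives.ContainsKey('includesubdomains')) {
        $problems.Add('includeSubDomains directive is missing')
    }
    if (-not $directives.ContainsKey('preload')) {
        $problems.Add('preload directive is missing')
    }

    [pscustomobject]@{
        Header          = $HeaderValue
        MaxAge          = $maxAge
        PreloadEligible = ($problems.Count -eq 0)
        Problems        = $problems.ToArray()
    }
}

function Get-HstsHeader {
    # Requests the site over HTTPS and returns its Strict-Transport-Security
    # header, or $null when the header is absent. Redirects are not followed:
    # the final HTTPS response itself has to carry the header.
    param([Parameter(Mandatory)][uri]$Uri)

    $response = Invoke-WebRequest -Uri $Uri -Method Head -MaximumRedirection 0 `
        -UseBasicParsing -ErrorAction Stop
    $value = $response.Headers['Strict-Transport-Security']
    if ($null -eq $value) { return $null }
    # Windows PowerShell returns a string here, PowerShell 7 a string[].
    return ($value -join ', ')
}

# Constructed sample values, not headers captured from any real site.
# A one-year policy without the preload directive, as many sites send it:
Test-HstsPreloadHeader 'max-age=31536000; includeSubDomains' | Format-List
# The form the preload list accepts:
Test-HstsPreloadHeader 'max-age=31536000; includeSubDomains; preload' | Format-List
```

To check a live site, pipe the two together: `Get-HstsHeader https://example.invalid | Test-HstsPreloadHeader` (the hostname here is a placeholder).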


Restricting Azure Resource Deployment by Region

This week, I’ve been studying some topics ahead of my 70-533 exam, and one of the topics I covered which I thought would make a really relevant and hopefully not too long a post is the subject of restricting Azure resource deployment to specific regions.

Many organisations have considerations around data privacy and sovereignty. For me and many folks in the UK, right now that means your data is probably living in an Azure region in Europe, either Dublin or Amsterdam. With the UK datacentres having been brought online fairly recently and the available features growing month by month, using those regions becomes more appealing. The prospect of Brexit, and how your data sovereignty may be affected by that shake-up, could potentially make those UK datacentres even more appealing in the months and years to come.

With an out of the box Azure subscription, we have the power to deploy resources to any region we like, be it UK, US, South America or Asia, but with these privacy and data protection concerns, wouldn’t it be great if you could limit this so that even the most well trained administrators and users cannot accidentally place your data on the wrong side of a pond?

Read on below the fold and I’ll explain how to create an Azure Resource Policy and how to apply it to your environments.
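As an added example of the kind of policy described above (my code, not the post’s), this PowerShell builds an Azure Policy rule that denies any resource created outside the UK regions, mirrors the rule locally so its effect can be reasoned about before it is assigned, and assigns it at subscription scope with the Az module. The allowed-region list, the definition and assignment names, and the Test-LocationAllowed helper are my assumptions.

```powershell
# Policy rule: deny any resource whose location is outside the allowed list.
# Resources that report "global" as their location (Traffic Manager, Azure DNS
# and similar) are exempted; without that clause the policy would block them too.
$allowedLocations = @('uksouth', 'ukwest')

$policyRule = @{
    if = @{
        allOf = @(
            @{ field = 'location'; notIn = $allowedLocations }
            @{ field = 'location'; notEquals = 'global' }
        )
    }
    then = @{ effect = 'deny' }
} | ConvertTo-Json -Depth 10

function Test-LocationAllowed {
    # Local mirror of the rule above. Returns $true when a deployment to the
    # given location would be accepted, $false when the policy would deny it.
    param(
        [Parameter(Mandatory)][string]$Location,
        [string[]]$Allowed = $allowedLocations
    )
    # Azure evaluates the normalised region name: 'UK South' becomes 'uksouth'.
    $normalised = $Location.ToLowerInvariant().Replace(' ', '')
    if ($normalised -eq 'global') { return $true }
    return ($Allowed -contains $normalised)
}

Test-LocationAllowed 'UK South'     # in the allowed list, so accepted
Test-LocationAllowed 'westeurope'   # Amsterdam: not in the list, so denied
Test-LocationAllowed 'global'       # region-less service: exempt from the rule

# Create the definition and assign it at subscription scope. Requires the Az
# module (Install-Module Az) and an authenticated session (Connect-AzAccount);
# the caller needs Resource Policy Contributor or Owner on the subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

$definition = New-AzPolicyDefinition -Name 'allowed-locations-uk' `
    -DisplayName 'Allowed locations: UK only' `
    -Description 'Denies deployment of resources outside the UK regions.' `
    -Policy $policyRule

New-AzPolicyAssignment -Name 'allowed-locations-uk' `
    -DisplayName 'Allowed locations: UK only' `
    -Scope $scope `
    -PolicyDefinition $definition

# A deny policy only blocks new deployments and updates; resources that already
# exist outside the UK are reported as non-compliant, not moved or deleted.
```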


The GitHub Deploy to Azure Button

This is a really quick post but one I thought was worthy of getting down somewhere.

I’m starting to use GitHub more and more as a source for content and as I find myself wanting to produce the odd piece of content as well, I figured GitHub is where everyone else is sticking their Azure Resource Manager code so I should do the same.

For anyone that has looked on the official Azure team GitHub Repositories, you will have seen the blue Deploy to Azure button which is really nice as it directly takes you from GitHub over to Azure and links back to the GitHub Repository to start deploying the Resource Manager template without you having to download it and deploy it manually first.

The Azure team have a blog post over at https://azure.microsoft.com/en-gb/blog/deploy-to-azure-button-for-azure-websites-2/ which explains how you can use the Deploy to Azure button in your own repositories or even have it on your own website with a link back to a repository. It’s a nice touch, dead simple to implement by adding a line to the readme.md file and gives you that factory feel.

Enjoy.

Azure Winter Roundup 2016

With the weather starting to warm up and the sun out for longer, the worst of winter is behind us and we have spring to look forward to, so what better time to wrap up 2016 with a recap of some of the new features to drop.

What’s New in General Availability

The all important GA milestone means these services are ready for prime time so here’s what’s new in the world of Azure since Al’s last update.

Managed Disks

Since the dawn of infrastructure as a service in Microsoft Azure, Storage Account management has been one of the burdens that stayed with us into the cloud. Like managing LUN mapping and disk tier balancing on on-premises SAN arrays, we had to get the right number of Storage Accounts with the right capacity and number of IOPS in each.

Managed Disks now allow us to offload that burden to Microsoft and mean we can provision IaaS VMs with the storage complexity of PaaS (read: none). When we provision a machine and select the option to use Managed Disks, the platform will create everything behind the scenes.

Managed Disks are available in Premium and Standard storage flavours, but the gotcha here is that for Standard, you pay for the fully provisioned disk size, not the thin-provisioned in-use size as you do with traditional Storage Accounts, so some customers may wish to continue using the conventional methods for storage.

For the full story on Managed Disks, read on at https://azure.microsoft.com/en-us/blog/announcing-general-availability-of-managed-disks-and-larger-scale-sets/.


Azure Updates Arrive En Masse

It seems that the folks in the various Azure teams at Microsoft have been really busy since the Build conference earlier this year getting products to various states of ship and it appears that this month is the mountain when it comes to releases and announcements. I got my usual Microsoft Azure new features and pricing announcements email last night and the number of new features here and features entering GA this month is astonishing.

Azure AD Connect

First and foremost, we have Azure AD Connect entering general availability. This is the replacement to all existing versions of DirSync and the Azure AD Sync tools. Whilst the directory synchronisation feature in itself isn’t anything special to talk about, for anyone still using DirSync, this is certainly a lot nicer to interact with and operate. Additionally, we have a number of the optional features available (a number of which are still classed as preview) to make synchronising your users between on-premise and Azure Active Directory that bit more rich. Sadly, there is still no Yammer integration with this version of Azure AD Connect so you still need to run the Yammer Directory Sync tool.

Azure Key Vault

This is a new service for Azure as opposed to an update to an existing service. Key Vault provides FIPS 140-2 certified HSMs in the cloud. An HSM is a Hardware Security Module, a device used to manage cryptographic keys, and it is commonly found in Certificate Authorities and SQL Servers. I’ve worked with a number of PKI and SQL projects and none of them have ever had technical requirements for HSMs to be in place. I suspect this has been added to Azure as a service at the request of one or more major companies sitting on the fence over public cloud right now because they need HSMs in order to meet some kind of regulatory or certification requirement.

Azure Application Gateway

This is another new service and one which is really quite amazing in both its simplicity and the features that it brings. Azure Application Gateway is essentially an application request routing engine or reverse proxy as an Azure service. It allows you to publish Azure hosted, non-Azure publicly hosted or even on-premise applications to the world. It supports SSL offload to take the key processing workload away from your servers, and it can be integrated with Azure Traffic Manager to provide geographic awareness for your applications.

Where I see this being especially useful is for companies currently hosting applications on-premise that are either publicly accessible or published to allow employees or partners access to a service. By publishing applications via Azure Application Gateway instead, companies can have their applications published but without the need to break holes in their own firewalls for those incoming connections.

The pricing on Azure Application Gateway seems very reasonable to me also which is going to make it extremely popular I think.

Azure SQL Data Warehouse

While all the previous service offerings have been general availability, this one is just a limited public preview however Azure SQL Data Warehouse was one of the brand new services announced earlier this year at Build so it’s great to see it moving along. I tend not to get involved so much with large SQL data warehousing work being more of an infrastructure specialist than a data specialist however I can see how if priced suitably, this is going to be a major service of interest for some businesses who want to leverage the cost benefits of the public cloud due to the fact that Data Warehousing can be extremely expensive to properly implement on-premise. This coupled with the fact that Azure SQL Data Warehouse is going to be tightly integrated with Power BI from Office 365 as well as Azure services like Machine Learning is going to make it very easy for customers to do more with their data.

Azure Web App SSL Cipher Suite Changes

Earlier this week, I got an email from the Azure Team to announce that, as part of security improvements to the Azure App Service Web Apps (formerly known as Azure Websites), they will be making changes to the supported SSL cipher suites, with the changes taking effect as of July 18th 2015. Additionally, Microsoft have provided a test site that is running the new suite of ciphers at https://testsslclient.trafficmanager.net.

I decided to take the test site for a drive on the Qualys SSL Labs tool, the SSL Server Tester. I’ve been using this site for a long time now as a means to test SSL enabled websites, as it allows you to verify the whole configuration in one place including the certificate, protocols and cipher suites. I ran the test site through the Qualys SSL Server Tester as well as this blog, which is running on a current generation Azure Web App site, to compare the results.

It’s important to understand the difference between a Web App and a Cloud Service before we get much further into this too. Some people will be looking at this post and thinking, why don’t I just enable or disable the relevant protocols or ciphers within my application? Herein lies the difference between the Web App and a Cloud Service. The Web App, in web hosting terms, is a website running on a multi-instance web server. A Cloud Service is a dedicated instance that you are responsible for, so it allows you more control but at the expense of additional complexity. With a Cloud Service, we can configure the ciphers and protocols as part of the service definition, which runs in the form of a start-up script. With a Web App, we don’t have any of these levels of deep system access, so we have to accept what we are given.

richardjgreen.net SSL Test Result

Running the test on this site, richardjgreen.net, I get the same result I have achieved for some time, an overall score of Grade B. The grade in this instance is limited to B because the server is allowing weak RC4 ciphers as well as a Triple DES (3DES) cipher. Additionally, the current site does not support Forward Secrecy, sometimes seen as Perfect Forward Secrecy or PFS for short. The final message stating that the site only works with browsers supporting Server Name Indication, or SNI for short, is not a security failure. This is due to the fact that I have opted to only support SSL for SNI browsers on my Azure Web App instance.

testsslclient SSL Test Result

Running the test again against the test site, we can see that the result has improved to an overall score of Grade A. This is achieved because support for the weak RC4 ciphers has been dropped along with the Triple DES (3DES) cipher. Additionally, the cipher suites have been re-ordered slightly and a new SHA384 3072 RSA key cipher has been added at the top of the cipher suite order, meaning that this cipher should be the most preferable to use.

Looking at some of the details for the test, it also appears that Web App instances are now being built on Windows Server 2012 R2, although how long this may have been the case, I do not know. In the HTTP Server Signature for the SSL Server Tester results, richardjgreen.net shows Microsoft-IIS/8.0 whereas the Microsoft test site shows Microsoft-IIS/8.5.

I look forward to re-running the SSL Server Tester after the 18th July and seeing if the test result for my own site is as good as the test site shown.

Azure Backup Maximum Retention

This is a very short and quick post but something I wanted to share none-the-less.

I got a call from somebody today looking at the potential for using Azure as a long-term solution to store infrequently accessed data. A StorSimple appliance is one obvious answer to the problem but that was out of consideration in this instance and we talked about using Azure Backup as a solution due to the fact that this data doesn’t actually need to be accessible online and an offline recovery to access the data would be viable.

When I started to use Azure Backup with the Windows Server 2012 R2 Essentials integration a number of years ago, Azure Backup was limited to 30 days retention, but I knew that this had been increased of late, so using the Microsoft Azure Backup client on my server, I looked to see what the maximum value was that I could set the backup job retention to, and the number that came out was 3360 days, which on a sensible scale is 9 years and 3 months.

That’s quite a lot of retention there but sadly, it still wasn’t enough for this requirement so back to the drawing board. My problem aside, it’s good to see that Azure Backup now supports long-term data retention for backup and 9 years and 3 months is long enough to meet most organisations retention requirements including those in the financial sector.

A Swathe of Microsoft Azure Updates

I’ve been a bit lazy over the last couple of weeks when it’s come to blogging a) because I’ve been on the road quite a bit with work and I haven’t fancied sitting in front of my PC when I got home in the evening and b) I’ve been too hooked watching Ray Donovan on TV to think about picking up the laptop.

The problem with not blogging for a while is that I have a lot of pent up desire to post things that I’ve been thinking about and doing over the last couple of weeks, not enough time to do it, nor the will power to type it all out.

As we all know, Azure is fairly close to my heart these days and there’s been a lot of activity in Azure across a whole host of offerings.

The biggest changes are covered in full in the blog post by Scott Guthrie over at http://weblogs.asp.net/scottgu/azure-sql-databases-api-management-media-services-websites-role-based-access-control-and-more.

Azure SQL Service Tiers

For me and my obsession with running WordPress on Azure, the biggest change here is the General Availability of the Azure SQL Database Service Tiers. These are the tiers which have been in preview since early this year and are due to replace the legacy tiers next year. The good news here is that Microsoft appear to have made a change during the course of the year which means you don’t need to actually migrate your data and you can simply switch between the tiers, so there’s no excuse now.

Azure Websites

Another big change is to Azure Websites. Azure Websites have previously not been able to integrate with a Virtual Network to let you easily consume on-premise resources as part of a website. You could get around this to an extent using a BizTalk Hybrid Connection; however, the setup of this required agents to be deployed across the servers you wanted to connect to and meant extra configuration and complexity. We can now consume on-premise resources via our Virtual Network, whether it be a SQL Server, a back-end application server or whatever your website needs.

As part of the website changes, there is a new gallery template available for Websites named Scalable WordPress. This is a WordPress site deployment on Azure Websites designed for Azure which includes pre-configuration to use Azure BLOB Storage and easy configuration for Azure CDN. This new template potentially puts all my work to hone WordPress for Azure to the waste heap. As a WordPress user and fan, I’m going to be deploying one of these sites in the next few days (maybe longer) to see how Microsoft have built the site template. My money is on either they have used plugins to achieve it in the same way I do or they’ve customized the code base to make it work. Either way, I’ll be interested to see.

Azure RBAC

Finally, at last, the feature that we’ve all been wanting, needing and waiting for. No more is a subscription the boundary for security and access control in Azure: with the release of Role Based Access Control (RBAC), we can now control access to resources in our Azure subscriptions. I’m really looking forward to having a poke around with this feature, as I see this being one of the biggest features ever with Azure.

Azure Active Directory (AAD) Sync

In a separate article over at http://blogs.technet.com/b/ad/archive/2014/04/21/new-sync-capabilities-in-preview-password-write-back-new-aad-sync-and-multi-forest-support.aspx it was announced that the latest version of the AAD Sync tool has come out of Preview and is now in General Availability.

This new version supports Self-Service Password Reset write-back to Active Directory Domain Services (AD DS) with DirSync and Multi-Forest sync for complex domain and Exchange Server topologies.

Password write-back for organisations using AAD could be a really good thing; just bear in mind, before you get too excited about the reduction in service desk calls you can achieve through self-service password reset, that you need to meet the prerequisites for the write-back agent, which are pretty simple, but you also need to be paying for Azure Active Directory Premium.

All in all, this has been a great month for Azure and I’m looking forward to trying to get my teeth into some of these new features.

The Forgotten Cost of Microsoft Azure Networks

We all know cloud services cost money, that’s a no brainer because we are consuming resources in somebody else’s environments, but what happens when you forget about it?

I was looking at my Microsoft Azure subscription today to see how I was doing for billing this month and the bill was higher than I expected. When I looked through the consumption charts in the Account Portal, I was shocked to see £20 of consumption against the Azure Network Gateway. Some time ago, I had configured the Azure Network Site-to-Site VPN to test the feature against my ASA firewall at home. Once I had played with it for a while and verified I had a good configuration, I disabled the IPsec tunnel at my end, as there was no point in keeping the connection up for the sake of it.

Problem was, I forgot about the Azure VPN Gateway which is a required item to enable the Site-to-Site VPN to function. I had accidentally left it running, consuming resources as it pleased without me actually reaping the service it offered.

Azure Gateway Hours

Sure, the cost is not significant, but it’s still a cost I’d rather avoid as I’m sure anyone out there paying up for cloud services would avoid. Money for nothing as Dire Straits famously said.

Needless to say, the VPN Gateway is now deleted and when the time comes that I want to use the Site-to-Site VPN, I’ll need to redeploy it and re-configure the Pre-Shared Key and IP Address for the tunnel endpoint on my ASA but that’s worth doing for a £20 a month saving on my Azure bill. Let this be a lesson to us all. Remember what you deploy and remember to clean-up after yourself when you’re finished with it.

Microsoft Azure Spending Limits Clarification

Lots of people want to use Microsoft Azure, that much is clear, but based on threads which get started on the TechNet forum, a lot of people get stuck when it comes to the relationship between trial accounts, standard accounts, billing and limits, so I wanted to set the record straight a little using some good old plain English.

This is in response to a thread I answered on the TechNet forum last night which you can see at http://social.msdn.microsoft.com/Forums/windowsazure/en-US/a78f28e6-3929-45ef-9c52-cee62d3ab17a/set-spending-limit-after-free-trial?forum=windowsazurepurchasing#a603ca13-5911-4cf9-a142-ec1615192e95.

Trial Accounts

When you sign up for a Microsoft Azure trial account, you are prompted to provide a payment instrument during the sign up. Payment instrument is a really horrible term for a payment method. In a nutshell, it wants you to provide a credit card. When you sign up for the free trial, you get $200 of credit available to consume over a one month period.

The $200 credit is imposed in the form of a spending limit. If you consume all $200 before your month is up, all of your services will be suspended. If you’ve got credit left at the end of the one month period you will lose it, so make sure you use it, even if it’s just to get a grasp on how to create various types of virtual machine, websites, cloud services or databases.

If you consume all $200 before the month is up and you want to resume the services that you have provisioned thus far you can remove the spending limit on the trial account which will begin placing cost incurring charges against your credit card payment instrument.

MSDN and BizSpark Accounts

If you have access to Microsoft Azure via an MSDN subscription or a BizSpark subscription you will have at your disposal $150 per month of Microsoft Azure credit included in your agreement. This entitlement lasts for the duration of the agreement and at the termination of your agreement, all services will become suspended when the final credit amount expires in your final month.

If you want to resume these services, you will need to add a payment instrument, a credit card to the account and disable the spending limit. Unlike a trial account, you are not forced to add credit card information at the point of enabling the subscription so be sure you don’t forget to add this detail.

If you are using your $150 a month entitlement but find that you could do with a little bit extra then you can opt to disable the spending limit on the subscription, add payment details in the form of a credit card and once you reach the $150 free entitlement, any excess usage of the Microsoft Azure platform will be billed to your card.

Understanding Spending Limits

Spending limits, I think, are the largest cause of confusion in Microsoft Azure. Spending limits are what they are called: a limit to prevent spending money over a given amount. They do not represent a fixed spending commitment (e.g. spending $100 a month even if you only consume $25 of services), a question I’ve seen asked on the TechNet Forums on more than a few occasions.

Spending limits are not a feature which is generally available for normal subscriptions. Spending limits are only available for Trial, MSDN and BizSpark subscriptions, as previously mentioned. If you are an enterprise customer or a conventional pay-as-you-go customer you cannot enable a spending limit on your subscription, as this option is not available.

With MSDN and BizSpark subscriptions, when you disable the spending limit, you will continue to consume your monthly or trial period entitlement to funds. The trial or monthly funds will be consumed first before any charges are levied against your credit card. Once you exhaust all of your credit, you will start being billed.

If you elect to reactivate a spending limit on an MSDN or a BizSpark subscription, you cannot customise the limit value. When you reactivate the spending limit, the limit will be restored with the same limit as was previously imposed. To re-iterate, you cannot customise the spending limit as the limit value is defined by the type of subscription that you have.

You can read the official Microsoft article on MSDN about spending limits configuration and when they are or are not available at http://msdn.microsoft.com/library/azure/dn465781.aspx.

Alternative to Spending Limits

With spending limits not available for conventional subscriptions, many people will be thinking what is there to stop me from racking up a massive bill unknowingly and then having to try and explain or justify perhaps to business partners or co-workers or such like, how you managed to spend so much. By default, nothing, there is nothing to stop you from spending an infinite amount of money. Luckily, we have a solution in the Billing Alert Service.

The Azure Billing Alert Service is currently in preview although it has been around for a while now and I expect it to stay due to the lack of spending limits for conventional subscriptions. Although the Azure Billing Alert Service does not explicitly stop you from spending too much money, it does allow you to configure warnings and alerts before you spend too much money and allow you a chance to react to potential billing spikes such as shutting down services or virtual machines.

I have previously written a short post on how to enable and configure the Azure Billing Alert Service, which you should take a look at to find out more about how to configure this for your own subscription.

I hope that this post has clarified the meaning of spending limits in Microsoft Azure, when you can and cannot use them, and how to access the Azure Billing Alert Service alternative.