secure multi-tenant apps with azure and azure...

53
Secure Multi-tenant Apps with Azure and Azure DevOps Benny Michielsen DevOps Pro Europe 21 March 2019

Upload: others

Post on 28-May-2020

13 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Deze template bevat twee ontwerpen:

Alle dia’s in je presentatie worden

Secure Multi-tenant Apps with Azure and Azure DevOps

Benny MichielsenDevOps Pro Europe21 March 2019

Page 2: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Tech aficionado

Programming, Zbgureshpxre

Benny [email protected]

[email protected]

Page 3: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 4: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 5: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 6: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 7: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Secure Isolated Automated

Page 8: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 9: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Secure

defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction

Page 10: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Deze template bevat twee ontwerpen:

Alle dia’s in je presentatie worden

Azure AD

Page 11: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Integrate with Azure AD

<ItemGroup><PackageReference

Include="Microsoft.AspNetCore.App" /><PackageReference

Include="Microsoft.AspNetCore.Authentication.AzureAD.UI"Version="2.1.1" />

</ItemGroup>

Page 12: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Integrate with Azure AD

public void ConfigureServices(IServiceCollection services){

services.AddAuthentication(AzureADDefaults.AuthenticationScheme).AddAzureAD(options =>

Configuration.Bind("AzureAd", options));

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options => {

options.Authority = options.Authority + "/v2.0/";options.TokenValidationParameters.ValidateIssuer = true;

});

Page 13: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Integrate with Azure AD

{"AzureAd": {

"Instance": "https://login.microsoftonline.com/", "TenantId": "",”ClientId": "", "CallbackPath": "/signin-oidc"}

}

Page 14: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 15: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 16: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 17: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 18: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 19: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Azure AD – Restricting access

• By default all registered apps are available to all users• All apps show up on their profile

Page 20: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 21: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 22: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Groups and roles

• Groups (Security Groups)– Can be assigned to users– Managed for the entire Azure AD– Group information can be made available to the application

• Application Roles– Application can define roles– Scoped per application– Role information can be read to check authorisation

Page 23: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 24: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 25: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 26: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Azure AD

• Multi-tenant service that provides enterprise-level identity and access management

• Manage users and access to resources• Provide single sign on• Multi factor authentication• Manage Groups• Manage Applications• Actively being integrated in azure services

Page 27: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Deze template bevat twee ontwerpen:

Alle dia’s in je presentatie worden

KeyVault

Page 28: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

{"Logging": {

"LogLevel": {"Default": "Warning"

}},"AllowedHosts": "*","Storage": {

"Name": "","ConnectionString": ""

},"ConnectionStrings": {

"CustomerAppDatabase": ""},"AzureAd": {

"Instance": "https://login.microsoftonline.com/","Domain": "","TenantId": "","ClientId": "","ClientSecret": "","CallbackPath": "/signin-oidc"

},"KeyVault": {

"Name": ""}

}

Page 29: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Azure KeyVault

• Safeguard cryptographic keys and other secrets used by cloud apps and services

• Secret Management• Key Management• Certificate Management

Page 30: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 31: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

public static void Main(string[] args){

CreateWebHostBuilder(args).Build().Run();}

public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>

WebHost.CreateDefaultBuilder(args).ConfigureAppConfiguration((ctx, builder) =>{

var builtConfig = builder.Build();builder.AddAzureKeyVault(

$"https://{builtConfig["KeyVault:Name"]}.vault.azure.net/",builtConfig["AzureAd:ClientId"],builtConfig["AzureAd:ClientSecret"]);

}).UseStartup<Startup>();

Page 32: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 33: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

{"Logging": {

"LogLevel": {"Default": "Warning"

}},"AllowedHosts": "*","Storage": {

"Name": "","ConnectionString": ""

},"ConnectionStrings": {

"CustomerAppDatabase": ""},"AzureAd": {

"Instance": "https://login.microsoftonline.com/","Domain": "","TenantId": "","ClientId": "","ClientSecret": "","CallbackPath": "/signin-oidc"

},"KeyVault": {

"Name": ""}

}

Page 34: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Managed Identity

• Identity for Azure resources– System Assigned– User Assigned

• Remove the need to manage credentials• Integrates with any resource that supports AD authentication

Page 35: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 36: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 37: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

public static void Main(string[] args){

CreateWebHostBuilder(args).Build().Run();}

public static IWebHostBuilderCreateWebHostBuilder(string[] args) =>

WebHost.CreateDefaultBuilder(args).ConfigureAppConfiguration((ctx, builder) =>{

var builtConfig = builder.Build();builder.AddAzureKeyVault(

$"https://{builtConfig["KeyVault:Name"]}.vault.azure.net/”);

}).UseStartup<Startup>();

Page 38: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Isolation

how and when the changes made by one operation become visible to other concurrent operations

Page 39: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Tenant 3

Tenant 2

Single tenant app

Tenant 1

Page 40: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Multi tenant app

Tenant 1 Tenant 2 Tenant 3

Page 41: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Multi tenant app

Tenants

Page 42: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Multi tenant app

Tenants 1, 2 & 3 Tenants 4, 5 & 6

Page 43: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Premium tier -Tenant 4

Multi tenant app

Free tier – Tenant 1, 2 & 3

Premium tier -Tenant 5

Page 44: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Stand alone single tenant

FK Suduva Zalgiris Vilnius NFA Kaunas

Page 45: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Stand alone single tenant

FK Suduva Zalgiris Vilnius NFA Kaunas

Elastic Db Pool

Page 46: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Automation

by which a process or procedure is performed with minimum human assistance.

Page 47: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Resource Group

Multi tenant app

Tenant 1 Tenant 2 Tenant 3

Page 48: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Automate provisioning

• ARM Templates• Execute with

– CLI– PowerShell– Azure DevOps– Azure Automation– Rest API

Page 49: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Stand alone single tenant

FK Suduva Zalgiris Vilnius NFA Kaunas

Elastic Db Pool

Page 50: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny
Page 51: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

The entire picture

Page 52: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

License App

Admin Application

Club A Application

Club B Application

Club C Application

Registration Application

Document Service

Page 53: Secure Multi-tenant Apps with Azure and Azure DevOpsblog.bennymichielsen.be/wp-content/uploads/2019/03/... · 2019-03-21 · Secure Multi-tenant Apps with Azure and Azure DevOps Benny

Thanks for listening!

@[email protected]