Azure Security Fundamentals Part - 3: Hardening App Services and Databases

February 13, 2025
Azure SecurityAzureSecurity

πŸ” Azure App Services & Database Security

In this post, we dive into securing Azure App Services and databases, two of the most frequently used components in cloud native architectures.

While Azure handles much of the infrastructure, you’re still responsible for application level and data level security especially when it comes to configuration, access, and encryption.

🌐 App Services Security

Azure App Services and Azure Functions share the same infrastructure and security models. They're PaaS services, which means you don’t manage the OS but you still must configure them securely.

πŸ”’ Enforce HTTPS Only Traffic

Always enforce HTTPS by disabling HTTP. This:

  • Ensures encrypted communication
  • Prevents man in the middle attacks

βœ… This is usually enabled by default, but verify it after deployment.

πŸ‘₯ Integrate Azure AD Authenticatio

Using Azure AD to authenticate users for your app brings major benefits

  • Seamless integration
  • Single Sign On (SSO)
  • Multi Factor Authentication (MFA)
  • Conditional Access
  • Centralized user management

πŸ”— Azure AD auth is free and easily enabled through the Azure portal.

πŸ—οΈ Protect Secrets with Azure Key Vault

Never store secrets (like database strings or API keys) in

  • Application settings
  • Source code
  • Configuration files

Instead, use Azure Key Vault and access secrets securely via

  • Managed Identities
  • Built in App Service integration

🌍 Restrict Internet Access

Minimize the public exposure of your App Service:

  • Allow public access only through WAF and Firewall
  • If app usage is limited (e.g., internal tools), configure IP restrictions
  • For high security apps, consider App Service Environment (ASE) or Isolated Tier with VNet integration

πŸ—„οΈ Database Security in Azure

Databases are prime targets for attackers. Azure provides several layers of defense, but secure setup is still your responsibility.

πŸ‘€ Use Azure AD Authentication

Instead of SQL authentication (username/password), use

  • Azure AD identities
  • Managed Identity (for app to database access)

Benefits

  • No credential storage
  • Unified access control
  • Stronger compliance posture

πŸ” Encrypt Data at Rest and In Transit

Transparent Data Encryption (TDE)

  • Default for Azure SQL
  • Encrypts data at rest using a server managed key
  • Optionally, bring your own key stored in Key Vault

Always Encrypted (AE)

  • Encrypts sensitive columns
  • Keeps data encrypted even from DBAs
  • Only authorized client applications can decrypt

πŸ’‘ Store Always Encrypted keys in Azure Key Vault for additional protection.

πŸ”’ Restrict Access Using Private Endpoints

Use Private Link to avoid exposing your database to the public internet

  • Creates a private IP address for the DB in your VNet
  • Access is limited to trusted subnets or services
  • Requires DNS and VNet configuration

Fallback: Use firewall rules to allow specific public IPs if private access isn’t possible.

πŸ’‘ Connecting From App Service or VM

From Virtual Machines

Security stack

LevelBest Practice
IdentityUse Managed Identity
SecretsStore in Key Vault
NetworkingUse Private Endpoint over Public IP

From App Services

  • App Services aren't in a VNet by default
  • Use VNet Integration to reach Private Endpoints
  • For high security workloads, consider Isolated Tier (expensive but VNet native)
App Service
     β”‚
VNet Integration
     β”‚
Private Endpoint ──► Azure SQL

βœ… Summary Checklist

ComponentRecommendation
App ServicesEnforce HTTPS, use Azure AD Auth, restrict IPs
Secret StorageUse Azure Key Vault + Managed Identity
SQL AuthenticationPrefer Azure AD identity over SQL login
EncryptionUse TDE and Always Encrypted (where needed)
NetworkUse Private Endpoint + VNet Integration

← Previous: Key Vault and Virtual Machines

Next: β†’ Storage, Firewalls, Logging