Implement secure cloud solutions

Last Updated on December 13, 2020 by

Implement secure cloud solutions is part of Implement Azure security topics. The total weight of this in the exam will be 15-20%. This training post is designed to help and provide readers with a better understanding of the topic mentioned.

Disclaimer: This is not a training article to help complete the Microsoft Azure AZ-204, but it provides a good insight into the areas within these topics. Labs and hands-on work are essential to passing most Microsoft Azure exams.

Implement secure cloud solutions:
Manage keys, secrets, and certificates by using the KeyVault API

Implement secure cloud solutions:

Azure Key Vault

Microsoft Azure Key Vault is a cloud service that works as a security-enhanced secrets store.

Key Vault allows you to create multiple security-enhanced containers, called vaults. These vaults are backed by hardware security modules (HSMs). Vaults help to reduce the chance of accidentally losing security information by centralizing the storage of application secrets. Vaults also control and log the access to anything stored in them. Azure Key Vault is designed to support any type of secret, such as a password, database credential, API key, or certificate. Software or HSMs can help to protect these secrets. Azure Key Vault can handle requesting and renewing Transport Layer Security (TLS) certificates, providing the features required for a robust certificate lifecycle management solution.

Key Vault concepts

Here are some important terms:

  • Vault: A vault is logical group of secrets.
  • Vault owner: A vault owner can create a key vault and gain full access and control over it. The vault owner can also set up auditing to log who accesses secrets and keys. Administrators can control the key lifecycle.
  • Vault consumer: A vault consumer can perform actions on the assets inside the key vault when the vault owner grants the consumer access. The available actions depend on the permissions granted.

Key Vault authentication

Managed identity:

  • Assigned identity for an Azure resource
  • Fastest way to access the vault from a service without sharing or exposing credentials

Service principal:

  • Can provide certificate or secret
  • Not recommended as it’s difficult to rotate

Key Vaults secret types

Key Vault enables Azure applications and users to store and use several types of secret/key data, including:

  • Cryptographic keys. Key Vault supports multiple key types and algorithms and using hardware security modules (HSMs) for high-value keys.
  • Secrets. Key Vault provides secure storage of secrets, such as passwords and database connection strings.
  • Certificates. Key Vault supports certificates, which are built on top of keys and secrets, and add an automated renewal feature.
  • Azure Storage. Key Vault can manage the keys of an Azure Storage account. Internally, Key Vault can list (sync) keys with an Azure Storage Account and regenerate (rotate) the keys periodically.

Create Key Vault secret by using Azure CLI

Implement secure cloud solutions:
Implement Managed Identities for Azure resources

Implement secure cloud solutions:

Azure AD–managed identity

The managed service identities (MSI) feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without providing any credentials in your code.

  • Keeps credentials out of code
  • Identity automatically managed in Azure AD for Azure resources
  • Uses a local MSI endpoint to get access tokens from Azure AD
  • Direct authentication with services or retrieve credentials from Azure Key Vault

Managed identities implementation

The diagram on the current slide illustrates how a managed identity works with an Azure VM:

  1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a VM or create a user-assigned managed identity and assign it to the VM.
  2. Azure Resource Manager creates a service principal in Azure AD for the VM’s identity. The service principal is created in the Azure AD tenant that’s trusted by the subscription.
  3. Azure Resource Manager configures the identity on the VM. It updates the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate.
  4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
  5. Your code that’s running on the VM can request a token from two endpoints that are accessible only from within the VM
  6. Your code makes a call to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.
  7. Your code sends the access token on a call to a service that supports Azure AD authentication.

System-assigned managed identity

You can enable a system-assigned managed identity directly on an Azure service instance. •

Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. Credentials are provisioned onto the instance after the identity is created. The lifecycle of a system-assigned identity is directly linked to the Azure service instance that it’s enabled on. Azure automatically deletes the credentials and the identity in Azure AD when the instance is deleted.

User-assigned managed identity

An Azure standalone resource can create a user-assigned managed identity.

Through a create process, Azure creates an identity in the Azure AD tenant that’s trusted by the subscription in use. After the identity is created, you can assign the identity to one or more Azure service instances.

Azure manages the lifecycle of a user-assigned identity separately from the lifecycle of the Azure service instances to which it’s assigned.

Types of managed identities

Creation•Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service)•Created as a standalone Azure resource
Lifecycle•Shares a lifecycle with the assigned Azure resource
•When the parent resource is deleted, the managed identity is deleted as well
•Has an independent lifecycle •Must be explicitly deleted
Sharing across Azure resources•Cannot be shared •Can only be associated with a single Azure resource•Can be shared •The same user-assigned managed identity can be associated with more than one Azure resource

Managed identities use cases

System-assigned managed identity:  User-assigned managed identity:  
Workloads that are contained within a single Azure resource
Workloads for which you need independent identities
Workloads that run on multiple resources and which can share a single identity
Workloads that need preauthorization to a secure resource as part of a provisioning flow
Workloads where resources are recycled frequently, but permissions should stay consistent  
Implement secure cloud solutions:
Secure app configuration data by using Azure App Configuration

Implement secure cloud solutions:

Azure App Configuration

  • Service to centrally manage application settings and feature flags
  • Dedicated UI for feature flag management
  • Enhanced security through Azure-managed identities
  • Complete data encryptions at rest or in transit
Programming languages and frameworkHow to connect
.NET Core and ASP.NET CoreApp Configuration provider for .NET Core
.NET Framework and ASP.NETApp Configuration builder for .NET
Java SpringApp Configuration client for Spring Cloud
OthersApp Configuration REST API

Keys and values

App Configuration treats keys as a whole. It doesnt parse keys to figure out how their names are structured or enforce any rule on them.

You can use any unicode character in key names entered into App Configuration except for ” * “, ” , “, and ” \ “. These characters are reserved.

If you need to include a researved character, you must escape it by using “\{Reserved Character}”


Labels are used to differentiate key values with the same key ž

Can be used to specify multiple environments

Key = AppName:DbEndpoint & Label = Test
Key = AppName:DbEndpoint & Label = Staging
Key = AppName:DbEndpoint & Label = Production

Or different versions

Key = AppName:DbEndpoint & Label = 1
Key = AppName:DbEndpoint & Label = 2
Key = AppName:DbEndpoint & Label = 3

Feature Management

Feature management is a modern software-development practice that decouples feature release from code deployment and enables quick changes to feature availability on demand.

It uses a technique called feature flags (also known as feature toggles, features switches, and so on) to dynamically administer a feature lifecycle.

More topics on Implement Azure security:

Implement user authentication and authorization

Microsoft Azure AZ-204 exam topics:

If you have covered the current topics in Implement Azure security then you can have a look at the other topic areas:

View full documentation Microsoft Azure: AZ-204 exam content from Microsoft

Leave a Reply

Your email address will not be published. Required fields are marked *