Road To AZ-204 - Implement Secure Cloud Solutions

Introduction

This article's intention is to explain the main skills measured in this sub-topic of the AZ-204 Certification. Azure Key Vault, App Configuration, and Managed Identities are the main components that will have their fundamentals explained here alongside a practical example.

This certification is very extensive and this article approaches only the main topics, make sure you know those components before taking the exam. Another great tip is to do exam simulators before the official exam in order to validate your knowledge.

What is the Certification AZ-204 - Developing Solutions for Microsoft Azure?

The AZ-204 - Developing Solutions for Microsoft Azure certification measures the skills needed to design, build, test, and maintain an application and/or service in the Microsoft Azure Cloud environment. It covers, among others, the following components.

  • Azure Virtual Machines
  • Docker
  • Azure Containers
  • Service Web App
  • Azure Functions
  • Cosmos DB
  • Azure Storage
  • Azure AD
  • Azure Key Vault
  • Azure Managed Identities
  • Azure Redis Cache
  • Azure Logic App
  • Azure Event Grid
  • Azure Event Hub
  • Azure Notification Hub
  • Azure Service Bus
  • Azure Queue Storage

Target Audience

Any IT professional willing to improve their knowledge of Microsoft Azure is encouraged to take this certification; it is a great way to measure your skills in trending technologies. Some groups of professionals, however, are better placed to take maximum advantage of it.

  • Azure Developers, with at least 1 year of experience with Microsoft Azure.
  • Experienced Software Developers, looking for an Architect position in a hybrid environment.
  • Software Developers, working to move applications to the cloud environment.

Skills Measured

As of this writing, the skills measured in the exam are split as follows.

Benefits of Getting Certified

The main benefit is holding a worldwide recognized certification that proves your knowledge of this topic. Among the intrinsic and extrinsic benefits, we have the following.

  • Higher growth potential, as certifications are a big plus.
  • Discounts and deals in Microsoft products and partners, like PluralSight and UpWork.
  • MCP Newsletters, with trending technologies.
  • Higher exposure on LinkedIn, as recruiters usually search for specific certifications.
  • Becoming more valuable to your company, which usually comes with a higher salary.
  • The unique satisfaction of receiving the result, seeing that you passed, and knowing that all your efforts were worth it.

Main Skills Measured by this Topic

What are Managed Identities?

Azure Managed Identities are identities that Azure AD associates with Azure resources; each identity has its own roles and obtains its own tokens. Managed Identities increase your security because one resource can be granted access to another directly, without any credential being shared or sent over the network: the resource authenticates against Azure AD, which checks whether it has sufficient rights to manipulate the target resource. As an example, we can make our applications access Azure Key Vault to retrieve a secret without exposing any kind of password. Managed Identities are available in two types, as follows.

  • System-assigned identities are created and managed by Azure AD when we enable a managed identity on a service instance.
  • User-assigned identities, also called custom-managed identities, are created and managed manually.

What is Azure Key Vault?

Azure Key Vault is the Azure cloud service designed to store keys, secrets, and certificates. It increases your application's security and customization: Key Vault can use Azure AD authentication so that other applications or services access it without any confidential information being exposed in the request.

Your security is increased because it avoids exposing your app secrets, such as connection strings, passwords, and certificates when deploying your apps or storing them in a shared repository. You can store all your app secrets, keys, and certificates in the Azure Key Vault and give access to your app internally to retrieve this information.

Your customization is increased because you can define environment variables stored in your Azure Key Vault; those variables are stored securely and can be used by a wide range of applications. Also, different environments can point to different values.

Azure Key Vault has two different types of containers: vaults and HSM pools. Vaults support storing software-protected and HSM-backed keys, secrets, and certificates, while HSM pools only support HSM-backed keys. To understand Key Vault better, the following main terms need to be explained.

  • Key: API keys, with support for multiple key types and algorithms.
  • Secret: any kind of password or protected information.
  • Certificate: certificates, with an auto-renewal feature.

Also, Azure provides a REST API to manage your Azure Key Vault; its main functionalities are as follows.

  • Create a key or secret
  • Import a key or secret
  • Revoke a key or secret
  • Delete a key or secret
  • Authorize users or apps to access their keys or secrets
  • Monitor and manage key usage

The Azure Key Vault REST API supports three different types of authentication, as follows.

  • Managed Identities: using managed identity authentication is recommended as a best practice.
  • Service Principal and Certificate: using a pre-configured security principal with an associated certificate.
  • Service Principal and Secret: using a pre-configured security principal with a secret.

What is Azure App Configuration?

Azure App Configuration is an Azure service that helps you centralize your application settings in a single location. It is great for multi-environment and multi-geography applications, as it offers a dynamic way to change application settings without restarting the applications. It also works together with Azure Key Vault, which is where the application secrets are stored.

Azure App Configuration's main benefits are as follows.

  • Easy and fast to set up
  • Data encryption at rest and in transit
  • Labels
  • High security through access to other resources with Managed Identities
  • A point-in-time replay of settings with the Restore functionality
  • Data Import and Export
  • Data Comparison

Practical Examples

Connecting Azure Key Vault with .Net Web API

Here we will be using .Net with Azure Key Vault and App Configuration to retrieve secure data. The focus is the connection to and consumption of Key Vault and App Configuration, so we will be using the following existing project.

Using Key Vault

Requirements

  • Azure Key Vault previously created
  • Nuget Azure.Security.KeyVault.Secrets
  • Nuget Azure.Identity
  • Having a secret created named "sampleSecret"

The following example authenticates to Key Vault as the signed-in user, and Key Vault checks whether that user has the right to read the secret. This is configured in the Key Vault Access Policies.

Vault Access Policies

Controller Code

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

private readonly string keyVaultURI = "https://azurekeyvaultsample.vault.azure.net/";

[HttpGet]
public async Task<IActionResult> Index()
{
    // DefaultAzureCredential uses the signed-in developer (Visual Studio, Azure CLI) locally
    // and the managed identity when the app runs in Azure; no secret is stored in the app.
    var client = new SecretClient(new Uri(keyVaultURI), new DefaultAzureCredential());

    // Await the call instead of blocking on .Result; Response<KeyVaultSecret> converts implicitly.
    KeyVaultSecret secret = await client.GetSecretAsync("sampleSecret");
    ViewBag.Secret = secret.Value;
    return View();
}

View Code

@if (ViewBag.Secret != null)
{
    <label>You have a hidden secret retrieved by Azure Key Vault: @ViewBag.Secret</label>
}

Result


Using Key Vault connected with App

Requirements

  • Azure Key Vault previously created
  • Azure Application registered
  • Nuget Azure.Security.KeyVault.Secrets
  • Nuget Azure.Identity
  • Having a secret created named "sampleSecret"

Add an access policy from your Azure Key Vault to your App. From your Azure Key Vault go to Access Policies and then click on Add Access Policy.

Select permissions for each type of resource and on Select Principal, select your App previously registered.


Controller Code

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

private readonly string keyVaultURI = "https://azurekeyvaultsampletwo.vault.azure.net/";
// Values from the app registration; load them from configuration, never commit them to source control.
private readonly string tenantId = "";        // placeholder: Directory (tenant) ID
private readonly string clientAppID = "";     // placeholder: Application (client) ID
private readonly string clientAppSecret = ""; // placeholder: client secret

[HttpGet]
public async Task<IActionResult> Index()
{
    // "Service Principal and Secret" authentication with the Azure.Identity package listed in
    // the requirements; this replaces the deprecated KeyVaultClient/ADAL token callback.
    var credential = new ClientSecretCredential(tenantId, clientAppID, clientAppSecret);
    var client = new SecretClient(new Uri(keyVaultURI), credential);

    KeyVaultSecret secret = await client.GetSecretAsync("sampleSecret");
    ViewBag.Secret = secret.Value;
    return View();
}

Key Vault API Practical Examples

Pre-Requisites

  • Azure Key Vault previously created; in this example the Key Vault name is azurekeyvaultsampletwo.
  • Have your Azure Key Vault authentication token configured in the request header.
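Before the token can be placed in the request header, the Key Vault REST API tells an unauthenticated caller where to obtain it through an HTTP 401 challenge. The following added Python example (not from the original article) parses that challenge, checks that it really belongs to the vault being called before any token is attached, prepares the token request for the "Service Principal and Secret" flow, and builds the requests used in the sections below. The challenge header and the tenant ID in it are constructed sample values.

```python
import re
from urllib.parse import urlsplit, urlencode

API_VERSION = "7.1"
VAULT_URI = "https://azurekeyvaultsampletwo.vault.azure.net/"

# Constructed sample of the WWW-Authenticate header Key Vault returns with HTTP 401
# when a request carries no token (the tenant ID below is a placeholder).
SAMPLE_CHALLENGE = (
    'Bearer authorization="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000", '
    'resource="https://vault.azure.net"'
)


def parse_bearer_challenge(header: str) -> dict:
    """Split a Bearer challenge into its key="value" parameters."""
    if not header.startswith("Bearer "):
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Bearer "):]))


def challenge_matches_vault(vault_uri: str, challenge: dict) -> bool:
    """Accept the challenge only if its resource is the Key Vault service the vault lives in.

    A token issued for vault.azure.net must never be sent to a host that merely claims to be
    a vault; the Azure SDKs apply the same check before adding the Authorization header.
    """
    resource = challenge.get("resource", "")
    if not resource and challenge.get("scope", "").endswith("/.default"):
        resource = challenge["scope"][: -len("/.default")]
    vault_host = urlsplit(vault_uri).hostname or ""
    resource_host = urlsplit(resource).hostname or ""
    return bool(resource_host) and vault_host.endswith("." + resource_host)


def token_request(challenge: dict, client_id: str, client_secret: str) -> tuple:
    """Return (token endpoint, form body) for the client-credentials flow named in the challenge."""
    endpoint = challenge["authorization"].rstrip("/") + "/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": challenge["resource"] + "/.default",
    })
    return endpoint, body


def build_request(method: str, vault_uri: str, object_type: str, name: str,
                  operation: str = None, token: str = None) -> tuple:
    """Build (method, url, headers) for the Key Vault REST calls shown in this article."""
    path = f"{object_type}/{name}" + (f"/{operation}" if operation else "")
    url = f"{vault_uri.rstrip('/')}/{path}?api-version={API_VERSION}"
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return method, url, headers
```

The token returned by the endpoint is what goes into the Authorization header of every request below; `build_request` never attaches it unless the challenge passed the vault check.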

Creating Keys, Secrets, and Certificates

Creating Keys

POST https://azurekeyvaultsampletwo.vault.azure.net/keys/sampleKey/create?api-version=7.1
{
  "kty": "RSA",
  "key_size": 2048,
  "key_ops": [
    "encrypt",
    "decrypt",
    "sign",
    "verify",
    "wrapKey",
    "unwrapKey"
  ],
  "attributes": {},
  "tags": {
    "purpose": "unit test",
    "test name": "CreateGetDeleteKeyTest"
  }
}

Creating/Updating Secrets

PUT https://azurekeyvaultsampletwo.vault.azure.net/secrets/sampleSecret?api-version=7.1
{
  "value": "my secret value"
}

Creating Certificates

POST https://azurekeyvaultsampletwo.vault.azure.net/certificates/sampleCertificate/create?api-version=7.1
{
  "policy": {
    "key_props": {
      "exportable": true,
      "kty": "RSA",
      "key_size": 2048,
      "reuse_key": false
    },
    "secret_props": {
      "contentType": "application/x-pkcs12"
    },
    "x509_props": {
      "subject": "CN=*.microsoft.com",
      "sans": {
        "dns_names": [
          "onedrive.microsoft.com",
          "xbox.microsoft.com"
        ]
      }
    },
    "issuer": {
      "name": "Self"
    }
  }
}

Importing Keys and Certificates

Importing Keys

PUT https://azurekeyvaultsampletwo.vault.azure.net/keys/sampleKey?api-version=7.1
{
  "key": {
    "kty": "RSA",
    "n": "nKAwarTrOpzd1hhH4cQNdVTgRF-b0ubPD8ZNVf0UXjb62QuAk3Dn68ESThcF7SoDYRx2QVcfoMC9WCcuQUQDieJF-lvJTSer1TwH72NBovwKlHvrXqEI0a6_uVYY5n-soGt7qFZNbwQLdWWA6PrbqTLIkv6r01dcuhTiQQAn6OWEa0JbFvWfF1kILQIaSBBBaaQ4R7hZs7-VQTHGD7J1xGteof4gw2VTiwNdcE8p5UG5b6S9KQwAeET4yB4KFPwQ3TDdzxJQ89mwYVi_sgAIggN54hTq4oEKYJHBOMtFGIN0_HQ60ZSUnpOi87xNC-8VFqnv4rfTQ7nkK6XMvjMVfw",
    "e": "AQAB",
    "d": "GeT1_D5LAZa7qlC7WZ0DKJnOth8kcPrN0urTEFtWCbmHQWkAad_px_VUpGp0BWDDzENbXbQcu4QCCdf4crve5eXt8dVI86OSah-RpEdBq8OFsETIhg2Tmq8MbYTJexoynRcIC62xAaCmkFMmu931gQSvWnYWTEuOPgmD2oE_F-bP9TFlGRc69a6MSbtcSRyFTsd5KsUr40QS4zf2W4kZCOWejyLuxk88SXgUqcJx86Ulc1Ol1KkTBLadvReAZCyCMwKBlNRGw46BU_iK0vK7rTD9fmEd639Gjti6eLpnyQYpnVe8uGgwVU1fHBkAKyapWoEG6VMhMntcrvgukKLIsQ",
    "dp": "ZGnmWx-Nca71z9a9vvT4g02iv3S-3kSgmhl8JST09YQwK8tfiK7nXnNMtXJi2K4dLKKnLicGtCzB6W3mXdLcP2SUOWDOeStoBt8HEBT4MrI1psCKqnBum78WkHju90rBFj99amkP6UeQy5EASAzgmKQu2nUaUnRV0lYP8LHMCkE",
    "dq": "dtpke0foFs04hPS6XYLA5lc7-1MAHfZKN4CkMAofwDqPmRQzCxpDJUk0gMWGJEdU_Lqfbg22Py44cci0dczH36NW3UU5BL86T2_SPPDOuyX7kDscrIJCdowxQCGJHGRBEozM_uTL46wu6UnUIv7m7cuGgodJyZBcdwpo6ziFink",
    "qi": "Y9KD5GaHkAYmAqpOfAQUMr71QuAAaBb0APzMuUvoEYw39PD3_vJeh9HZ15QmJ8zCX10-nlzUB-bWwvK-rGcJXbK4pArilr5MiaYv7e8h5eW2zs2_itDJ6Oebi-wVbMhg7DvUTBbkCvPhhIedE4UlDQmMYP7RhzVVs7SfmkGs_DQ",
    "p": "v1jeCPnuJQM2PW2690Q9KJk0Ulok8VFGjkcHUHVi3orKdy7y_TCIWM6ZGvgFzI6abinzYbTEPKV4wFdMAwvOWmawXj5YrsoeB44_HXJ0ak_5_iP6XXR8MLGXbd0ZqsxvAZyzMj9vyle7EN2cBod6aenI2QZoRDucPvjPwZsZotk",
    "q": "0Yv-Dj6qnvx_LL70lUnKA6MgHE_bUC4drl5ZNDDsUdUUYfxIK4G1rGU45kHGtp-Qg-Uyf9s52ywLylhcVE3jfbjOgEozlSwKyhqfXkLpMLWHqOKj9fcfYd4PWKPOgpzWsqjA6fJbBUMYo0CU2G9cWCtVodO7sBJVSIZunWrAlBc"
  },
  "tags": {
    "purpose": "unit test"
  }
}

Importing Certificates

POST https://azurekeyvaultsampletwo.vault.azure.net/certificates/sampleCertificate/import?api-version=7.1
{
  "value": "MIIJOwIBAzCCCPcGCSqGSIb3DQEHAaCCCOgEggjkMIII4DCCBgkGCSqGSIb3DQEHAaCCBfoEggX2MIIF8jCCBe4GCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAj15YH9pOE58AICB9AEggTYLrI+SAru2dBZRQRlJY7XQ3LeLkah2FcRR3dATDshZ2h0IA2oBrkQIdsLyAAWZ32qYR1qkWxLHn9AqXgu27AEbOk35+pITZaiy63YYBkkpR+pDdngZt19Z0PWrGwHEq5z6BHS2GLyyN8SSOCbdzCz7blj3+7IZYoMj4WOPgOm/tQ6U44SFWek46QwN2zeA4i97v7ftNNns27ms52jqfhOvTA9c/wyfZKAY4aKJfYYUmycKjnnRl012ldS2lOkASFt+lu4QCa72IY6ePtRudPCvmzRv2pkLYS6z3cI7omT8nHP3DymNOqLbFqr5O2M1ZYaLC63Q3xt3eVvbcPh3N08D1hHkhz/KDTvkRAQpvrW8ISKmgDdmzN55Pe55xHfSWGB7gPw8sZea57IxFzWHTK2yvTslooWoosmGxanYY2IG/no3EbPOWDKjPZ4ilYJe5JJ2immlxPz+2e2EOCKpDI+7fzQcRz3PTd3BK+budZ8aXX8aW/lOgKS8WmxZoKnOJBNWeTNWQFugmktXfdPHAdxMhjUXqeGQd8wTvZ4EzQNNafovwkI7IV/ZYoa++RGofVR3ZbRSiBNF6TDj/qXFt0wN/CQnsGAmQAGNiN+D4mY7i25dtTu/Jc7OxLdhAUFpHyJpyrYWLfvOiS5WYBeEDHkiPUa/8eZSPA3MXWZR1RiuDvuNqMjct1SSwdXADTtF68l/US1ksU657+XSC+6ly1A/upz+X71+C4Ho6W0751j5ZMT6xKjGh5pee7MVuduxIzXjWIy3YSd0fIT3U0A5NLEvJ9rfkx6JiHjRLx6V1tqsrtT6BsGtmCQR1UCJPLqsKVDvAINx3cPA/CGqr5OX2BGZlAihGmN6n7gv8w4O0k0LPTAe5YefgXN3m9pE867N31GtHVZaJ/UVgDNYS2jused4rw76ZWN41akx2QN0JSeMJqHXqVz6AKfz8ICS/dFnEGyBNpXiMRxrY/QPKi/wONwqsbDxRW7vZRVKs78pBkE0ksaShlZk5GkeayDWC/7Hi/NqUFtIloK9XB3paLxo1DGu5qqaF34jZdktzkXp0uZqpp+FfKZaiovMjt8F7yHCPk+LYpRsU2Cyc9DVoDA6rIgf+uEP4jppgehsxyT0lJHax2t869R2jYdsXwYUXjgwHIV0voj7bJYPGFlFjXOp6ZW86scsHM5xfsGQoK2Fp838VT34SHE1ZXU/puM7rviREHYW72pfpgGZUILQMohuTPnd8tFtAkbrmjLDo+k9xx7HUvgoFTiNNWuq/cRjr70FKNguMMTIrid+HwfmbRoaxENWdLcOTNeascER2a+37UQolKD5ksrPJG6RdNA7O2pzp3micDYRs/+s28cCIxO//J/d4nsgHp6RTuCu4+Jm9k0YTw2Xg75b2cWKrxGnDUgyIlvNPaZTB5QbMid4x44/lE0LLi9kcPQhRgrK07OnnrMgZvVGjt1CLGhKUv7KFc3xV1r1rwKkosxnoG99oCoTQtregcX5rIMjHgkc1IdflGJkZzaWMkYVFOJ4Weynz008i4ddkske5vabZs37Lb8iggUYNBYZyGzalruBgnQyK4fz38Fae4nWYjyildVfgyo/fCePR2ovOfphx9OQJi+M9BoFmPrAg+8ARDZ+R+5yzYuEc9ZoVX7nkp7LTGB3DANBgkrBgEEAYI3EQIxADATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IAGEAOAAwAGQAZgBmADgANgAtAGUAOQA2AGUALQA0ADIAMgA0AC0AYQBhADEAMQAtAGIAZAAxADkANABkADUAYQA2AGIANwA3MF0G
CSsGAQQBgjcRATFQHk4ATQBpAGMAcgBvAHMAbwBmAHQAIABTAHQAcgBvAG4AZwAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIwggLPBgkqhkiG9w0BBwagggLAMIICvAIBADCCArUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECNX+VL2MxzzWAgIH0ICCAojmRBO+CPfVNUO0s+BVuwhOzikAGNBmQHNChmJ/pyzPbMUbx7tO63eIVSc67iERda2WCEmVwPigaVQkPaumsfp8+L6iV/BMf5RKlyRXcwh0vUdu2Qa7qadD+gFQ2kngf4Dk6vYo2/2HxayuIf6jpwe8vql4ca3ZtWXfuRix2fwgltM0bMz1g59d7x/glTfNqxNlsty0A/rWrPJjNbOPRU2XykLuc3AtlTtYsQ32Zsmu67A7UNBw6tVtkEXlFDqhavEhUEO3dvYqMY+QLxzpZhA0q44ZZ9/ex0X6QAFNK5wuWxCbupHWsgxRwKftrxyszMHsAvNoNcTlqcctee+ecNwTJQa1/MDbnhO6/qHA7cfG1qYDq8Th635vGNMW1w3sVS7l0uEvdayAsBHWTcOC2tlMa5bfHrhY8OEIqj5bN5H9RdFy8G/W239tjDu1OYjBDydiBqzBn8HG1DSj1Pjc0kd/82d4ZU0308KFTC3yGcRad0GnEH0Oi3iEJ9HbriUbfVMbXNHOF+MktWiDVqzndGMKmuJSdfTBKvGFvejAWVO5E4mgLvoaMmbchc3BO7sLeraHnJN5hvMBaLcQI38N86mUfTR8AP6AJ9c2k514KaDLclm4z6J8dMz60nUeo5D3YD09G6BavFHxSvJ8MF0Lu5zOFzEePDRFm9mH8W0N/sFlIaYfD/GWU/w44mQucjaBk95YtqOGRIj58tGDWr8iUdHwaYKGqU24zGeRae9DhFXPzZshV1ZGsBQFRaoYkyLAwdJWIXTi+c37YaC8FRSEnnNmS79Dou1Kc3BvK4EYKAD2KxjtUebrV174gD0Q+9YuJ0GXOTspBvCFd5VT2Rw5zDNrA/J3F5fMCk4wOzAfMAcGBSsOAwIaBBSxgh2xyF+88V4vAffBmZXv8Txt4AQU4O/NX4MjxSodbE7ApNAMIvrtREwCAgfQ",
  "pwd": "123",
  "policy": {
    "key_props": {
      "exportable": true,
      "kty": "RSA",
      "key_size": 2048,
      "reuse_key": false
    },
    "secret_props": {
      "contentType": "application/x-pkcs12"
    }
  }
}

Retrieving Keys, Secrets, and Certificates

Retrieving Keys

GET https://azurekeyvaultsampletwo.vault.azure.net/keys/sampleKey?api-version=7.1

Retrieving Secrets

GET https://azurekeyvaultsampletwo.vault.azure.net/secrets/sampleSecret?api-version=7.1

Retrieving Certificates

GET https://azurekeyvaultsampletwo.vault.azure.net/certificates/sampleCertificate?api-version=7.1

Deleting Keys, Secrets, and Certificates

Deleting Keys

DELETE https://azurekeyvaultsampletwo.vault.azure.net/keys/sampleKey?api-version=7.1

Deleting Secrets

DELETE https://azurekeyvaultsampletwo.vault.azure.net/secrets/sampleSecret?api-version=7.1

Deleting Certificates

DELETE https://azurekeyvaultsampletwo.vault.azure.net/certificates/sampleCertificate?api-version=7.1

Azure App Configuration with Azure Key Vault in a .Net Web API using Managed Identities

Pre-requisites

  • Azure App Configuration previously created; here named appConfigurationSample.
  • Azure Key Vault previously created; here named sampleazkeyvault.
  • A secret in your Azure Key Vault; here named sampleSecret.
  • Nuget Azure.Identity.
  • Nuget Microsoft.Extensions.Configuration.AzureAppConfiguration.

From your Azure App Configuration, go to Configurations Explorer, under Operations, and click on Create and then Key Vault reference.


Point to your existing secret on your Azure Key Vault.


Enable the managed identity for your App Configuration (it may already be enabled).

Then, click on Azure role assignments.


In Scope, select Key Vault, then in Resource select your Key Vault resource, select an appropriate role for it, and click on Save. Here I will set it as Owner.


From our .Net project, update Program.cs to include the connection to your Azure App Configuration and Azure Key Vault.

using Azure.Identity;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((hostingContext, config) =>
        {
            config.AddAzureAppConfiguration(options =>
            {
                // The connection string contains an access key: read it from an environment
                // variable or user secrets rather than hard-coding it in Program.cs.
                options.Connect("your app configuration connection string goes here")
                       // Key Vault references are resolved by the app itself, so this credential
                       // (managed identity in Azure, developer identity locally) needs read access to the vault.
                       .ConfigureKeyVault(kv =>
                       {
                           kv.SetCredential(new DefaultAzureCredential());
                       });
            });
        })
        .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());

In your controller, receive an IConfiguration through dependency injection and retrieve your secrets from it.

using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

private readonly IConfiguration configuration;

public HomeController(IConfiguration configuration)
{
    this.configuration = configuration;
}

[HttpGet]
public IActionResult Index()
{
    // "samplekeyonappconfiguration" is the App Configuration key that holds the Key Vault
    // reference; the provider resolves it to the secret's value transparently.
    ViewBag.Secret = this.configuration["samplekeyonappconfiguration"];
    return View();
}

Result


Complete the code on GitHub.

Other Managed Identities practical examples

This is a huge topic, covered in depth by my friend in his article with a .Net Web API practical example. Please check Use Azure Active Directory Managed Identities for your services.

External References