Azure Managed Identities are identities that Azure AD associates with Azure resources; each identity has its own roles and obtains its own token. Managed Identities improve security because a resource can be granted access to other resources directly, without any credential being shared over the network: the resource authenticates against Azure AD, which checks whether it has sufficient rights to manipulate the target resource. For example, an application can use a managed identity to retrieve a secret from Azure Key Vault without any password being exposed. Managed Identities come in two types:
- System-assigned identities, which are created and managed by Azure AD when a managed identity is enabled on a service instance;
- User-assigned identities, also called custom managed identities, which are created and managed manually.
What is Azure Key Vault?
Azure Key Vault is the Azure cloud service designed to store keys, secrets, and certificates. It improves application security and customization: access to Key Vault is controlled through Azure AD, so other applications or services can request information from it without any confidential information being exposed.
Security improves because app secrets such as connection strings, passwords, and certificates are no longer exposed when you deploy your apps or store them in a shared repository. All app secrets, keys, and certificates can be kept in Azure Key Vault, and your app is granted access internally to retrieve them.
Customization improves because you can define environment variables stored in your Azure Key Vault; those variables are stored securely and may be used by a wide range of applications. You can also have different environments pointing to different values.
Azure Key Vault has two different types of containers: vaults and HSM pools. Vaults support storing software-protected and HSM-backed keys, secrets, and certificates, while HSM pools only support HSM-backed keys. To understand Key Vault, the following main terms need to be explained:
- Key: keys exposed through the Key Vault API, with support for multiple key types and algorithms;
- Secret: any kind of password or other protected information;
- Certificate: certificates, with an auto-renewal feature.
Azure also provides a REST API to manage your Azure Key Vault; its main functions are as follows:
- Create a key or secret;
- Import a key or secret;
- Revoke a key or secret;
- Delete a key or secret;
- Authorize users or apps to access its keys or secrets;
- Monitor and manage key usage.
The Azure Key Vault REST API supports three different types of authentication:
- Managed Identities; using managed identity authentication is the recommended best practice;
- Service principal and certificate, using a pre-configured security principal with an associated certificate;
- Service principal and secret, using a pre-configured security principal with a secret.
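The following C# program is an added example, not code from the original article. It illustrates both the two managed identity types described at the start of the page (system-assigned, selected with no parameters, and user-assigned, selected by its client id) and the three Key Vault authentication modes listed above, using the Azure.Identity and Azure.Security.KeyVault.Secrets packages. The vault URL, environment variable names and the secret name are placeholders chosen for the example; the KeyVaultAuthMode enum and KeyVaultAccess class are hypothetical names, not part of any Azure SDK.

```csharp
// Added example (not from the original article): choosing the Key Vault credential type
// with Azure.Identity and reading a secret with Azure.Security.KeyVault.Secrets.
// Vault URL, environment variable names and the secret name are placeholders.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public enum KeyVaultAuthMode
{
    ManagedIdentity,             // recommended: no credential material lives in the app
    ServicePrincipalCertificate, // certificate-backed service principal
    ServicePrincipalSecret       // secret-backed service principal (least preferred)
}

public static class KeyVaultAccess
{
    // Builds the TokenCredential for the selected authentication mode.
    public static TokenCredential BuildCredential(KeyVaultAuthMode mode, string? userAssignedClientId = null)
    {
        switch (mode)
        {
            case KeyVaultAuthMode.ManagedIdentity:
                // A system-assigned identity needs no parameters. A user-assigned identity is
                // selected by its client id, because several identities may be attached to one resource.
                return userAssignedClientId is null
                    ? new ManagedIdentityCredential()
                    : new ManagedIdentityCredential(userAssignedClientId);

            case KeyVaultAuthMode.ServicePrincipalCertificate:
                // The certificate (with private key) is read from a path supplied by the hosting
                // environment; it is never committed to the repository.
                return new ClientCertificateCredential(
                    tenantId: RequiredEnv("AZURE_TENANT_ID"),
                    clientId: RequiredEnv("AZURE_CLIENT_ID"),
                    clientCertificatePath: RequiredEnv("AZURE_CLIENT_CERTIFICATE_PATH"));

            case KeyVaultAuthMode.ServicePrincipalSecret:
                // A client secret is itself a secret that has to be stored and rotated,
                // which is why this mode is the least preferred of the three.
                return new ClientSecretCredential(
                    tenantId: RequiredEnv("AZURE_TENANT_ID"),
                    clientId: RequiredEnv("AZURE_CLIENT_ID"),
                    clientSecret: RequiredEnv("AZURE_CLIENT_SECRET"));

            default:
                throw new ArgumentOutOfRangeException(nameof(mode));
        }
    }

    // Reads one secret value from the vault with the chosen credential.
    public static async Task<string> ReadSecretAsync(Uri vaultUri, string secretName, TokenCredential credential)
    {
        var client = new SecretClient(vaultUri, credential);
        KeyVaultSecret secret = await client.GetSecretAsync(secretName);
        return secret.Value;
    }

    private static string RequiredEnv(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Environment variable {name} is not set.");

    public static async Task Main()
    {
        // Placeholder vault URL; replace with your own vault name.
        var vaultUri = new Uri("https://<your-vault-name>.vault.azure.net/");

        // System-assigned managed identity; pass a client id for a user-assigned one.
        TokenCredential credential = BuildCredential(KeyVaultAuthMode.ManagedIdentity);

        string connectionString = await ReadSecretAsync(vaultUri, "SqlConnectionString", credential);

        // Use the value; never write it to logs or responses.
        Console.WriteLine($"Secret retrieved, length {connectionString.Length}");
    }
}
```

Running this requires the host (an App Service, VM, Function or container with a managed identity) to have been granted read access to secrets on the vault; on a developer machine without a managed identity endpoint the ManagedIdentityCredential branch fails at token acquisition, which is the expected behaviour rather than a bug.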
What is Azure App Configuration?
Azure App Configuration is an Azure service that helps you centralize your application settings in a single location. It is well suited to multi-environment and multi-geography applications, as it offers a dynamic way to change application settings without restarting the applications. It also works together with Azure Key Vault, which is where the application secrets are stored.
The main benefits of Azure App Configuration are as follows:
- Easy and fast to set up;
- Data encryption at rest and in transit;
- Labels;
- High security through access to other resources with Managed Identities;
- Point-in-time replay of settings with the Restore functionality;
- Data Import and Export;
- Data Comparison;
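The following Program.cs is an added example, not code from the original article. It shows the App Configuration features listed above in an ASP.NET Core app: a managed identity for access, labels to select per-environment values, Key Vault references so that secrets stay in Key Vault, and dynamic refresh without a restart. It assumes the Azure.Identity and Microsoft.Azure.AppConfiguration.AspNetCore packages (version 7.x, where the refresh method is named SetCacheExpiration) and the Web SDK with implicit usings; the endpoint, key names and label values are placeholders chosen for the example.

```csharp
// Added example (not from the original article): Azure App Configuration in an ASP.NET Core
// app with a managed identity, labels, Key Vault references and dynamic refresh.
// Endpoint, key names and labels are placeholders.
using Azure.Identity;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;

var builder = WebApplication.CreateBuilder(args);

// One identity serves both App Configuration and the Key Vault references it contains.
var credential = new DefaultAzureCredential();

// The label is chosen per environment, for example "Development" or "Production".
string label = builder.Environment.EnvironmentName;

builder.Configuration.AddAzureAppConfiguration(options =>
{
    options.Connect(new Uri("https://<your-appconfig-name>.azconfig.io"), credential)
           // Load unlabeled keys first, then let the environment label override them.
           .Select(KeyFilter.Any, LabelFilter.Null)
           .Select(KeyFilter.Any, label)
           // Key Vault references are resolved with the same identity, so no secret value
           // is ever stored in App Configuration itself.
           .ConfigureKeyVault(kv => kv.SetCredential(credential))
           // A sentinel key: changing it reloads every setting without restarting the app.
           .ConfigureRefresh(refresh =>
           {
               refresh.Register("App:Sentinel", label, refreshAll: true)
                      .SetCacheExpiration(TimeSpan.FromMinutes(5));
           });
});

// Registers the refresher used by the middleware below.
builder.Services.AddAzureAppConfiguration();

var app = builder.Build();

// Triggers a refresh check on incoming requests once the cache interval has elapsed.
app.UseAzureAppConfiguration();

app.MapGet("/settings/banner", (IConfiguration config) =>
{
    // A plain setting whose value may differ per label.
    return Results.Ok(new { banner = config["App:Banner"] });
});

app.MapGet("/db/ping", (IConfiguration config) =>
{
    // "Db:ConnectionString" is stored in App Configuration as a Key Vault reference and
    // resolved from the vault at load time. Report only whether it resolved, never its value.
    string? cs = config["Db:ConnectionString"];
    return Results.Ok(new { connectionStringConfigured = !string.IsNullOrEmpty(cs) });
});

app.Run();
```

Registering a single sentinel key with refreshAll keeps the refresh cheap (one key is polled instead of the whole store) and makes configuration changes atomic from the app's point of view: operators update the real settings first and bump the sentinel last.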
Practical Examples
Connecting Azure Key Vault with .Net Web API
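As an added example for this section (not code from the original article), the Program.cs below connects a .NET Web API to Azure Key Vault through the Azure.Extensions.AspNetCore.Configuration.Secrets configuration provider, so secrets appear as ordinary IConfiguration entries; it assumes that package plus Azure.Identity, the Web SDK with implicit usings, and a managed identity on the host. The KeyVault:Name setting, the vault name and the secret name are placeholders chosen for the example.

```csharp
// Added example (not from the original article): a minimal .NET Web API that loads its
// secrets from Azure Key Vault via the configuration provider and a managed identity.
// The KeyVault:Name setting and the secret names are placeholders.
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// The vault name comes from appsettings or an environment variable, so the same code runs
// locally (user secrets or environment variables supply the keys) and in Azure (Key Vault).
string? vaultName = builder.Configuration["KeyVault:Name"];
if (!string.IsNullOrEmpty(vaultName))
{
    // Key Vault secret names cannot contain ':'. The provider maps "--" to the ':' section
    // separator, so a secret named "ConnectionStrings--Default" is exposed to the app as
    // "ConnectionStrings:Default".
    builder.Configuration.AddAzureKeyVault(
        new Uri($"https://{vaultName}.vault.azure.net/"),
        new DefaultAzureCredential());
}

builder.Services.AddControllers();

var app = builder.Build();

// Health endpoint that confirms the secret resolved without returning its value.
app.MapGet("/health/secrets", (IConfiguration config) =>
{
    bool ok = !string.IsNullOrEmpty(config.GetConnectionString("Default"));
    return ok ? Results.Ok(new { status = "ok" }) : Results.StatusCode(503);
});

app.MapControllers();
app.Run();
```

Because the secrets are merged into IConfiguration, controllers and services keep reading `ConnectionStrings:Default` through the usual options or IConfiguration APIs; nothing in the request path knows whether the value came from Key Vault or from a local development source.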