Tidy up - Unused Project and Nuget package reference using Visual Studio 2019

If you are a Developer/Architect using Visual Studio as IDE for your development activities, this blog post will be of your interest. During the Ignite 2021 conference, Microsoft released Visual Studio 2019 v16.9 and v16.10 Preview 1. As part of version 16.10 Preview 1, one of the cool features they introduced is to "Remove Unused References..." for any Projects and Nuget packages that are not in use. At the time of writing this blog post, we have Visual Studio Version 16.10.0 (official release) which includes this new feature.  As part of development, we generally get carried away and introduce new Nuget package references to your project and add new references to your Projects. By the end of development, you will not be 100% sure which are not being referenced and unused which means you will leave those unused project references in your application. Now you might be wondering what's the big deal in it since it doesn't harm. The advantage of removing unused project r
Post a Comment

How to secure Azure Container Registry?

Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images in Azure.

Below are the few recommendations for using Azure Container Registry.

  • Image scanning with Azure Security Center

With Azure Security Center, you can get automatic scans of your registries for any threats and vulnerabilities of the images. Note if you're on Azure Security Center's standard tier, you can add the Container Registries bundle. This feature is charged per image scan. Whenever an new image is pushed to your registry, Security Center automatically scans that image. Azure Security Center also provide options or recommendations for resolving those vulnerabilities.

  • Enable Content Trust

Azure Container Registry implements Docker's content trust model, enabling pushing and pulling of signed images. Content trust helps to verify the source and integrity of the images, ensuring that they are the images we expect. As an image publisher, content trust allows you to sign the images you push to your registry. Consumers of your images (people or systems pulling images from your registry) can configure their clients to pull only signed images. 

  • Authorize using Managed Identity and disabling Admin account

As we are aware support for managed identities available for several Azure resources like Key vault, Web Apps, Azure functions etc. similarly option is available for Azure Container Registry.Use a managed identity for Azure resources to authenticate to an Azure container registry from another Azure resource, without needing to provide or manage registry credentials. Whether its System Assigned or User Assigned Managed Identity, ACR supports it.

Additionally you can use an Azure Active Directory (Azure AD) service principal to provide access to your private container registries in Azure Container Registry

Disable the Admin Account on your Container Registry, which is disabled by default. The admin account is designed for a single user to access the registry, mainly for testing purposes. Individual identity is recommended to trace activity on Azure Container Registry

  • Enable Activity Logs for your Container Registry

With the Azure Container Registry, we can get audit log in the "Activity log" menu option in the Azure Portal. Reviewing these logs regularly can helps organisation/teams to explore suspicious and anomalous activity.

  • Role-Based Access Control

Azure Container Registry supports a set of built-in Azure roles that provide different levels of permissions to an Azure container registry. Use RBAC to assign specific permissions to users, service principals, or other identities that need to interact with a registry.

Assign the Reader role to identities/users/principals who needs to only pull images

  • Firewall

With a virtual network or firewall rule in place, you can control the entire traffic flow. 
    • Limit access to a registry by assigning virtual network private IP addresses to the registry endpoints using Azure Private Link.
    • Additionally you can restrict access to a container registry using a service endpoint in an Azure virtual network

  • Repository scoped permissions (Preview)

This enables fine grained control of access to your ACR. For a use case that have multiple images, where different access control is required at repository level instead of providing access to entire registry can be done using scoped permission. With this you can provide an external organization with permissions to a specific repository.This feature is only available in a Premium container registry and still in Preview feature.

  • Encrypt with Customer-Managed Key

This feature enables automatically encrypts the registry content at rest with service-managed keys. This feature is currently in preview and enable as part of creating registry.
Note: Content trust is currently not supported in a registry encrypted with a customer-managed key

References


Comments

Post a Comment

Popular posts from this blog

Tidy up - Unused Project and Nuget package reference using Visual Studio 2019

Image
If you are a Developer/Architect using Visual Studio as IDE for your development activities, this blog post will be of your interest. During the Ignite 2021 conference, Microsoft released Visual Studio 2019 v16.9 and v16.10 Preview 1. As part of version 16.10 Preview 1, one of the cool features they introduced is to "Remove Unused References..." for any Projects and Nuget packages that are not in use. At the time of writing this blog post, we have Visual Studio Version 16.10.0 (official release) which includes this new feature.  As part of development, we generally get carried away and introduce new Nuget package references to your project and add new references to your Projects. By the end of development, you will not be 100% sure which are not being referenced and unused which means you will leave those unused project references in your application. Now you might be wondering what's the big deal in it since it doesn't harm. The advantage of removing unused project r
Read more

Swagger UI for Azure Function v2 & v3 APIs

Image
In this blog post, we will see how to setup Swagger UI for Azure Function APIs in v2 and v3. Now you might be wondering why Swagger? Swagger is a language-agnostic specification for describing REST APIs, it also referred to as OpenAPI. Swagger UI offers a web-based UI that provides information about your REST APIs service. Prerequisites HTTP trigger Azure function provisioned or created in C# Azure DI enabled on Azure Function, for more details refer here  with relevant package version installed based on Azure Function version. Integrating Swagger UI into our Applications 1. Install the appropriate package based on the Azure Function version which you are dealing with from the below table. Unfortunately, it's not a single package for both versions due to Azure function v3 because v3 makes use of ASP.NET Core 3.1 which introduces a new serializer System.Text.Json (STJ) out-of-the-box.  Azure Function Version  Nuget package  v2               AzureFunctions.Extensions.Swashbuckle  v3
Read more

Authenticate Azure Functions - API Keys

Image
In this blog post, we will see one of the ways to secure your Azure Functions using API keys. Security plays a key role as part of SDLC (Software Development Life Cycle) doesn't matter whether it's exposed to the client/public or even if it's internal. There are multiple ways to secure your Azure Functions like API Keys, Certificate,  API Mgmt, App Service Authentication, etc. If you are new to the Cloud and Azure Functions but want to make a start with minimal effort and less setup of Infrastructure, then API Keys is the ideal choice. Azure Functions allows you to secure HTTP-triggered functions by API access key in the request. As part of creating new Azure Functions, we can select the Authorization Level enum value. If we set the Authorisation level to  Anonymous,  no security applied which means no authentication applied for the endpoint. Authorization Level - Function By setting the Authorisation level to Function each Azure Functions require a specific API key to Auth
Read more