Enhancing Security in Azure App Service With Key Vault

Securing sensitive data like database credentials, API keys, and connection strings is critical in the digital transformation. Azure App Service, a fully managed platform for hosting web applications, offers a robust security mechanism using Managed Identity and Azure Key Vault. This blog explores how to leverage these services to enhance your application’s security by eliminating the need to store sensitive information in your code. 

What is Managed Identity? 

Managed Identity services in Azure that allow you to authenticate any service or App without needing to manage credentials explicitly. It also provides an identity for your application to access Azure resources securely. It eliminates the need to manage credentials in your application code. 

Benefits of Managed Identity 

Key benefits include: 

It avoids storing credentials in your code and does not allow accidental exposure. 

Managed Identity automatically manages and rotates credentials to simplify the access management lifecycle. 

Any Azure service that supports Managed Identity can be easily integrated into an App Service or Key Vault without implementing custom solutions. 

Types of Managed Identity 

Azure supports two types of managed identities: 

• System-assigned: Automatically created and tied to a specific Azure resource. 

• User-assigned: Created independently and can be shared across multiple resources. 

Xavor can help you implement Managed Identity in your Azure environment today to leverage these benefits and make your applications more secure. 

What is Azure Key Vault? 

Azure Key Vault is a cloud service provided by Microsoft Azure that is designed to securely store and manage secrets, encryption keys, and certificates. It provides: 

You can use Key Vault to safely store and retrieve secrets (connection strings, API keys, or passwords, for instance). Secrets are encrypted at rest and in transit, and you receive an added layer of security. 

With Key Vault, you can generate and manage cryptographic keys. Those keys may support encryption, decryption, or signing operations. 

Key Vault supports X.509 certificate storage and management, and you can import, create, and renew certificates directly from the service. 

Key Vault provides access control based on fine granularity by policies or RBAC. This allows you to provide specific access rights to users and applications. 

Xavor can assist you in integrating Key Vault with Managed Identity; you can securely fetch secrets from Key Vault without embedding sensitive data in your application. 

Step-by-Step Guide to Enhancing Security 

Step# 1. Enable Managed Identity for Azure App Service 

1. Go to your Azure App Service in the Azure portal. 
2. Navigate to the Identity section. 
3. Enable the System-assigned managed identity and save the changes. 

• Azure will automatically create an identity for your app. 

Step# 2. Create and Configure Azure Key Vault 

Create a Key Vault: 

• In the Azure portal, navigate to Key Vaults and create a new Key Vault. 

Add Secrets: 

• Navigate to the Secrets section in your Key Vault and create a new secret (e.g., DatabaseConnectionString). 

Step# 3. Grant Access to Managed Identity 

1. In the Key Vault, go to Access Policies.
2. Add an Access Policy and grant permissions for the managed identity to Get and List secrets. 
3. Save the changes. 

Step# 4. Access Secrets in Your Application 

In your application, fetch secrets using the Azure SDK. Below is a sample code snippet for a .NET application: 

using Azure.Identity; 

using Azure.Security.KeyVault.Secrets; 

public class KeyVaultService 

    private readonly SecretClient _secretClient; 

    public KeyVaultService(string keyVaultUri) 

        _secretClient = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential()); 

    public string GetSecret(string secretName) 

        var secret = _secretClient.GetSecret(secretName); 

        return secret.Value.Value; 

Replace keyVaultUri with the URI of your Key Vault (e.g., https://<YourKeyVaultName>.vault.azure.net). 

Step# 5. Use Secrets in App Service Configuration 

1. Update your application code to replace hardcoded values with values retrieved from Key Vault. 
2. Use environment variables or app settings in Azure App Service to configure the keyVaultUri dynamically. 

Best Practices of Managed Identity 

1. Minimize Secret Access: Use granular access policies in Key Vault to restrict access to specific secrets. 
2. Regularly Rotate Secrets: Periodically update secrets stored in the Key Vault to reduce the risk of unauthorized access. 
3. Monitor Key Vault Access: Enable Azure Monitor and Azure Security Center to track access logs and identify suspicious activity. 
4. Combine with Azure Application Insights: Leverage Application Insights for end-to-end monitoring of your app, including security metrics. 

Conclusion 

By using Azure Managed Identity and Key Vault, you can significantly enhance the security posture of your applications hosted on Azure App Service. If the credentials are not embedded into the code, the risk of leakage decreases greatly, and access management is simplified.  

Remember that security is not a single-point activity but a continuous process. Review and update your security practices occasionally to evolve with threats and ensure that applications are secure. 

If you need further help, you can contact us at [email protected]. We will schedule a free consultation to explore how Xavor can assist you.