Authentication reverse proxy to an app (a static website) for internal users

Giulio Home 1 Reputation point
2023-01-07T17:25:27.047+00:00

This is a follow-up of a previous question where I already posted a few comments.

https://learn.microsoft.com/en-us/answers/questions/149991/restrict-public-access-to-static-website.html?childToView=1155052#comment-1155052

I'm realizing now that there is another issue (for me, in my situation) that I didn't notice before:

"It's important to understand that Azure AD Application Proxy is intended as a VPN or reverse proxy replacement for roaming (or remote) users who need access to internal resources. It's not intended for internal users on the corporate network. Internal users who unnecessarily use Application Proxy can introduce unexpected and undesirable performance issues."

quoted from https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/what-is-application-proxy

So, if I have internal users and I want to authenticate them and restrict access to an application to certain internal AAD user groups, which is the corresponding "authentication" reverse proxy offered by Azure cloud?
Do you know or can you elaborate more about this point? Thank you in advance!
We can assume that the app I'm talking about is a static website and is intended only for a group of internal users.

As a second, related, question: initially I was thinking to accomplish it through an nginx on AKS (which I have already done and looks good to me; I would probably add OAuth as written here https://kristhecodingunicorn.com/post/k8s_nginx_oauth/, or maybe an Apache, e.g. as described here https://cloudiseasy.com/2021/06/13/deploying-apache-server-on-aks-with-azure-files/, but I've not yet tried), mounting the storage account as a file share instead of using the static website of the storage account. Is that solution much heavier to maintain, or does it for any reason not scale well, also in terms of effort to support multiple projects? I don't want to reinvent the wheel if there is already an Azure component doing all that "authentication reverse proxy" stuff, but I also wonder whether the classical nginx or Apache pods are the right choice instead.

Tags: Azure Active Directory, Azure Storage Accounts, Azure Kubernetes Service (AKS)

4 answers

  1. TP 10,446 Reputation points
    2023-01-07T20:57:40.743+00:00

    Hi,

    Does the static website need to stay on the internal network for some reason? How much storage space for all of the files?

    I was thinking you could use Azure App Service with Azure AD authentication. Quick and easy to set up if all you need is to grant certain AAD users/groups access to the site.

    -TP


  2. risolis 5,926 Reputation points
    2023-01-07T20:58:00.887+00:00

    Hello @Gilushish

    Thank you for posting this concern on this community space.

    I would like to share the following observation regarding the scenario stated previously. Please see it down below:

    1. First, I want to bring back some of your statements in order to add some complements to those ideas.

    So, if I have internal users and I want to authenticate them and restrict to certain internal AAD user groups the access to an application, which is the corresponding "authentication" reverse proxy offered by Azure cloud?
    Do you know or can you elaborate more about this point? Thank you in advance!
    We can assume that the app I'm talking about is a static website and is intended only for a group of internal users.

    I don't want to reinvent the wheel if there is already an azure component doing all that "authentication reverse proxy" stuff

    Observation:

    With Application Proxy, Azure AD keeps track of users who need to access web apps published on-premises and in the cloud. It provides a central management point for those apps. While not required, it's recommended you also enable Azure AD Conditional Access. By defining conditions for how users authenticate and gain access, you further ensure that the right people access your applications.

    Let me know if that was useful but if not, I can keep assisting you further.

    Looking forward to your feedback,

    Cheers,



  3. Giulio Home 1 Reputation point
    2023-01-08T11:00:36.003+00:00

    Just to track my own approach, as mentioned in the question itself.
    I would follow https://kristhecodingunicorn.com/post/k8s_nginx_oauth/ and indeed I've already mounted the storage share on an nginx deploy in AKS and I would keep up with:

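An added example (not part of the original thread, nor taken from the linked posts) of the "authentication reverse proxy" the question asks about, built the way the poster's own approach suggests: nginx serving the static files from the mounted Azure Files share, with every request gated by `auth_request` against an oauth2-proxy instance configured for Azure AD. The service name `oauth2-proxy:4180`, the mount path `/mnt/site`, the listen port and the tenant, client and group IDs are placeholders; the oauth2-proxy flags are listed in comments as I understand its current option set, so check them against the version you deploy.

```nginx
# nginx.conf for the static-site pod (added example, not from the original thread).
# Assumed layout (placeholders):
#   - the Azure Files share holding the site is mounted read-only at /mnt/site
#   - oauth2-proxy is reachable inside the cluster at oauth2-proxy:4180
#
# oauth2-proxy is assumed to be started with flags like these (IDs are placeholders):
#   --provider=oidc
#   --oidc-issuer-url=https://login.microsoftonline.com/<tenant-id>/v2.0
#   --client-id=<app-registration-client-id> --client-secret=<client-secret>
#   --cookie-secret=<32 random bytes> --cookie-secure=true
#   --oidc-groups-claim=groups
#   --allowed-group=<object-id-of-the-allowed-AAD-group>
#   --email-domain=contoso.com          # placeholder tenant domain
#   --reverse-proxy=true --set-xauthrequest=true
#
# Only --allowed-group turns "authenticated" into "authorized": without it, any
# account in the tenant that can sign in to the app registration is let through.

server {
    listen 8080;
    server_name _;

    # Auth subrequest: oauth2-proxy answers 202 when the session cookie is valid
    # and the user is in an allowed group, 401 otherwise. No body is forwarded.
    location = /oauth2/auth {
        internal;
        proxy_pass http://oauth2-proxy:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # Login, callback and sign-out endpoints are passed straight to oauth2-proxy.
    location /oauth2/ {
        proxy_pass http://oauth2-proxy:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Everything else: require a valid, group-checked session first, then serve
    # the static files from the mounted share.
    location / {
        auth_request /oauth2/auth;
        # 401 from the subrequest -> start the login flow, returning here afterwards.
        error_page 401 = @login;

        # Identity asserted by oauth2-proxy, available for a log_format if wanted.
        auth_request_set $auth_user $upstream_http_x_auth_request_email;

        root /mnt/site;
        index index.html;
        try_files $uri $uri/ =404;
    }

    location @login {
        return 302 /oauth2/start?rd=$scheme://$host$request_uri;
    }
}
```

Two things this configuration relies on but does not enforce by itself: the storage account's own static-website endpoint and public blob access must stay disabled, otherwise the proxy is simply bypassed by requesting the files from the storage URL (the subject of the poster's earlier question); and the nginx pod should only be reachable through the cluster ingress, which is also where TLS terminates. On the Azure AD side, the `groups` claim has to be enabled in the app registration's token configuration, and for users who belong to a large number of groups Azure AD replaces the list with an overage indicator, so a group check based purely on the claim will fail closed for those users unless the proxy resolves groups through Microsoft Graph instead.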

  4. SaiKishor-MSFT 15,001 Reputation points Microsoft Employee
    2023-01-10T22:17:36.743+00:00

    @Giulio Home Please use this detailed documentation to understand the storage services available, and you can pick one based on your requirements: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/storage-options#learn-more-about-azure-storage-services

    Since you mentioned Blob storage/File storage and Static Website:


    Blob Storage is an object storage solution for the cloud. Blob Storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a specific data model or definition, such as text or binary data.

    Use Blob Storage for the following needs:

    • Serving images or documents directly to a browser.
    • Storing files for distributed access.
    • Streaming video and audio.
    • Writing to log files.
    • Storing data for backup and restore, disaster recovery, and archiving.
    • Storing data for analysis by an on-premises or Azure-hosted service.

    Azure Files provides fully managed, native SMB file shares, without the need to run a virtual machine. You can mount an Azure Files share as a network drive to any Azure virtual machine or on-premises computer.

    And here is the documentation for static website- https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website

    When talking about AKS specifically-

    Best practice guidance

    Understand the needs of your application to pick the right storage. Use high performance, SSD-backed storage for production workloads. Plan for network-based storage when you need multiple concurrent connections.

    Applications often require different types and speeds of storage. Determine the most appropriate storage type by asking the following questions.

    • Do your applications need storage that connects to individual pods?
    • Do your applications need storage shared across multiple pods?
    • Is the storage for read-only access to data?
    • Will the storage be used to write large amounts of structured data?

    The following table outlines the available storage types and their capabilities:

    [Image: table of AKS storage types (Azure Disks, Azure Files) and their capabilities; not reproduced in text]

    AKS provides two primary types of secure storage for volumes backed by Azure Disks or Azure Files. Both use the default Azure Storage Service Encryption (SSE) that encrypts data at rest. Disks cannot be encrypted using Azure Disk Encryption at the AKS node level. With Azure Files shares, there is no limit as to how many can be mounted on a node.


    According to the documentation Azure Files and Azure Blob storage seem to be the recommended solutions especially if you have multiple pods needing concurrent access to the same storage volume.

    Hope this helps. Please do let me know if you have any further questions and I will be glad to assist further. Thank you!
