Capture-the-Flag with CTFd on Azure PaaS

Azure Database for MariaDB
Azure Key Vault
Azure Log Analytics
Azure Private Link
Azure Container Registry

A Capture the Flag (CTF) event is a gamified exercise designed to test engineering skills such as cybersecurity, DevOps, or operational troubleshooting. This example scenario shows how to run a capture-the-flag game service by using Azure PaaS and the open-source CTFd platform.

Architecture

Diagram showing the architecture overview of the Azure components involved in a CTFd system.

Download a PowerPoint file of this architecture.

Workflow

This scenario covers an open-source capture-the-flag solution based on CTFd in which customers can provision and configure a game service.

  1. The CTFd Docker image is pulled from Azure Container Registry and is ready to serve customers.
  2. CTF administrators and participants navigate to the Capture-the-flag web application from any device.
  3. The web application is provided by the CTFd platform as a Docker container that runs on an Azure App Service Web App for Containers.
  4. The CTFd data, including users, challenges, flags, and game plays, is maintained in an Azure Database for MariaDB.
  5. The state, user sessions, and other CTFd values are held in Azure Cache for Redis. This configuration makes it possible to scale out to multiple CTFd instances.
  6. The credentials (connection strings) for both the database and the cache are kept as secrets in Azure Key Vault. Access to the secrets is granted only to the web application.
  7. A virtual network connects the Azure resources to each other and provides logical isolation. In this architecture, the web application communicates through the network with the database, cache, and key vault.
  8. Logs from the web application are sent to Azure Log Analytics, where they're aggregated from all instances and can be queried easily.

Network configuration

The template supports two network configurations: the preceding one and a simpler configuration without a virtual network, selected with the vnet input parameter. In the latter case, the following diagram describes the solution, and step 7 in the preceding workflow is omitted. Without the virtual network, the web application reaches the database, cache, and key vault over their public endpoints, so choose that option only when the simpler setup matters more than network isolation.

Diagram showing the architecture overview of the Azure components involved in a CTFd system.

Components

  • Azure App Service Web App for Containers hosts containerized web applications and provides autoscale and high availability without managing infrastructure.
  • Azure Database for MariaDB is a cloud-based relational database service. This service is based on the MariaDB community edition database engine.
  • Azure Cache for Redis improves the performance and scalability of systems that rely heavily on backend data stores. It does this by temporarily copying frequently accessed data to fast storage that's close to the application.
  • Azure Key Vault provides secure credential and certificate management.
  • Azure Log Analytics, an Azure Monitor Logs tool, can be used for diagnostic or logging information and for querying this data to sort, filter, or visualize it. This service is priced by consumption and is well suited to hosting diagnostic and usage logs from all of the services in this solution.
  • Azure Networking provides various networking capabilities in Azure, and the networks can peer with other virtual networks in Azure. Connections can also be established with on-premises datacenters via ExpressRoute or a site-to-site VPN. In this case, private endpoints for Azure Database for MariaDB, Azure Cache for Redis, and Azure Key Vault are used within the virtual network, and Azure App Service virtual network integration is enabled so that all the data flows only through the Azure virtual network.

Alternatives

  • You can use the Docker compose definition from the CTFd repository on GitHub. However, that provisions the required services (web application, cache, and database) onto a single host machine, which is neither scalable nor highly available.
  • You can provision the required services, as described in the Docker compose definition from the CTFd repository on GitHub, to Azure Kubernetes Service, but then you're managing infrastructure as a service (IaaS).
  • You can use a CTFd paid tier and get the platform as a service, with added features, per the chosen plan.

Scenario details

Traditionally, Capture the Flag events are cybersecurity exercises in which “flags” are secretly hidden in a program or website, and competitors steal them from other competitors (attack/defense-style CTFs) or the organizers (Jeopardy-style challenges). However, you can teach and practice other engineering practices as CTF events. You might not always use the CTF term. For example, the Microsoft OpenHack content packs are similar to what CTF is all about, and include topics such as AI-Powered Knowledge Mining, ML and DevOps, containers, Serverless, and Azure security.

Open-source CTF frameworks make it easy to turn any challenge into a CTF event with configurable challenge pages, leader boards, and other expected features of such an event, using zero code. For instance, OWASP's Juice Shop has a CTF extension that exports its challenges to several common CTF platforms, including CTFd, so you can provision and run it for your teams to do security training on.

One of the most popular open CTF platforms is CTFd. It's easy to use and customize, and it's built with open-source components. It offers several plans for managed hosting and features from which you can choose, or you could deploy and maintain your own environment. Managing an environment has cost and maintenance implications, but you own the data, you can integrate it with your organization's network if required, and it typically costs less. Using PaaS maintained by your cloud vendor gives you the best of both worlds: free, open-source software, and easier maintenance and IT handling than virtualized infrastructure components.

This document can help you set up a self-hosted CTFd environment using Azure PaaS, so your CTF environment is easy to maintain and scalable to accommodate your participants.

Potential use cases

This solution is optimized for the developer, DevOps, and cybersecurity communities, and for teams that want to run a CTF event.

Ultimately, any up-skilling, hack, or bug bash event can use this setup to run CTFd to manage and track challenge-based progress for teams or individuals.

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.

Security

Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.

  • Review the security considerations in the appropriate App Service web application reference architecture.
  • All data in Azure Database for MariaDB is automatically encrypted at rest and backed up. You can enable Microsoft Defender for Cloud to detect anomalous activity against the database. For more information, see Enable Microsoft Defender for open-source relational databases and respond to alerts.
  • Connecting to Azure Database for MariaDB over TLS protects against man-in-the-middle attacks by encrypting the data stream between the server and your application. Verifying the server requires the CA root certificate to be available inside the container, so this solution uses a custom Docker image that fetches the certificate at build time. The custom image is managed in an Azure Container Registry.
  • Managed identities for Azure resources let an Azure service authenticate to other Azure resources without any credential being stored in your code or configuration. This solution uses a managed identity to authorize the web application in Azure App Service to read secrets from Azure Key Vault.
  • Credentials such as the database and cache connection strings are stored in Azure Key Vault as secrets. Azure App Service is configured to read them from the Key Vault with its managed identity, so no secret is stored in application settings or code.
  • Network security is considered throughout the design. All traffic from the publicly available web application to the internal services is routed through the virtual network, and none of the back-end services (database, cache, and key vault) allows public network access.
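The following Bicep is an added example, not the repository's own template, that shows how the last four points fit together: a system-assigned managed identity on the web app, a Key Vault that refuses public traffic and is reached through a private endpoint, a least-privilege role assignment scoped to that vault, and Key Vault references in the app settings so that the CTFd DATABASE_URL, REDIS_URL, and SECRET_KEY values never appear in the configuration. All resource names, the subnet ids, the image reference, the secret names, and the shape of the connection strings (including the ssl_ca query parameter that points at the root certificate baked into the image) are assumptions.

```bicep
// Added example, not the repository's own Bicep: managed identity, Key Vault
// with public access disabled, least-privilege role assignment, private
// endpoint, and Key Vault references in the App Service settings.
// Names, subnet ids, image reference and secret names are assumptions.
param location string = resourceGroup().location
param appName string = 'ctfd-web'         // assumed
param vaultName string = 'ctfd-kv'        // assumed, must be globally unique
param integrationSubnetId string          // assumed: subnet delegated to Microsoft.Web/serverFarms
param privateEndpointSubnetId string      // assumed: subnet that hosts the private endpoints
param ctfdImage string                    // assumed, e.g. '<registry>.azurecr.io/ctfd:3.7.0'
@secure()
param databaseUrl string                  // assumed shape: mysql+pymysql://user:pw@host/ctfd?ssl_ca=/path/to/root.pem
@secure()
param redisUrl string                     // assumed shape: rediss://:key@host:6380
@secure()
param ctfdSecretKey string                // CTFd SECRET_KEY, used to sign sessions
// Built-in role "Key Vault Secrets User": read secret contents, nothing else
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true        // Azure RBAC instead of access policies
    publicNetworkAccess: 'Disabled'      // reachable only through the private endpoint below
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
  }
}

resource dbUrlSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: 'database-url'
  properties: { value: databaseUrl }
}
resource redisUrlSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: 'redis-url'
  properties: { value: redisUrl }
}
resource secretKeySecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: 'ctfd-secret-key'
  properties: { value: ctfdSecretKey }
}

resource plan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: '${appName}-plan'
  location: location
  kind: 'linux'
  sku: { name: 'B1', tier: 'Basic' }     // lowest tier that supports VNet integration
  properties: { reserved: true }
}

resource web 'Microsoft.Web/sites@2023-01-01' = {
  name: appName
  location: location
  kind: 'app,linux,container'
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: integrationSubnetId   // regional VNet integration
    siteConfig: {
      linuxFxVersion: 'DOCKER|${ctfdImage}'
      vnetRouteAllEnabled: true                   // all outbound traffic goes through the VNet
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      appSettings: [
        // Key Vault references: App Service resolves them with the managed identity at runtime
        { name: 'DATABASE_URL', value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=database-url)' }
        { name: 'REDIS_URL', value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=redis-url)' }
        { name: 'SECRET_KEY', value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=ctfd-secret-key)' }
        { name: 'WEBSITES_PORT', value: '8000' }  // the CTFd image listens on 8000
      ]
    }
  }
}

// Scoped to this vault only; the identity gets no rights anywhere else
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, web.id, secretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: web.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

resource kvEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: '${vaultName}-pe'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      { name: 'vault', properties: { privateLinkServiceId: kv.id, groupIds: [ 'vault' ] } }
    ]
  }
}
```

Two practical caveats. The private endpoint only takes effect if a private DNS zone (privatelink.vaultcore.azure.net) is linked to the virtual network so that the vault name resolves to the endpoint's private address; the database and cache get the same treatment with the group ids mariadbServer and redisCache. And because the web app can start before the role assignment exists, a first deployment may show unresolved Key Vault references until the app is restarted; checking the app settings blade for a green resolution status is the quickest way to confirm the identity path works.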

Cost optimization

Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

  • The CTFd environment is ephemeral. You can easily deploy the environment with the required resources for the event, then tear it down just as easily.
  • To estimate the cost of implementing this solution, use the Azure Pricing Calculator.

Operational excellence

Operational excellence covers the operations processes that deploy an application and keep it running in production. For more information, see Overview of the operational excellence pillar.

Azure Monitor integrates with Azure App Service to support logging from all web application instances to a single location. Azure Monitor diagnostics settings collect CTFd container logs and send them to a Log Analytics workspace. From there, you can use the Kusto query language to write queries across the aggregated logs.
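As an added example, not the repository's own template, the Bicep below creates the diagnostic setting described above: it forwards the CTFd container, HTTP, and platform logs of an existing web app to a Log Analytics workspace. The app and workspace names, and the 30-day retention, are assumptions.

```bicep
// Added example, not the repository's own Bicep: route App Service logs for
// the CTFd web app to a Log Analytics workspace. Names are assumptions.
param location string = resourceGroup().location
param appName string = 'ctfd-web'          // assumed: the existing CTFd web app
param workspaceName string = 'ctfd-logs'   // assumed

resource web 'Microsoft.Web/sites@2023-01-01' existing = {
  name: appName
}

resource logs 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }   // billed per GB ingested
    retentionInDays: 30          // keep only what the event needs; retention is part of the bill
  }
}

resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'ctfd-to-log-analytics'
  scope: web
  properties: {
    workspaceId: logs.id
    logs: [
      { category: 'AppServiceConsoleLogs', enabled: true }   // stdout/stderr of the CTFd container
      { category: 'AppServiceHTTPLogs', enabled: true }      // one row per request: client IP, path, status
      { category: 'AppServicePlatformLogs', enabled: true }  // container start/stop and image pulls
    ]
    metrics: [
      { category: 'AllMetrics', enabled: true }
    ]
  }
}
```

Once rows arrive, the HTTP log table is the one worth watching during an event: a Kusto query such as `AppServiceHTTPLogs | where CsUriStem == "/api/v1/challenges/attempt" | summarize attempts = count() by CIp, bin(TimeGenerated, 1m) | where attempts > 30` lists clients hammering CTFd's flag-submission endpoint, which is the usual sign of brute-forcing rather than solving.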

Azure Log Analytics and Azure Monitor are billed per gigabyte (GB) of data ingested into the service (see Azure Monitor pricing).

Performance efficiency

Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. For more information, see Performance efficiency pillar overview.

  • This solution requires at least the Basic tier of App Service, because the Free and Shared tiers do not support virtual network integration.
  • The CTFd web application component requires at least 1 CPU and 1 GB of RAM per instance.
  • For information about scaling a basic web app, see Scaling the App Service app.
  • You can scale up Azure Database for MariaDB to meet higher demands. You can dynamically change the number of vCores, the amount of storage, and the pricing tier (except to and from Basic), so carefully consider the right tier for your target workload.

Deploy this scenario

You can find the solution deployment files as Bicep infrastructure as code on GitHub.

The easiest way to deploy the solution to your subscription is to use the Deploy to Azure button in the Quickstart section of the repo's main README.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributor.

Principal author:


Next steps