Simple internal-facing (intranet/private) .NET web application — is App Service a fit, and if so, how to secure it (and Azure SQL)?

Forgive the newbie question… We are exploring the development of an in-house application for our business users that we wish to remain private and secure (i.e., intranet-facing); however, we wish to host the application in Azure. The application will likely be pretty small and use old-school ASP.NET / Web Forms and MS SQL to leverage existing code (a handful of pages, maybe a couple dozen stored procs, light database payload — megabytes at most; the heaviest data payload would likely be images, and even that in the grand scheme is modest). The app will not see much utilization, and use would generally be during business hours.

From a technical currency perspective it would appear App Service might be a fit, even if our code would be older school. We also see this as an opportunity for our dev team to dabble and learn with and get some comfort with App Service. Similarly, it would seem like standard Azure SQL could fit. However, we are early in our cloud journey, and while we have a footprint in Azure, it is all IaaS, and shifting to a PaaS frame of mind, especially from a security perspective, and in particular a network security perspective, is leading to a lot of puzzled looks. With IaaS, it’s more familiar to folks: there are VMs, they sit behind a next-gen firewall appliance, connectivity is over a private network, and so on and so forth.

Are there clear and simple ways to establish the pattern for how we’d safely secure a web app like this affordably using PaaS? Following the paradigm we have in place with IaaS led us to the realization that to get a private IP via ILB on App Service would mean a dedicated tenant (“isolated” ASE) and that’s absurdly expensive for what we’re trying to accomplish.

We know we could simply stand up some VMs, whether in Azure or on-prem but if possible we’d like to stretch and learn and use PaaS. Or is this a bad engineering concept, fitting a square peg into a round hole, just to get the learning?

It would seem like there ought to be a way to leverage identity-based security (Azure AD) and use tight IP whitelisting to accomplish somewhat similar ends to what the truly “private IP” approach would otherwise give us, but what really is the right way to go and what does it look like? Are there any white papers or other resources, even just some basic pointers, that lay out the PaaS model for something like this while keeping it cheap, secure, and reasonable to manage?

Change is hard, especially when it involves people, habits, and multiple technical disciplines. 🙂

Thanks to anyone who might be able to help!

submitted by /u/imagination_stretch
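An added illustration (not from the original post or any reply) of the identity-plus-allow-list pattern the question describes, written as a Bicep fragment so the App Service and Azure SQL settings it relies on are concrete: an IP allow-list with explicit deny-all, Easy Auth against Azure AD (now Entra ID), a managed identity instead of a stored SQL password, and Entra-only authentication on the SQL server, with no ASE or private IP involved. The resource names, the office CIDR, the app registration client ID, the DBA group and the existing plan ID are assumed placeholders.

```bicep
param planId string                          // assumed: existing App Service plan (Basic tier or above suffices; no ASE)
param officeCidr string = '203.0.113.0/24'   // assumed office egress range (RFC 5737 documentation prefix)
param aadClientId string                     // assumed: Entra ID app registration used by Easy Auth
param dbaGroupObjectId string                // assumed: object ID of the Entra ID group that administers SQL
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-intranet-example'
  location: resourceGroup().location
  identity: { type: 'SystemAssigned' }       // managed identity: the app can reach SQL with no stored password
  properties: {
    serverFarmId: planId
    httpsOnly: true
    siteConfig: {
      minTlsVersion: '1.2'
      ipSecurityRestrictions: [              // allow-list: office range in, everything else denied
        { name: 'office', ipAddress: officeCidr, action: 'Allow', priority: 100 }
        { name: 'deny-all', ipAddress: 'Any', action: 'Deny', priority: 2147483647 }
      ]
      scmIpSecurityRestrictionsUseMain: true // the same list also guards the Kudu/SCM endpoint
    }
  }
}
resource auth 'Microsoft.Web/sites/config@2022-09-01' = {   // Easy Auth: Entra sign-in before any page is served
  parent: app
  name: 'authsettingsV2'
  properties: {
    platform: { enabled: true }
    globalValidation: { requireAuthentication: true, unauthenticatedClientAction: 'RedirectToLoginPage' }
    identityProviders: {
      azureActiveDirectory: {
        enabled: true
        registration: { clientId: aadClientId, openIdIssuer: 'https://login.microsoftonline.com/${tenant().tenantId}/v2.0' }
      }
    }
  }
}
resource sql 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: 'sql-intranet-example'
  location: resourceGroup().location
  properties: {
    minimalTlsVersion: '1.2'
    administrators: {                        // Entra-only authentication: SQL logins/passwords are disabled
      administratorType: 'ActiveDirectory'
      principalType: 'Group'
      login: 'sql-dba'
      sid: dbaGroupObjectId
      tenantId: tenant().tenantId
      azureADOnlyAuthentication: true
    }
  }
}
```

As written the SQL server accepts no network traffic at all: the web app's outbound addresses (or a VNet integration with a service endpoint or private endpoint) still need firewall rules, omitted here to keep the focus on the authentication side. The app's managed identity must also be granted a database user (CREATE USER ... FROM EXTERNAL PROVIDER) before it can connect.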