Secure a web app architecture with Azure confidential computing
In this post, we’ll show you how to build a Personal Identifiable Information (PII) - protecting web application architecture using Azure confidential computing (ACC). ACC completes your traditional cloud privacy with protections for data in use based on state-of-the-art hardware available in Azure today.
Architecture
The diagram below showcases a typical architecture pattern for hosting a web application (e.g. On-Premises or Cloud Platform):
Typical architecture for a web application
The problem with this typical approach is that malicious actors could gain access to, as well as manipulate, sensitive data running on this architecture. For example:
- Curious SQL DBA - with db_owner access can access sensitive tables, as well as leverage SQL Server Extended Events Sessions to intercept query predicates.
- Curious VM admin - with access to application logs can manipulate sensitive application logs, e.g. to erase a subset of the history.
- Curious host/provider admin - with access to the underlying Hypervisor can access the Virtual Machines.
Azure confidential computing enhances the security posture of your applications by protecting data and code when in use, that is when running and being processed in memory. This additional level of protection elevates the existing security posture in Azure by running application in hardware-encrypted trusted execution environments.
For an overview of what Azure confidential computing offers, please refer to this article: Navigating confidential computing across Azure.
Going Confidential
Next, we'll show you how to enhance your web application privacy with Azure confidential computing.
Confidential architecture leveraging Azure confidential computing services
Core components:
- Sensitive Data - Azure SQL DB - Always Encrypted with secure enclaves: For hosting a confidential database - with sensitive columns that are encrypted via CMK (Column Master Key).
- Sensitive Data Encryption Keys - Azure Key Vault - mHSM: A FIPS 140-2 Level 3 validated HSM - used in this case for storing the Always Encrypted Column Master Key - or CMK for the sensitive database.
- Sensitive Application Logic - Azure Confidential VM - with AMD EPYC 3 Sev-SNP: For hosting a Web app that queries the sensitive database within Azure SQL DB, and persists sensitive logs generated on the Web app (e.g. query history).
(Confidential VM AMD EPYC 3 Sev-SNP is not yet generally available at time of writing; sign-up for preview here). - Sensitive Application logs - Azure Confidential Ledger: As an append-only, immutable ledger for hosting sensitive logs.
All components of this architecture, including Sensitive Data, Sensitive Data Encryption Keys, Sensitive Application Logic and Sensitive Application logs - are hosted at or above the blue dotted line highlighted below:
Trust boundary across Azure confidential computing services.
To transform an existing (or net-new) application to leverage confidentiality via ACC – the following activities can be easily accomplished for each of the 3 tiers of the application: Data, Code and Logs:
- Sensitive Data: For an existing database, to migrate the data to Azure SQL DB – Always Encrypted with secure enclaves, we can leverage any of the migration techniques available with Azure SQL DB today. For a net new database, we can leverage several techniques to hydrate our database – as illustrated in this repository via T-SQL.
- Sensitive Application Code: Azure Confidential VM with AMD EPYC 3 Sev-SNP allows us to lift-and-shift existing application logic - meaning there are no code changes expected of our application to take advantage of the elevated confidentiality. Any web app framework (see demo below for a simple ASP.NET example) can continue to function as is.
- Sensitive Application Logs: To programmatically send sensitive application logs to Azure Confidential Ledger, we can use any of the SDKs available. In the demo below, we use the Python SDK from PyPi for demonstration – at the time of writing Java and .NET SDK are available as well.
Demonstration
A live demonstration of this architecture pattern is showcased in the short demo video below. In this demonstration, we leverage a Confidential VM to emphasize one core point - no code changes are required of an existing application (in our case, an ASP.NET Web App) to run on an AMD Sev-SNP enabled Virtual Machine on Azure:
Demo Video from Build – starts at 27:34
Get Started
Instructions on how to publish this app are described on the author's GitHub repo.
Published on:
Learn moreRelated posts
Introducing the Data-Bound Reference Layer in Azure Maps Visual for Power BI
Imagine managing a nationwide sales team and needing to understand how your sales align with factors like population density, competitor locat...
GitHub Copilot for Azure: 6 Must-Try Features
As developers, we are constantly seeking tools that streamline our workflows and boost productivity. … Enter GitHub Copilot for Azure, now in ...
Unlocking the Best of Azure with AzureRM and AzAPI Providers
With the recent release of AzAPI 2.0, Azure offers two powerful Terraform providers to meet your infrastructure needs: AzureRM and AzAPI. The ...
Azure Communication Services Ideas Board: Share your feedback with the product team
Innovation is not a solitary pursuit, and we recognize that some of the best ideas come from you, our Azure Communication Services community. ...
Engage with the Azure Community Services Ideas Board: Your Voice Matters
Innovation is not a solitary pursuit, and we recognize that some of the best ideas come from you, our Azure Communication Services community. ...
Optimizing custom copilot (agent) performance with Azure Load Testing: A comprehensive guide
As we move into the next phase of digital transformation, the role of custom copilots is set to become increasingly pivotal. By leveragin...
Azure Storage - TLS 1.0 and 1.1 retirement
Overview TLS 1.0 and 1.1 retirement on Azure Storage was previously announced for Nov 1st, 2024, and it was postponed recently to 1 year later...
Streamline Your Azure Workflow: Introducing GitHub Copilot for Azure in VS Code
I'm excited to announce the public preview of GitHub Copilot for Azure - a new addition to your toolkit that seamlessly integrates with G...
VMware HCX Design with Azure VMware Solution
Overview VMware HCX is one of the Azure VMware Solution components that generates a large number of service requests from our customers. The A...