How Azure can provide a secure remote access without VPN
Apr 8, 2020, 11:45 AM
Enabling your users to work efficiently from home is pretty much a must-have requirement for all modern IT-infrastructures, and after the coronavirus hit us, more and more people need remote working possibilities. MS Azure offers us some alternatives to traditional VPN connections.
VPN connections have been used for a long time to allow remote workers to access the business applications which they need for their day-to-day work. But these VPN solutions can require costly licenses for each concurrent user and can become the single point of failure when too many users try to use it at the same time. And when the VPN connections do work, they might also act as a gateway for some unwanted applications (malware, viruses, etc..) to connect to your internal network.
So instead of relying on a VPN for all your remote working needs, you should consider exposing at least some of your internal applications directly to the internet. This way, your users can always access them from anywhere and even with their mobile devices, which may not be able to connect to your VPN solution.
Azure active directory
If your organization is using Exchange Online, SharePoint Online, or any other Microsoft O365 services, then those applications are already authenticating your users through Azure Active Directory. Azure AD provides secure single-sign-on and multi-factor-authentication capabilities not just to your Microsoft provided services but also to your business applications.
New business applications can (and should) be designed with Azure AD authentication in mind. Azure AD supports the OpenID Connect (OIDC) -authentication protocol, which is the most used authentication mechanism for modern web applications today. In most application development frameworks, OIDC can be enabled with just a few lines of code. In addition to OIDC, you can also integrate your application to the Azure AD by using the older SAML-protocol.
If you run your application inside Azure App Services, you can gain some extra security by enabling authentication in the App Service settings. This will create a reverse proxy in front of your application and ensure that no requests ever hit your application code if the user has not been authenticated first.
Azure AD is not limited to applications running inside Azure either. You can use it to control access to your applications regardless of your hosting platform. At Nitor, for example, we’re controlling access to some of our internal tools by a custom pre-authenticating proxy running in Amazon AWS.
What about your existing apps?
Of course, many of your existing business applications are already running inside your internal network. Exposing these applications to the public internet in a secure fashion or replacing their current authentication mechanisms with OIDC might not be feasible. Freeing them from the shackles of VPN connection can, in many cases, be done with Azure AD Application Proxy -service.
Azure Application Proxy sits on the public internet and acts as a gateway to your application. It allows authenticated users to connect to the on-premises web application from the public internet via an Application Proxy Connector.
When a user tries to access an application behind Azure Application Proxy, they are first authenticated against your Azure AD -tenant. Only after successful authentication (or multi-factor-authentication), the request is proxied to the actual application running inside your on-premises network. The application proxy can even automatically log the user in your application using Integrated Windows Authentication, which is often used in applications running in internal networks. Application Proxy also supports single-sign-on for applications using header-based authentication, forms- or password-based authentication, or SAML.
Installing and configuring the Application Proxy and the required connectors are quite straight-forward. All you need to do is install the Application Proxy Connector to a couple of servers running in your internal network with a couple of mouse clicks, and you should be ready to start publishing your applications to your users. And since Application Proxy Connectors utilize only outbound connections, this setup does not even require you to allow any new inbound connections in your firewall rules.
Improving the security of your publicly exposed application
Making your application accessible from the public internet also exposes you to attackers who may try to work their way around your authentication mechanisms or find other vulnerabilities in your system.
Using a pre-authenticating proxy offered by Azure App Services or Azure AD Application Proxy mitigates some of these issues by limiting access to only authenticated users. But you can improve your application security even more by deploying Azure Web Application Firewall (WAF) between your application and your users.
Azure Web Application Firewall can be used to protect both applications running behind Azure Application Proxy and applications hosted natively in the cloud. It provides automatic protection to the most common exploits and vulnerabilities, and it’s continuously updated to include protection against new vulnerabilities, with no additional configuration needed.
Some of the attack types that WAF provides automatic protection against are for example: SQL injections, Cross-site scripting, HTTP request smuggling and common application misconfigurations.
Nitor is a digital engineering company that lets your employees concentrate on their daily tasks regardless of their physical location. We’re here to help you if you’re planning to create new remote-friendly applications or want to make it easier to access your existing applications.
Arto Kaitosaari is a Senior Software Architect at Nitor. He has been designing and implementing IT solutions for over 20 years. Even though Arto has a history of implementing document management and archival systems, he still takes his notes using pen and paper.