Service Endpoints --

1. Create a VNET with 2 subnets

2. Create a service endpoint policy. That enables us to specify which particular storage account to connect to. This is currently enabled for storage accounts alone. Otherwise as part of service endpoints we can specify the resource provider alone and not a specific resource.

We can specify this service endpoint policy while creating a service endpoint. Only storage account allow service endpoint policies as of now.

If we notice then selecting cosmos db or any other service other than storage will not have the ability to accept service endpoint policies.

As mentioned microsoft.storage allows us to add service endpoint policies. Thus we can specify a particular resource within a provider

This is 1 way of enabling service endpoints. Or we can directly go to the storage account and from the networking tab select Sub1. This will automatically configure service endpoints and will add a service endpoint policy that enables the resource to connect to the storage account.

Check out: Service Endpoints (anisharvind.blogspot.com)

3. Add the subnet that has the service endpoint enabled to the storage account ACL.

Now if I try to view the contents of the storage account I will get an unauthorized error.

Comments

Az-500 NSG and ASG

Application security groups Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic. To better understand application security groups, consider the following example: In the previous picture, NIC1 and NIC2 are members of the AsgWeb application security group. NIC3 is a member of the AsgLogic application security group. NIC4 is a member of the AsgDb application security group. Though each network interface in this example is a member of only one network security group, a network interface can be a member of multiple app...

Azure AD Authentication And Authorization

ROLE BASED AUTHORIZATION Step1: Setup API. 1. Create an app registration and create an app role. Make sure that the app role is assigned to user and applications. We add it to both user groups and applications as this role can be then assigned to both users and applications. Scopes can only be assigned to apps. Now we can have only users with this role access our application. This app role behind the scenes adds an approles section to the manifest.json. We can directly add it to the manifest file also. Step 2: Setup an app registration for the UI/ WEB App. . We will grant this app the read role created in the API app (shown above). Go to Azure AD and select the UI app registration. When we register an application 2 elements get created. 1. App registration 2. Enterprise Application -- service principal that get created for the app Adding roles to applications Go to the App registration => API Persmissions => Add a Permission => My API's The My Api's sec...

ASp.net core 3.1 identity

It is just an extension to cookie authentication. We get a UI, Tables, helper classes, two factor authentication etc. Even EF and its database constructs. So instead of writing code for all of this we can just use these in built features. Extending Default Identity Classes Add a class that inherits from public class AppUser : IdentityUser { public string Behavior { get; set; } } Also change the user type in login partial.cs under shared folder Then add migrations and update db using migrations. We can customize further. services.AddDefaultIdentity<AppUser>(options => { options.SignIn.RequireConfirmedAccount = true; options.Password.RequireDigit = false; ...

Anish's Notebook

Search This Blog