1 - Private Link

Deep Dive into Private Link

Azure Private Link enables you to access Azure PaaS Services and Azure-hosted customer-owned/partner services over a Private Endpoint in your virtual network. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. You can also create your own Private Link Service in your virtual network and deliver it privately to your customers.

This reference architecture uses Private Link for its security and privacy benefits: exposure to the public Internet is eliminated, and the whole infrastructure is inaccessible from the Internet apart from a jump-box and the ingress functionality.

The following table lists all resources in the EU and IE regions' Private Link networks, together with the private DNS zone each one uses.

| Name | DNS Zone |
| --- | --- |
| ACR | privatelink.azurecr.io |
| AKS | privatelink.<region location>.azmk8s.io |
| Key Vault | privatelink.vaultcore.azure.net |
| MySQL Server | privatelink.mysql.database.azure.com |
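The practical check behind this table is that every resource name must resolve, from inside the virtual network, to an address in the VNet's own address space; a name that still resolves to a public IP means traffic is bypassing the private endpoint. The following is an added example written for this page, not code from the reference architecture. The private DNS zones come from the table above; the public hostname suffixes mapped to them are assumptions about each service's default hostname, and the DNS answers and VNet address space are constructed.

```python
"""Private Link DNS sanity checks (added example; assumptions noted inline)."""
import ipaddress
import socket

# Public hostname suffix -> private DNS zone. Zones are from the table above;
# the public suffixes are assumptions about each service's default hostname.
PUBLIC_SUFFIX_TO_PRIVATE_ZONE = {
    "azurecr.io": "privatelink.azurecr.io",                              # ACR
    "azmk8s.io": "privatelink.{region}.azmk8s.io",                       # AKS API server
    "vault.azure.net": "privatelink.vaultcore.azure.net",                # Key Vault
    "mysql.database.azure.com": "privatelink.mysql.database.azure.com",  # MySQL
}


def private_zone_for(fqdn: str, region: str):
    """Return the private DNS zone that must exist in the VNet for `fqdn`, or None."""
    host = fqdn.lower().rstrip(".")
    for suffix, zone in PUBLIC_SUFFIX_TO_PRIVATE_ZONE.items():
        if host.endswith("." + suffix):
            return zone.format(region=region)
    return None


def audit_resolution(answers: dict, vnet_cidrs) -> dict:
    """Return {name: [addresses]} for every name that resolves outside the VNet.

    `answers` maps a hostname to the list of addresses it resolved to.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in vnet_cidrs]
    findings = {}
    for name, ips in answers.items():
        outside = [ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in net for net in nets)]
        if outside:
            findings[name] = outside
    return findings


def resolve(name: str):
    """Resolve with the system resolver; only meaningful when run inside the VNet."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


# Constructed answers standing in for what a resolver inside the VNet returns.
CONSTRUCTED_ANSWERS = {
    "euacr.azurecr.io": ["10.1.2.4"],
    "eu-keyvault.vault.azure.net": ["10.1.2.5"],
    "eu-mysql.mysql.database.azure.com": ["20.50.1.1"],  # still public: misconfigured
}
VNET_ADDRESS_SPACE = ["10.1.0.0/16"]  # constructed VNet address space

if __name__ == "__main__":
    for name in CONSTRUCTED_ANSWERS:
        print(f"{name} needs zone {private_zone_for(name, 'westeurope')}")
    print("resolving outside the VNet:",
          audit_resolution(CONSTRUCTED_ANSWERS, VNET_ADDRESS_SPACE))
```

To use it against a live deployment, replace the constructed answers with `{name: resolve(name)}` collected from the jump-box, which sits inside the VNet and therefore sees the private zones.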

Calls to Action

Learn more about Azure Private Link and get the most up-to-date information at the Microsoft Docs.

Read about Key Vault in the next section.

2 - Key Vault

Deep Dive into Key Vault

Background and Further Reading

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

For more information on Azure Key Vault please refer to the product documentation.

Azure Key Vault RBAC

This reference architecture’s implementation of Azure Key Vault has enabled RBAC authorization as standard. Azure Key Vault RBAC is a new feature (~Feb 2021) which provides the ability to have separate permissions on individual keys, secrets, and certificates. This reduces the number of Key Vaults needed to maintain minimal access rights.

For more information on Azure Key Vault RBAC please refer to the product documentation.

Azure Spring PropertySource

Each of the upstream Spring based applications has been configured to use an Azure Key Vault Spring PropertySource. This allows the applications to load certain Spring properties from Key Vault; however, it requires a specific naming pattern for the Key Vault items. The table below shows which naming pattern is used for each key.

See the Azure Key Vault Secrets Spring Boot starter client library for Java documentation and algorithm for more details.
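The naming pattern matters because the PropertySource derives the secret name from the Spring property name, so a secret created under the wrong name is simply not found. The block below is an added example, not the project's code: it implements my reading of the starter's normalisation (lower-case; strip `-` and `_` inside a dotted name; then replace `.` with `-`), which should be treated as an assumption and confirmed against the starter's source. The Spring property names used as input are constructed; only the secret names they produce come from the Key Vault tables in this section.

```python
"""Spring property name -> Key Vault secret name (added example; mapping is an assumption)."""
import re

_ALREADY_VALID = re.compile(r"^[a-z0-9A-Z-]+$")          # e.g. mysql-pw
_ENV_STYLE = re.compile(r"^[A-Z0-9_]+$")                  # e.g. MYSQL_PW
_KEY_VAULT_NAME = re.compile(r"^[0-9a-zA-Z-]{1,127}$")    # Key Vault object-name rule


def to_secret_name(prop: str) -> str:
    """Secret name the PropertySource looks up for Spring property `prop`."""
    if _ALREADY_VALID.match(prop):
        return prop.lower()
    if _ENV_STYLE.match(prop):
        return prop.lower().replace("_", "-")
    # Dotted relaxed-binding name: separators inside a segment are dropped,
    # so 'trust-anchor' becomes 'trustanchor'; '.' becomes the only '-'.
    return prop.lower().replace("-", "").replace("_", "").replace(".", "-")


def is_valid_secret_name(name: str) -> bool:
    """True if `name` satisfies Key Vault's object-name rule."""
    return bool(_KEY_VAULT_NAME.match(name))


def plan_secret_names(properties):
    """Map each property to its secret name and report collisions.

    The mapping is lossy, so two different properties can resolve to the
    same secret; catching that early prevents a secret created for one
    setting silently feeding another.
    """
    mapping = {p: to_secret_name(p) for p in properties}
    by_secret = {}
    for prop, secret in mapping.items():
        by_secret.setdefault(secret, []).append(prop)
    collisions = {s: ps for s, ps in by_secret.items() if len(ps) > 1}
    invalid = [s for s in by_secret if not is_valid_secret_name(s)]
    return mapping, collisions, invalid


if __name__ == "__main__":
    # Constructed property names chosen to reproduce IE Key Vault entries.
    props = [
        "dgc.gateway.connector.trust-anchor.alias",
        "dgc.gateway.connector.tls-trust-store.password",
        "issuance.cert-alias",
        "MYSQL_PW",
    ]
    mapping, collisions, invalid = plan_secret_names(props)
    for prop, secret in mapping.items():
        print(f"{prop:50} -> {secret}")
    print("collisions:", collisions, "invalid:", invalid)
```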

Azure Key Vault Provider for Secrets Store CSI Driver (AKS)

The Azure Key Vault provider for Secrets Store CSI driver allows us to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes Pods.

This reference architecture uses this CSI driver to mount the various certificates into the appropriate Kubernetes Pod's filesystem. This method was chosen because it reduced the number of upstream code changes necessary; ideally, however, it would be replaced with direct integration with Key Vault, discussed in the next section.

For more information on this CSI driver please refer to the upstream documentation.

Future: Direct integration of Key Vault into the upstream applications

Ideally, each of the upstream applications would never need to read the various certificate private keys from Key Vault and would instead integrate directly with the Key Vault signing APIs. Storing the private keys as non-exportable, HSM-backed keys would significantly reduce the risk of accidentally exposing them in the event of a misconfiguration, malware, a breach or another security incident.

Due to the number of changes that would be necessary to the upstream codebase, we chose not to implement this as part of this reference architecture; however, we would recommend it be implemented for any production workloads.

EU Key Vault

The following table lists all items in the EU Key Vault, along with a short description of their purpose.

| Name | Type | Naming Scheme | Description |
| --- | --- | --- | --- |
| trustanchor | Certificate | Freeform | Root Certificate Authority (CA) private key and certificate bundle |
| dgc-trustanchor-certificatealias | Secret | Spring PropertySource | The certificate alias to use from within the trustanchor bundle |
| mysql-pw | Secret | Freeform | The Azure MySQL administrative user password. Unused by the reference architecture, but may be necessary for day-to-day operations in a production environment |
| mysql-encryption-key | Key | Freeform | Encryption key used for the Azure MySQL Customer Managed Key |
| aks-encryption-key | Key | Freeform | Encryption key used for the Azure Kubernetes Service Customer Managed Key |

IE Key Vault

The following table lists all items in the IE Key Vault, along with a short description of their purpose.

| Name | Type | Naming Scheme | Description |
| --- | --- | --- | --- |
| trustanchor-content | Secret | Freeform | Root Certificate Authority (CA) private key and certificate bundle |
| dgc-gateway-connector-trustanchor-password | Secret | Spring PropertySource | Password for the trustanchor bundle |
| dgc-gateway-connector-trustanchor-alias | Secret | Spring PropertySource | The certificate alias to use from within the trustanchor bundle |
| msal-authentication-client-secret | Secret | Freeform | The application client secret used for AAD authentication on the Issuance Web Portal |
| tls-trust-store-content | Secret | Freeform | The TLS Trust Store bundle in PKCS #12 format. This is used for HTTP Public Key Pinning on all HTTP connections. |
| dgc-gateway-connector-tlstruststore-password | Secret | Spring PropertySource | Password for the TLS Trust Store bundle |
| tls-key-store | Certificate | Freeform | The TLS Key Store bundle contains the Auth certificate, which is used to authenticate a country to the EU Gateway |
| dgc-gateway-connector-tlskeystore-alias | Secret | Spring PropertySource | The certificate alias to use from within the TLS Key Store bundle |
| upload-key-store | Certificate | Freeform | The Upload Key Store bundle contains the Upload certificate, which is used to sign uploads from a country to the EU Gateway |
| dgc-gateway-connector-uploadkeystore-alias | Secret | Spring PropertySource | The certificate alias to use from within the Upload Key Store bundle |
| dsc-key-store | Certificate | Freeform | The DSC Key Store bundle contains the Document Signer Certificates, which are used to sign end-user Digital Covid Certificates |
| issuance-certalias | Secret | Spring PropertySource | The certificate alias to use from within the DSC Key Store bundle |
| mysql-pw | Secret | Freeform | The Azure MySQL administrative user password. Unused by the reference architecture, but may be necessary for day-to-day operations in a production environment |
| mysql-encryption-key | Key | Freeform | Encryption key used for the Azure MySQL Customer Managed Key |
| aks-encryption-key | Key | Freeform | Encryption key used for the Azure Kubernetes Service Customer Managed Key |

Calls to Action

Learn more about Azure Key Vault and get the most up-to-date information at the Microsoft Docs.

Read about Customer managed keys in the next section.

3 - Customer Managed Keys

Deep Dive into Customer Managed Keys

Customer Managed Keys

Service Encryption provides a layer of encryption for customer data-at-rest giving customers two options for encryption key management: Microsoft-managed keys or Customer-managed Key. When using Microsoft-managed keys, Microsoft online services automatically generate and securely store the root keys used for Service Encryption.

Customers with requirements to control their own root encryption keys can use Service Encryption with Customer-managed Key. Using Customer-managed Key, customers can generate their own cryptographic keys using either an on-premises Hardware Security Module (HSM) or Azure Key Vault (AKV). Customer root keys are stored in AKV, where they can be used as the root of one of the keychains that encrypts customer files. Customer root keys can only be accessed indirectly by Microsoft online service code for data encryption and cannot be accessed directly by Microsoft employees.

We use CMK to ensure that the cloud provider does not have access to the medical information of the citizens who have Digital COVID Certs issued by this system.

We have the Key Vault service generate the two keys used (details below) in an HSM-backed key slot, ensuring each key is generated in an HSM and cannot be exported from the HSM by the customer or the cloud provider, and we grant limited access to the keys only to the services that need to use them. This means that the AKS service has access to the AKS key but not the MySQL key, and vice versa. We also restrict the operations on each key to the bare minimum, so the key can only be used to wrap and unwrap other keys.

MySQL

The MySQL server's data is encrypted with a Data Encryption Key (DEK), which is itself encrypted by a Key Encryption Key (KEK) stored in Key Vault with access controls applied to it. These controls mean that if the MySQL server's managed identity has its access revoked, it can no longer access the DEK, and therefore cannot access the encrypted data.

There is more documentation for this here - Azure Documentation

AKS

For AKS we have enabled encryption of Kubernetes Persistent Volumes (using the Azure Disks Storage Class), and the OS Disks, using a CMK.

This ensures any data stored in Kubernetes is encrypted at rest using a DEK that has been wrapped by a KEK stored in the Key Vault. Revoking the AKS cluster's managed identity's access to the key means that AKS can no longer unwrap the DEK, and so cannot decrypt the data.

There is more documentation for this here - Azure Documentation

Key Vault Options

For this example we chose a Key Vault Premium instance and used HSM-backed keys, generated on the HSM, for the KEK. This gives a good level of protection against the KEK being leaked (as it never leaves the HSM), but may not fulfil specific FIPS level requirements or other regulations. For these cases, a Managed HSM may be required.

A Managed HSM supports importing KEKs from an on-site HSM in a way that ensures the key material never leaves an HSM boundary, while allowing customers to keep secure external backups of the key.

As Managed HSMs use a similar API to Key Vault, any changes needed to use a Managed HSM would be minimal.

For lower security requirements, software-backed encryption keys can also be used for CMK, at reduced cost and with easier, but less secure, backup.

Table of services which use Customer-Managed Keys

| Service | Key Name | Key role assignment scope | Key Type | Key Size | Key Options |
| --- | --- | --- | --- | --- | --- |
| AKS | aks-encryption-key | AKS User Assigned Identity | RSA-HSM | 2048 | unwrapKey, wrapKey |
| MySQL Server | mysql-encryption-key | MySQL Server System Assigned Identity | RSA-HSM | 2048 | unwrapKey, wrapKey |
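The MySQL and AKS sections above describe the same envelope-encryption pattern: a per-resource DEK encrypts the data, the KEK in Key Vault only ever wraps and unwraps that DEK, each identity is scoped to one key, and revoking the role assignment makes the data unreadable. The following added example, written for this page rather than taken from the reference architecture, models that control plane so the three properties can be exercised locally. The key names, key options and identity-to-key scoping follow the table above; the identity names are constructed, and the `_seal`/`_open` helpers (an HMAC-SHA256 keystream with a tag) are a standard-library stand-in for the RSA-OAEP wrap and AES disk encryption that Azure performs, not a cipher to reuse.

```python
"""Envelope encryption with a vault-held KEK (added example; stand-in cipher, see lead-in)."""
import hashlib
import hmac
import secrets

AKS_IDENTITY = "aks-user-assigned-identity"        # constructed principal names
MYSQL_IDENTITY = "mysql-system-assigned-identity"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for authenticated encryption: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Vault:
    """Key material stays inside; callers only get the operations they are granted."""

    def __init__(self):
        self._keys = {}    # key name -> (material, allowed operations)
        self._roles = {}   # identity -> set of key names it holds a role on

    def create_hsm_key(self, name, ops=("wrapKey", "unwrapKey")):
        # No export method exists, mirroring a non-exportable RSA-HSM key.
        self._keys[name] = (secrets.token_bytes(32), frozenset(ops))

    def assign(self, identity, key_name):
        self._roles.setdefault(identity, set()).add(key_name)

    def revoke(self, identity, key_name):
        self._roles.get(identity, set()).discard(key_name)

    def _authorize(self, identity, key_name, op):
        material, ops = self._keys[key_name]
        if key_name not in self._roles.get(identity, set()):
            raise PermissionError(f"{identity} holds no role on {key_name}")
        if op not in ops:
            raise PermissionError(f"{op} is not an allowed operation on {key_name}")
        return material

    def wrap_key(self, identity, key_name, dek):
        return _seal(self._authorize(identity, key_name, "wrapKey"), dek)

    def unwrap_key(self, identity, key_name, wrapped):
        return _open(self._authorize(identity, key_name, "unwrapKey"), wrapped)

    def sign(self, identity, key_name, digest):
        return hmac.new(self._authorize(identity, key_name, "sign"), digest, hashlib.sha256).digest()


class EncryptedStore:
    """A disk or database: it persists ciphertext and the *wrapped* DEK only."""

    def __init__(self, key_name):
        self.key_name, self.wrapped_dek, self.ciphertext = key_name, None, None

    def write(self, vault, identity, data):
        dek = secrets.token_bytes(32)                      # fresh data key
        self.ciphertext = _seal(dek, data)
        self.wrapped_dek = vault.wrap_key(identity, self.key_name, dek)
        del dek                                            # plaintext DEK is not kept

    def read(self, vault, identity):
        dek = vault.unwrap_key(identity, self.key_name, self.wrapped_dek)
        return _open(dek, self.ciphertext)


def build_reference_vault():
    """Keys, options and scoping as in the table above; identities constructed."""
    vault = Vault()
    vault.create_hsm_key("aks-encryption-key")
    vault.create_hsm_key("mysql-encryption-key")
    vault.assign(AKS_IDENTITY, "aks-encryption-key")
    vault.assign(MYSQL_IDENTITY, "mysql-encryption-key")
    return vault


def can_read(store, vault, identity) -> bool:
    try:
        store.read(vault, identity)
        return True
    except PermissionError:
        return False


def can_sign(vault, identity, key_name) -> bool:
    try:
        vault.sign(identity, key_name, b"\x00" * 32)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = build_reference_vault()
    volume = EncryptedStore("aks-encryption-key")
    volume.write(vault, AKS_IDENTITY, b"persistent volume contents")
    print("AKS reads own volume:", can_read(volume, vault, AKS_IDENTITY))
    print("MySQL identity reads AKS volume:", can_read(volume, vault, MYSQL_IDENTITY))
    print("AKS key can sign:", can_sign(vault, AKS_IDENTITY, "aks-encryption-key"))
    vault.revoke(AKS_IDENTITY, "aks-encryption-key")
    print("AKS reads after revocation:", can_read(volume, vault, AKS_IDENTITY))
```

Note that revocation does not touch the stored ciphertext or the wrapped DEK; it only removes the ability to unwrap, which is why the role assignment on the KEK, rather than the storage itself, is the control to monitor.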

Calls to Action

Learn more about Customer-managed keys for Azure Storage encryption to get the most up-to-date information at the Microsoft Docs.

Learn more about Connecting with Managed Identity to Azure Database for MySQL to get the most up-to-date information at the Microsoft Docs.

Read about AAD configuration in the next section.

4 - AAD authentication

Deep Dive into AAD authentication

Azure Active Directory (AAD) Authentication

This reference architecture utilises Azure Active Directory (AAD) for authentication wherever possible, fortifying the integrity of the whole system by removing stored passwords. User accounts and Managed Identities are used throughout the reference architecture in place of passwords.

AAD authentication for Azure Kubernetes Service

Within Azure Kubernetes Service (AKS), AAD Pod Identity enables Kubernetes applications to access cloud resources securely with Azure Active Directory.

Using Kubernetes primitives, administrators configure identities and bindings to match pods. Then without any code modifications, your containerized applications can leverage any resource in the cloud that depends on AAD as an identity provider.

This reference architecture uses AAD Pod Identity on all AKS Pods.

Each AKS Pod has a managed identity which has been granted least privilege rights to the resources it consumes, for example, single secret RBAC grants within Key Vault or single database access within Azure Database for MySQL.

AAD authentication for Key Vault

Key Vault is configured to use RBAC based on AAD; please refer to the Key Vault section for more information.

AAD authentication for Azure Database for MySQL

Authenticating to databases with static passwords or shared credentials stored in internal systems may be a security and privacy risk, as credentials may become exposed through over-sharing of the passwords with other parties or the lack of a short rotation policy.

This reference architecture implements AAD authentication for MySQL on all deployed MySQL servers which enables authentication via short life tokens instead of passwords for applications connecting to Azure Database for MySQL.
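A short-lived token changes how the application must treat its database credential: it is presented to MySQL in place of a password, but it expires, so the client has to check the token's audience and remaining lifetime and fetch a fresh one before reconnecting. The block below is an added example written for this page, not code from the reference architecture or the Azure SDK. The token is constructed and unsigned so the example runs offline; in the deployment the token comes from the pod's managed identity and the server validates its signature. The audience URL is the one Azure uses for Azure Database for MySQL access tokens.

```python
"""Handling an AAD access token as an expiring MySQL credential (added example)."""
import base64
import json
import time

# Audience of AAD tokens issued for Azure Database for MySQL.
MYSQL_AUDIENCE = "https://ossrdbms-aad.database.windows.net"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned JWT for offline testing only (alg 'none', empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Decode the payload; this reads claims, it does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_usable(token: str, now=None, audience=MYSQL_AUDIENCE, min_remaining=300) -> bool:
    """True if the token targets `audience` and has more than `min_remaining` seconds left."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False
    return exp - now > min_remaining


class TokenPassword:
    """Caches a token and asks `supplier` for a new one when it is close to expiry."""

    def __init__(self, supplier, min_remaining=300):
        self._supplier = supplier          # e.g. a managed-identity credential call
        self._token = None
        self._min_remaining = min_remaining

    def get(self, now=None) -> str:
        if self._token is None or not token_usable(self._token, now, min_remaining=self._min_remaining):
            self._token = self._supplier()
        return self._token


if __name__ == "__main__":
    now = int(time.time())
    fresh = make_constructed_token({"aud": MYSQL_AUDIENCE, "exp": now + 3600, "sub": "constructed"})
    stale = make_constructed_token({"aud": MYSQL_AUDIENCE, "exp": now + 60, "sub": "constructed"})
    print("fresh token usable:", token_usable(fresh, now))
    print("token expiring in 60s usable:", token_usable(stale, now))
```

In the deployed application the value returned by `get()` is passed as the MySQL password for the AAD user, with the driver's clear-text authentication plugin enabled as Azure's MySQL documentation describes; the supplier is whatever credential object obtains tokens from the pod's managed identity.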

AAD authentication for Web Authentication

Verifying and authenticating the users who have the authority to create a certificate on an issuing service is paramount; integrating the issuing web service with AAD provides organisation-level access control and user and group policies.

Web Authentication to the certificate issuing service with AAD is documented in detail in the Deployment Section of the documentation.

Calls to Action

Learn more about Azure Active Directory (AAD) and get the most up-to-date information at the Microsoft Docs.

Read about Log Analytics in the next section.

5 - Azure Log Analytics

Deep Dive into Azure Log Analytics workspaces and linking to an Azure Log Analytics Cluster.

Azure Log Analytics

The Azure Log Analytics agent collects telemetry from Azure resources, on-premises machines, and machines monitored by System Center Operations Manager and sends the collected data to your Log Analytics Workspace in Azure Monitor. The Log Analytics agent also supports insights and other services in Azure Monitor such as VM insights and Azure Security Center.

Azure Log Analytics Workspaces

Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor Logs and interactively analyze their results. You can use Log Analytics queries to retrieve records that match particular criteria, identify trends, analyze patterns, and provide a variety of insights into your data.

Azure Log Analytics Cluster

Azure Monitor Logs Dedicated Clusters are a deployment option that enables advanced capabilities for Azure Monitor Logs customers. Customers can select which of their Log Analytics workspaces should be hosted on dedicated clusters. Capabilities that require dedicated clusters currently include: Customer-managed Keys, Double encryption, Availability Zones, Lockbox and Multi-workspace.

NOTE: Dedicated clusters require customers to commit for at least 500 GB of data ingestion per day.

Linking Log Analytics Workspaces to a Log Analytics Cluster in your current subscription

  • To link an existing Log Analytics Cluster to the COVID 19 EU Digital Green Certificate Project's Log Analytics Workspaces, first set enable_log_analytics_workspace to true and add the resource id of the cluster in log_analytics_cluster_id in terraform.tfvars
...
enable_log_analytics_workspace      = true
log_analytics_cluster_id            = "<id>"
...

Azure Log Analytics Solution

Monitoring solutions in Azure Monitor provide analysis of the operation of an Azure application or service.

Azure Log Analytics Solutions table

| Log Analytics Solution | Publisher | Product | Description |
| --- | --- | --- | --- |
| ContainerInsights | Microsoft | OMSGallery/ContainerInsights | Container insights is a feature designed to monitor the performance of container workloads. |
| KeyVaultAnalytics | Microsoft | OMSGallery/KeyVaultAnalytics | Key Vault insights provides comprehensive monitoring of your key vaults by delivering a unified view of your Key Vault requests, performance, failures, and latency. |
| SecurityInsights | Microsoft | OMSGallery/SecurityInsights | Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. The Azure Sentinel PowerShell module (Az.SecurityInsights) allows you to interact with the following components: Incidents, Analytics Rules (Alert Rules). |
| NetworkMonitoring | Microsoft | OMSGallery/NetworkMonitoring | Network Monitoring insights is a feature designed to monitor the performance of Network Monitoring traffic. |
| ServiceMap | Microsoft | OMSGallery/ServiceMap | Service Map automatically discovers application components on Windows and Linux systems and maps the communication between services. With Service Map, you can view your servers in the way that you think of them: as interconnected systems that deliver critical services. Service Map shows connections between servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture, with no configuration required other than the installation of an agent. |
| AzureActivity | Microsoft | OMSGallery/AzureActivity | The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. This article provides details on viewing the Activity log and sending it to different destinations. |
| Updates | Microsoft | OMSGallery/Updates | Enable Update Management using Azure Resource Manager template |
| SQLAssessmentPlus | Microsoft | OMSGallery/SQLAssessmentPlus | SQL Health Check solution to assess the risk and health of your server environments on a regular interval, provides a prioritized list of recommendations specific to your deployed server infrastructure. The recommendations are categorized across six focus areas which help you quickly understand the risk and take corrective action |

Azure Log Analytics Diagnostic Setting

Manages a Diagnostic Setting for an existing Resource

Azure Log Analytics Diagnostic Setting table

| Resource | Log | Metric |
| --- | --- | --- |
| KeyVault | AuditEvent | AllMetrics |
| ACR | ContainerRegistryRepositoryEvents, ContainerRegistryLoginEvents | |
| MySQL Server | MySqlAuditLogs, MySqlSlowLogs | AllMetrics |
| AKS | oms_agent | oms_agent |

Calls to Action

Learn more about Azure Log Analytics and get the most up-to-date information at the Microsoft Docs.

Read about Terraform in the next section.