
I want to deploy a microservice on an Azure Ubuntu VM using one of the following stacks: docker-compose or AKS, using Traefik as a reverse proxy.

I'm looking for the cheapest solution that is still reasonable in terms of security.

Will opening port 443 in my VM firewall (the rest will be closed) and forwarding it to a public IP in Azure create a major risk or break security rules? (It will be a test environment, so things like DDoS don't bother me.)

With AKS it will be a LoadBalancer service with port 443 mapped to an Azure public IP, so pretty much the same approach but without direct control of the VM firewall (Kubernetes manages everything else).

There is an NSG that only allows inbound Internet traffic on port 443. All microservices will be secured with proper authentication, and only the services needed by end users will be exposed to the public internet via the reverse proxy. I was looking for this type of architecture on the internet but never found anything.

Greg Askew
rethon012
  • What are your security worries? What is the alternative to deploying it this way? – vidarlo Apr 01 '23 at 10:38
  • I was thinking about whether I really have to deploy Azure Firewall in front of my VM, or some WAF, in terms of public internet access. I also found this and it concerned me a lot: https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Network/unrestricted-https-access.html – rethon012 Apr 01 '23 at 10:52
  • This sounds suspicious. And you have found documentation that states there are components missing for what you are doing. Now you are shopping it around to see if you can find anyone who agrees that you do not need something external to *your application* that will perform logging and filtering. 99% of the decision criteria is cost. You don't provide what the service is doing, types of data, data flows, network diagrams, or any other decision criteria. Except that it is a test environment. Are we missing anything? – Greg Askew Apr 01 '23 at 11:33
  • I'll provide a diagram in a moment with an explanation – rethon012 Apr 01 '23 at 11:35
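A minimal docker-compose layout for the setup the question describes, as an added example rather than the asker's own configuration: only the Traefik container publishes a host port (443), the backend services sit on an internal network with no published ports, and certificates are obtained with the ACME TLS-ALPN challenge, which works with port 80 closed. Hostnames, image names and the e-mail address are placeholders.

```yaml
# Constructed example: Traefik v2 as the only Internet-facing container.
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      # Containers are NOT routed unless they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      # TLS-ALPN-01 validates over 443 itself, so port 80 can stay closed.
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=admin@example.com"   # placeholder
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      # No dashboard/API exposed at all on a public edge.
      - "--api.dashboard=false"
    ports:
      - "443:443"          # the only published port in the whole stack
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"   # read-only socket
      - "./letsencrypt:/letsencrypt"
    networks:
      - edge

  app:
    image: example/app:latest   # placeholder image of the end-user service
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.example.com`)"   # placeholder host
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls.certresolver=le"
      - "traefik.http.services.app.loadbalancer.server.port=8080"
    # No "ports:" here: reachable only through Traefik.
    networks:
      - edge
      - internal

  db:
    image: postgres:15
    # Not labelled for Traefik and only on the internal network.
    networks:
      - internal

networks:
  edge: {}
  internal:
    internal: true   # no route to the outside, in either direction
```

Docker programs its own iptables rules and bypasses ufw for published ports, so the NSG rule allowing only 443 is the perimeter that actually holds; with this file nothing other than 443 is published in the first place.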

1 Answer

There's no yes or no answer to such questions. In short, you have to weigh risks and benefits.

A WAF may make some attacks more difficult. Against other attacks it doesn't make any difference. It has a cost - both in complexity and monetary value.

This is in general true for everything you do - it has costs and benefits.

Running stuff on a machine exposed to the Internet was until a few years ago the common way of doing small-medium deployments; it really only changed with cloud environments.

vidarlo