After you provision a resource, you'll often need to configure it to meet the needs of your applications and environment. For example, you might need to set up network access or open a firewall port to enable your applications to connect to the resource. Now you'll learn how to enable network access to your resources and how you can prevent accidental exposure of your resources to third parties. You'll also see how to use authentication and access control to protect the data managed by your resources.

The default connectivity for Azure Cosmos DB and Azure Storage is to enable access to the world at large. You can connect to these services from an on-premises network, from the internet, or from within an Azure virtual network. Although this level of access sounds risky, most Microsoft Azure services mitigate the risk by requiring authentication before granting access; authentication is described later in this lesson. You should note that an Azure virtual network is a representation of your own network in the cloud. A virtual network enables you to connect virtual machines and Azure services together in much the same way that you might use a physical network on premises. Microsoft Azure ensures that each virtual network is isolated from the virtual networks created by other users and from the internet. Microsoft Azure enables you to specify which machines (real and virtual) and services are allowed to access resources on the virtual network, and which ports they can use.

To restrict connectivity, you use the Networking page for a service. To limit connectivity, choose Selected networks. Three further sections will appear, labeled Virtual networks, Firewall, and Exceptions. In the Virtual networks section, you can specify which virtual networks are allowed to route traffic to the service.
When you create items such as web applications and virtual machines, you can add them to a virtual network. If these applications and virtual machines require access to your resource, add the virtual network containing these items to the list of allowed networks. If you need to connect to the service from an on-premises computer, add the IP address of the computer in the Firewall section. This setting creates a firewall rule that allows traffic from that address to reach the service. The Exceptions setting allows you to enable access for any other of your services created in your Azure subscription. For detailed information, read "Configure Azure Storage firewalls and virtual networks" in the additional readings at the end of this lesson.

An Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. A private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. The service could be an Azure service such as Azure Storage, Azure Cosmos DB, or Azure SQL, or your own Private Link service. For detailed information, read "What is Azure Private Endpoint?", which is linked to in the additional readings at the end of this lesson. The Private endpoint connections page for a service allows you to specify which private endpoints, if any, are permitted to access your service. You can use the settings on this page together with the Firewalls and virtual networks page to completely lock down users and applications from accessing public endpoints to connect to your Cosmos DB account.

Many services provide an access key that you can specify when you attempt to connect to the service. If you provide an incorrect key, you'll be denied access. To find the access key for an Azure Storage account, you select Access keys under Settings on the main page for the account. Many other services allow you to view the access key in the same way from the Azure portal.
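As an added example that is not part of the lesson, here is a defender-side check in Python over the Networking settings just described: it audits a storage account's network rule set as `az storage account show` reports it (the JSON field names and the sample accounts are assumed and constructed, not taken from the lesson) and flags an open default action, private or over-broad firewall IP rules, and virtual network rules that do not name a subnet.

```python
import ipaddress

# Constructed samples shaped like `az storage account show` output. The field names
# (publicNetworkAccess, networkRuleSet, defaultAction, ipRules, ipAddressOrRange,
# virtualNetworkRules, virtualNetworkResourceId) are assumed from the Azure CLI.
SUBNET_ID = ("/subscriptions/<sub-id>/resourceGroups/rg-app/providers/"
             "Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web")
WORLD_OPEN = {"name": "stopen", "publicNetworkAccess": "Enabled",
              "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                                 "ipRules": [], "virtualNetworkRules": []}}
LOCKED = {"name": "stlocked", "publicNetworkAccess": "Enabled",
          "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                             "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
                             "virtualNetworkRules": [{"action": "Allow",
                                                      "virtualNetworkResourceId": SUBNET_ID}]}}

# Firewall IP rules apply to public addresses only; an RFC 1918 entry is a configuration mistake.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_network_rules(account: dict, max_hosts: int = 256) -> list[str]:
    """Return findings for one account; an empty list means public access is restricted."""
    findings = []
    if account.get("publicNetworkAccess") == "Disabled":
        return findings  # public endpoint switched off: only private endpoints can reach it
    rules = account.get("networkRuleSet", {})
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is Allow: reachable from any network, "
                        "so the access key or Azure AD token is the only barrier")
    for rule in rules.get("ipRules", []):
        cidr = rule["ipAddressOrRange"]
        net = ipaddress.ip_network(cidr if "/" in cidr else f"{cidr}/32", strict=False)
        if any(net.overlaps(private) for private in RFC1918):
            findings.append(f"ipRules {cidr}: private range, IP rules only take public addresses")
        elif net.num_addresses > max_hosts:
            findings.append(f"ipRules {cidr}: admits {net.num_addresses} addresses, narrow it")
    for rule in rules.get("virtualNetworkRules", []):
        if "/subnets/" not in rule.get("virtualNetworkResourceId", ""):
            findings.append("virtualNetworkRules entry does not reference a subnet")
    return findings
```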
If your key is compromised, you can generate a new access key. You should note that Azure services actually provide two keys, labeled key1 and key2; an application can use either key to connect to the service. Any user or application that knows the access key for a resource can connect to that resource. However, access keys provide a rather coarse-grained level of authentication. Additionally, if you need to regenerate an access key (after accidental disclosure, for example), you may need to update all applications that connect using that key.

Azure Active Directory (Azure AD) provides superior security and ease of use over access key authorization. Microsoft recommends using Azure AD authorization when possible to minimize the potential security vulnerabilities inherent in using access keys. Azure AD is a separate Azure service. You add users and other security principals, such as an application, to a security domain managed by Azure AD. Let's take a closer look at how authentication works with Microsoft Azure. When a user or application attempts to authenticate, they specify the domain to authenticate against. Azure AD will typically require the user or application to provide some credentials, often a password, to prove their identity. It's also possible to configure multi-factor authentication to reduce the possibility of a fraudulent user with a stolen password authenticating. For example, you could specify that not only does the user have to provide a password, but they must also respond to a text or phone message sent to their mobile device before authentication succeeds. If authentication is successful, Azure AD creates an authentication token for the user or application. After a security principal has been authenticated, it might then attempt to access a resource. The authentication token is passed as part of the request to the service. The token is used by the service to authorize access to the specified resource.

Azure AD enables you to specify who or what can access your resources. Access control defines what a user or application can do with your resources after they've been authenticated. Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources and what they can do with those resources. For example, using RBAC you could allow one user to manage virtual machines in a subscription and another user to manage virtual networks; allow a database administrator group to manage SQL databases in a subscription; allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets; and allow an application to access all resources in a resource group.

You control access to resources using Azure RBAC by creating role assignments. A role assignment consists of three elements: a security principal, a role definition, and a scope. A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources. A role definition, often abbreviated to role, is a collection of permissions. A role definition lists the operations that can be performed, such as read, write, and delete. Roles can be given high-level names like Owner or specific names like Virtual Machine Reader. Microsoft Azure includes several built-in roles that you can use, including the following, starting with the least set of permissions: Reader can view existing Azure resources; Contributor can create and manage all types of Azure resources but can't grant access to others; Owner has full access to all resources, including the right to delegate access to others; User Access Administrator lets you manage user access to Azure resources. You can also create your own custom roles; for detailed information, see "Create or update Azure custom roles using the Azure portal" on the Microsoft website.
A scope lists the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if, for example, you want to make someone a Website Contributor but only for one resource group. You add role assignments to a resource in the Azure portal using the Access control (IAM) page. The Role assignments tab enables you to associate a role with a security principal, defining the level of access the role has to the resource. For further information, read "Add or remove Azure role assignments using the Azure portal".

Apart from authentication and authorization, many services provide additional protection through Security. Security implements threat protection and assessment. Threat protection tracks security incidents and alerts across your service; this intelligence monitors the service and detects unusual patterns of activity that could be harmful or could compromise the data managed by the service. Recommendations identifies potential security vulnerabilities and recommends actions to mitigate them. You can control the security settings from the Security page for Azure Storage. The corresponding page for other non-relational services, such as Cosmos DB, is similar.
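As an added example that is not part of the lesson, the three elements of a role assignment described above (security principal, role definition, scope) can be modelled in Python to show why Contributor cannot grant access and how a role assigned at a resource group is inherited by the resources inside it: the built-in roles are reduced to their documented Actions and NotActions, and the principals, subscription ID and resource IDs are constructed placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
# Built-in roles reduced to their Actions/NotActions (as Microsoft documents them).
# Actions grant operations, wildcards allowed; NotActions carve exceptions out of them,
# which is how Contributor manages resources yet cannot grant access to others.
BUILT_IN_ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Delete",
                                    "Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/elevateAccess/Action"]},
    "Owner": {"actions": ["*"], "not_actions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "not_actions": []},
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str       # name of a role definition
    scope: str      # resource ID the assignment applies to, plus everything beneath it

def _matches(pattern: str, action: str) -> bool:
    # Operation names are case-insensitive and '*' may span several '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())

def role_permits(role: str, action: str) -> bool:
    definition = BUILT_IN_ROLES[role]
    granted = any(_matches(p, action) for p in definition["actions"])
    excluded = any(_matches(p, action) for p in definition["not_actions"])
    return granted and not excluded

def in_scope(assignment_scope: str, resource_id: str) -> bool:
    # Scope is hierarchical (subscription > resource group > resource): a role assigned
    # at a parent is inherited by every child, so assign at the narrowest scope that works.
    parent, child = assignment_scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")

def is_authorized(assignments, principal: str, action: str, resource_id: str) -> bool:
    """True if any assignment for this principal covers the resource and permits the action."""
    return any(a.principal == principal and in_scope(a.scope, resource_id)
               and role_permits(a.role, action) for a in assignments)

# Constructed sample: the subscription ID and names are placeholders, not from the lesson.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = SUB + "/resourceGroups/rg-web"
VM1 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [RoleAssignment("alice@example.com", "Contributor", RG_WEB),  # one resource group
               RoleAssignment("bob@example.com", "Reader", SUB)]             # whole subscription
```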