1 July 2020
Communication between two services is a common pattern in an infrastructure where one API needs an answer from another API to fulfil its own request. This communication needs to be secured to prevent unauthorized access to the API. We can secure it by setting up machine to machine authentication.
The risks without machine to machine auth
First, let's look at the risks you are incurring by not setting up machine to machine authentication.
The most common scenario is this: an intruder manages to enter your infrastructure through an unrelated vulnerability, and is then able to communicate with all of your internal APIs without any restriction.
Machine to machine authentication makes sure that your API is secured by adding authentication to it. It can be done in multiple ways: OAuth2, basic authentication or certificates between our machines.
The API can then only be requested by the applications we have authorized. If you don't have authentication on your API, even one that is not directly serving a user, it adds to your potential attack surface.
This is why defence in depth is so important: if the first layer of security (the website or its authentication) is breached, there are still tools to stop intruders from getting at sensitive data.
This can be done by adding authentication to internal APIs and also by encrypting all data in transit and at rest.
There are other tools you can look at to enhance your security posture.
Implementation with Azure and terraform
Here is a quick example of how to set up machine to machine authentication on Azure, using an App Service, API Management, Key Vault and Terraform.
We will set up certificate authentication between the Django app running in App Service and API Management.
We create a certificate with key vault
Get certs and Create API management
Configure the API management policy on your API
Now API Management is going to check for the certificate in every request it receives for this operation. You can configure this at any level you want, from the entire API down to a single operation.
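The three steps above (certificate in Key Vault, API Management and its API, certificate check in the operation policy), put together as one Terraform configuration. This is an added example, not the article's own snippets: the resource names, the resource group and location, the publisher details, the backend URL and the "get-data" operation are all hypothetical, and it assumes the azurerm provider is already configured with an identity allowed to create certificates in the vault.

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "m2m" {
  name     = "rg-m2m-demo" # hypothetical
  location = "westeurope"
}

# Key Vault that holds the client certificate the Django app will present.
resource "azurerm_key_vault" "m2m" {
  name                = "kv-m2m-demo" # hypothetical, must be globally unique
  location            = azurerm_resource_group.m2m.location
  resource_group_name = azurerm_resource_group.m2m.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # The identity running Terraform needs rights to create and read the certificate.
  access_policy {
    tenant_id               = data.azurerm_client_config.current.tenant_id
    object_id               = data.azurerm_client_config.current.object_id
    certificate_permissions = ["create", "get", "list", "delete"]
    secret_permissions      = ["get"]
  }
}

# Step 1: a self-signed client certificate, usable for client authentication only.
resource "azurerm_key_vault_certificate" "client" {
  name         = "django-client-cert"
  key_vault_id = azurerm_key_vault.m2m.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }
    key_properties {
      exportable = true # the app must be able to fetch the private key
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }
    secret_properties {
      content_type = "application/x-pkcs12"
    }
    x509_certificate_properties {
      subject            = "CN=django-app"
      validity_in_months = 12
      key_usage          = ["digitalSignature", "keyEncipherment"]
      extended_key_usage = ["1.3.6.1.5.5.7.3.2"] # clientAuth
    }
    lifetime_action {
      trigger {
        days_before_expiry = 30
      }
      action {
        action_type = "AutoRenew"
      }
    }
  }
}

# Step 2: API Management, the internal API and one operation on it.
resource "azurerm_api_management" "m2m" {
  name                = "apim-m2m-demo" # hypothetical
  location            = azurerm_resource_group.m2m.location
  resource_group_name = azurerm_resource_group.m2m.name
  publisher_name      = "Example Org"
  publisher_email     = "security@example.com"
  sku_name            = "Developer_1"
}

resource "azurerm_api_management_api" "internal" {
  name                = "internal-api"
  resource_group_name = azurerm_resource_group.m2m.name
  api_management_name = azurerm_api_management.m2m.name
  revision            = "1"
  display_name        = "Internal API"
  path                = "internal"
  protocols           = ["https"]
  service_url         = "https://internal-backend.example.invalid" # hypothetical backend
}

resource "azurerm_api_management_api_operation" "get_data" {
  operation_id        = "get-data"
  api_name            = azurerm_api_management_api.internal.name
  api_management_name = azurerm_api_management.m2m.name
  resource_group_name = azurerm_resource_group.m2m.name
  display_name        = "Get data"
  method              = "GET"
  url_template        = "/data"
}

# Step 3: reject every call to this operation that does not present exactly the
# certificate issued above. The expected thumbprint is read from Key Vault, so a
# renewed certificate updates the policy on the next apply.
resource "azurerm_api_management_api_operation_policy" "require_client_cert" {
  api_name            = azurerm_api_management_api_operation.get_data.api_name
  api_management_name = azurerm_api_management.m2m.name
  resource_group_name = azurerm_resource_group.m2m.name
  operation_id        = azurerm_api_management_api_operation.get_data.operation_id

  xml_content = <<XML
<policies>
  <inbound>
    <choose>
      <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != &quot;${upper(azurerm_key_vault_certificate.client.thumbprint)}&quot;)">
        <return-response>
          <set-status code="403" reason="Client certificate required" />
        </return-response>
      </when>
    </choose>
    <base />
  </inbound>
</policies>
XML
}
```

Two points worth knowing before applying this: the policy pins a single thumbprint, which is the strictest check and needs no CA trust configuration in API Management, but it means a renewed certificate is refused until the policy has been re-applied; and the Developer SKU used here negotiates a client certificate at the TLS layer by default, whereas the Consumption tier only does so when client certificate negotiation is enabled on the gateway hostname, without which context.Request.Certificate is always null.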
Now all you need to do is configure Django on your app to send the client certificate with every request to the API. The requests library expects the certificate and its private key as a pair of PEM files (export them from the Key Vault certificate), passed as a tuple in the cert parameter; the CA bundle used to verify the server is controlled by verify, not by cert:
import requests
resp = requests.get('https://example.com', verify=True, cert=('/path/to/client.crt', '/path/to/client.key'))
You have successfully configured machine to machine authentication!
Machine to machine authentication adds an extra security layer that reinforces your security posture. Defence in depth is one of the most important aspects of security today, given the multiplication of attack vectors now that CI/CD pipelines deploy to production more and more often.
You can learn more about this issue through this article that talks about DevSecOps.