Understanding Azure’s Encryption in Transit

In this short article, we will look at the basic concepts of encryption in transit.

What is it?

We looked at encryption at rest in a previous article. It means making sure that stored data is not easily readable if a malicious user obtains access to the disk.

The term encryption in transit is self-explanatory: it is about protecting data while it is being transferred from one component or layer to another.

Nowadays, distributed systems are very common, and applications often follow a microservices-style architecture. These microservices constantly send data to one another, so protecting data in transit is something most of us need to understand.

It is achieved by enabling Transport Layer Security (TLS). For HTTP-based services, this means using the HTTPS protocol so that data is not readable while it is on the wire.

Why?

Transport Layer Security ensures that nobody can eavesdrop on or tamper with messages while they are on the wire. Thus, it not only keeps the data confidential but also helps maintain its integrity.

What are the options?

Most Azure services provide configuration settings to enable TLS. This option is enabled by default, and users can disable it if for any reason they don't need it.

Also, for some services, such as RDP access to virtual machines, you can create VPNs to add another layer of security.

There is also the option to create virtual networks and make Azure services part of them instead of exposing them directly to the internet. This way, you can configure firewall rules and control who can communicate with which service.

You can use an Azure VPN gateway to send encrypted traffic between your virtual network and your on-premises location across a public connection, or to send traffic between virtual networks.
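Because the transit settings are enabled by default but can be switched off per account, it is worth auditing them across a subscription rather than trusting the default. The following Go program is an added example (not code from the original article) that scans records in the shape that `az storage account list -o json` prints (the `name`, `resourceGroup`, `supportsHttpsTrafficOnly` and `minimumTlsVersion` fields) and flags accounts that still accept plain HTTP or negotiate TLS below 1.2, printing the `az storage account update` command that would fix each one. The three sample accounts are constructed for the example; an account whose record carries no `minimumTlsVersion` value is treated as TLS1_0, the default the article shows for a storage account.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StorageAccount holds the fields of an `az storage account list` record
// that matter for encryption in transit (assumed shape for this example).
type StorageAccount struct {
	Name                     string `json:"name"`
	ResourceGroup            string `json:"resourceGroup"`
	SupportsHTTPSTrafficOnly bool   `json:"supportsHttpsTrafficOnly"`
	MinimumTLSVersion        string `json:"minimumTlsVersion"` // "TLS1_0", "TLS1_1", "TLS1_2", or "" when never set
}

// tlsRank orders the Azure TLS version labels so they can be compared.
var tlsRank = map[string]int{"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}

// Finding describes one weak transit setting on one account.
type Finding struct {
	Account string
	Issue   string
	Fix     string // remediation command, built for the example from the record's fields
}

// Audit returns a finding for every account that allows plain HTTP or
// accepts TLS below 1.2. Accounts that pass both checks produce nothing.
func Audit(accounts []StorageAccount) []Finding {
	var findings []Finding
	for _, a := range accounts {
		if !a.SupportsHTTPSTrafficOnly {
			findings = append(findings, Finding{
				Account: a.Name,
				Issue:   "secure transfer not required: plain HTTP is accepted",
				Fix:     fmt.Sprintf("az storage account update -g %s -n %s --https-only true", a.ResourceGroup, a.Name),
			})
		}
		minVer := a.MinimumTLSVersion
		if minVer == "" {
			minVer = "TLS1_0" // accounts that never had the setting written behave as TLS1_0
		}
		if tlsRank[minVer] < tlsRank["TLS1_2"] {
			findings = append(findings, Finding{
				Account: a.Name,
				Issue:   "minimum TLS version is " + minVer + "; clients may negotiate TLS 1.0/1.1",
				Fix:     fmt.Sprintf("az storage account update -g %s -n %s --min-tls-version TLS1_2", a.ResourceGroup, a.Name),
			})
		}
	}
	return findings
}

// sampleJSON is constructed input mimicking `az storage account list -o json`.
const sampleJSON = `[
  {"name": "stlegacy01",   "resourceGroup": "rg-demo", "supportsHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0"},
  {"name": "stunset02",    "resourceGroup": "rg-demo", "supportsHttpsTrafficOnly": true},
  {"name": "sthardened03", "resourceGroup": "rg-demo", "supportsHttpsTrafficOnly": true,  "minimumTlsVersion": "TLS1_2"}
]`

// AuditJSON parses CLI output and audits the accounts it contains.
func AuditJSON(data []byte) ([]Finding, error) {
	var accounts []StorageAccount
	if err := json.Unmarshal(data, &accounts); err != nil {
		return nil, err
	}
	return Audit(accounts), nil
}

func main() {
	findings, err := AuditJSON([]byte(sampleJSON))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s\n               fix: %s\n", f.Account, f.Issue, f.Fix)
	}
}
```

Run against real output by piping `az storage account list -o json` into the program instead of `sampleJSON`; the hardened account produces no finding, the legacy one produces two, and the account with the setting never written is flagged for the implicit TLS1_0 floor.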

Examples

The new Azure Resource Manager (ARM) provides different ways to access and manage Azure services. You can manage them using PowerShell, the CLI, or the portal, or you can write your own code using the NuGet packages provided by Azure.

Let’s have a look at what settings storage accounts have for enabling encryption in transit.

Storage Account Transport Layer Security Options

As you can see, the Secure transfer required option is enabled and the minimum TLS version supported is 1.0. Both of these options can be changed.

If you want, you can require the stricter and latest version of TLS, TLS 1.2. Then, as shown in the code below, you can specify that the client connects to the storage account only using TLS 1.2:

using System.Net;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

static void StorageAccountUsingTLS12()
{
    // Make .NET offer only TLS 1.2 when it opens the HTTPS connection to Azure Storage
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    // Connect to Azure Storage over HTTPS; replace the placeholders with your own account name and key
    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(
        "DefaultEndpointsProtocol=https;AccountName={yourstorageaccount};AccountKey={yourstorageaccountkey};EndpointSuffix=core.windows.net");
    CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
    CloudBlobContainer container = blobClient.GetContainerReference("foo");
    container.CreateIfNotExists();
}

You can also use a network monitoring tool such as Fiddler to debug and confirm that the REST request issued by the above code really used TLS 1.2.

I hope you enjoyed this article. Let me know your thoughts.
