Commit 81b2ee8

expanding on the outline
1 parent e2cd201 commit 81b2ee8

File tree

2 files changed: +76 -18 lines changed

articles/app-service/app-service-encrypt-at-rest-using-cmk.md

Lines changed: 38 additions & 9 deletions
@@ -16,24 +16,53 @@ Encrypting your Webapp's application data at rest requires the use of an Azure S
1616

1717
## Configure Encryption at Rest
1818

19-
### Create an Azure Storage account.
19+
### Create an Azure Storage account
2020

21-
- Follow these instructions to create an Azure Storage Account and encrypt it with Customer Managed Keys.
22-
- https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#customer-managed-keys-with-azure-key-vault
21+
First, follow [these instructions](https://docs.microsoft.com/azure/storage/common/storage-service-encryption#customer-managed-keys-with-azure-key-vault) to create an Azure Storage Account and encrypt it with Customer Managed Keys. Once the Storage Account is created, use the [Azure Storage Explorer](https://docs.microsoft.com/azure/vs-azure-tools-storage-manage-with-storage-explorer) to upload package files.
22+
23+
Next, use the Storage Explorer to [generate a Shared Access Signature](https://docs.microsoft.com/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows#generate-a-sas-in-storage-explorer) (SAS). Save this SAS URL, this will later be used to enable the App Service runtime to access the package securely.
2324

2425
### Configure Run From Package with your storage account
2526

26-
- Add the App Setting as shown here: https://docs.microsoft.com/en-us/azure/app-service/deploy-run-package#run-from-external-url-instead
27-
- Test that this deploys correctly
27+
Once you upload your file to Blob storage and have an SAS URL for the file, set the `WEBSITE_RUN_FROM_PACKAGE` app setting to the SAS URL. The following example does it by using Azure CLI:
28+
29+
```
30+
az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_RUN_FROM_PACKAGE="<your-SAS-URL>"
31+
```
32+
33+
Adding this app setting will cause your Webapp to restart. Once the Webapp has restarted, browse to it to ensure the application has correctly started with the package in the Storage Account. If the application does not start correctly, see the [Run From Package troubleshooting guide](https://docs.microsoft.com/azure/app-service/deploy-run-package#troubleshooting).
2834

2935
### Encrypt the application setting using Key Vault References
30-
- Now we will replace the App Setting with a Key Vault reference to secure the SAS-encoded URI
31-
- https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
36+
37+
Now we will replace the value for `WEBSITE_RUN_FROM_PACKAGE` with a Key Vault reference to the SAS-encoded URL. This will keep the SAS URL encrypted in Key Vault, providing an extra layer of security.
38+
39+
1. Create an Azure Key Vault.
40+
41+
```azurecli
42+
az keyvault create --name "Contoso-Vault" --resource-group <group-name> --location eastus
43+
```
44+
45+
1. Follow these instructions to [grant your app access](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references#granting-your-app-access-to-key-vault) to Key Vault.
46+
47+
1. Add your external URL as a secret in Key Vault.
48+
49+
```azurecli
50+
az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>"
51+
```
52+
53+
1. Create the `WEBSITE_RUN_FROM_PACKAGE` app setting and set the value as a Key Vault Reference to the external URL.
54+
55+
```azurecli
56+
az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
57+
```
58+
59+
Updating this app setting will cause your Webapp to restart. Once the webapp has restarted, browse to it to ensure it has started correctly with the Key Vault reference.
3260
3361
## Summary
3462
35-
- Overview of what we accomplished
36-
- If you want to revoke access to your data, you can either revoke access to the Key Vault or rotate storage account keys (which would invalidate SAS URI)
63+
Your application files are now encrypted at rest in Azure Storage. When your Webapp starts, it wil retrieve the SAS URL from Azure Key Vault. Finally, the Webapp will load the application files from Azure Storage.
64+
65+
If you want to revoke the Webapp's access to your data, you can either revoke access to the Key Vault or rotate the storage account keys, which will invalidate SAS URL.
3766
3867
## Frequently Asked Questions
3968
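Review bot: the Key Vault reference in the last `az webapp config appsettings set` command of this hunk is missing its closing parenthesis: `WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"` should end with `<secret-version>)"`, otherwise the reference is malformed and the setting will not resolve at startup. The same command also drops `--name <app-name> --resource-group <resource-group-name>`, which the earlier `az webapp config appsettings set` example in this hunk passes; without them the CLI has no app to target. Smaller points: the first CLI block is fenced with a bare ``` while the others use ```azurecli; "it wil retrieve" should read "it will retrieve" and "invalidate SAS URL" should read "invalidate the SAS URL"; and "providing an extra layer of security" would be stronger if it named the layer (access to the SAS URL is now governed and auditable through Key Vault rather than readable in the app settings). Since the SAS URL is the credential that grants the runtime access to the package, the step that generates it could also say what to grant (read-only, with a bounded expiry), which makes the Summary's revocation advice concrete.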

articles/azure-functions/functions-encrypt-at-rest-using-cmk.md

Lines changed: 38 additions & 9 deletions
@@ -16,24 +16,53 @@ Encrypting your Webapp's application data at rest requires the use of an Azure S
1616

1717
## Configure Encryption at Rest
1818

19-
### Create an Azure Storage account.
19+
### Create an Azure Storage account
2020

21-
- Follow these instructions to create an Azure Storage Account and encrypt it with Customer Managed Keys.
22-
- https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#customer-managed-keys-with-azure-key-vault
21+
First, follow [these instructions](https://docs.microsoft.com/azure/storage/common/storage-service-encryption#customer-managed-keys-with-azure-key-vault) to create an Azure Storage Account and encrypt it with Customer Managed Keys. Once the Storage Account is created, use the [Azure Storage Explorer](https://docs.microsoft.com/azure/vs-azure-tools-storage-manage-with-storage-explorer) to upload package files.
22+
23+
Next, use the Storage Explorer to [generate a Shared Access Signature](https://docs.microsoft.com/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows#generate-a-sas-in-storage-explorer) (SAS). Save this SAS URL, this will later be used to enable the App Service runtime to access the package securely.
2324

2425
### Configure Run From Package with your storage account
2526

26-
- Add the App Setting as shown here: https://docs.microsoft.com/en-us/azure/app-service/deploy-run-package#run-from-external-url-instead
27-
- Test that this deploys correctly
27+
Once you upload your file to Blob storage and have an SAS URL for the file, set the `WEBSITE_RUN_FROM_PACKAGE` app setting to the SAS URL. The following example does it by using Azure CLI:
28+
29+
```
30+
az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_RUN_FROM_PACKAGE="<your-SAS-URL>"
31+
```
32+
33+
Adding this app setting will cause your Webapp to restart. Once the Webapp has restarted, browse to it to ensure the application has correctly started with the package in the Storage Account. If the application does not start correctly, see the [Run From Package troubleshooting guide](https://docs.microsoft.com/azure/app-service/deploy-run-package#troubleshooting).
2834

2935
### Encrypt the application setting using Key Vault References
30-
- Now we will replace the App Setting with a Key Vault reference to secure the SAS-encoded URI
31-
- https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
36+
37+
Now we will replace the value for `WEBSITE_RUN_FROM_PACKAGE` with a Key Vault reference to the SAS-encoded URL. This will keep the SAS URL encrypted in Key Vault, providing an extra layer of security.
38+
39+
1. Create an Azure Key Vault.
40+
41+
```azurecli
42+
az keyvault create --name "Contoso-Vault" --resource-group <group-name> --location eastus
43+
```
44+
45+
1. Follow these instructions to [grant your app access](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references#granting-your-app-access-to-key-vault) to Key Vault.
46+
47+
1. Add your external URL as a secret in Key Vault.
48+
49+
```azurecli
50+
az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>"
51+
```
52+
53+
1. Create the `WEBSITE_RUN_FROM_PACKAGE` app setting and set the value as a Key Vault Reference to the external URL.
54+
55+
```azurecli
56+
az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
57+
```
58+
59+
Updating this app setting will cause your Webapp to restart. Once the webapp has restarted, browse to it to ensure it has started correctly with the Key Vault reference.
3260
3361
## Summary
3462
35-
- Overview of what we accomplished
36-
- If you want to revoke access to your data, you can either revoke access to the Key Vault or rotate storage account keys (which would invalidate SAS URI)
63+
Your application files are now encrypted at rest in Azure Storage. When your Webapp starts, it wil retrieve the SAS URL from Azure Key Vault. Finally, the Webapp will load the application files from Azure Storage.
64+
65+
If you want to revoke the Webapp's access to your data, you can either revoke access to the Key Vault or rotate the storage account keys, which will invalidate SAS URL.
3766
3867
## Frequently Asked Questions
3968
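Review bot: this hunk is a verbatim copy of the app-service change, but the file is the Azure Functions article: the hunk context still reads "Encrypting your Webapp's application data", and every new paragraph says "Webapp" and "App Service runtime" where this article should refer to the function app. The defects of the other copy are duplicated here as well (the bare ``` fence on the first CLI block, the missing `)` before the closing quote in the `@Microsoft.KeyVault(SecretUri=...)` reference, the missing `--name`/`--resource-group` on the last `az webapp config appsettings set` command, and the "wil" / "invalidate SAS URL" typos). Suggest fixing both copies together, or moving the shared steps into one shared fragment so the two articles do not drift apart.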
