Dinusha's Blog: August 2023

Tuesday, August 15, 2023

Secure Azure app services behind Azure Front Door using private link

When an Azure App Service is exposed through Azure Front Door, it utilizes the public address and directs the traffic over the public network. However, we can leverage Azure Front Door as the gateway and restrict all public traffic to our origin (Azure App Service app) by utilizing the Private Link integration feature available in Azure Front Door Premium.

Private Link integration enables Front Door to connect with your origin using the Private Link service. This approach eliminates the necessity for your origin to be accessed over the public internet. Instead, it permits Front Door to access the origin using Microsoft's backbone network.

This process establishes the Private Link connection for the origin and necessitates your approval at the origin.

Tuesday, August 1, 2023

Configure SonarQube in Azure Container Instances and connect with Azure DevOps pipelines for Static Application Security Testing (SAST)

Static Application Security Testing (SAST) is a type of security testing that analyzes the source code of an application for security vulnerabilities. SonarQube is a popular platform for SAST that provides powerful code analysis tools for identifying security issues in software code.

SAST is an essential part of a DevSecOps process. DevSecOps aims to integrate security into the development process to identify and fix security issues early in the software development lifecycle.

In this article I will illustrate how we can configure SonarQube in Azure and connect it in Azure DevOps pipeline to detect vulnerabilities early in the development stage.

To organize this article, I will break the workload into two sections.

Configure SonarQube community edition as a container in Azure Container Instances (ACI) with backend as Azure SQL instance
Configure SonarQube in Azure DevOps

Let's start.

Step 1 - Configure Azure SQL database and SoarQube image in ACI

I found this article very useful in configuring with Azure CLI

# Login to Azure environment and select the subscription
az login
az account set --subscription "My Demos"


# Create SQL instance and firewall rules
az sql server create --name srv-sql-sonarqube --resource-group rg-sonarqube --location australiaeast --admin-user sonar --admin-password [Password]
az sql server firewall-rule create --resource-group rg-sonarqube --server srv-sql-sonarqube -n AzureServices --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0

# Create the database in SQL instance
az sql db create --resource-group rg-sonarqube --server srv-sql-sonarqube --name sonarqubeDb --service-objective S0 --collation SQL_Latin1_General_CP1_CS_AS
   
# Create a container instance with offical SonarQube image
az container create --resource-group rg-sonarqube --location australiaeast  --name sonarqube --cpu 2 --memory 3.5 --image sonarqube:7.7-community --os-type Linux --ip-address Public --environment-variables 'SONARQUBE_JDBC_USERNAME'='sonar' 'SONARQUBE_JDBC_PASSWORD'='[Password]' 'SONARQUBE_JDBC_URL'='jdbc:sqlserver://srv-sql-sonarqube.database.windows.net:1433;database=sonarqubeDb;user=sonar@srv-sql-sonarqube;password=[Password];encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30' --ports 9000 --protocol TCP

Once it is deployed, test your ACI instance as below

You can connect to SonarQube instance with admin/admin as default credentials and port 9000.

Now you need to generate a token which will be used when configuring this with Azure DevOps pipeline. For that, navigate to My Account and click on Security.