Securing Azure KeyVault connections using Managed Identity

In the previous post we saw that we can connect to Azure KeyVault from ASP.NET Core application using the default credentials. If you haven't read that, please find it here

Manage application settings with Azure KeyVault

But this is not a secure way of doing things obviously due to security concerns. In order to overcome this, the recommended approach is used to Managed Identity in Azure. This will work only if your application is hosted in Azure. It is similar to a service principal which connects on your app's behalf to communicate with other resources

Create Managed Identity

The first step is to create a Managed Identity resource in Azure and then give read permission for this identity in the Keyvault which you need to communicate

You can refer to the official documentation given below to perform this step

Managed identities for Azure resources

Connecting to KeyVault from ASP.NET Core Web App

Add a Nuget package called Azure.Identity

<PackageReference Include="Azure.Identity" Version="1.6.0" />

Modify the entries in your appsettings.json to add entries for the key vault URL and managed identity id

Manage application settings with Azure KeyVault

Securing your data and application configuration should be of prime importance for an application developer/architect and needs to be taken care of during the design phase itself. It is always better to take preventive steps rather than do firefighting after an incident. There are a lot of best practices out there to safeguard the data, but from time to time we ignore/forget to securely store app configuration settings.

Very often developers tend to store hard-coded passwords, tokens, authorization keys, etc in the code or in the application configuration files and then commit the code into the version control. If your repo is publically available or some bad actors got access to it, then you may end up in a lot of trouble. There are automated bots that look for this kind of information by scanning the repos publically available in GitHub or BitBucket and then target your infrastructure with these credentials

Securing the configuration settings

There are a lot of ways you can make that secure, for example by encrypting the entries in the configuration files or by keeping that sensitive information in some other medium such as a database. Another option is to rely on resources provided by cloud vendors such as Microsoft or Amazon.

Azure KeyVault is one such cloud service provided by Microsoft for securely storing and accessing not only secrets but also certificates, keys, passwords, etc. Please refer to this official document for more details about Azure KeyVault. Apart from storing it securely, KeyVault provides additional features such as access control, audit logging, versioning, validity, and much more. With the help of these features, we can make sure that only authorized personnel/app has access to the data with proper auditing and expiration controls.

Adding Serilog to Azure Functions created using .NET 5

Before the release of .NET 5, all functions developed using .NET ran as a class library in Azure and it was running inside the same process as the host. But with .NET 5, a function app built with .NET 5 runs in an isolated worker process which lets you decouple your function code from the runtime. A .NET isolated function is basically a console application targeting .NET 5 and requires the following files

• host.json file
• local.settings.json file
• C# project file which defines the project and dependencies
• Program.cs file(entry point of the app)

In this post, I will go through the steps that are needed for creating a .NET 5 Azure function, integrating Serilog for file logging, debugging, and running it locally, and then move on to publishing the function to Azure. You may already know that Azure functions already support some form of logging out of the box, but you may need to implement custom logging mechanisms depending on your need or for satisfying organizational requirements. I am going to use Serilog, which is a third-party logging provider which supports .NET and is also one of the most widely used in the ecosystem

Pre-requisites

There are some things you need before you start implementing this one. Azure Subscription is needed for hosting the functions in Azure, .NET 5 SDK, and Azure Functions Core Tools. Azure CLI is needed for developing, debugging, and publishing the app to Azure and VS Code for writing code. 

Step 1 

The first step is to create a new Functions project, we will be using the func command to create a new one from the command line. Even though you can edit and debug the project in Visual Studio, full support is not yet available as the project templates for creating the project and all. The following command will create a new Azure Function project and specifying the runtime as dotnetisolated enables you to run the app on .NET 5

func init FunctionLogger --worker-runtime dotnetisolated

When this command is executed, it will create all the necessary files including the host.json and local.settings.json files. The host.json file contains the configuration options affecting all the functions in your app whereas the other file can be used for storing options such as connection strings, secrets, and other settings used by your app. Since this file can have sensitive data, it is excluded when you check in the code to source control

Step 2 

Next, we will move on to create a new function in the project which is triggered by an HTTP request. The below statement creates a function named HttpExample using the HttpTrigger template and enables anonymous authentication

func new --name HttpExample --template "HTTP trigger" --authlevel "anonymous"

Learn how to split log data into different tables using Serilog in ASP.NET Core

For most of the application developers, file systems are the primary choice for storing the information generated by the logging providers. One of the main drawbacks of using the files is that it's very difficult for the search for information or to do an analysis of the information written to it over time. Third-party logging providers such as Serilog have facilities to persist the data in database tables instead of the file system. Even then, if you use a single table to write all you errors and other debug information, the size of the table will grow considerably over time which can affect the performance of the whole operation itself.

So, in this post, I will explore the possibility of using multiple tables for storing the logging information using Serilog. If you are new to Serilog, please refer to my previous articles on the same here using the links given below.

• Implementing Logging in a .NET Core Web Application using Serilog
• Rollover log files automatically in an ASP.NET Core Web Application using Serilog
• Write your logs into database in an ASP.NET Core application using Serilog

Step 1: Create a Web Application in .NET Core

To get started we will create a new empty web application using the default template available in Visual Studio. Goto File -> New Project -> ASP.NET Core Web Application

Give a name for the application, leave the rest of the fields with default values and click Create

In the next window, select Web Application as a project template. Before you click on the Create button, make sure that you have selected the desired version of .NET Core in the dropdown shown at the top. Here, for this one, I selected .NET 5.0

You can also do this from .NET CLI using the following command

dotnet new web  --name SerilogMultipleTables

When the command is executed it will scaffold a new application using the MVC structure and then restores the necessary packages needed for the default template.

Writing logs to different files using Serilog in ASP.NET Core Web Application

Application log files play an important role in analyzing the bugs and for troubleshooting issues in an application. It’s worth noting that the log files are also used for writing information about events and other information that occurs when the application is running or serving requests in the case of a web application. Most application developers use a single file to log everything from errors, warnings, debug information, etc. There is no harm in following this approach, but the downside is that it will be harder for you to segregate information from the file easily. We can easily overcome this by maintaining multiple log files depending on the need. In this post, I am going to show how we can achieve this with Serilog

Serilog is a popular third party diagnostic logging library for .NET applications, I have already written some post about it and it’s usage already. If you are new to Serilog, please refer to those posts using the links given below.

• Implementing Logging in a .NET Core Web Application using Serilog
• Rollover log files automatically in an ASP.NET Core Web Application using Serilog
• Write your logs into database in an ASP.NET Core application using Serilog

Step 1 : Create a Web Application in .NET Core

Create a new ASP.NET Core MVC application using the below command

dotnet new mvc  --name MultiLogFileSample

You can also do this from Visual Studio by going into File -> New Project -> ASP .NET Core Web Application

When the command is executed it will scaffold a new application using the MVC structure and then restores the necessary packages needed for the default template.

By default, it will create two json files named, appsettings.json and appsettings.development.json. These are the configuration files for the application and are chosen based on the environment where your application is running. These files will have a default configuration as shown below basically sets the default level for logging.

{
  "Logging":{
    "LogLevel":{
      "Default":Information",
      "Microsoft":Warning",
      "Microsoft.Hosting.Lifetime":Information"
    }
  }
}

By default, it is set as Information, which writes a lot of data to the logs. This setting is very useful while we are developing the application, but we should set it higher severity levels when the application is deployed to higher environments. Since Serilog is not going to reference this section, we can safely remove this from the configuration files

Write your logs into database in an ASP.NET Core application using Serilog

In most scenarios, we normally use a flat-files for writing your logs or exception messages. But what if you write that information into the table in a database instead of a file. To implement this functionality, we can make use of third-party providers such as Serilog to log information in a SQL server database. Even though it's not a recommended approach, one can easily search the logs by executing SQL queries against the table.

Installing Packages

Serilog provides the functionality to write logs to different sources such as files, trace logs, database and the providers for these are called Serilog Sinks. To write logs to a table in a SQL Server database, you will need to add the following NuGet packages

Install-Package Serilog
Install-Package Serilog.Settings.Configuration
Install-Package Serilog.Sinks.MSSqlServer

The first package contains the core runtime, the second package can read the key under the "Serilog" section from a valid IConfiguration source and the last one is responsible for making the connection to the database and writing information into the log table.

Configuring Serilog 

Modify the appsettings.json file to add a new section called "Serilog". We will set up the connection string to the database, provide the name of the table and instruct Serilog to create the table if not found in the DB

"Serilog": {
    "MinimumLevel": "Error",
    "WriteTo": [
      {
        "Name": "MSSqlServer",
        "Args": {
          "connectionString": "Server=(localdb)\\MSSQLLocalDB;Database=Employee;Trusted_Connection=True;MultipleActiveResultSets=true",
          "tableName": "Logs",
          "autoCreateSqlTable": true
        }
      }
    ]
  },

Rollover log files automatically in an ASP.NET Core Web Application using Serilog

We all implement logging in whatever applications we develop and over time it will grow bigger by each passing day. If we don't control that over time we will run into problems, especially with the size. Most of the logging providers help to overcome this by using rolling log providers which automatically archives the current log file when it reaches specific criteria or a threshold and creates the new file to resume the logging. In this article we will how we can make of the rolling file provider supported by Serilog to implement this functionality.

Step 1: Install Packages

First, install the following packages

Install-Package Serilog
Install-Package Serilog.Extensions.Logging
Install-Package Serilog.Sinks.File

The first package has all the core functionalities of Serilog whereas the second one is a provider for the logging subsystem used by ASP.NET Core(Microsoft.Extensions.Logging). The third package is responsible for writing the log information to the file, manages the rollover and all the related functionalities

Step 2: Configure Serilog

Modify the appsettings.json file to include the path for the log file

 "Logging": {
    "LogPath": "logs//ex.log",
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  }

Then, configure the sink to read this path from the config file and set it up to write to the file by modifying the CreateHostBuilder method in Program.cs file

 
var configSettings = new ConfigurationBuilder()
    .AddJsonFile("appsettings.json")
    .Build();

Log.Logger = new LoggerConfiguration()

    .WriteTo.File(configSettings["Logging:LogPath"], rollOnFileSizeLimit:true,fileSizeLimitBytes:10)
    .CreateLogger()

Implementing Logging in a .NET Core Web Application using Serilog

Setting up default logging

Create a new MVC application from Visual Studio. By default, Logging is enabled in the application via the ILogger interface. It has got some built-in providers for writing the log information to the console, event log as well as for third-party providers such as NLog, Serilog, etc.

For example, if you want to write logging information to the console window or event log, you will need to configure it in the CreateDefaultHostBuilder method in the Program.cs file as shown below.

 public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
    .ConfigureLogging(logging =>
    {
        logging.AddConsole();
        logging.AddEventLog();
    })
    .ConfigureWebHostDefaults(webBuilder =>
    {
        webBuilder.UseStartup();
    });

In the case of a web app, you will get an ILogger from the DI container and use that object for writing into the configured log providers. Let's see how we can do that in the HomeController

First, create a private variable for the logger interface.

private readonly ILogger<HomeController> _logger;

Then modify the constructor as shown below

public HomeController(ILogger logger)
{
    _logger = logger;
}