# End-to-end Sensitive Web App - with Azure Confidential Services

An end-to-end demonstration of a Confidential Web App running on an AMD-powered Confidential VM with Azure SQL, AKV mHSM and Azure Confidential Ledger.
## Overview

This repository demonstrates an architectural design pattern for hosting an end-to-end Confidential Application on Azure Confidential Compute:

### Core components

- **Sensitive Data - Azure SQL DB - Always Encrypted with secure enclaves**: For hosting a sample confidential `ContosoHR` database with `SSN` and `Salary` columns that are encrypted via a `CMK`.
- **Sensitive Data Encryption Keys - Azure Key Vault - mHSM**: A FIPS 140-2 Level 3 validated HSM, used in this case for storing the Always Encrypted Column Master Key (`CMK`) for the `ContosoHR` database.
- **Sensitive Application Logic - Azure Confidential VM - with AMD EPYC 3 SEV-SNP** (Private Preview Signup): For hosting an ASP.NET Web app that queries the `ContosoHR` Azure SQL DB using the ADO.NET driver, as well as a Python application that leverages the Azure Confidential Ledger PyPI package to persist sensitive logs generated on the Web app (in this case, query history).
- **Sensitive Application Logs - Azure Confidential Ledger** (Private Preview Signup): An append-only, immutable ledger (see CCF documentation) for hosting sensitive logs.

All components of this architecture, including Sensitive Data, Sensitive Data Encryption Keys, Sensitive Application Logic and Sensitive Application Logs, are hosted at or above the blue dotted line highlighted below:

In this demonstration, we leverage a Confidential VM to emphasize one core point: no code changes are required of an existing application (in our case, an ASP.NET Web App) to run on an AMD SEV-SNP enabled Virtual Machine on Azure.

## Live Demo
## Setup

### Pre-requisites

- **Azure Confidential VM - `Standard_DC2as_v4`**: At the time of writing, Azure CVMs are in Limited Preview and can be enabled for your subscription by filling out this form here.

  💡 For the purposes of following along, since CVMs provide a seamless deployment experience for the Web App, you can also leverage any Windows machine available to you. On this machine, install the following pre-requisite components:

- **Azure Confidential Ledger**: For detailed deployment steps on ACL, please refer to the documentation here. The Python package for ACL can be found here on PyPI.
- **Azure SQL DB deployment for `ContosoHR`**: To quickly deploy an Azure SQL Database, Azure Key Vault and Microsoft Azure Attestation while going through the steps in setting up the `ContosoHR` database, please refer to this article.

  💡 For an automated deployment of all 3, please refer to this repository: Link TBD.
### Setup

We break down our setup into 3 components from the demo:

#### 1. Web App

- Download the code from this repo into an Azure Confidential VM with the pre-requisite components installed. Validate the Python version by using:

  ```powershell
  python --version
  ```

- To launch the Web app, we first inject the secrets required in `appsettings.json`:

  ```powershell
  # Replace .. with your Directory location
  cd "..\hrapp-on-confidential-cloud\01-contoso-web-app-asp-net\ContosoHR"

  # Replace with your SQL Server connection settings
  dotnet user-secrets set "ConnectionStrings:ContosoHRDatabase" "Data Source = your--azure--sqlserver.database.windows.net; Initial Catalog = ContosoHR; Column Encryption Setting = Enabled; Attestation Protocol = AAS; Enclave Attestation Url = https://your--attestation--url.eus.attest.azure.net/attest/SgxEnclave; User Id = your--sql--username; Password = your--sql--password"

  # Replace with a Service Principal's Credential that can read the CMK from AKV
  dotnet user-secrets set "KeyVault:clientId" "your--client--id"
  dotnet user-secrets set "KeyVault:secret" "your--client--secret"
  ```

- The Web App expects to store sensitive logs from the demo in `D:\ContosoHR_logs`. Create this folder.

  💡 If you don't have a `D:\` drive, please use `C:\` and update line 103.

- You can launch the Web App using IIS Express now and successfully connect to Azure SQL:

  Any sensitive queries performed will be streamed to `querylogs.txt`:
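The connection string stored above carries three settings that make the app use Always Encrypted with secure enclaves (`Column Encryption Setting`, `Attestation Protocol` and `Enclave Attestation Url`); if any of them is missing the client either receives ciphertext or cannot run enclave computations. The following script, added here as an example and not part of this repository, parses an ADO.NET-style connection string into key/value pairs, reports which of those settings are absent or wrong, and redacts the password before the string is echoed anywhere. The two sample strings are constructed from the placeholders above; the list of required keys is an assumption drawn from that string.

```python
"""Check an Always Encrypted connection string for the enclave settings it needs.

Added example, not code from this repository. The key names come from the
connection string shown in the README; the sample strings are constructed.
"""
from __future__ import annotations

# Settings whose value must match (compared case-insensitively).
REQUIRED_VALUES = {
    "column encryption setting": "enabled",
    "attestation protocol": "aas",
}
# Settings that only need to be present and non-empty.
REQUIRED_PRESENT = ("data source", "initial catalog", "enclave attestation url")


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split 'Key = Value; Key2 = Value2' into a dict keyed by lower-cased name.

    Values keep their case; whitespace around keys and values is stripped.
    Quoted or brace-wrapped values containing ';' are not handled here.
    """
    parts: dict[str, str] = {}
    for segment in conn.split(";"):
        if not segment.strip():
            continue
        if "=" not in segment:
            raise ValueError(f"malformed segment: {segment.strip()!r}")
        key, value = segment.split("=", 1)
        parts[key.strip().lower()] = value.strip()
    return parts


def check_enclave_settings(conn: str) -> list[str]:
    """Return the problems found; an empty list means the string is usable for
    enclave-backed Always Encrypted queries."""
    parts = parse_connection_string(conn)
    problems: list[str] = []
    for key in REQUIRED_PRESENT:
        if not parts.get(key):
            problems.append(f"missing '{key}'")
    for key, expected in REQUIRED_VALUES.items():
        actual = parts.get(key, "")
        if actual.lower() != expected:
            problems.append(f"'{key}' should be '{expected}', got '{actual or '<absent>'}'")
    url = parts.get("enclave attestation url", "")
    if url and not url.lower().startswith("https://"):
        problems.append("'enclave attestation url' must be an https URL")
    return problems


def redact(conn: str) -> str:
    """Mask the password so the string can appear in logs or error messages."""
    kept = []
    for segment in conn.split(";"):
        name = segment.split("=", 1)[0].strip()
        if name.lower() in ("password", "pwd"):
            kept.append(f"{name} = ****")
        elif segment.strip():
            kept.append(segment.strip())
    return "; ".join(kept)


# Constructed samples. WEAK lacks the enclave settings: the driver would hand the
# app ciphertext for SSN/Salary and could not push comparisons into the enclave.
GOOD = (
    "Data Source = your--azure--sqlserver.database.windows.net; Initial Catalog = ContosoHR; "
    "Column Encryption Setting = Enabled; Attestation Protocol = AAS; "
    "Enclave Attestation Url = https://your--attestation--url.eus.attest.azure.net/attest/SgxEnclave; "
    "User Id = your--sql--username; Password = your--sql--password"
)
WEAK = (
    "Data Source = your--azure--sqlserver.database.windows.net; Initial Catalog = ContosoHR; "
    "User Id = your--sql--username; Password = your--sql--password"
)

if __name__ == "__main__":
    for label, conn in (("good", GOOD), ("weak", WEAK)):
        print(label, redact(conn))
        print("  problems:", check_enclave_settings(conn) or "none")
```

Run it before calling `dotnet user-secrets set`; a non-empty problem list for your real string means the Web App would not be using the enclave even though the database columns are encrypted.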
#### 2. Console App: Stream to ACL using Python

- We start a new Python virtual environment via:

  ```powershell
  # Replace .. with your Directory location
  cd "..\hrapp-on-confidential-cloud\02-acl-ledger-python"

  # Create venv
  python -m venv venv

  # Activate venv
  ..\hrapp-on-confidential-cloud\02-acl-ledger-python\venv\Scripts\Activate.ps1

  # Install pypi dependencies
  pip install -r requirements.txt

  # Install ACL wheel (once available on PyPI, please use `pip install azure-confidentialledger` instead of the .whl below)
  pip install azure_confidentialledger-1.0.0b1-py2.py3-none-any.whl
  ```

  If you had changed the log location to the `C:\` drive, then change it within line 13 as well.

- Start the Python ACL streaming process:

  ```powershell
  # python .\stream_logs_to_acl.py clientId clientSecret tenantId ledgerID
  python .\stream_logs_to_acl.py your--clientID your--clientSecret your--tenantId your--unique--ledger
  ```
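The streaming process above follows `querylogs.txt` and appends what the Web App writes to the ledger. The script below is an added example of that pattern and is not the repository's `stream_logs_to_acl.py`: it tails the file by byte offset, only forwards complete lines (so a query the app is still writing is never recorded half-done), and wraps each line as a JSON entry carrying a SHA-256 digest so a reader can later check the ledger copy against the local file. `MemorySink` stands in for the ledger so the example runs offline; `ConfidentialLedgerSink` shows the same interface backed by the azure-confidentialledger SDK, where the client and method names (`ConfidentialLedgerCertificateClient`, `ConfidentialLedgerClient`, `create_ledger_entry`) are those of the GA package rather than the 1.0.0b1 wheel installed above and are an assumption to verify against your installed version. The log lines are constructed.

```python
"""Tail a query-log file and append each complete new line to a ledger.

Added example, not the repository's stream_logs_to_acl.py. The SDK calls in
ConfidentialLedgerSink are an assumption (GA azure-confidentialledger API) and
are imported only when that sink is built, so everything else runs offline.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Protocol


class LedgerSink(Protocol):
    def write_entry(self, contents: str) -> None: ...


class MemorySink:
    """In-memory stand-in for the ledger, used for offline runs and tests."""

    def __init__(self) -> None:
        self.entries: list[str] = []

    def write_entry(self, contents: str) -> None:
        self.entries.append(contents)


class ConfidentialLedgerSink:
    """Writes entries through the azure-confidentialledger SDK (assumed API)."""

    def __init__(self, ledger_name: str, credential) -> None:
        from azure.confidentialledger import ConfidentialLedgerClient
        from azure.confidentialledger.certificate import ConfidentialLedgerCertificateClient

        # Fetch the ledger's TLS certificate from the identity service and pin it.
        identity = ConfidentialLedgerCertificateClient(
            endpoint="https://identity.confidential-ledger.core.azure.com")
        cert = identity.get_ledger_identity(ledger_id=ledger_name)["ledgerTlsCertificate"]
        cert_path = os.path.join(tempfile.gettempdir(), f"{ledger_name}_tls.pem")
        with open(cert_path, "w", encoding="utf-8") as fh:
            fh.write(cert)
        self._client = ConfidentialLedgerClient(
            endpoint=f"https://{ledger_name}.confidential-ledger.azure.com",
            credential=credential,
            ledger_certificate_path=cert_path,
        )

    def write_entry(self, contents: str) -> None:
        self._client.create_ledger_entry(entry={"contents": contents})


def make_entry(line: str, source: str) -> str:
    """Wrap one log line as a JSON ledger entry with a SHA-256 digest of the raw line."""
    return json.dumps({
        "source": source,
        "line": line,
        "sha256": hashlib.sha256(line.encode("utf-8")).hexdigest(),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }, sort_keys=True)


def verify_entry(entry_json: str, line: str) -> bool:
    """True if the ledger entry's digest matches the given local log line."""
    return json.loads(entry_json)["sha256"] == hashlib.sha256(line.encode("utf-8")).hexdigest()


def stream_new_lines(path: str, offset: int, sink: LedgerSink) -> tuple[int, int]:
    """Send every complete line appended after byte `offset` to the sink.

    Returns (new_offset, lines_written). A trailing line without '\n' is left
    for the next call, so a half-written query is never sent.
    """
    written = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        while True:
            pos = fh.tell()
            raw = fh.readline()
            if not raw:
                break
            if not raw.endswith(b"\n"):
                fh.seek(pos)  # partial line: rewind so it is re-read later
                break
            line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
            if line.strip():
                sink.write_entry(make_entry(line, os.path.basename(path)))
                written += 1
        return fh.tell(), written


def demo() -> dict:
    """Run the tailer twice over a constructed querylogs.txt and report the results."""
    path = os.path.join(tempfile.mkdtemp(), "querylogs.txt")
    sink = MemorySink()
    # Constructed sample: two finished queries and one the app is still writing.
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        fh.write("2022-01-01T10:00:00Z SELECT * FROM [dbo].[Employees]\n")
        fh.write("2022-01-01T10:00:05Z SELECT LastName, Salary FROM [dbo].[Employees]\n")
        fh.write("2022-01-01T10:00:09Z SELECT FirstName")
    offset, first = stream_new_lines(path, 0, sink)
    with open(path, "a", encoding="utf-8", newline="\n") as fh:
        fh.write(" FROM [dbo].[Employees]\n")  # the writer finishes the third line
    offset, second = stream_new_lines(path, offset, sink)
    return {"first_written": first, "second_written": second,
            "total": len(sink.entries), "entries": sink.entries}


if __name__ == "__main__":
    for entry in demo()["entries"]:
        print(entry)
```

In a real run you would loop `stream_new_lines` with a short sleep, persist the returned offset, and pass a `ConfidentialLedgerSink` built from the `ClientSecretCredential` (tenant, client id and secret are the same three arguments the script above takes); the digest in each entry is what lets an auditor later prove that a line in the local `querylogs.txt` matches, or has diverged from, the ledger record.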
#### 3. SQL Extended Events sessions

- Query the table using:

  ```sql
  SELECT * FROM [dbo].[Employees]
  ```

- To create a new Extended Events session, run `02-enable-XESession-AzSQLDB.sql`.
- To intercept queries from the session, run `03-query-XEvents.sql`.