Microsoft Shrinks Azure Stack's Attack Surface
In a move that could significantly reduce Azure Stack's attack surface and simplify network integration, Microsoft is consolidating a number of ports for the hybrid cloud platform.
Specifically, Microsoft plans to collapse the port requirements for various Azure services running on Azure Stack from 27 different ports to just one. The services will communicate via Port 443, the standard port for HTTP over TLS/SSL. The change will take effect in an upcoming release, according to a Microsoft announcement last Friday.
Microsoft positions Azure Stack as a key differentiator versus other major public cloud providers: customers run an integrated hardware and software system that is meant to offer the same platform as Microsoft's Azure public cloud, but in a private datacenter. The approach lets customers use the same application code in the public cloud and on the private cloud.
Early demand for the technology includes edge environments, disconnected environments, customers with specialized security requirements and those with specific compliance concerns. Hardware partners currently offering the 4- to 12-node integrated systems include Cisco, Dell EMC, Hewlett Packard Enterprise, Huawei and Lenovo.
Because it runs the same underlying code as Azure in the public cloud, Azure Stack supports a number of Azure services. Until now, Microsoft has added the functionality for each service to its Azure Stack portal via a portal extension, each one using a separate network port.
In the announcement, Thomas Roettinger, senior program manager for Azure Stack, acknowledged customer pushback over managing and securing multiple ports. "As the number of Azure services increases, so do the number of ports that must be opened on a firewall that supports Azure Stack," Roettinger said.
Following in Azure's footsteps, Azure Stack will soon adopt a so-called Extension Host technology to funnel all of these services through Port 443. "In its first release, the User and Admin portal default extensions have moved to this model, thereby reducing the number of ports from 27 to one. Over time, additional services such as the SQL and MySQL providers will also be changed to use the Extension Host model," Roettinger said.
The change will be fully implemented with the 1810 update of Azure Stack. In preparation, Azure Stack customers will need to import a pair of wildcard SSL certificates, one for the admin portal and one for the tenant portal.
The current build, 1807, was released only a few days ago, and Roettinger suggested users have some time to prepare. New deployments of Azure Stack will require the wildcard certificates sometime in September, he said.
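Once every portal extension is served from behind a single wildcard certificate on port 443, the thing that can silently break is name coverage: a wildcard matches exactly one DNS label, so it does not cover the apex name it hangs off, nor anything nested a level deeper. The following is an added example, not Microsoft's or Azure Stack's code; the portal hostnames and certificate names it uses are constructed placeholders, since the article does not give the real FQDNs. It applies the usual RFC 6125 wildcard rules to a list of names a certificate carries and reports which expected portal hostnames would be left uncovered.

```python
"""Check whether wildcard certificate names cover the portal hostnames that
an Extension Host will serve on port 443.

Added example for this article, not Microsoft's or Azure Stack's code. The
hostnames and SAN entries below are constructed placeholders; the article
does not give Azure Stack's real portal FQDNs. Matching follows the common
RFC 6125 rules: '*' is accepted only as the entire leftmost label and it
matches exactly one label, so it never spans a dot.
"""

# Constructed sample data (placeholders, not real Azure Stack names).
ADMIN_CERT_SANS = [
    "adminportal.region.example.com",
    "*.adminportal.region.example.com",
]
TENANT_CERT_SANS = ["*.portal.region.example.com"]  # apex name deliberately absent

# Hostnames each portal is assumed to need once its extensions sit behind 443.
ADMIN_HOSTNAMES = [
    "adminportal.region.example.com",
    "monitoring.adminportal.region.example.com",
    "deep.nested.adminportal.region.example.com",
]
TENANT_HOSTNAMES = [
    "portal.region.example.com",
    "storage.portal.region.example.com",
]


def _normalize(name):
    """Lowercase and drop a trailing dot so comparisons are case-insensitive."""
    return name.strip().rstrip(".").lower()


def hostname_matches(san, hostname):
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname."""
    pattern, host = _normalize(san), _normalize(hostname)
    if not pattern or not host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as "*.com" (fewer than two fixed labels).
    if len(p_labels) < 3:
        return False
    # One wildcard label matches exactly one hostname label, never zero or more.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def coverage(sans, hostnames):
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {
        host: next((san for san in sans if hostname_matches(san, host)), None)
        for host in hostnames
    }


def uncovered(sans, hostnames):
    """List hostnames that none of the certificate's names would cover."""
    return [host for host, san in coverage(sans, hostnames).items() if san is None]


def check_portal_certificates():
    """Run the check for both constructed certificates; returns the gaps found."""
    return {
        "admin": uncovered(ADMIN_CERT_SANS, ADMIN_HOSTNAMES),
        "tenant": uncovered(TENANT_CERT_SANS, TENANT_HOSTNAMES),
    }


if __name__ == "__main__":
    for portal, gaps in check_portal_certificates().items():
        status = "OK" if not gaps else "MISSING: " + ", ".join(gaps)
        print(f"{portal} portal certificate: {status}")
```

Run against the constructed data, the admin certificate covers the apex and one level of subdomain but not the doubly nested name, and the tenant certificate, which carries only the wildcard, does not cover its own apex name. In practice the SAN list would be read from the actual PFX rather than typed in, and the hostname list from whatever the deployment expects to serve; the matching logic is the part worth keeping.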
Posted by Scott Bekker on August 13, 2018