Bekker's Blog

Blog archive

Microsoft Shrinks Azure Stack's Attack Surface

In a move that could significantly reduce Azure Stack's attack surface and simplify network integration, Microsoft is consolidating a number of ports for the hybrid cloud platform.

Specifically, Microsoft plans to collapse port requirements for various Azure services running on Azure Stack from 27 different ports to just one. The services will communicate via Port 443, the standard port for HTTP over TLS/SSL. The change will take effect in an upcoming release, according to a Microsoft announcement last Friday.

Microsoft positions Azure Stack as a key differentiator versus other major public cloud providers, in that customers can run an integrated hardware and software system that is supposed to offer the exact same platform as Microsoft's Azure public cloud, but in a private datacenter. The approach enables customers to use the same application code in the public cloud and on the private cloud.

Early demand for the technology includes edge environments, disconnected environments, customers with specialized security requirements and those with specific compliance concerns. Hardware partners currently offering the 4-12 node integrated systems include Cisco, Dell EMC, Hewlett Packard Enterprise, Huawei and Lenovo.

Because it runs the same underlying code as Azure in the public cloud, Azure Stack supports a number of Azure services. Up until now, Microsoft has added the functionality for each service to its Azure Stack portal via a portal extension using a separate network port.

In the announcement, Thomas Roettinger, senior program manager for Azure Stack, acknowledged customer pushback for managing and securing multiple ports. "As the number of Azure services increases, so do the number of ports that must be opened on a firewall that supports Azure Stack," Roettinger said.

Following in Azure's footsteps, the Azure Stack will soon adopt a so-called Extension Host technology to funnel all the ports through Port 443. "In its first release, the User and Admin portal default extensions have moved to this model, thereby reducing the number of ports from 27 to one. Over time, additional services such as the SQL and MySQL providers will also be changed to use the Extension Host model," Roettinger said.

The change will be fully implemented with the 1810 update of the Azure Stack. In preparation, Azure Stack customers will need to import a pair of wild card SSL certificates, one for the admin portal and one for the tenant portal.

The current build, 1807, was only released a few days ago, and Roettinger suggested users have some time to prepare. New deployments of Azure Stack will require the wild card certificates sometime in September, he said.

Posted by Scott Bekker on August 13, 2018 at 12:28 PM


Most   Popular