WEBVTT

0:00:02.860000 --> 0:00:56.900000
I am a huge proponent of containerizing your workloads. But if you're going to run containers, you want to make sure that you are running those containers securely, and that is really what this video is about. We're going to talk about container security in the Azure environment, and the topics that we're going to cover include container resource protection. We're going to look at container authentication, and specifically we're going to look at Azure Container Registry authentication, and I'm going to demonstrate that. We'll also talk about container isolation, what are some options that we have there. We will talk about container networking, and I'll talk about a solution that I personally think might be a little bit overcomplicated, at least in some circumstances, and then I'm going to go through a demonstration of container networking as well.

0:00:56.900000 --> 0:01:21.980000
So let's go ahead and let's dive right into this. Now, in some senses, containers are just ordinary resources, right? And so we want to really effectively protect those, like we would any other resource. So for example, we've got role-based access control. All right, cool.

0:01:21.980000 --> 0:02:10.360000
We've got that for managing the resources, really all of our resources, and as you'll see, actually even authenticating down to the data level, right? Going beyond the control plane to the data plane in Azure Container Registries. Also, our vulnerability scanning that is part of Security Center applies to Azure Container Registries. And if you've got IaaS container solutions, in other words, if you're running Docker or another container solution on a virtual machine, you actually have agent-based threat monitoring. And if you're using Azure Kubernetes Service, it's actually built in and you have agentless threat monitoring. So you don't need to actually install anything to get that threat monitoring.

0:02:10.360000 --> 0:02:52.680000
Now, as far as security hardening in general, okay, Kubernetes in particular is certified by CIS, the Center for Internet Security, the Docker benchmark policy, all right, and that monitoring has been set up in Security Center and it has gotten a seal of approval. If you are working with IaaS, in other words, if you're working with virtual machines, then you have to take into account that you are responsible for everything from the operating system up, which includes your container system, right?

0:02:52.680000 --> 0:03:45.200000
So there's things, of course, that you can do in the Azure environment, but in addition to that, you are gonna have to do some work at a minimum, for example, maybe installing the agent for threat monitoring, okay? If you're using Kubernetes, there are a lot of capabilities built in, and there are some capabilities that are built in that are currently in preview at the time of this recording, which is in May. Now, again, if you're using Kubernetes, just because those tools are baked in doesn't mean that you can just spin it up, of course, and ignore it. So keep that in mind, and with that, we're gonna go ahead and we are going to move on. Okay, next, I wanna talk about container authentication, right?

0:03:45.200000 --> 0:04:13.260000
So how are you going to get to the data plane within the container environment itself? And really, as you can see, the options you have are really dependent upon the platform that you are implementing. Let's take a look at these. First of all, fairly straightforward. If you're using Azure Container Instances, well, then there really isn't anything built in for authentication.

0:04:13.260000 --> 0:04:59.380000
Now, that doesn't mean you can't have some sort of authentication system built into the containers themselves and to your workload, but other than at the control plane, in other words, being able to start, stop, create and delete the container instances themselves, there's really no other additional help you're gonna get. Now, containers that are hosted on IaaS, well, that's gonna be like any other VM. You do have the administrator login, and that of course is and can be controlled through the Azure environment, through the portal, or even through the command line. But beyond that, that's really pretty much it, right? Because once you get into the virtual machine, then really managing Docker, managing your container environment is on you.

0:04:59.380000 --> 0:05:37.740000
Now, the Azure Container Registry, a little bit more interesting. Azure Container Registry allows for Azure AD authentication. And in fact, we're gonna take a look at some roles that are actually specific to the Azure Container Registry or ACR data plane. In other words, going beyond just managing it as a resource. The Azure Container Registry does have its own managed identity. Also, if you are using AKS, AKS has its own managed identity as well.

0:05:37.740000 --> 0:06:08.000000
And I would take my managed identity from AKS and authenticate it into an Azure Container Registry. In fact, as you will see in another video, if you watch a video on AKS or Azure Kubernetes Service, you actually select a container registry that you want to have it registered with and kind of use as its own, if you will, repository. But that's gonna be not really covered in this video, but it is covered elsewhere within INA.

0:06:08.000000 --> 0:07:05.380000
Two other things we have. You have the ability to implement an admin user for your ACR, for your Azure Container Registry. And that is kind of a traditional container registry user account. It's got full privileges. You can have the account created, the account will be the same name as the registry. And then there are two passwords, two secrets that are created, and you can regenerate them. And you can choose to use that, but if possible, the recommendation is to use Azure AD for your authentication purposes because you have much better granular control, monitoring, et cetera. You can also generate what's called a repository-scoped access token. When you access an ACR, when you access any container registry, you do so via an access token.

0:07:05.380000 --> 0:07:41.400000
And you can, actually, for example, use the Azure CLI to just generate that token. So if I needed to generate the token that I was gonna use in some other process, I could do that, and then having that token, though you'd have to be careful, would give you the ability to log in with whatever rights are associated with it. So in terms of container authentication, the two big topics are ACR, which we're covering in this video. And then Kubernetes also, of course, has its own spin on things to think about when it comes to authentication.

0:07:41.400000 --> 0:08:31.060000
But what I'd like to do now is I would like to demonstrate authenticating into the ACR. And what I'm gonna do, I've got an Azure Container Registry. I'm gonna go through the process of provisioning a new container registry just so you can see those options. Then I'm really gonna go in and drill into my container registry, and what's already there, and take a look at the options with that. And then I'm gonna take a look at how you can leverage Azure AD and the Azure CLI to simplify the process of interacting with your Azure Container Registry. So let's go ahead and let's jump into this. All right, that was actually not exactly where I wanna be, there we go.

0:08:31.060000 --> 0:09:20.900000
Okay, if I wanted to provision a container registry, so you just go, let me just do registry. Yeah, there we go. There's a container registry. Which to me, its icon, when it's gonna show close up, looks like an overflowing bucket of popcorn, but that really has nothing to do with anything. Okay, so what are my options here? First of all, I can put it in a resource group. So let's say for example, I was gonna demo containers. I would have to give it a registry name. The registry name is a prefix to .azurecr.io. You can take an exam, that's real good to know. Because it is a prefix to a public DNS fully qualified domain name, it's gonna be unique.

0:09:20.900000 --> 0:09:57.980000
So I could say, I-any, ACR demo. Okay, give it a location. Now, SKUs: basic, standard, and premium. Basic is gonna be the cheapest. You get more features as you go up in tier. Okay, let's see if we get the info on what you get, because it's always good to know the differences there. Okay, so here's your pricing. Basic is 16 cents, US, East US, right now. Standard, more expensive; premium, more expensive than that. That's per day though, that's still not bad.

0:09:57.980000 --> 0:10:35.200000
You can see increasing amounts of storage. Also, webhooks, so you can automate processes. And if you go to premium, you have geo-replication capabilities. And again, geo-replication, giving you multiple copies, giving you really an added security benefit. Okay, anyways, we'll stick for this with standard. And then networking. Okay, you cannot connect this to a private endpoint. I don't have this set up. It's only available for premium.

0:10:35.200000 --> 0:11:29.560000
So let's go back, let's go and do premium, just so you can see that. There we go. Now, I could create a private endpoint. Okay, and control and restrict access to my container registry. I'm gonna do that right now. Encryption, your data is encrypted, but you also have the ability to have a customer-managed key, which I can either have in Key Vault or enter a direct key URI. But I'm fine with their management of it. Should add tags, but I'm not going to. And at that point, I would create it. All right, so that's all the setup for a registry. All right, next, I'm gonna go to my existing registry that I've already provisioned. And I'm gonna take a look at the registry itself. And in particular, I'm gonna go to access control.

0:11:29.560000 --> 0:12:17.140000
And let's say I wanted to grant access. I'm gonna see if I can zoom in a little bit on that. Okay, there are a few roles. And if you're studying for an exam, you probably want to look these up. Some of them are pretty self-evident, like ACR delete. There are right now, what do I think, seven, six or seven, six. Six different roles that are specific to the data plane of Azure Container Registry. There's delete, there's image signer. So if you're using signed images and you want some to be able to sign them, but that's maybe all you want. There's pull, there's push. There's also quarantine. So if you've got quarantine set up with your vulnerability assessment, then you have the ability to implement that.

0:12:17.140000 --> 0:12:54.000000
And so I could add, let's say, for example, ACR pull, and then I could add that to some user account. I'm not going to because I don't want to just jump things up. Okay, now I also, as it turns out, I'm going to come down here. I've got a number of repositories. And I'm just going to go kind of randomly to one of them. This has a lot of versions, so I've got this set up with a CI/CD workflow. And I've got a Docker pull command for this.

0:12:54.000000 --> 0:13:41.320000
So let's say that I wanted to retrieve this particular image from this ACR. Okay, now as it turns out, I have Docker installed on my own system here. Let's bring that up a little bit. Okay, and, it's entirely possible. I'll make sure I had everything right before I did this. All right, so we'll go ahead and we'll put that in. And I get an error. Error response tells me unauthorized, authentication required. Now here's the cool thing. So I'm using Azure AD authentication, but Docker doesn't know what Azure AD authentication is.

0:13:41.320000 --> 0:15:04.660000
So if I have the Azure CLI, we'll drill down into this a little bit. I'm going to az acr help. And here are the different things that I've got: az acr login. So let's take a look at that. Okay, so when I go az acr login, I need to specify the name of a registry. Now I could also, if I'm using that administrative user, I can put in the username and password to that. If I don't put in the username and password, then it's going to assume that I want to use Azure AD authentication. So let's go ahead and do that. I need demos. Okay, so I have now used the Azure CLI to log me in. Now I go back to that same Docker pull command. And now it's pulling.

0:15:04.660000 --> 0:15:43.300000
The cool thing is I am now logged in to that ACR on my machine. In fact, before this demonstration, I had to remember to log out. It was kind of what that upper information was that was on the screen when I first popped over here, because I remembered to log out for the demonstration, but I forgot to clear that. So my apologies. But in any case, it's cranky now, right? Awesome. We're good to go. Now let's go back and take in a little more content. So we've gone through and seen Azure ACR authentication. The next thing I'm going to do is I'm going to talk about container isolation.

0:15:43.300000 --> 0:16:40.040000
Now with containers, right, if we think about containers and we think about kind of the traditional environment for containers, I've got, and I'm going to freehand this, so pardon my inability to draw a straight line. All right, let's say I'm on a physical host, right? And the physical host's got a BIOS. It's got an operating system. It's got a container management system. We'll say Docker. And above that, I've got my containers. Now these containers are logically isolated, but they're still using the same kernel, right? And so that looks like a scary robot.

0:16:40.040000 --> 0:17:02.820000
But aside from that, they're still using the same kernel. So that could be somewhat problematic from a security standpoint. You could argue either direction.

0:17:02.820000 --> 0:18:11.340000
There is, within Windows containerization, another solution. And let's say that I'm in Azure. And so I've got Azure. And I've got a VM running in Azure. Now I could install Docker directly on that, but I can also run Hyper-V. All right, I'm going to say Hyper-V D because I can run Hyper-V and Docker. And then when I'm running containers, those containers are actually OS isolated because they're each running as their own independent virtual machine. So I'm running them as virtual machines, essentially inside of a virtual machine, giving me OS level. Let's see here, get back away from that. Ah, there we go.

0:18:11.340000 --> 0:18:38.960000
So that Hyper-V isolation, by the way, is a standard element of Windows Server containerization. Okay, but it also works for container instances. Okay. Now, if you are running IaaS, IaaS by definition is giving you VM-level isolation, right? You don't necessarily need to have that Hyper-V on top of it.

0:18:38.960000 --> 0:19:20.140000
Although you can, if you're running Windows virtual machines, if you've got, there's a lot that needs to go into it, but you can run Hyper-V on a virtual machine that's on Azure, and so you could take advantage of that isolation. You also, if you want really the highest level of isolation, Azure does offer Azure Dedicated Hosts, right? And what that means is exactly what it sounds like. You are going to get physical hosts that are dedicated specifically to you. Okay, giving you really that isolation down to the hardware level. If you need that much isolation, that capability is in fact there.

0:19:20.140000 --> 0:20:10.960000
Now, the next thing that I want to talk about is container networking. Now, there's a few things with container networking, one of which you already saw. And that is the Azure Container Registry has its own service endpoint. Okay. Currently in preview, but it is there. Also, if you're running infrastructure as a service, you have the standard networking. It is a virtual machine. It is running on a virtual network. You can choose to have a public IP address or not to. And then what you can do is you can use that in conjunction with your Docker networking definition and designation. Okay. Container instances. If you're using container instances, then you have port mapping.

0:20:10.960000 --> 0:20:44.560000
That's really what you have. There's nothing beyond that. So right now, just be aware of that. Now, there is a plugin. The Azure Virtual Network Container Network Interface plugin, which is kind of hard to say. What this plugin does is it sets it up. You install this plugin in your virtual machine. Okay. Or you use it with Kubernetes. Okay. So if I'm running infrastructure as a service, I can install this on a Docker host.

0:20:44.560000 --> 0:21:44.560000
And what it's going to do is every time I create a new container, it's actually going to map that container to a new private IP address on a virtual network. And so now, instead of having one virtual IP address and then kind of delegating out ports to differentiate any network communication, now each one of your containers could have its own private IP address in the virtual network, and you can go from there. This works well, frankly, in Kubernetes Service. It's fine. Personally, I have found that if you're using infrastructure as a service, if you're using your own Docker host, I don't really find this network plugin worthwhile. And the reason why is because it's really not that hard to configure the networking on your own.

0:21:44.560000 --> 0:22:39.460000
And that is actually what I'm going to show you in the next demo. And what I'm going to do with this demo is I have a virtual machine in Azure that is running Docker. It's an Ubuntu machine, I think 18.04, doesn't really matter, but it's an Ubuntu machine that is running Docker. And what I want to do is I want to fire up a container. And I want to use Docker's port mapping capability so that that container has an active port on the VM host itself. Then I'm going to tie that in to an application gateway. And I'll use the application gateway that has the web application firewall already configured to allow access, but allow protected access to my individual container. So a few moving parts there.

0:22:39.460000 --> 0:23:19.380000
I've got the container. It's on a VM host running Docker. And I've got an application gateway set up in that network. And I'll show you all of this. But that's really what I'm going to do. So I'll run a simple container, excuse me, that has a web application, and then make sure that I can get to that web application via my application gateway. Let's take a look at this demonstration. Okay. If I go to my container now, I am connected to my container. You probably can't see this.

0:23:19.380000 --> 0:24:29.040000
But what I'm about to run, I've got this up in a text file, making it nice and simple. All right. I've got a docker run. It's going to run in the background. And I'm mapping port 8080 on the actual host to port 80 of the actual container. Given a name. And then I'm basing it off of some instance, just a simple instance. And I run this. And it starts up. Now, I'm going to make a slight variation. I'm going to run a second instance of this. Cleverly named demo one. I'm just going to map that to 8081. A little cavalier, but it'll work. Okay. And now even though you may not be able to see it, it's a little small, but if I run a docker ps, you should see that I've got two containers running. One is mapped to port 8080 and the other's mapped to port 8081. They do the same thing.

0:24:29.040000 --> 0:24:55.380000
Now the reason why it's so small, and I didn't just say, oh, let me just SSH into that, is because I really tried to implement some basic security measures. And I'm going to take a look at that. Okay. Here is the resource group that I've got for this particular container. And what I'm going to do is I'm going to pop into the container itself and notice a couple things. Oh, I did actually, I meant to take away.

0:24:55.380000 --> 0:26:10.220000
Ah, there we go. Even though I do have a public IP address, and I did allow port 8080 access. Okay. So I can get access that way. Notice that there's no port 22, so I can't just SSH in. All right. So if I wanted to test that, I could take this public IP here and go to 8080. And there we go. Now I've got access, but that really kind of violates what I was talking about. I don't want direct public access to that virtual machine. So instead, what I could do is I could go to my VM and I could remove this rule. I'm going to delete that rule. Now, I'm not going to try it again right away because it sometimes takes a few minutes for the NSG rules, network security group rules, to fully propagate. Okay. But that will prevent direct access.

0:26:10.220000 --> 0:26:48.100000
Now in the meantime, go back up here. All right. I want to notice my private IP address is 10.0.1.4. I also happen to have an application gateway. All right. So I've got an application gateway set up. And if I take a look, notice that I've got WAF version two. So that's the web application firewall. I've got two instances of this running. So I could configure my web application firewall. Now I've got a back end pool.
0:26:48.100000 --> 0:26:52.980000
And the backend pool has one item.

0:26:52.980000 --> 0:26:56.380000
And I've got a backend target.

0:26:56.380000 --> 0:27:01.720000
And I've got the virtual machine, which is the container.

0:27:01.720000 --> 0:27:05.320000
Okay. That's my backend pool.

0:27:05.320000 --> 0:27:09.980000
All right. Now I've got a frontend IP configuration.

0:27:09.980000 --> 0:27:11.560000
I've got a public IP address.

0:27:11.560000 --> 0:27:14.040000
And you can see that public IP address.

0:27:14.040000 --> 0:27:18.420000
I've got listeners.

0:27:18.420000 --> 0:27:21.180000
I have a web app listener.

0:27:21.180000 --> 0:27:26.840000
Okay. And the web app listener is listening on port 80.

0:27:26.840000 --> 0:27:29.220000
It's a basic listener.

0:27:29.220000 --> 0:27:36.980000
Pretty simple. And if I go to rules, I have one rule.

0:27:36.980000 --> 0:27:40.900000
And what it's going to do, it's going to take that web app listener, which

0:27:40.900000 --> 0:27:47.700000
again, is listening on my public endpoint on the application gateway.

0:27:47.700000 --> 0:27:54.040000
And it's going to map it to my backend target, which is just that web

0:27:54.040000 --> 0:27:56.600000
app, which is my container machine.

0:27:56.600000 --> 0:28:00.500000
And it has HTTP settings.

0:28:00.500000 --> 0:28:01.680000
Okay. So what are those?

0:28:01.680000 --> 0:28:03.380000
A lot of parts to this.

0:28:03.380000 --> 0:28:07.380000
If I go to HTTP settings.

0:28:07.380000 --> 0:28:11.380000
Here I've got my backend port.

0:28:11.380000 --> 0:28:12.480000
So there it is right there.

0:28:12.480000 --> 0:28:14.480000
It's mapping to port 8080.

0:28:14.480000 --> 0:28:18.500000
And that's really what I care about most.

0:28:18.500000 --> 0:28:25.460000
And I'm going to override the request with whatever the host name

0:28:25.460000 --> 0:28:28.660000
is from the backend target, which is fine.

0:28:28.660000 --> 0:28:30.460000
Not going to use a custom probe.

0:28:30.460000 --> 0:28:35.320000
So at the end of the day, I've got this application gateway set up

0:28:35.320000 --> 0:28:42.100000
to provide access over port 80 to that backend container.

0:28:42.100000 --> 0:28:45.820000
And so what I'm going to do is I'm going to make sure that works.

0:28:45.820000 --> 0:28:54.560000
And there we go.

0:28:54.560000 --> 0:28:58.840000
So I went through that and I got to that backend container.

0:28:58.840000 --> 0:29:04.480000
So this is what the container that's running on my backend server

0:29:04.480000 --> 0:29:05.900000
is actually doing.

0:29:05.900000 --> 0:29:07.220000
And it got to itself.

0:29:07.220000 --> 0:29:08.420000
And that's fantastic.

0:29:08.420000 --> 0:29:12.920000
Now in this case, now that I know I've got the application gateway, really

0:29:12.920000 --> 0:29:18.960000
at this point, what I would want to do is simply go back to that network

0:29:18.960000 --> 0:29:26.680000
interface and go to my IP configuration for that network interface and

0:29:26.680000 --> 0:29:29.880000
actually disassociate the public IP.

0:29:29.880000 --> 0:29:38.660000
Right. And so now there is no direct public access to my Docker host that's

0:29:38.660000 --> 0:29:39.960000
running my container.

0:29:39.960000 --> 0:29:43.760000
Instead, any public access is going through the application gateway, which

0:29:43.760000 --> 0:29:47.040000
is running the web application firewall, making sure that it's looking

0:29:47.040000 --> 0:29:48.620000
for common threats.

0:29:48.620000 --> 0:29:53.040000
Right. And just in general, not giving direct access to that underlying

0:29:53.040000 --> 0:29:54.760000
virtual machine.

0:29:54.760000 --> 0:29:57.860000
Furthermore, I've got Bastion set up.

0:29:57.860000 --> 0:30:01.420000
So I don't need to get to that via port 22.

0:30:01.420000 --> 0:30:03.380000
I don't have a gateway.

0:30:03.380000 --> 0:30:05.760000
I don't have a VPN gateway or an ExpressRoute gateway.

0:30:05.760000 --> 0:30:09.060000
So I'm just going through the portal, but that still gives me more security.

0:30:09.060000 --> 0:30:12.660000
And that's really what you want to think about when you're dealing with

0:30:12.660000 --> 0:30:15.540000
containerized solutions and you're thinking about security.

0:30:15.540000 --> 0:30:17.440000
OK, I've got this container.

0:30:17.440000 --> 0:30:19.540000
It's running in Azure.

0:30:19.540000 --> 0:30:20.940000
What do I need to do?

0:30:20.940000 --> 0:30:24.280000
Well, I've shown you the Azure things you can do.

0:30:24.280000 --> 0:30:27.900000
Right. But particularly if you're running this in infrastructure as a

0:30:27.900000 --> 0:30:30.880000
service, you also need to keep in mind that you're going to be responsible

0:30:30.880000 --> 0:30:33.260000
for the operating system and above.