├── .gitignore
├── LICENSE
├── LICENSE-CODE
├── README.md
└── SECURITY.md

/.gitignore:
--------------------------------------------------------------------------------
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore

# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUNIT
*.VisualState.xml
TestResult.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
**/Properties/launchSettings.json

# StyleCop
StyleCopReport.xml

# Files built by Visual Studio
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# Visual Studio Trace Files
*.e2e

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# JustCode is a .NET coding add-in
.JustCode

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json

# Visual Studio code coverage results
*.coverage
*.coveragexml

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak

# SQL Server files
*.mdf
*.ldf
*.ndf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# JetBrains Rider
.idea/
*.sln.iml

# CodeRush
.cr/

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc

# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config

# Tabs Studio
*.tss

# Telerik's JustMock configuration file
*.jmconfig

# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs

# OpenCover UI analysis results
OpenCover/

# Azure Stream Analytics local run output
ASALocalRun/

# MSBuild Binary and Structured Log
*.binlog

# NVidia Nsight GPU debugger configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Attribution 4.0 International

=======================================================================

Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.

     Considerations for licensors: Our public licenses are
     intended for use by those authorized to give the public
     permission to use material in ways otherwise restricted by
     copyright and certain other rights. Our licenses are
     irrevocable. Licensors should read and understand the terms
     and conditions of the license they choose before applying it.
     Licensors should also secure all rights necessary before
     applying our licenses so that the public can reuse the
     material as expected. Licensors should clearly mark any
     material not subject to the license. This includes other CC-
     licensed material, or material used under an exception or
     limitation to copyright. More considerations for licensors:
     wiki.creativecommons.org/Considerations_for_licensors

     Considerations for the public: By using one of our public
     licenses, a licensor grants the public permission to use the
     licensed material under specified terms and conditions. If
     the licensor's permission is not necessary for any reason--for
     example, because of any applicable exception or limitation to
     copyright--then that use is not regulated by the license. Our
     licenses grant only permissions under copyright and certain
     other rights that a licensor has authority to grant. Use of
     the licensed material may still be restricted for other
     reasons, including because others have copyright or other
     rights in the material. A licensor may make special requests,
     such as asking that all changes be marked or described.
     Although not required by our licenses, you are encouraged to
     respect those requests where reasonable. More_considerations
     for the public:
     wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution 4.0 International Public License ("Public License"). To the
extent this Public License may be interpreted as a contract, You are
granted the Licensed Rights in consideration of Your acceptance of
these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the
Licensed Material available under these terms and conditions.


Section 1 -- Definitions.

  a. Adapted Material means material subject to Copyright and Similar
     Rights that is derived from or based upon the Licensed Material
     and in which the Licensed Material is translated, altered,
     arranged, transformed, or otherwise modified in a manner requiring
     permission under the Copyright and Similar Rights held by the
     Licensor. For purposes of this Public License, where the Licensed
     Material is a musical work, performance, or sound recording,
     Adapted Material is always produced where the Licensed Material is
     synched in timed relation with a moving image.

  b. Adapter's License means the license You apply to Your Copyright
     and Similar Rights in Your contributions to Adapted Material in
     accordance with the terms and conditions of this Public License.

  c. Copyright and Similar Rights means copyright and/or similar rights
     closely related to copyright including, without limitation,
     performance, broadcast, sound recording, and Sui Generis Database
     Rights, without regard to how the rights are labeled or
     categorized. For purposes of this Public License, the rights
     specified in Section 2(b)(1)-(2) are not Copyright and Similar
     Rights.

  d. Effective Technological Measures means those measures that, in the
     absence of proper authority, may not be circumvented under laws
     fulfilling obligations under Article 11 of the WIPO Copyright
     Treaty adopted on December 20, 1996, and/or similar international
     agreements.

  e. Exceptions and Limitations means fair use, fair dealing, and/or
     any other exception or limitation to Copyright and Similar Rights
     that applies to Your use of the Licensed Material.

  f. Licensed Material means the artistic or literary work, database,
     or other material to which the Licensor applied this Public
     License.

  g. Licensed Rights means the rights granted to You subject to the
     terms and conditions of this Public License, which are limited to
     all Copyright and Similar Rights that apply to Your use of the
     Licensed Material and that the Licensor has authority to license.

  h. Licensor means the individual(s) or entity(ies) granting rights
     under this Public License.

  i. Share means to provide material to the public by any means or
     process that requires permission under the Licensed Rights, such
     as reproduction, public display, public performance, distribution,
     dissemination, communication, or importation, and to make material
     available to the public including in ways that members of the
     public may access the material from a place and at a time
     individually chosen by them.

  j. Sui Generis Database Rights means rights other than copyright
     resulting from Directive 96/9/EC of the European Parliament and of
     the Council of 11 March 1996 on the legal protection of databases,
     as amended and/or succeeded, as well as other essentially
     equivalent rights anywhere in the world.

  k. You means the individual or entity exercising the Licensed Rights
     under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

  a. License grant.

       1. Subject to the terms and conditions of this Public License,
          the Licensor hereby grants You a worldwide, royalty-free,
          non-sublicensable, non-exclusive, irrevocable license to
          exercise the Licensed Rights in the Licensed Material to:

            a. reproduce and Share the Licensed Material, in whole or
               in part; and

            b. produce, reproduce, and Share Adapted Material.

       2. Exceptions and Limitations. For the avoidance of doubt, where
          Exceptions and Limitations apply to Your use, this Public
          License does not apply, and You do not need to comply with
          its terms and conditions.

       3. Term. The term of this Public License is specified in Section
          6(a).

       4. Media and formats; technical modifications allowed. The
          Licensor authorizes You to exercise the Licensed Rights in
          all media and formats whether now known or hereafter created,
          and to make technical modifications necessary to do so. The
          Licensor waives and/or agrees not to assert any right or
          authority to forbid You from making technical modifications
          necessary to exercise the Licensed Rights, including
          technical modifications necessary to circumvent Effective
          Technological Measures. For purposes of this Public License,
          simply making modifications authorized by this Section 2(a)
          (4) never produces Adapted Material.

       5. Downstream recipients.

            a. Offer from the Licensor -- Licensed Material. Every
               recipient of the Licensed Material automatically
               receives an offer from the Licensor to exercise the
               Licensed Rights under the terms and conditions of this
               Public License.

            b. No downstream restrictions. You may not offer or impose
               any additional or different terms or conditions on, or
               apply any Effective Technological Measures to, the
               Licensed Material if doing so restricts exercise of the
               Licensed Rights by any recipient of the Licensed
               Material.

       6. No endorsement. Nothing in this Public License constitutes or
          may be construed as permission to assert or imply that You
          are, or that Your use of the Licensed Material is, connected
          with, or sponsored, endorsed, or granted official status by,
          the Licensor or others designated to receive attribution as
          provided in Section 3(a)(1)(A)(i).

  b. Other rights.

       1. Moral rights, such as the right of integrity, are not
          licensed under this Public License, nor are publicity,
          privacy, and/or other similar personality rights; however, to
          the extent possible, the Licensor waives and/or agrees not to
          assert any such rights held by the Licensor to the limited
          extent necessary to allow You to exercise the Licensed
          Rights, but not otherwise.

       2. Patent and trademark rights are not licensed under this
          Public License.

       3. To the extent possible, the Licensor waives any right to
          collect royalties from You for the exercise of the Licensed
          Rights, whether directly or through a collecting society
          under any voluntary or waivable statutory or compulsory
          licensing scheme. In all other cases the Licensor expressly
          reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

  a. Attribution.

       1. If You Share the Licensed Material (including in modified
          form), You must:

            a. retain the following if it is supplied by the Licensor
               with the Licensed Material:

                 i. identification of the creator(s) of the Licensed
                    Material and any others designated to receive
                    attribution, in any reasonable manner requested by
                    the Licensor (including by pseudonym if
                    designated);

                ii. a copyright notice;

               iii. a notice that refers to this Public License;

                iv. a notice that refers to the disclaimer of
                    warranties;

                 v. a URI or hyperlink to the Licensed Material to the
                    extent reasonably practicable;

            b. indicate if You modified the Licensed Material and
               retain an indication of any previous modifications; and

            c. indicate the Licensed Material is licensed under this
               Public License, and include the text of, or the URI or
               hyperlink to, this Public License.

       2. You may satisfy the conditions in Section 3(a)(1) in any
          reasonable manner based on the medium, means, and context in
          which You Share the Licensed Material. For example, it may be
          reasonable to satisfy the conditions by providing a URI or
          hyperlink to a resource that includes the required
          information.

       3. If requested by the Licensor, You must remove any of the
          information required by Section 3(a)(1)(A) to the extent
          reasonably practicable.

       4. If You Share Adapted Material You produce, the Adapter's
          License You apply must not prevent recipients of the Adapted
          Material from complying with this Public License.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
     to extract, reuse, reproduce, and Share all or a substantial
     portion of the contents of the database;

  b. if You include all or a substantial portion of the database
     contents in a database in which You have Sui Generis Database
     Rights, then the database in which You have Sui Generis Database
     Rights (but not its individual contents) is Adapted Material; and

  c. You must comply with the conditions in Section 3(a) if You Share
     all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

  c. The disclaimer of warranties and limitation of liability provided
     above shall be interpreted in a manner that, to the extent
     possible, most closely approximates an absolute disclaimer and
     waiver of all liability.


Section 6 -- Term and Termination.

  a. This Public License applies for the term of the Copyright and
     Similar Rights licensed here. However, if You fail to comply with
     this Public License, then Your rights under this Public License
     terminate automatically.

  b. Where Your right to use the Licensed Material has terminated under
     Section 6(a), it reinstates:

       1. automatically as of the date the violation is cured, provided
          it is cured within 30 days of Your discovery of the
          violation; or

       2. upon express reinstatement by the Licensor.

     For the avoidance of doubt, this Section 6(b) does not affect any
     right the Licensor may have to seek remedies for Your violations
     of this Public License.

  c. For the avoidance of doubt, the Licensor may also offer the
     Licensed Material under separate terms or conditions or stop
     distributing the Licensed Material at any time; however, doing so
     will not terminate this Public License.

  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
     License.


Section 7 -- Other Terms and Conditions.

  a. The Licensor shall not be bound by any additional or different
     terms or conditions communicated by You unless expressly agreed.

  b. Any arrangements, understandings, or agreements regarding the
     Licensed Material not stated herein are separate from and
     independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

  a. For the avoidance of doubt, this Public License does not, and
     shall not be interpreted to, reduce, limit, restrict, or impose
     conditions on any use of the Licensed Material that could lawfully
     be made without permission under this Public License.

  b. To the extent possible, if any provision of this Public License is
     deemed unenforceable, it shall be automatically reformed to the
     minimum extent necessary to make it enforceable. If the provision
     cannot be reformed, it shall be severed from this Public License
     without affecting the enforceability of the remaining terms and
     conditions.

  c. No term or condition of this Public License will be waived and no
     failure to comply consented to unless expressly agreed to by the
     Licensor.

  d. Nothing in this Public License constitutes or may be interpreted
     as a limitation upon, or waiver of, any privileges and immunities
     that apply to the Licensor or You, including from the legal
     processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the “Licensor.” The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.

Creative Commons may be contacted at creativecommons.org.
--------------------------------------------------------------------------------
/LICENSE-CODE:
--------------------------------------------------------------------------------
The MIT License (MIT)
Copyright (c) Microsoft Corporation

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
associated documentation files (the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial
portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Overview

Azure API Management (APIM) is a cloud-based PaaS service that helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. It includes a built-in gateway service that brokers network API calls to your backend so that you can enforce user-based access, take advantage of quotas and rate limiting, cache responses, and more. A great overview of APIM on azure.com is [here](https://docs.microsoft.com/en-us/azure/api-management/api-management-key-concepts).

If you are reading this whitepaper, it is probably because you are an IT pro who needs guidance on how to deploy APIM in Azure to meet high-security data requirements. Otherwise, you are simply interested in what is possible with APIM and want to know more. Either way, this whitepaper is for you. Here we discuss exactly what happens when you deploy APIM inside an Azure VNet, and how to take your security footprint to the next level with firewalls, Network Security Groups (NSGs), User Defined Routes (UDRs), and more.

# APIM and VNet Injection

For the enterprise, high security is a must for any application footprint that contains sensitive data. From the networking perspective, a common way to protect this data is to block public Internet access to it and allow access only over the company's private, internal network. This can also carry benefits for uptime and availability.
Azure enables this functionality for many PaaS platforms by means of a technique called VNet Injection.

VNet Injection uses Azure's automation and SDN capabilities to deploy a given PaaS service directly into a specific customer VNet that has been configured with a special, delegated subnet for this purpose. This VNet is typically an extension of the customer's on-premises private network by way of VPN, ExpressRoute, or both. The target VNet can be an existing one; it does not have to be created at deployment time. The delegated subnet, however, must be empty and designated exclusively for the PaaS service before deployment.

It is a good idea to make sure your subnet is no smaller than a /27 (so avoid /28 and smaller) because of future scale requirements. Also, because a VNet is a flat layer 3 switch, you can always add a new address range to the VNet for this subnet if need be. Remember that, by default, any subnet in a VNet can talk to any other subnet in the same VNet; NSGs and firewalls are used to curtail this.

VNet Injection carries some key benefits that the enterprise requires for high-security APIM deployments:

- It allows for the creation of an APIM gateway that listens on a private IP within the VNet.
- It supports RFC1918 or custom address space assignment to PaaS nodes and endpoints.
- It allows a PaaS service to talk to other VMs inside the VNet.
- It supports ExpressRoute and/or VPN connectivity.
- It supports NSGs, ASGs, and UDRs by surrounding the PaaS service with a subnet.
- It allows for inbound and outbound security through devices such as firewalls, WAFs, IDS/IPS, and so on.

# Benefits of a Firewall with APIM

For any network service tasked with transmitting high-security data, protecting that service with a firewall is a must, for both inbound and outbound network traffic flows.
Because APIM is typically a web-based service, you can safeguard your inbound flows using a traditional firewall, a WAF, or any other combination of security platforms that are supported as Network Virtual Appliances (NVAs) within your VNet. The Azure WAF is one example of a supported inbound security device here.

For outbound flow protection, the common approach is to apply User Defined Routes (UDRs) to the delegated subnet to steer traffic through a firewall for inspection, auditing, and logging. For Internet-based/public destinations, you will need to apply a forced tunnel route (0.0.0.0/0) to your delegated subnet. This makes your firewall function as the default gateway for your APIM service.

Many people take advantage of "next-gen" or application firewalls here, as they provide the ability to filter outbound calls at the FQDN or application-message level. This functionality is highly recommended for securing your APIM service. Ideally, your application firewall sits in your VNet to keep it close to your applications. However, the forced-tunnel route can also be injected via BGP over ExpressRoute or VPN, so your application firewall can live within your corporate network perimeter.

# Understanding Traffic Types in VNet Injected Services

## Control Plane

When a PaaS service is deployed into a delegated subnet by way of VNet Injection, it is still dependent on Azure management services for health checking, reporting, deployment, and so on. This type of traffic is referred to as control plane. This is somewhat confusing, because some refer to it as "management traffic", but in reality this tier maps neatly onto what the industry already understands as control plane traffic. For any given PaaS deployment in a VNet, there will be both outbound calls to, and inbound calls from, these control plane endpoints.
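To make the routing concrete, here is an added example (not code from the whitepaper or from Microsoft) that plans the delegated subnet per the /27 guidance in the VNet Injection section and builds the forced-tunnel UDR table with the per-IP host routes that keep control-plane replies off the firewall. All addresses, the firewall IP, and the two "control-plane" IPs are constructed placeholders; the real Azure ranges are not on this page. The `az network route-table route create` rendering at the end maps the plan onto the Azure CLI.

```python
"""Delegated-subnet planning and forced-tunnel UDR table for an APIM subnet.

Added example; every address below is a constructed placeholder.
"""
import ipaddress

# Azure reserves the first four addresses and the last address of each subnet.
AZURE_RESERVED_PER_SUBNET = 5
# The whitepaper recommends a delegated subnet no smaller than /27.
MAX_PREFIX_LEN = 27


def plan_delegated_subnet(vnet_cidr, subnet_cidr, existing_subnets):
    """Validate the delegated subnet and return its usable address count.

    Raises ValueError when the subnet lies outside the VNet, is smaller than
    /27, or overlaps an existing subnet (it must be empty and dedicated).
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    if not subnet.subnet_of(vnet):
        raise ValueError(f"{subnet} is not inside VNet {vnet}")
    if subnet.prefixlen > MAX_PREFIX_LEN:
        raise ValueError(f"{subnet} is smaller than /{MAX_PREFIX_LEN}; leave room to scale")
    for other in existing_subnets:
        if subnet.overlaps(ipaddress.ip_network(other)):
            raise ValueError(f"{subnet} overlaps {other}; the delegated subnet must be empty")
    return subnet.num_addresses - AZURE_RESERVED_PER_SUBNET


def build_route_table(firewall_ip, control_plane_ips):
    """Forced tunnel (0.0.0.0/0) to the firewall NVA, plus one /32 host route per
    control-plane IP with the 'Internet' next hop, so replies to inbound
    control-plane calls never detour through the firewall."""
    routes = [{"name": "forced-tunnel",
               "prefix": ipaddress.ip_network("0.0.0.0/0"),
               "next_hop_type": "VirtualAppliance",
               "next_hop_ip": firewall_ip}]
    for i, ip in enumerate(control_plane_ips):
        routes.append({"name": f"control-plane-{i}",
                       "prefix": ipaddress.ip_network(f"{ip}/32"),
                       "next_hop_type": "Internet",
                       "next_hop_ip": None})
    return routes


def next_hop_for(routes, destination):
    """Longest-prefix match, which is how Azure chooses among user-defined routes."""
    dest = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        if dest in route["prefix"] and (best is None or route["prefix"].prefixlen > best["prefix"].prefixlen):
            best = route
    return best["next_hop_type"] if best else None


def audit_route_table(routes, control_plane_ips):
    """Return a list of problems; empty means no asymmetric-routing risk."""
    problems = []
    # 198.51.100.1 is an arbitrary public probe address (TEST-NET-2).
    if next_hop_for(routes, "198.51.100.1") != "VirtualAppliance":
        problems.append("no forced-tunnel route to the firewall")
    for ip in control_plane_ips:
        if next_hop_for(routes, ip) != "Internet":
            problems.append(f"control-plane IP {ip} would be steered through the firewall")
    return problems


def to_az_cli(routes, resource_group, table_name):
    """Render the plan as Azure CLI commands (az network route-table route create)."""
    lines = []
    for route in routes:
        cmd = (f"az network route-table route create -g {resource_group} "
               f"--route-table-name {table_name} -n {route['name']} "
               f"--address-prefix {route['prefix']} --next-hop-type {route['next_hop_type']}")
        if route["next_hop_ip"]:
            cmd += f" --next-hop-ip-address {route['next_hop_ip']}"
        lines.append(cmd)
    return lines


# Constructed sample values (placeholders, not real Azure ranges).
VNET = "10.10.0.0/16"
EXISTING_SUBNETS = ["10.10.0.0/24", "10.10.1.0/27"]
DELEGATED_SUBNET = "10.10.5.0/27"
FIREWALL_IP = "10.10.0.4"                             # NVA inside the VNet
CONTROL_PLANE_IPS = ["203.0.113.10", "203.0.113.11"]  # stand-ins for the real ranges

if __name__ == "__main__":
    usable = plan_delegated_subnet(VNET, DELEGATED_SUBNET, EXISTING_SUBNETS)
    print(f"{DELEGATED_SUBNET}: {usable} usable addresses")
    table = build_route_table(FIREWALL_IP, CONTROL_PLANE_IPS)
    print("problems:", audit_route_table(table, CONTROL_PLANE_IPS))
    print("\n".join(to_az_cli(table, "rg-apim", "rt-apim-delegated")))
```

With the host routes in place the audit returns an empty list; build the table without them and it names each control-plane IP that would be steered into the firewall, which is the asymmetric-reply condition the Control Plane section warns about. The /32 routes win over 0.0.0.0/0 purely through longest-prefix match, so no route priority tricks are needed.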
44 | Extra care needs to be taken here, because the control plane IPs are part of Azure’s own public IP ranges. These IPs will need their own static host routes (i.e. UDRs) to ensure that responses to inbound calls do not follow the forced tunnel route out to the firewall. Else, an asymmetrical response will occur, and the PaaS service will enter a degraded state. This white sheet will supply specific instructions on how to configure these special routes so that a forced tunnel route to a firewall can be supported. 45 | 46 | ## Just how Public is the Control Plane? 47 | 48 | It is critical to note that control plane traffic never leaves Azure’s internal network. It will enter and leave your PaaS service on special public listeners that do not face the Internet. Control plane communication is strictly internal, Azure-to-Azure communication. These IPs need to be public because the Azure management service tier is multi-regional to withstand the failure of a single region and is often built on other Azure PaaS platforms under the hood. 49 | In fact, even though you use the UDR tag “Internet” to point your management host routes away from your firewall, this just tells the Azure Network Stack to use the default gateway of the hypervisor host, which lives deep within an Azure data center. It only leads out to the Internet – and out of Azure’s internal network – if the destination is outside of Azure. Else, traffic pointed to the “Internet” tag stays inside of Azure and follows Microsoft dark fiber to its regional destinations. 50 | 51 | ## Management Plane 52 | 53 | Management plane is a second kind of traffic that will be part of any PaaS service in a VNet. This type of traffic refers to user defined input that is sent into the PaaS service to configure the service according to a specific, desired outcome. 
This input can come in through the Azure Portal, PowerShell, Azure Cloud Shell, Visual Studio, or any other number of popular implementation tools, like Ansible, Terraform, etc. This traffic is inbound only and is typically RESTful over HTTPS. Management plane traffic needs to be highly secured in all instances, because it represents the “Keys to the Kingdom” for the IT pros who create and code in these PaaS environments. Two important management plane platforms for APIM are the Azure portal, and the Developer portal. However, there are also four special fqdns that provide management plane access for administrators. We will review these in another section below. 54 | 55 | ## Data Plane 56 | 57 | The data plane is also referred to end-user traffic, or customer traffic. This is traffic that your end users generate when they access your service for content, to query it, to upload data, and so on. It can also be the traffic that your application generates to talk to other backend services in response to end user input. Thus, the data plane traffic can be both inbound and outbound depending on the application platform and design. 58 | 59 | ## A Word about the Backend 60 | 61 | A lot of Azure PaaS platforms use both Azure Storage and Azure SQL services to get the job done across all three planes, or some combination of them. The classification of this backend traffic will need to be performed independently for each PaaS service that supports VNet Injection. For APIM, we will consider traffic to Azure Storage and Azure SQL as both control plane and data plane traffic, as the APIM reads and writes both types of data here. The bulk of the transfer does belong to data plane, however, so from a compliance or DLP perspective, APIM storage and SQL needs to fall into this same regulatory stance. 
# Internal vs External APIM

When you deploy [APIM into your VNET](https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet), you will have the choice of placing your APIM Gateway behind a Public Azure Load Balancer IP (External), or behind an Internal Azure Load Balancer IP (Internal). The setting that actually determines this outcome is found under the “Virtual Network” settings of your APIM. You will see a choice of “External” or “Internal” for your VNet deployment. In either case, the actual APIM nodes themselves are built using private IPs from the subnet.

Because high-security architectures often require moving endpoints to private network space and placing a firewall in front of the service, the “Internal” VNet mode is the ideal choice here. For hybrid motions, this Internal Gateway IP will be accessible over VPN and/or ExpressRoute, such that on-prem clients do not have to use the Internet to contact your APIM Gateway.

The [Internal APIM deployment](https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#--routing) guide discusses in detail what will happen to your APIM management plane when you move it behind a private IP in your VNet. The next section will dive into this in more detail. It is crucial that you read this solution carefully so you know how to design and access your APIM management plane.

## Management endpoints with Internal VNet mode

As discussed above, the management plane is how admins and developers come in to configure and view your service. In addition to the Azure and Developer portals, the following special management fqdns will need to resolve to the APIM private gateway IP, which will be hosting these services:

- [apim name].azure-api.net
- [apim name].portal.azure-api.net
- [apim name].management.azure-api.net
- [apim name].scm.azure-api.net

![alt text](https://github.com/jgmitter/images/blob/master/1.png)

You will need to set up a custom DNS solution for these four fqdns such that the A record for each of these hostnames will resolve to the private IP address of the APIM Gateway. The hostnames above are required in the HTTP request, such that the client will pass the correct hostname value to the APIM Gateway to forward to the right backend service. This [solution](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances) does a great job of outlining how to set up custom DNS in Azure. Note that you should set up the custom DNS service prior to deploying APIM into the VNet, so your management calls work correctly post-deployment.

Per the linked Internal APIM deployment guide, there are two other strategies you can use to simplify your DNS configuration:

1. Change the DNS fqdns of your APIM service to a domain name of your choice, e.g., change “contoso.azure-api.net” to “contoso.contoso-api.net”.

2. Set up a VM jumpbox in your VNet and modify the /etc/hosts record for these fqdns such that they resolve to the private IP of your APIM service.

# The Essential Architecture

The best-practice implementation of the high security APIM architecture is provided below. It is provided as a framework to discuss the full inbound and outbound requirements in the following sections.

1. An APIM service deployed in a [delegated subnet](https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet):

   - [Custom DNS](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server) will need to be configured prior to APIM VNet Injection.
   - The APIM Gateway should be configured in Internal mode.

2. [A routing table](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#custom-routes) applied to the APIM delegated subnet with these configurations:

   - A set of User-defined routes (UDRs) that steer egress control plane traffic to the Azure backbone using the “Internet” tag.
   - A set of User-defined routes (UDRs) that steer egress management plane traffic into a private firewall IP using the “Virtual Network Appliance” tag.
   - A set of User-defined routes that steer egress data plane traffic into the firewall using the “Virtual Network Appliance” tag.
   - A User-defined route that points the default gateway of the subnet (0.0.0.0/0) to the firewall using the “Virtual Network Appliance” tag, if your firewall resides in your VNet. Else, this route will arrive via BGP into the APIM subnet over ExpressRoute or VPN.

3. A [Network Security Group](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview) which will curtail inbound access. The best approach is to deny all inbound traffic, from both the Internet and the VNet, then whitelist the following groups:

   - Control plane, management plane, and data plane channels (discussed below in detail)
   - The APIM subnet itself for internal communication
   - Any private network ranges and ports that will be opening inbound connections to APIM

4. This NSG will also need to restrict outbound access. The best approach here is to deny all outbound traffic, to both the Internet and the VNet, then whitelist the following groups:

   - Control plane, management plane, and data plane channels (discussed below in detail)
   - The APIM subnet itself for internal communication
   - Any private network ranges and ports to which APIM will open outbound connections

5. An application firewall in an adjacent subnet or VNet to provide inbound and outbound protection.

# Symmetric Routing for Inbound APIM Control Plane Traffic

As we learned, the APIM control plane will be making inbound calls to your APIM delegated subnet, targeting a special management IP hosted by the fabric. This public endpoint will then forward control plane connection requests to the private IPs of your APIM role instances. In order to ensure that responses symmetrically map back to these inbound source IPs, you will need to create a route table and build a set of UDRs to steer traffic back to Azure by setting the next hop of these host routes to “Internet”. The host routes you will need to create are as follows:

1. Destination: 13.84.189.17/32 => Next Hop: Internet
2. Destination: 13.85.22.63/32 => Next Hop: Internet
3. Destination: 23.96.224.175/32 => Next Hop: Internet
4. Destination: 23.101.166.38/32 => Next Hop: Internet
5. Destination: 52.162.110.80/32 => Next Hop: Internet
6. Destination: 104.214.19.224/32 => Next Hop: Internet
7. Destination: 13.64.39.16/32 => Next Hop: Internet
8. Destination: 40.81.47.216/32 => Next Hop: Internet
9. Destination: 40.90.185.46/32 => Next Hop: Internet
10. Destination: 20.40.125.155/32 => Next Hop: Internet
11. Destination: 52.142.95.35/32 => Next Hop: Internet
12. Destination: 51.145.179.78/32 => Next Hop: Internet

![alt text](https://github.com/jgmitter/images/blob/master/17.png)

## A Word About the Future of APIM Control Plane

Today the APIM control plane uses the endpoints listed above for high availability. This range will grow in the future as Azure continues to grow. In the future, it is possible that some control plane functions for your APIM deployment will dynamically shift to a new IP which is not listed above. If this happens, your first motion will be to open a support ticket and add the new host routes to your Route Table. Any disturbance to your control plane will not impact your other planes, and your end-user traffic will not be affected.

To address this issue, Microsoft Azure is developing a special route tag that will dynamically support all control plane targets. At the time of this writing, this is still in development, but this white sheet will be updated when this feature is in production.

# Security for Inbound APIM Traffic

When planning your high security deployment, it is essential to understand all the inbound sources and channels so that you can implement your routes, NSGs, and firewall rules for maximum security. Here are the [inbound services](https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#a-namenetwork-configuration-issues-acommon-network-configuration-issues) that will be calling to your APIM subnet:

![alt text](https://github.com/jgmitter/images/blob/master/2.png)

![alt text](https://github.com/jgmitter/images/blob/master/3.png)

Let’s map the “Purpose” column to the three traffic types we have discussed for a better understanding of how to fine tune your NSG:

1. Client communication to API Management

   - This traffic will be both data plane and management plane calls and will hit the private IP address of your APIM Gateway (Internal VNet mode).
   - The source IP can be restricted to the private NAT IP of your WAF or firewall. The key idea here is that your firewall sits in front of APIM, and will forward calls from its trusted interface to your APIM Gateway.
   - The destination IP range can be restricted to the subnet mask of your APIM Gateway.
   - The source port range needs to be “*”.
   - The destination ports need to be 80 and 443.

2. Management endpoint for Azure portal and PowerShell

   - This traffic will be control plane only. Do not be confused by the term “management” here.
   - The source IP range can be restricted to the “ApiManagement” NSG service tag.
   - The destination IP range can be restricted to the subnet mask of your APIM Gateway.
   - The source port range will need to be “*”.
   - The destination port range will need to be 3443.

3. Access Azure Cache for Redis Instances between RoleInstances

   - This traffic will be internal data plane calls that will stay within your APIM subnet.
   - The source IP range will need to be the APIM subnet mask.
   - The source port range will need to be “*”.
   - The destination IP range will need to be the APIM subnet mask.
   - The destination port range will need to be 6381-6383.

4. Azure Infrastructure Load Balancer

   - This traffic will be internal control plane calls that will hit the Azure Internal Load Balancer that provides the private IP endpoint for your APIM Gateway.
   - The source IP range will need to be the “AzureLoadBalancer” NSG service tag.
   - The source port range will need to be “*”.
   - The destination IP range will need to be the APIM subnet mask.
   - The destination port range will need to be “*”.

![alt text](https://github.com/jgmitter/images/blob/master/4.png)

# Routing for Outbound APIM Traffic

For steering outbound connection requests from your APIM deployment through an NVA firewall, you may need the following UDRs in the Route Table which is applied to the delegated subnet of APIM:

1. Destination: 0.0.0.0/0 => Next Hop: Virtual Network Appliance (firewall IP)

   - This UDR will not be required if you are injecting 0.0.0.0/0 into the VNet over BGP. In this case, your firewall is on-prem.
   - This route will carry all public traffic permitted by your NSG to your firewall for inspection. This will include outbound traffic for all three types: control plane, management plane, and data plane.

2. Destination: [Azure subnet range] => Next Hop: Virtual Network Appliance (firewall IP)

   - These routes will differ per deployment and are optional. They will forward traffic destined to other subnets or hosts in your subscription into your NVA firewall for inspection.
   - These routes will technically service both requests and responses between this other subnet and your APIM deployment.
   - This is typically due to data plane calls to and from a backend service, but can also be for management or admin traffic from a jumpbox etc.
   - It is important to note that the subnet or host in question will also need a corresponding UDR to the firewall for the APIM subnet, to ensure symmetrical traffic through your firewall. This would be configured in a separate Routing Table and applied to the remote subnet in question.
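As an added offline model (not code from this repository or from Azure), the following Python checks the intent of the route table and inbound NSG described in the preceding sections before anything is deployed: longest-prefix matching of the twelve control-plane /32 routes against the 0.0.0.0/0 forced tunnel, and priority-ordered first-match evaluation of the inbound whitelist. The firewall IP, the APIM subnet, and the service-tag expansions are constructed assumptions; the real tags are resolved by Azure.

```python
"""Offline model of the APIM delegated-subnet policy: UDR longest-prefix match
and ordered NSG evaluation. Constructed values are marked as such."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed (not from the page): firewall trusted-side IP and APIM delegated subnet.
FIREWALL_IP = "10.0.1.4"
APIM_SUBNET = "10.0.2.0/27"

# The twelve control-plane host routes listed on the page; next hop "Internet".
CONTROL_PLANE_IPS = [
    "13.84.189.17", "13.85.22.63", "23.96.224.175", "23.101.166.38",
    "52.162.110.80", "104.214.19.224", "13.64.39.16", "40.81.47.216",
    "40.90.185.46", "20.40.125.155", "52.142.95.35", "51.145.179.78",
]


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str   # "Internet" stays on the Azure backbone; "VirtualAppliance" is the NVA
    next_hop_ip: str = ""


def build_route_table(with_host_routes: bool = True) -> List[Route]:
    """Forced tunnel to the NVA plus, optionally, the /32 control-plane exceptions."""
    routes = [Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP)]
    if with_host_routes:
        routes += [Route(f"{ip}/32", "Internet") for ip in CONTROL_PLANE_IPS]
    return routes


def next_hop(routes: List[Route], destination: str) -> Route:
    """Longest-prefix match: the most specific UDR wins, as in an Azure route table."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Service tags are expanded by Azure at runtime; these expansions are constructed stand-ins.
SERVICE_TAGS = {
    "ApiManagement": [f"{ip}/32" for ip in CONTROL_PLANE_IPS],  # assumption for the model
    "AzureLoadBalancer": ["168.63.129.16/32"],                   # constructed stand-in
    "VirtualNetwork": ["10.0.0.0/16"],                           # constructed stand-in
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class NsgRule:
    priority: int      # lower number is evaluated first; first match wins
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, single IP, service tag or "*"
    destination: str
    dest_ports: List[str] = field(default_factory=lambda: ["*"])  # e.g. "443", "6381-6383"


def _ip_matches(value: str, ip: str) -> bool:
    if value == "*":
        return True
    prefixes = SERVICE_TAGS.get(value, [value])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def inbound_nsg() -> List[NsgRule]:
    """Deny-all inbound, then the four whitelisted channels from the page."""
    return [
        NsgRule(100, "Allow", FIREWALL_IP, APIM_SUBNET, ["80", "443"]),  # clients via firewall
        NsgRule(110, "Allow", "ApiManagement", APIM_SUBNET, ["3443"]),   # control plane
        NsgRule(120, "Allow", APIM_SUBNET, APIM_SUBNET, ["6381-6383"]),  # Redis between roles
        NsgRule(130, "Allow", "AzureLoadBalancer", APIM_SUBNET),         # infrastructure probes
        NsgRule(4096, "Deny", "*", "*"),                                  # explicit deny-all
    ]


def evaluate(rules: List[NsgRule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the access decision of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_ip_matches(rule.source, src_ip) and _ip_matches(rule.destination, dst_ip)
                and any(_port_matches(p, dst_port) for p in rule.dest_ports)):
            return rule.access
    return "Deny"  # nothing matched: treat as denied, like Azure's default inbound rules


if __name__ == "__main__":
    rt = build_route_table()
    for dst in ("13.84.189.17", "203.0.113.7"):
        hop = next_hop(rt, dst)
        print(f"reply to {dst:>15} -> {hop.next_hop_type} {hop.next_hop_ip}")
    nsg = inbound_nsg()
    for flow in ((FIREWALL_IP, "10.0.2.5", 443), ("203.0.113.7", "10.0.2.5", 443),
                 ("13.64.39.16", "10.0.2.5", 3443), ("10.0.2.9", "10.0.2.5", 6382)):
        print(f"inbound {flow[0]:>15} -> {flow[1]}:{flow[2]:<5} {evaluate(nsg, *flow)}")
```

Dropping the host routes (`build_route_table(with_host_routes=False)`) sends the reply to a control-plane IP to the firewall instead, which is the asymmetric path the Symmetric Routing section warns about.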
![alt text](https://github.com/jgmitter/images/blob/master/5.png)

# Security for Outbound APIM Traffic

Here are the [outbound destinations](https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#a-namenetwork-configuration-issues-acommon-network-configuration-issues) that APIM will need to access through your NSG. We will discuss each one in more detail:

![alt text](https://github.com/jgmitter/images/blob/master/6.png)

Let’s map the “Purpose” column to the three traffic types we have discussed for a better understanding of how to build the NSG on your APIM delegated subnet for outbound security:

1. Dependency on Azure Storage

   - This will allow outbound data plane and control plane traffic to the dedicated Azure Storage tier for your APIM deployment.
   - The source port range will need to be “*”.
   - The source IP range will need to be the subnet range of your APIM deployment.
   - The destination port range will need to be “80” and “443”.
   - The destination IP range will need to be the NSG service tag “Storage”. It is best if you use the global tag in the event APIM needs to connect to backup storage in another region.
   - This traffic will follow the forced tunnel route out to your firewall and can be further protected at the application/fqdn level.

2. Azure Active Directory

   - This will allow outbound management plane traffic for admin and user authentication.
   - The source port range will need to be “*”.
   - The source IP range will need to be the subnet range of your APIM deployment.
   - The destination port range will need to be “80” and “443”.
   - The destination IP range will need to be the NSG service tag “AzureActiveDirectory”.
   - This traffic will follow the forced tunnel route out to your firewall and can be further protected at the application/fqdn level.

3. Access to Azure SQL endpoints

   - This will allow outbound data plane and control plane traffic to Azure SQL.
   - The source port range will need to be “*”.
   - The source IP range will need to be the subnet range of your APIM deployment.
   - The destination port range will need to be “1433”.
   - The destination IP range will need to be the NSG service tag “SQL”. It is best if you use the global tag in the event APIM needs to connect to backup SQL in another region.
   - This traffic will follow the forced tunnel route out to your firewall and can be further protected at the application/fqdn level.

4. Dependency for Log to Event Hub policy and monitoring agent

   - Logging and monitoring traffic is part and parcel of the APIM management plane.
   - The source port range will need to be “*”.
   - The source IP range will need to be the subnet range of your APIM deployment.
   - The destination port range will need to be “80” and “443”.
   - The destination IP range will need to be the NSG service tag “EventHub”.
   - This traffic will follow the forced tunnel route out to your firewall and can be further protected at the application/fqdn level.

5. Dependency on Azure File Share for GIT

   - The handling of code updates to/from GIT is part of the management plane for APIM.
   - The source port range will need to be “*”.
   - The source IP range will need to be the subnet range of your APIM deployment.
   - The destination port range will need to be “445”.
   - The destination IP range will need to be the NSG service tag “Storage”. It is best if you use the global tag in the event APIM needs to connect to backup storage in another region.
   - This traffic will follow the forced tunnel route out to your firewall and can be further protected at the application/fqdn level.

6. Health status to Resource Health

   - Health status reporting will be initiated by each role instance inside of your APIM subnet and will be part of the APIM control plane.
   - The source port range will need to be “*”.
   - The source IP range will need to be the subnet range of your APIM deployment.
   - The destination port range will need to be “1886”.
   - The destination IP range will need to be set to the NSG service tag “Internet”.
   - This traffic will follow the forced tunnel route out to your firewall and can be further protected at the application/fqdn level.

7. Publish Diagnostics Logs and Metrics

   - APIM Logs and Metrics for consumption by admins and your IT team are all part of the management plane.
   - The source port range will need to be “*”.
   - The source IP range will need to be the subnet range of your APIM deployment.
   - The destination port range will need to be “443”.
   - The destination IP range will need to be set to the NSG service tag “AzureMonitor”.
   - This traffic will follow the forced tunnel route out to your firewall and can be further protected at the application/fqdn level.

8. Connect to SMTP Relay for sending e-mails (25, 587, 25028)

   - APIM features the ability to generate email traffic as part of the data plane and the management plane.
   - The source port range will need to be “*”.
   - The source IP range will need to be the subnet range of your APIM deployment.
   - The destination port range will need to be “25”, “587”, and “25028”.
   - The destination IP range will need to be set to the NSG service tag “Internet”.
   - This traffic will follow the forced tunnel route out to your firewall and can be further protected at the application/fqdn level.

![alt text](https://github.com/jgmitter/images/blob/master/7.png)

## Benefits of an Outbound Application Firewall

It is important to note that the outbound IP destinations listed above are public IPs, and all of them belong to Microsoft. Thus, while you will need to open ACLs to “Internet” for things like SMTP and Diagnostics, the endpoints themselves are trusted Microsoft public IPs. Still, many high security deployments benefit from further inspection of outbound traffic at the application level (fqdns and hostnames, for example) to ensure that the destinations of outbound connection requests are trusted endpoints, and not some unknown URL that could be due to a fault in code, or worse.

Fortunately, all of the outbound services above carry known fqdns that we can use for just such a purpose. Most are printed in this [solution](https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#a-namenetwork-configuration-issues-acommon-network-configuration-issues) and will need to be added to your application firewall’s outbound security settings for application level (layer 7) whitelisting. I add them here for your convenience:

Outbound control plane and management plane fqdns for Azure Consumer Cloud

- prod.warmpath.msftcloudes.com
- shoebox2.metrics.nsatc.net
- prod3.metrics.nsatc.net
- prod3-black.prod3.metrics.nsatc.net
- prod3-red.prod3.metrics.nsatc.net
- prod.warm.ingestion.msftcloudes.com
- [azure region].prod.warm.ingestion.msftcloudes.com
  - where [East US 2] is eastus2.prod.warm.ingestion.msftcloudes.com
- SMTP Relay: ies.global.microsoft.com (25, 587, 25028)
- Diagnostic Log output: dc.services.visualstudio.com (443)

Outbound control plane and management plane fqdns for Azure Gov Cloud

- fairfax.warmpath.usgovcloudapi.net
- shoebox2.metrics.nsatc.net
- prod3.metrics.nsatc.net
- SMTP Relay: ies.global.microsoft.com (25, 587, 25028)
- Diagnostic Log output: dc.services.visualstudio.com (443)

Outbound control plane and management plane fqdns for Azure China Cloud

- mooncake.warmpath.chinacloudapi.cn
- shoebox2.metrics.nsatc.net
- prod3.metrics.nsatc.net
- SMTP Relay: ies.global.microsoft.com (25, 587, 25028)
- Diagnostic Log output: dc.services.visualstudio.com (443)

![alt text](https://github.com/jgmitter/images/blob/master/8.png)
![alt text](https://github.com/jgmitter/images/blob/master/9.png)
![alt text](https://github.com/jgmitter/images/blob/master/10.png)
![alt text](https://github.com/jgmitter/images/blob/master/11.png)
![alt text](https://github.com/jgmitter/images/blob/master/12.png)
![alt text](https://github.com/jgmitter/images/blob/master/14.png)

## Per-Service FQDNs for APIM

The remainder of the fqdns that your APIM service will use, such as those for Azure Storage, SQL, EventHub, etc., will be customized per your deployment. To learn them, you will need to call the “Network Status” API post deployment, then add these fqdns into the security policy of your application firewall along with the others listed above. The Network Status API is listed in the linked solution and also here.

![alt text](https://github.com/jgmitter/images/blob/master/15.png)

# IMPORTANT: Using Service Endpoints with APIM when you Force Tunnel

As of this writing, [Service Endpoints](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview) are not supported directly by APIM. However, you can still make good use of them alongside your NVA firewall, and here is why: without Service Endpoints, critical backend traffic between your APIM deployment and Azure will follow your forced tunnel route, which may lead to the subnet just next door, or all the way to your on-premises firewall.

Technically, your on-premises firewall can in turn forward traffic to backend services like Azure Storage, SQL, and Event Hub back over the Internet to Azure again, where these PaaS services are listening. However, this can introduce a fair amount of latency and slow down your APIM deployment’s data plane activity. To avoid this scenario, you will need to move your firewall footprint into an adjacent subnet or VNet, next to your APIM subnet. This design is called a VDMZ, or virtual DMZ.

When you have an NVA firewall living right next door to APIM and then force tunnel to it, a couple of really good things happen:

1. You can enable Service Endpoints on the firewall’s egress subnet so that network traffic from APIM to the supported backend services (Storage, SQL, and Event Hub) will flow directly to your firewall, then directly out of the VNet through Azure’s internal network. This keeps the traffic very secure and makes your round-trip times to your backend very fast!

![alt text](https://github.com/jgmitter/images/blob/master/16.png)

2. For those control plane and management plane IPs that are not supported by Service Endpoints, you can still use Azure’s “Internet” path on the egress NIC of your firewall to keep all that traffic on the Azure backbone. This will have the same outcome: your critical control plane and management plane traffic stays in Azure and reaps the benefits of security and speed.

For these reasons, the high security APIM deployment really benefits from a VDMZ, as opposed to a forced tunnel route to an on-prem firewall.

# Tips for Deploying your High Security APIM

1. Deploy your VDMZ tier if you are going to use an NVA firewall.

2. Next, create the delegated subnet for your APIM in your target VNet. /29 is the smallest supported size, but /27 is highly recommended.

3. Next, set up custom DNS in the APIM VNet as discussed in the [Internal APIM Deployment Guide](https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet).

4. Deploy your APIM into the subnet and set your VNet mode to “Internal”.

5. Prepare your application firewall with the right outbound and inbound policy.

6. Set up your route table correctly and apply it to your APIM subnet.

7. Set up your NSG for inbound and outbound correctly and apply it to your APIM subnet.

# Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

# Legal Notices

Microsoft and any contributors grant you a license to the Microsoft documentation and other content
in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode),
see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the
[LICENSE-CODE](LICENSE-CODE) file.

Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation
may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries.
The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks.
Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.

Privacy information can be found at https://privacy.microsoft.com/en-us/

Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents,
or trademarks, whether by implication, estoppel or otherwise.
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------

## Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).

--------------------------------------------------------------------------------