Presenters
Source
Welcome to an exhilarating deep dive into the world of cloud automations, where we transform complex tasks into seamless, secure workflows! I’m Leo Visser, and I’m passionate about tinkering with technology, especially in AI, automation, and cloud. As an Azure MVP for PowerShell and an organizer for the Dutch PowerShell user community, I love sharing insights that make your tech journey smoother.
Today, we’re tackling a crucial topic: securing your cloud automations. Let’s explore why we automate in the cloud and how we can make these automations robust and secure.
🚀 Why Automate in the Cloud?
Cloud automations offer a multitude of benefits that on-premises solutions often struggle to match:
- Shift Left Tasks: Automations empower individuals with lower permissions, like service desk personnel, to perform tasks traditionally reserved for high-privilege users (e.g., sysadmins). This broadens access while maintaining control and security scope.
- Effortless Maintenance: Cloud platforms boast extensive APIs, making it incredibly easy to automate maintenance and streamline infrastructure management. For Site Reliability Engineering (SRE) and Platform Engineering practices, automations are a must-have.
- Consumption-Based Billing: Unlike on-premises setups that require constant compute resources, cloud automations leverage consumption-based billing. You only pay for what you use, avoiding wasted money on idle infrastructure designed for peak loads.
- Seamless Integration: The cloud excels at connecting diverse platforms. Whether it’s your ticketing, monitoring, or security systems, cloud services offer low-code or high-code solutions to integrate and orchestrate complex workflows across many different systems.
While I will primarily focus on PowerShell for scripting and the Azure platform, remember that most principles and solutions discussed have equivalents in GCP, AWS, and other cloud environments.
💾 Automation 101: The Scheduled Script on a VM
Our automation journey often begins simply: a scheduled script running on a Virtual Machine (VM).
Imagine a basic PowerShell script that retrieves information from an Azure Storage Account table. While straightforward, running this on a VM presents immediate challenges:
- No Consumption-Based Billing: VMs run continuously, incurring costs even when the script isn’t active.
- Limited Logging: Basic VM scripts lack centralized, robust logging, making troubleshooting difficult.
- Data Gaps on Failure: If a script fails (e.g., due to an outage or authentication issue), it might miss critical data (like entries from a specific hour), leading to incomplete records.
💡 Level Up: Adding Resilience & Security with Key Vault & App Insights
To overcome the initial pitfalls, we can significantly enhance our VM-based automations with powerful Azure services:
- Managed Identity for Authentication: Instead of managing credentials
manually, you can assign a Managed Identity directly to your VM. This
allows your scripts to authenticate seamlessly against Azure services,
simplifying your authentication scheme and boosting security. You simply
change your connection command to use
identity. - Application Insights for Observability: Integrate Application Insights
to centralize your logging and monitoring. It allows you to:
- Send logs instantly from your script.
- Trigger alerts when specific events occur or failures happen.
- Create easy dashboards to visualize automation runs, performance (how long scripts took), and other custom metrics.
- The Telemetry Helper PowerShell module makes integration incredibly easy.
- Azure Key Vault for Secure Secrets Management: Store sensitive information
like secrets, connection strings, or even state variables (e.g., the last run
time of a script) in Azure Key Vault. This makes your scripts stateless,
centralizes secret management, and allows for easy rotation or replacement of
secrets.
- Challenge: If a script fails before updating a state variable (like a
check datein Key Vault), the next run can reprocess all previous instances, ensuring no data is missed. - Tradeoff: Careful placement of state variable updates within the script is crucial to manage potential small overlaps due to execution time.
- Challenge: If a script fails before updating a state variable (like a
🤖 Stepping into Serverless: Azure Automation Accounts
Moving beyond VMs, Azure Automation Accounts offer a serverless, consumption-based environment for your scripts.
- Runbooks: Within an Automation Account, you create Runbooks (PowerShell, Python, or graphical, though graphical ones are being deprecated). These runbooks execute your scripts on shared infrastructure, queuing jobs and running them when resources are available.
- Webhooks: Automation Accounts support webhooks, allowing external
systems (like ServiceNow or Topdesk) to trigger your automations by sending an
HTTP request.
- Challenge: Webhooks contain a secret token in the URL. Exposing this token in your code or external systems is a security risk.
- Solution: Store webhook URLs, including their tokens, securely in an Azure Key Vault and retrieve them via Managed Identity.
- Built-in Logging: Automation Accounts provide built-in logging for up to 90 days. For many automations, this retention period is sufficient.
- Tradeoff: While convenient, webhooks transmit data over the internet. For highly sensitive data, consider network integration (e.g., connecting your Automation Account to Azure networks) to keep traffic within your organization’s boundaries.
👨💻 The Evolution Continues: Azure Functions for Agile Automation
For more agile, high-code serverless solutions, Azure Functions are an excellent choice. They offer even faster startup times and granular control.
- Function Apps: You deploy your scripts as Function Apps, which can run on a consumption tier (highly cost-effective) or a service plan (for shared resources with other apps).
- Instant Execution: Azure Functions spin up almost instantly, making them ideal for responsive automations and even complete website backends.
- Function Keys (API Keys): Functions use function keys (similar to API
keys) for authentication. You can generate multiple keys per endpoint,
allowing for rotation and revocation if a key is compromised.
- Challenge: Like webhook tokens, function keys are secrets that shouldn’t live directly in your code.
- Solution: Store function keys in Azure Key Vault and retrieve them securely at runtime.
- Real-time & Integrated Logging: Azure Functions offer real-time logging within the portal, greatly aiding troubleshooting. These logs are also automatically saved to Application Insights, providing comprehensive monitoring and analytics.
🔒 Enterprise-Grade Security: API Management & User Authentication
For scenarios demanding user-account-based authentication rather than just API keys, Azure API Management is your next step.
- Secure Gateway: API Management acts as a secure front-door for your Azure Functions. It stores the underlying function keys securely, abstracting them from external callers.
- JWT Validation: You can configure API Management to validate JWT (JSON
Web Token) tokens for all incoming requests. This enforces robust user
authentication.
- How it works: If a request lacks a valid JWT, API Management blocks the call with an “Unauthorized” error, preventing your function from even being invoked.
- Enhanced Control: API Management allows you to expose a different endpoint to consumers, providing a layer of abstraction and control over your backend functions.
- Tradeoff: Implementing API Management adds another layer of complexity to your architecture. However, the significant security enhancement through user authentication and token validation often outweighs this complexity for enterprise applications.
✨ The Big Picture: Combining for Secure & Resilient Automations
Remember, no single solution is perfect. The true power lies in strategically combining these tools and techniques to build resilient and secure automation systems tailored to your specific needs.
We’ve journeyed from simple VM scripts to sophisticated, user-authenticated serverless functions. By integrating Managed Identities, Azure Key Vault, Application Insights, Azure Automation Accounts, Azure Functions, and API Management, you can craft powerful, observable, and secure cloud automations. Consider your context: sometimes a simple script on a VM is sufficient, but often, looking beyond basic tools to build a string of services together creates a far stronger outcome.
My dream is to automate myself right out of daily IT work and go on a perpetual holiday. With the rapid advancements in AI and automation, this goal feels more attainable than ever!
🌐 Connect with Leo!
I hope you enjoyed this journey into securing cloud automations! If you have any questions or want to discuss further, feel free to connect with me:
- LinkedIn: [QR code on screen in the original talk]
- Website: ordersysops.com
- Socials: @ordersysops
I regularly share insights on automations, personal projects, and general technology topics on my blog and social channels. If you ever meet me in person at a conference, come say hello – I love handing out stickers!
Thank you for listening, and enjoy the rest of the conference!