
We are looking at using webhooks from various vendors outside our network. They would publish the event to us. We would be the webhook listener/receiver, not pushing the events. We have done a proof of concept of creating an Azure Function to receive the event. From the research we have done, most handle security by passing a sha1/sha256/sha512 hash for us to verify they are who we want to receive the events from. This all worked as expected with the POC Azure Function.

From an enterprise network security standpoint, is there anything else available? The process above puts the security in the function. I'm sure our Network Security group would not want us to have 10 functions, one for each vendor, to worry about the security of. I've read about whitelisting of IPs that would be sending the events, but most of our vendors are cloud based so I'm not sure how readily that would be available. Maybe one function to validate all events that come in, then let them pass through? Would that be an acceptable solution? Are Azure API Gateway or API Management able to address this somehow? Any other network type of product that handles webhook security specifically?

Any insight or link to information most appreciated.

Thanks.

SliderBlues

1 Answer


Wow, that's a really, really open conversation.

You can use Azure Front Door with the Web Application Firewall attached to it, so SQL injection, DDoS or similar attacks can be prevented by AFD and the WAF.

However, I would say the most secure way is to put an IP restriction in place as well. So you need to get the IP addresses from your vendor. That could be multiple, maybe hundreds, but that doesn't matter. You can use the CIDR IP address format to cover a whole network. And you can easily set these IP address restrictions during the CI/CD pipeline with an Azure PowerShell script.

You can also use API Management in front of Azure Functions and create access restriction policies. You can restrict either IP based or JWT based. APIM might be a little bit pricey, though.

https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies

You can also create advanced policies with APIM:

https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies

Apart from that, AFD & WAF and IP restriction are at the network layer. But you can also implement token-based authentication on your code side.

https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

You can use either Azure Active Directory, IdentityServer or JWT for this.

Good luck!

Mehmet Taha Meral
  • Thanks! A lot out there it seems. Definitely want to keep the security out of the code if possible. At first webhook events almost all used the method of validating the hash, like GitHub currently uses. Going back and looking at a few like PayPal, Twilio and Snipcart, they have changed and have an SDK or a handshake type model to verify. Others may change to something different as well. If you are a company having events coming in this way from multiple vendors, being able to verify at the network layer seems the best way to go. Front Door and WAF are new for me so I will definitely check them out. – SliderBlues Jun 11 '20 at 19:56
  • You are welcome :) Yeap, Azure Front Door is relatively new on Azure. We use Twilio as well and they use AccountSid & AuthToken for authentication and PathServiceSid to determine which service you use in Twilio, such as Verify. So it's similar to what I said in my answer. Even Stripe, the biggest and for me the best payment gateway system, uses a Public Key and Secret Key for authentication. Have a look and raise another question if you feel you are stuck somewhere :) – Mehmet Taha Meral Jun 12 '20 at 09:04
  • Thanks for the info on Stripe. For us we are specifically only looking at consuming webhooks. Most use signature verification as described here https://stripe.com/docs/webhooks/best-practices . They do have other items listed to help, which is good to know. Twilio is similar; note their statement on IP addresses. https://www.twilio.com/docs/usage/webhooks/webhooks-security In the end it will be up to our Security group to find the best way. Your info has given some good knowledge to use when looking at solutions. Thanks! – SliderBlues Jun 12 '20 at 13:39
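As an added example (not code from the question, the answer, or any vendor), this is the in-function verification side the question describes, in Python: the GitHub-style `<algo>=<hex>` header for sha1/sha256/sha512, plus a timestamped variant modelled on the scheme the linked Stripe page documents, which also rejects replayed deliveries. The `t=<unix>,v1=<hex>` header layout, the 300-second tolerance, the secret and the event body are all constructed assumptions; in a real Function the secret comes from app settings or Key Vault.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample secret (assumption); never hard-code the vendor's real one.
SECRET = b"whsec_constructed_example"

SUPPORTED = ("sha1", "sha256", "sha512")


def sign_prefixed(body: bytes, secret: bytes, algo: str) -> str:
    """Produce a GitHub-style header value: '<algo>=<hex HMAC over raw body>'."""
    return f"{algo}={hmac.new(secret, body, algo).hexdigest()}"


def verify_prefixed(body: bytes, header: str, secret: bytes) -> bool:
    """Verify '<algo>=<hex>' over the raw request body with a constant-time compare.
    No timestamp is involved, so this scheme alone cannot detect replays."""
    algo, _, sig = header.partition("=")
    if algo not in SUPPORTED:          # unknown/unsupported digest -> reject, never guess
        return False
    expected = hmac.new(secret, body, algo).hexdigest()
    return hmac.compare_digest(expected, sig)


def sign_timestamped(body: bytes, secret: bytes, ts: int) -> str:
    """Produce 't=<unix>,v1=<hex>' where the signed payload is '<ts>.<body>'."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_timestamped(body: bytes, header: str, secret: bytes,
                       now: int, tolerance: int = 300) -> bool:
    """Accept only if the HMAC matches AND the timestamp is within `tolerance`
    seconds of `now`; a valid signature on a stale timestamp is a replay."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts = int(parts["t"])
        sig = parts["v1"]
    except (ValueError, KeyError):     # malformed header -> reject
        return False
    if abs(now - ts) > tolerance:      # replay window exceeded
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

Both verifiers must run over the exact raw bytes received (e.g. `req.get_body()` in an Azure Function), not a re-serialised JSON object, since any whitespace difference changes the HMAC.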