- Azure Spring Cloud application hosting a Spring Boot application configured by JHipster
- Azure SQL Server
- Azure SQL database
- Azure Key Vault
The demo Spring Boot app is created with the JHipster initializer (currently only Maven is supported for automatic deployment of Spring Boot apps to Azure Spring Cloud).
The app needs a connection to the Azure SQL DB. For testing purposes, allow access from your IP address in the Firewalls and virtual networks section of the Azure SQL Server resource.
The command for deploying a Spring Boot app to Azure Spring Cloud using JHipster is:

```
jhipster azure-spring-cloud
```

Before executing the command, the Azure Spring Cloud resource and the resource group need to be configured as CLI defaults, because the jhipster command does not accept them as parameters:

```
az configure --defaults spring-cloud=demo-azure-spring-cloud-api
az configure --defaults group=demo-azure-spring-cloud-api
```

The jhipster command will add a couple of Azure-related Spring dependencies, an azure profile in pom.xml and Azure-specific configuration files in the resources folder.
- Enable client application access by creating an Azure Active Directory (AAD) application, which lets the Spring Boot app authenticate itself so it can use the Column Master Key (CMK) held in the Key Vault for encrypting/decrypting the data. See how to register an application
- Create an application secret for the AAD application and save its value; it is used for the actual authentication. Check option 2 for authentication
- Add privileges for the AAD application to the Azure Key Vault:

  ```
  az keyvault set-policy --name $vaultName --key-permissions get list sign unwrapKey verify wrapKey --resource-group $resourceGroupName --spn $applicationId
  ```

  or directly from the portal under Access Policies of the Key Vault resource
- Install SQL Server Management Studio and connect to the database
- Right-click the table whose data you want to encrypt and select Encrypt Columns…
- Follow the instructions to use Azure Key Vault for saving the CMK
- Change the JDBC connection to support Always Encrypted. The driver itself checks the database metadata to see which columns are encrypted, gets the (wrapped) Column Encryption Key, goes to the Key Vault where the Column Master Key unwraps it, decrypts the data and returns it to the end user.
JDBC connection strings for drivers v7.4.1 or later; the first two use a managed identity (system-assigned and user-assigned respectively), the third a client secret:

```
jdbc:sqlserver://:;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultManagedIdentity
jdbc:sqlserver://:;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultManagedIdentity;keyStorePrincipal=
jdbc:sqlserver://:;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultClientSecret;keyStorePrincipalId=;keyStoreSecret=
```
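As an added example (not code from the original page, from JHipster or from the mssql-jdbc project), the following standalone Java program shows what "change the JDBC connection to support Always Encrypted" means on the application side: it builds the client-secret form of the connection string above from environment variables, then writes and reads an encrypted column through parameterized statements, which is the part that usually trips people up. The server, database, table and column names and the environment variable names are assumptions; the `columnEncryptionSetting`, `keyStoreAuthentication`, `keyStorePrincipalId` and `keyStoreSecret` property names are the ones the page lists, and `databaseName`, `encrypt` and `sendStringParametersAsUnicode` are standard mssql-jdbc URL properties.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example: Always Encrypted round trip against Azure SQL with the
 * Column Master Key in Azure Key Vault (client-secret authentication).
 * Schema, names and environment variables below are assumptions.
 */
public class AlwaysEncryptedDemo {

    /** Builds the JDBC URL. Secrets come from the environment, never from source or git. */
    static String buildUrl(String server, String database, String principalId, String secret) {
        return "jdbc:sqlserver://" + server + ":1433"
             + ";databaseName=" + database
             + ";encrypt=true"                                  // TLS to Azure SQL
             + ";columnEncryptionSetting=Enabled"               // turn on Always Encrypted in the driver
             + ";keyStoreAuthentication=KeyVaultClientSecret"   // authenticate to Key Vault as the AAD app
             + ";keyStorePrincipalId=" + principalId            // application (client) id of the AAD app
             + ";keyStoreSecret=" + secret;                     // the application secret created earlier
    }

    public static void main(String[] args) throws SQLException {
        String url = buildUrl(
            env("SQL_SERVER"),        // assumed, e.g. demo-server.database.windows.net
            env("SQL_DATABASE"),      // assumed
            env("AAD_APP_CLIENT_ID"), // assumed
            env("AAD_APP_SECRET"));   // assumed

        // SQL login for the database itself (separate from the Key Vault credentials).
        try (Connection conn = DriverManager.getConnection(url, env("SQL_USER"), env("SQL_PASSWORD"))) {

            // Assumed table: dbo.Patients(Id INT, Ssn NVARCHAR(11) ENCRYPTED WITH (ENCRYPTION_TYPE = DETERMINISTIC, ...)).
            // For a parameterized statement the driver asks the server which parameters target
            // encrypted columns, has Key Vault unwrap the column encryption key with the CMK,
            // and encrypts the parameter value client-side before it ever leaves the app.
            try (PreparedStatement ins = conn.prepareStatement(
                    "INSERT INTO dbo.Patients (Id, Ssn) VALUES (?, ?)")) {
                ins.setInt(1, 42);
                // setString sends NVARCHAR; if the column were VARCHAR the server would reject it
                // with an operand type clash, and you would add sendStringParametersAsUnicode=false to the URL.
                ins.setString(2, "123-45-6789");
                ins.executeUpdate();
            }

            // Equality lookups work only on DETERMINISTIC columns and only through parameters.
            // Writing the value as a literal in the SQL text ("WHERE Ssn = '123-45-6789'") fails:
            // the server holds only ciphertext and cannot encrypt the literal itself.
            try (PreparedStatement sel = conn.prepareStatement(
                    "SELECT Id, Ssn FROM dbo.Patients WHERE Ssn = ?")) {
                sel.setString(1, "123-45-6789");
                try (ResultSet rs = sel.executeQuery()) {
                    while (rs.next()) {
                        // Ssn arrives decrypted because columnEncryptionSetting=Enabled; with the
                        // setting off (or no Key Vault access) the same query returns ciphertext bytes.
                        System.out.println(rs.getInt("Id") + " " + rs.getString("Ssn"));
                    }
                }
            }
        }
    }

    /** Fails fast on a missing variable rather than silently connecting without key-store credentials. */
    private static String env(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }
}
```

In the JHipster application the same URL belongs in `spring.datasource.url` of the profile configuration that the azure-spring-cloud sub-generator produces (the exact file name depends on the generated profile and is not stated on the page); keep the client secret out of that file and inject it through the Azure Spring Cloud app's environment variables, or prefer the managed-identity form of the connection string, which needs no secret at all.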
To follow the application logs:

```
az spring-cloud app logs -f --name <azure-spring-cloud-app-name>
```
- Virtual Network
- Azure Spring Cloud application hosting a Spring Boot in the virtual network
- Azure SQL Server
- Azure SQL database
- Azure Key Vault
- Application Gateway
- Public IP Address
- Managed Identity
- Private DNS Zone
- Create a Virtual Network and Azure Spring Cloud by following the instructions
- Deploy your Spring application the same way as described above
- In order to access the application deployed in a virtual network, you need to create an Azure Private DNS Zone, link it to the Virtual Network and create DNS records in this zone for the service-runtime-subnet. Instructions
In order to expose the application created in a private network to the internet, we need an Application Gateway:

- Create a subnet in the same Virtual Network for the Application Gateway
- Create a Public IP Address which will be used as the frontend of the Application Gateway. While creating the resource, select the Static allocation method and the Standard SKU
- Create a Managed Identity resource and give it access to the Key Vault by adding it to the Access Policies
- Follow the step-by-step instructions to create an Application Gateway resource:
  - In the first step provide the Subscription and Resource group where the VNet resides, give the gateway a name and select the Virtual Network and the newly created subnet for the gateway.
  - In the second step select the Public IP Address that you have created
  - In the third step add a backend pool using the fully qualified domain name (FQDN) of the endpoint assigned to the app running in Azure Spring Cloud
  - In the Configuration step add a routing rule connecting the frontend IP with the backend pool.
    On the Listener page:
    - Listener name: [your listener name]
    - Frontend IP: [the created Public IP Address]
    - Protocol: HTTPS
    - Certificate: Choose certificate from the Key Vault
    - Managed Identity: [select the new managed identity]
    - Key Vault: [your key vault]
    - Certificate: [your certificate]
    On the Backend Targets page:
    - Target type: Backend pool
    - Backend target: [application in Azure Spring Cloud]
    - HTTP settings: add new (select HTTPS and Pick Host Name From Backend Target)
- Save and create the gateway
- Use the Gateway’s public IP/domain name to access the application from the internet