[Azure] A real example for understanding the different app concepts in Azure
We will discuss the differences between App Registration, Service Principal, App Service, and Function App.
Introduction
When I was studying Microsoft Azure penetration testing, I had to work through important concepts such as App Registration, Service Principal, App Service, and Function App. Their formal definitions make it hard to tell them apart, so I want to walk through the meaning of each one with you using a real example. Let's get started!
Scenario
Let's walk through a real-world scenario involving a web application for an online bookstore called BookStore.com. We'll see how each Azure component—App Registration, App Services, Service Principals, and Function Apps—fits into this scenario.
BookStore.com wants to build a web application that allows users to browse and purchase books, an API for mobile apps, and an administrative portal for managing inventory. The application will also have an automated process to update book inventory based on sales data.
App Registration
Purpose: To secure the application and provide authentication and authorization using Azure Active Directory (Azure AD).
Example:
Register the web application: In Azure AD, you create an App Registration for the web application, BookStoreWebApp.
Register the API: Another App Registration for the API, BookStoreAPI.
Register the admin portal: An App Registration for the admin portal, BookStoreAdminPortal.
Details:
BookStoreWebApp: Client ID xxxxxx; Redirect URI https://www.bookstore.com/signin-oidc
BookStoreAPI: Client ID yyyyyy
BookStoreAdminPortal: Client ID zzzzzz; Redirect URI https://admin.bookstore.com/signin-oidc
Functionality: Users logging into the web application or admin portal authenticate through Azure AD; the web app and the API use OAuth 2.0 to secure the communication between them.
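To make the App Registration role concrete, here is an added example (not code from the original post) that models the three registrations above and the two checks they exist for: the web app and admin portal may only receive sign-in responses at their registered redirect URI, and the API only accepts tokens whose audience is its own registration. The client IDs are the post's placeholders (xxxxxx, yyyyyy, zzzzzz).

```python
"""Added example (not from the original post): models the three App
Registrations from the scenario and the two checks that make them
useful. Client IDs are the post's placeholders (xxxxxx, yyyyyy, zzzzzz)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRegistration:
    name: str
    client_id: str
    # Redirect URIs registered on the app; empty for the API, which is a
    # resource that receives tokens rather than a client that signs users in.
    redirect_uris: frozenset = frozenset()


REGISTRATIONS = {
    "xxxxxx": AppRegistration("BookStoreWebApp", "xxxxxx",
                              frozenset({"https://www.bookstore.com/signin-oidc"})),
    "yyyyyy": AppRegistration("BookStoreAPI", "yyyyyy"),
    "zzzzzz": AppRegistration("BookStoreAdminPortal", "zzzzzz",
                              frozenset({"https://admin.bookstore.com/signin-oidc"})),
}


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Decide whether an authorization request may send the code to `requested`.

    Azure AD matches redirect_uri against the registered list exactly, so a
    different host, an extra path segment or an http:// downgrade all fail.
    An unknown client_id fails too: only registered apps can start sign-in.
    """
    app = REGISTRATIONS.get(client_id)
    if app is None:
        return False
    return requested in app.redirect_uris


def token_accepted_by_api(claims: dict, api_client_id: str = "yyyyyy") -> bool:
    """The API should only accept tokens issued for its own registration.

    The audience claim is the client ID (v2.0 tokens) or the Application ID
    URI api://<client-id> (v1.0 tokens); `aud` may also be a list. A token
    minted for the web app (aud xxxxxx) is rejected even though Azure AD
    signed it, which is what keeps the three registrations separate.
    """
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    accepted = {api_client_id, f"api://{api_client_id}"}
    return any(a in accepted for a in audiences)


if __name__ == "__main__":
    print(redirect_uri_allowed("xxxxxx", "https://www.bookstore.com/signin-oidc"))    # True
    print(redirect_uri_allowed("xxxxxx", "https://www.bookstore.com/signin-oidc/x"))  # False
    print(token_accepted_by_api({"aud": "xxxxxx"}))                                   # False
```

The point of the two functions: registering the redirect URI and the client ID is what lets Azure AD refuse to hand a sign-in response to an unregistered location, and what lets the API refuse a token that was issued for a different app.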
App Services
Purpose: To host the web application, API, and admin portal.
Example:
Web Application: Hosted on Azure App Service as a Web App. Domain: https://www.bookstore.com. Service: BookStoreWebAppService.
API: Hosted on Azure App Service as an API App. Domain: https://api.bookstore.com. Service: BookStoreAPIService.
Admin Portal: Hosted on Azure App Service as a Web App. Domain: https://admin.bookstore.com. Service: BookStoreAdminPortalService.
Details:
BookStoreWebAppService: Hosts the main website and scales automatically based on traffic.
BookStoreAPIService: Provides endpoints for mobile apps and other clients to interact with the bookstore's data.
BookStoreAdminPortalService: Provides a secure interface for administrators to manage inventory.
Service Principals
Purpose: To grant the web application, API, and automated processes access to Azure resources securely.
Example:
Web App Service Principal: BookStoreWebAppSP
API Service Principal: BookStoreAPISP
Admin Portal Service Principal: BookStoreAdminPortalSP
Details:
BookStoreWebAppSP: Permissions: access to the Azure SQL Database for user data. Role: db_reader on the SQL Database.
BookStoreAPISP: Permissions: read and write access to the storage account that stores book images. Role: Storage Blob Data Contributor.
BookStoreAdminPortalSP: Permissions: full access to the inventory database. Role: db_owner on the SQL Database.
Function Apps
Purpose: To handle serverless computing tasks like updating book inventory based on sales data.
Example:
Inventory Update Function App: BookStoreInventoryUpdater
Details:
BookStoreInventoryUpdater:
Trigger: Timer Trigger to run every hour.
Function Code: Fetch sales data, calculate inventory changes, and update the database.
Binding: Azure SQL Database to update the inventory.
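The three lines above (timer trigger, function code, SQL binding) describe the job; what they leave implicit is what the code must do when the same hour's sales are delivered twice, or when a run is retried after a partial failure. The following added example (not code from the original post) shows the "fetch sales data, calculate inventory changes, and update the database" step as plain Python with that failure mode handled: the sale ID is the unit of idempotency, and a change that would drive stock negative is refused rather than clamped. In the real Function App this logic would sit behind the hourly timer trigger and the Azure SQL binding; here inventory, sales and the processed-sale bookkeeping are in-memory values constructed for the example.

```python
"""Added example (not from the original post): the inventory-update logic
the BookStoreInventoryUpdater function runs each hour. In the real Function
App this sits behind the timer trigger and the database binding; here the
inventory, sales and processed-sale bookkeeping are in-memory dicts and sets
so the logic can run stand-alone. Sample data is constructed."""

# Constructed sample state: stock per ISBN, and the sales delivered this hour.
INVENTORY = {"isbn-0001": 10, "isbn-0002": 3}
SALES = [
    {"sale_id": "s-100", "isbn": "isbn-0001", "qty": 2},
    {"sale_id": "s-101", "isbn": "isbn-0002", "qty": 1},
    {"sale_id": "s-101", "isbn": "isbn-0002", "qty": 1},  # duplicate delivery
    {"sale_id": "s-102", "isbn": "isbn-0001", "qty": 1},
]


def calculate_inventory_changes(sales, processed_ids):
    """Aggregate quantities per ISBN, skipping sales seen before.

    An hourly job that is retried after a partial failure, or fed a duplicate
    row, must not decrement stock twice, so the sale_id is the unit of
    idempotency. Returns (changes, newly_processed_ids).
    """
    changes, newly = {}, set()
    for sale in sales:
        sid = sale["sale_id"]
        if sid in processed_ids or sid in newly:
            continue
        newly.add(sid)
        changes[sale["isbn"]] = changes.get(sale["isbn"], 0) + sale["qty"]
    return changes, newly


def apply_inventory_changes(inventory, changes):
    """Return a new inventory with the changes applied, refusing to go negative.

    Raising instead of clamping leaves the stored state untouched, so the next
    run sees the same input and an operator can investigate the mismatch.
    """
    updated = dict(inventory)
    for isbn, qty in changes.items():
        on_hand = updated.get(isbn, 0)
        if on_hand - qty < 0:
            raise ValueError(f"{isbn}: stock {on_hand} is less than sales {qty}")
        updated[isbn] = on_hand - qty
    return updated


def run_hourly_update(inventory, sales, processed_ids):
    """One timer-trigger run: fetch, calculate, update. Returns the new
    (inventory, processed_ids) pair; in the Function App both would be
    written back through the SQL binding in the same transaction."""
    changes, newly = calculate_inventory_changes(sales, processed_ids)
    return apply_inventory_changes(inventory, changes), processed_ids | newly


if __name__ == "__main__":
    inv, done = run_hourly_update(INVENTORY, SALES, set())
    print(inv)                                          # {'isbn-0001': 7, 'isbn-0002': 2}
    inv_again, _ = run_hourly_update(inv, SALES, done)  # rerun with the same sales
    print(inv_again == inv)                             # True
```

Persisting the processed sale IDs alongside the inventory is what makes the hourly schedule safe to rerun; without it, the timer trigger firing twice (or an operator re-triggering the function by hand) would silently understate stock.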
Full Scenario Flow
User Authentication and Access:
A user navigates to https://www.bookstore.com. They are redirected to Azure AD for authentication. After successful login, they are redirected back to the web app (using the App Registration details).
Web App Functionality:
The user browses books, which calls the BookStoreAPIService at https://api.bookstore.com to fetch data. The web app uses its Service Principal BookStoreWebAppSP to read user data from the Azure SQL Database.
Admin Portal:
An admin navigates to https://admin.bookstore.com and logs in via Azure AD. The portal uses BookStoreAdminPortalSP to manage book inventory with full database access.
Automated Inventory Updates:
The BookStoreInventoryUpdater function runs every hour. It uses its Service Principal to access sales data and update the inventory in the SQL Database.
Summary
App Registration secures and integrates apps with Azure AD.
App Services hosts the web application, API, and admin portal.
Service Principals grant applications secure access to Azure resources.
Function Apps handle serverless tasks like periodic inventory updates.
This setup ensures that BookStore.com operates securely, scales automatically, and maintains an up-to-date inventory with minimal manual intervention.
Thanks for your time, and keep in touch.