AWS/Azure/OpenShift Web Server Windows

How to Secure a Web Server on a Windows Virtual Machine in Azure using TLS/SSL Certificates Saved in Azure Kay Vault

Secure-Web-Server

Web traffic to web servers can be easily encrypted using Transport Layer Security (TLS), formerly known as the Secure Sockets Layer (SSL) certificates. These TLS/SSL certificates are deployable to Windows virtual machines (VMs) on Azure securely and can be saved in the Azure Key Vault. A web server is software and hardware that responds to client requests sent over the World Wide Web using HTTP (Hypertext Transfer Protocol) and other protocols. A web server’s primary responsibility is to display website content by storing, processing, and sending web pages to users. You can encrypt web servers such as Nginx, Apache, and Internet Information Service (IIS) hosted on Azure Windows Virtual Machines the same way you would encrypt the ones installed on any of the Linux Distros such as Debian, Ubuntu, or CentOS. You should take a look at the following related articles: how to Create a Linux Virtual Machine Via Azure CLI, Install an Nginx Web-Server and Configure TCP Port, how to Configure Virtual Host for Apache HTTP Web Server to Host Several Domains on Ubuntu 20.04 LTS, how to Install Web Server IIS in Windows Server 2019, how to Install “Lets Encrypt” on Apache HTTP Web Server and how to add and remove IIS Web Server on Windows Server 2019 via the Server Manager and PowerShell. In this guide, I show you how to create an Azure Key Vault, generate or upload a certificate to the Key Vault, create a VM and install the IIS web server, add the certificate into the VM, and configure IIS with a TLS binding.

Create Azure Key Vault

You can get started with creating Azure Key Vault by launching the free interactive cloud shell window directly on the Azure Portal or running the commands using PowerShell on our local PC. Here, I’m will create everything from the in-built PowerShell on the local PC because I have installed the Azure CLI .

Note the reason why you need to store the SSL certificate in Azure Key Vault is because Azure Key Vault helps protect cryptographic secrets and keys, including passwords or certificates. Key Vault makes managing certificates easier and lets you keep control of the keys used to access those certificates.

To create Azure Kay Vault, follow the steps below:

  1. Run the command below in the cloud shell or the in-built PowerShell on your PC.
Note every resource created in Azure is held in a logical folder called the Resource Group. So you must create a Resource Group first before creating Key Vault. Review this article to learn how to create a resource group with Azure CLI. 

Proceed to create Azure Key Vault using the PowerShell cmdlets below:

$az keyvault create --name <keyvaultname> --resource-group <resourcegroupname> --location <yourlocation>
Create-Keyvault
Creating Azure Key Vault

Generate a certificate and store it in Key Vault

The next step is to generate a certificate and store it in Key Vault. Let’s do this through the Azure Portal. You also generate a certificate using the PowerShell command below:

Set-AzureKeyVaultCertificatePolicy -VaultName "techdirectvault" -Name "techdacerts" -SecretContentType "application/x-pkcs12" -SubjectName "CN=techda.com" -IssuerName "Self" 
-ValidityInMonths 6 -ReuseKeyOnRenewal $True -PassThru

The Key Vault I created is already there on the Azure Portal as shown in the screenshot below:

Key-vault-created
Key Vault Created

To generate the certificate, do the following:

  1. Double-click to open the Key Vault you created. Locate “Certificate” within the Key Vault blade and click on Generate/Import tab
Generating-Azure-Key-Vault-Certificate
Generating a Certificate

2. In the method of certificate, select “generate” you can also import the certificate. In the case select, “import”. Here we’re generating it. After specifying the method of certificate creation, go ahead and specify other details as shown in the screenshot below and click on “Create”. Note, generating a self-signed certificate

Supply-the-details
Specifying Certificate Details

Now the certificate has been generated and enabled.

Cert-Generated
Certificate Generated and Enabled

Creating a Virtual Machine

Next step in the article is to create a Windows virtual machine. The first thing we need to do is to Set an administrator username and password for the VM with Get-Credential PowerShell Cmdlet:

Get-Credential -Credential <Username>
Get-Credentials
Get Credentials

You will be prompted to provide the user’s password. Go ahead and type the password. The credentials will be set as shown below:

User-Password-set
Username and Password Set

Now let’s create the Windows VM with the following PowerShell Cmdlet: (Note, to allow secure web traffic, you must keep port 443 open)

New-AzVm `
    -ResourceGroupName techdirectarchiveRG `
    -Name techdavm `
    -Location eastus `
    -VirtualNetworkName "techdaVnet" `
    -SubnetName "techdaSubnet" `
    -SecurityGroupName "techdaNetworkSecurityGroup" `
    -PublicIpAddressName "techdaPublicIpAddress" `
    -OpenPorts 443

When you execute the code above, it will take a few minutes for the VM to be created.

Created-Windows-VM
Creating a Windows VM

Now, step use the Azure Custom Script Extension to install the IIS web server with Set-AzVmExtension.

Now let’s install the IIS with the below command:

$Set-AzVMExtension -ResourceGroupName techdirectarchiveRG`
    -ExtensionName "IIS" `
    -VMName <YourVMName> `
    -Location <YourPreferredLocation> `
    -Publisher "Microsoft.Compute" `
    -ExtensionType "CustomScriptExtension" `
    -TypeHandlerVersion 1.8 `
    -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server 
-IncludeManagementTools"}'
Installed-IIS-Web-Server
Installing IIS Web Server

The following sub-sections of the articles will be updated later.

  1. Adding the certificate into the VM
  2. Configuring IIS with a TLS binding

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x