Azure Serverless API Architecture Analysis, Network Mapping & Security Assessment

This project presents the current state of an Azure-based application environment following a comprehensive technical analysis, including architectural discovery, dependency mapping, network flow analysis, and evaluation of security posture across integrated PaaS services, along with recommendations for improvement.

Project Overview

The objective was to reverse engineer and document a multi-tier Azure application without prior documentation, replicating a real-world onboarding or incident-response scenario. This included identifying service dependencies, analyzing runtime behavior, and evaluating cloud design maturity.

  • Discovered application and data flow across Azure services
  • Mapped public and internal network paths
  • Analyzed API behavior and backend integrations
  • Evaluated security controls, identity, and access patterns
  • Assessed monitoring, deployment, and operational maturity

Architecture Diagram (Current State)

(Diagram rendered as text.)

Public Internet
  -> Web Application (App Service): frontend / API gateway layer
  -> Azure Function App (serverless): HTTP-triggered APIs, GET /entity, GET/POST /orders
  -> Azure SQL Database: stored procedures (business logic)
Supporting services: App Insights, Storage Account

Architecture Analysis

  • Identified a multi-tier architecture using App Service (frontend/API layer) and Azure Functions (serverless backend)
  • Confirmed stateless API design using HTTP-triggered functions
  • Mapped direct database interaction via stored procedures (data-tier-driven logic model)
  • Observed separation of compute tiers (App Service vs serverless execution)
  • Validated Azure-native PaaS architecture without underlying VM dependencies
---

Network & Connectivity Analysis

  • All application tiers exposed via public Azure endpoints (azurewebsites.net, database.windows.net)
  • No Virtual Network (VNet) integration present across services
  • No private endpoints configured for SQL or Storage
  • Serverless backend connects to database via public TCP 1433 endpoint
  • Outbound connectivity uses Azure-managed SNAT IP ranges
  • No network segmentation, firewall scoping, or access restrictions enforced

This represents a flat network architecture model with direct internet exposure across application and data tiers.

---

Identity & Access Management

  • No authentication configured on App Service (public access allowed)
  • No authentication configured on API endpoints (Function App)
  • Application relies on static SQL credentials stored in environment variables
  • No use of Managed Identity for service-to-service authentication
  • No Azure AD integration for application access control
  • No Key Vault used for centralized secret management
---

Data Layer Observations

  • Azure SQL Database accessed via public endpoint
  • Business logic implemented through stored procedures
  • Application connects using SQL authentication instead of identity-based access
  • No private endpoint or service endpoint used for database isolation
---

Observability & Monitoring

  • Application Insights configured with instrumentation key
  • Telemetry enabled for request tracking and dependency analysis
  • Smart detection alert configured for anomaly detection
  • Limited runtime traffic observed (low or idle environment)
  • Monitoring exists but is not actively leveraged for operational insight
---
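One way to turn the request and dependency telemetry described here into the dependency map mentioned in the Project Overview, as an added example that is not part of the original project: the records below are constructed by hand and only mirror the column names of the Application Insights `requests` and `dependencies` tables (operation_Id, name, url, resultCode, type, target, data, success); the host names, operation ids and stored procedure names are placeholders.

```python
"""Rebuild the API -> backend dependency map from Application Insights telemetry.

Added example, not from the original project. REQUESTS and DEPENDENCIES are
constructed by hand; they only mirror the column names of the `requests` and
`dependencies` tables (operation_Id, name, url, resultCode, type, target, data,
success). Host names are placeholders.
"""
from collections import defaultdict
from urllib.parse import urlparse

SQL_TARGET = "example-sql.database.windows.net | appdb"   # constructed
BLOB_TARGET = "examplestorage.blob.core.windows.net"       # constructed
API_HOST = "https://example-func.azurewebsites.net/api"    # constructed

REQUESTS = [
    {"operation_Id": "op-1", "name": "GET /entity",  "url": f"{API_HOST}/entity", "resultCode": "200"},
    {"operation_Id": "op-2", "name": "GET /orders",  "url": f"{API_HOST}/orders", "resultCode": "200"},
    {"operation_Id": "op-3", "name": "POST /orders", "url": f"{API_HOST}/orders", "resultCode": "201"},
    {"operation_Id": "op-4", "name": "GET /orders",  "url": f"{API_HOST}/orders", "resultCode": "500"},
]

# One dependency row per outbound call made while serving the request with the same operation_Id.
DEPENDENCIES = [
    {"operation_Id": "op-1", "type": "SQL", "target": SQL_TARGET, "name": "usp_GetEntity", "data": "usp_GetEntity", "success": True},
    {"operation_Id": "op-2", "type": "SQL", "target": SQL_TARGET, "name": "usp_GetOrders", "data": "usp_GetOrders", "success": True},
    {"operation_Id": "op-3", "type": "SQL", "target": SQL_TARGET, "name": "usp_InsertOrder", "data": "usp_InsertOrder", "success": True},
    {"operation_Id": "op-3", "type": "Azure blob", "target": BLOB_TARGET, "name": "PUT logs", "data": "PUT logs/order.json", "success": True},
    {"operation_Id": "op-4", "type": "SQL", "target": SQL_TARGET, "name": "usp_GetOrders", "data": "usp_GetOrders", "success": False},
]


def build_call_graph(requests, dependencies):
    """Map each API operation to the backend calls it makes.

    Returns {request_name: {(dep_type, target, dep_name): call_count}}. Joining
    on operation_Id is the same correlation App Insights uses for its own
    application map, so the result is the data-flow diagram in tabular form.
    """
    deps_by_op = defaultdict(list)
    for dep in dependencies:
        deps_by_op[dep["operation_Id"]].append(dep)
    graph = defaultdict(lambda: defaultdict(int))
    for req in requests:
        for dep in deps_by_op.get(req["operation_Id"], []):
            graph[req["name"]][(dep["type"], dep["target"], dep["name"])] += 1
    return {name: dict(edges) for name, edges in graph.items()}


def downstream_hosts(requests, dependencies):
    """Distinct host names seen in telemetry: the inventory of endpoints whose
    network exposure (public endpoint vs private endpoint) has to be checked."""
    hosts = {urlparse(r["url"]).hostname for r in requests}
    hosts |= {d["target"].split("|")[0].strip() for d in dependencies}
    return sorted(hosts)


def stored_procedures(dependencies):
    """Stored procedures invoked by the API layer, i.e. where the business logic lives."""
    return sorted({d["data"] for d in dependencies if d["type"] == "SQL"})


def failed_dependencies(requests, dependencies):
    """Correlate non-2xx requests with the dependency that failed inside them."""
    failed_ops = {r["operation_Id"]: r["name"] for r in requests if not r["resultCode"].startswith("2")}
    return [(failed_ops[d["operation_Id"]], d["type"], d["name"])
            for d in dependencies if d["operation_Id"] in failed_ops and not d["success"]]


if __name__ == "__main__":
    for api, edges in build_call_graph(REQUESTS, DEPENDENCIES).items():
        for (dep_type, target, name), count in edges.items():
            print(f"{api:12} -> {dep_type:10} {name:16} @ {target} (x{count})")
    print("hosts:", downstream_hosts(REQUESTS, DEPENDENCIES))
    print("stored procedures:", stored_procedures(DEPENDENCIES))
    print("failures:", failed_dependencies(REQUESTS, DEPENDENCIES))
```

On a real environment the two lists come from a Log Analytics export of the `requests` and `dependencies` tables for the Function App; the host list is what gets cross-checked against the network configuration, and the stored procedure list documents the data-tier-driven logic model.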

Deployment & DevOps Maturity

  • No CI/CD pipelines configured (Deployment Center unset)
  • No Git-based integration (GitHub / Azure DevOps)
  • Deployment likely performed manually via portal or package upload
  • No staged environments or deployment slots used
  • No infrastructure-as-code detected
---

Storage & Platform Services

  • Storage account used for Function runtime state and configuration
  • System containers identified for WebJobs execution and secret management
  • Additional logging container indicates integration with external services
  • No network isolation configured for storage account
---

Security Risk Assessment

  • No authentication enforcement across application or API layers
  • All endpoints publicly accessible without identity validation
  • Database exposed via public endpoint with credential-based authentication
  • No network isolation between application and data layers
  • No centralized secret management platform (Key Vault)
  • No API gateway or WAF protection
---
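The Network & Connectivity, Identity & Access Management and Data Layer findings summarised above can be reproduced mechanically from a configuration export. The following is an added example, not the project's own tooling: it runs such checks over a hand-built snapshot whose keys are modelled on the property names ARM and `az` return for App Service, Function Apps, SQL servers and storage accounts (publicNetworkAccess, virtualNetworkSubnetId, identity.type, privateEndpointConnections, networkAcls.defaultAction, auth settings), while the resource names and values are constructed to reproduce the findings; `assess` is the hypothetical entry point.

```python
"""Posture checks over a configuration snapshot of the assessed environment.

Added example, not the project's own tooling. SNAPSHOT is constructed by hand:
the keys are modelled on ARM / `az` property names (publicNetworkAccess,
virtualNetworkSubnetId, identity.type, privateEndpointConnections,
networkAcls.defaultAction, authSettings); names and values are made up to
reproduce the findings listed in this assessment.
"""
import re
from collections import Counter

SQL_CONN = ("Server=tcp:example-sql.database.windows.net,1433;Database=appdb;"
            "User ID=appuser;Password=ExamplePass123;")          # constructed


def site(name, kind):
    """One App Service / Function App as observed: no auth, no VNet, no identity, static SQL login."""
    return {"name": name, "kind": kind,
            "virtualNetworkSubnetId": None,
            "identity": {"type": "None"},
            "authSettings": {"enabled": False, "unauthenticatedClientAction": "AllowAnonymous"},
            "appSettings": {"SqlConnection": SQL_CONN,
                            "APPINSIGHTS_INSTRUMENTATIONKEY": "00000000-0000-0000-0000-000000000000"},
            "deploymentSource": None}


SNAPSHOT = {
    "sites": [site("example-frontend", "app"), site("example-func", "functionapp")],
    "sql_servers": [{"name": "example-sql", "publicNetworkAccess": "Enabled",
                     "privateEndpointConnections": [], "administrators": None}],
    "storage_accounts": [{"name": "examplestorage", "networkAcls": {"defaultAction": "Allow"},
                          "privateEndpointConnections": []}],
}


def setting_holds_secret(value):
    """A credential literal in an app setting, as opposed to a Key Vault reference."""
    if value.startswith("@Microsoft.KeyVault("):
        return False
    return re.search(r"(?i)\b(password|pwd|accountkey|sharedaccesskey)=", value) is not None


def check_site(app):
    f, n = [], app["name"]
    if not app["authSettings"]["enabled"]:
        f.append((n, "HIGH", "platform authentication disabled; endpoints are anonymous"))
    if app["virtualNetworkSubnetId"] is None:
        f.append((n, "MEDIUM", "no VNet integration; outbound traffic uses shared SNAT IPs"))
    if app["identity"]["type"] == "None":
        f.append((n, "MEDIUM", "no managed identity; service-to-service auth depends on stored secrets"))
    for key, value in app["appSettings"].items():
        if setting_holds_secret(value):
            f.append((n, "HIGH", f"app setting {key} holds a plaintext credential"))
    if app["deploymentSource"] is None:
        f.append((n, "LOW", "no deployment source configured; releases are manual"))
    return f


def check_sql_server(srv):
    f, n = [], srv["name"]
    if srv["publicNetworkAccess"] == "Enabled":
        f.append((n, "HIGH", "public endpoint enabled on TCP 1433"))
    if not srv["privateEndpointConnections"]:
        f.append((n, "MEDIUM", "no private endpoint; app-tier traffic traverses public IP space"))
    if srv["administrators"] is None:
        f.append((n, "MEDIUM", "no Azure AD administrator; only SQL authentication is possible"))
    return f


def check_storage(acct):
    f, n = [], acct["name"]
    if acct["networkAcls"]["defaultAction"] == "Allow":
        f.append((n, "MEDIUM", "storage firewall default action is Allow (all networks)"))
    if not acct["privateEndpointConnections"]:
        f.append((n, "MEDIUM", "no private endpoint for storage"))
    return f


def assess(snapshot):
    """All findings as (resource, severity, message), highest severity first."""
    findings = []
    for app in snapshot["sites"]:
        findings += check_site(app)
    for srv in snapshot["sql_servers"]:
        findings += check_sql_server(srv)
    for acct in snapshot["storage_accounts"]:
        findings += check_storage(acct)
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda x: (rank[x[1]], x[0]))


def summary(findings):
    """Count of findings per severity."""
    return dict(Counter(sev for _, sev, _ in findings))


if __name__ == "__main__":
    results = assess(SNAPSHOT)
    for resource, sev, msg in results:
        print(f"[{sev:6}] {resource}: {msg}")
    print(summary(results))
```

The same functions run unchanged over the target-state configuration, which is the useful property: a site with authentication enabled, a subnet id, a system-assigned identity, a Managed Identity connection string and a deployment source produces no findings, so the checker doubles as the acceptance test for the remediation.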

Recommended Architecture Improvements

  • Introduce Azure API Management or Front Door for controlled ingress
  • Enable Azure AD authentication for both frontend and APIs
  • Replace SQL credentials with Managed Identity
  • Store secrets securely in Azure Key Vault
  • Implement private endpoints for SQL and Storage
  • Integrate all services into a Virtual Network (VNet)
  • Use Network Security Groups (NSGs) for segmentation
  • Establish CI/CD pipelines for automated deployments
  • Enable full observability using Log Analytics and alerting strategies

Target Architecture (Secure & Enterprise-Ready)

The following architecture represents a recommended secure redesign using Azure-native security controls, identity-based access, and network isolation to reduce attack surface and align with enterprise best practices.

(Diagram rendered as text.)

Internet users
  -> Front Door / API Management: WAF + routing + authentication
  -> App Service: Azure AD auth enabled
  -> Function App: Managed Identity, inside the Virtual Network (VNet)
  -> Azure SQL (private endpoint): no public access
Supporting service: Azure Key Vault (secrets + RBAC)

---

Target Architecture Improvements

  • Introduced centralized ingress using Azure Front Door or API Management with WAF protection
  • Enabled Azure AD authentication for application and API access
  • Replaced static credentials with Managed Identity for service-to-service authentication
  • Integrated Azure Key Vault for centralized secret management
  • Implemented private endpoints for Azure SQL to eliminate public exposure
  • Placed application components within a Virtual Network for segmentation
  • Eliminated direct internet access to backend services
  • Strengthened zero-trust security posture across all layers
---
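To make the credential-related items in the Recommended Architecture Improvements and Target Architecture Improvements lists concrete, the added example below (not part of the original project) rewrites an app-settings dictionary from the current state to the target state: SQL connection strings lose their login and switch to Managed Identity, and other secret-bearing settings become Key Vault references whose values are reported for moving into the vault. The settings, the vault name and the server name are placeholders; the `Authentication=Active Directory Managed Identity` keyword and the `@Microsoft.KeyVault(VaultName=...;SecretName=...)` syntax are the documented forms.

```python
"""Migrate app settings from static SQL credentials to Managed Identity and
Key Vault references.

Added example, not from the original project. CURRENT_SETTINGS, the vault name
and the server name are placeholders. 'Authentication=Active Directory Managed
Identity' is the connection-string keyword understood by Microsoft.Data.SqlClient
and ODBC Driver 17.8+; '@Microsoft.KeyVault(VaultName=...;SecretName=...)' is
the reference syntax App Service and Functions resolve at startup.
"""
import re

CURRENT_SETTINGS = {                                   # constructed, mirrors the observed state
    "SqlConnection": ("Server=tcp:example-sql.database.windows.net,1433;Database=appdb;"
                      "User ID=appuser;Password=ExamplePass123;Encrypt=True;"),
    "ExternalLoggingApiKey": "example-api-key-value",
    "APPINSIGHTS_INSTRUMENTATIONKEY": "00000000-0000-0000-0000-000000000000",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
}

LOGIN_KEYS = {"user id", "uid", "user", "password", "pwd"}
SECRET_SETTING = re.compile(r"(?i)(secret|token|password|apikey|connectionstring)$")


def parse_connection_string(value):
    """'Key=Value;...' -> dict, preserving order; tolerates a trailing ';'."""
    parts = {}
    for segment in value.split(";"):
        if "=" in segment:
            key, val = segment.split("=", 1)
            parts[key.strip()] = val.strip()
    return parts


def to_managed_identity(conn, client_id=None):
    """Strip the SQL login and switch to Azure AD token auth via the app's identity.
    A user-assigned identity is selected by passing its client id as User Id;
    the system-assigned identity needs no User Id at all."""
    parts = parse_connection_string(conn)
    kept = {k: v for k, v in parts.items() if k.lower() not in LOGIN_KEYS}
    kept["Authentication"] = "Active Directory Managed Identity"
    if client_id:
        kept["User Id"] = client_id
    return ";".join(f"{k}={v}" for k, v in kept.items()) + ";"


def key_vault_reference(vault_name, secret_name):
    """Resolved by the platform with the app's managed identity, which needs the
    Key Vault Secrets User role (or a get-secret access policy) on the vault."""
    return f"@Microsoft.KeyVault(VaultName={vault_name};SecretName={secret_name})"


def migrate_settings(settings, vault_name):
    """Return (target_settings, secrets_to_move).

    SQL connection strings are rewritten for Managed Identity; other settings
    whose name marks them as secrets become Key Vault references, and their
    current values are returned so they can be stored in the vault first."""
    target, to_move = {}, {}
    for key, value in settings.items():
        parts = {k.lower() for k in parse_connection_string(value)}
        is_sql_login = ({"server", "data source"} & parts) and ({"password", "pwd"} & parts)
        if is_sql_login:
            target[key] = to_managed_identity(value)
        elif SECRET_SETTING.search(key):
            # Key Vault secret names allow only alphanumerics and dashes
            secret_name = re.sub(r"[^A-Za-z0-9-]", "-", key)
            target[key] = key_vault_reference(vault_name, secret_name)
            to_move[secret_name] = value
        else:
            target[key] = value
    return target, to_move


if __name__ == "__main__":
    new_settings, secrets = migrate_settings(CURRENT_SETTINGS, "example-kv")
    for k, v in new_settings.items():
        print(f"{k} = {v}")
    print("store in Key Vault before switching:", sorted(secrets))
```

The rewritten connection string only works once the database side is ready: the server needs an Azure AD administrator (itself one of the findings above), the app's identity is added as a contained database user created `FROM EXTERNAL PROVIDER` and granted the roles the stored procedures require, and only then is the old SQL login dropped.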

Skills Demonstrated

  • Azure architecture discovery and reverse engineering
  • Serverless application analysis (Azure Functions)
  • App Service and web application evaluation
  • Azure SQL connectivity and data flow mapping
  • Cloud networking and connectivity analysis
  • Identity and access management assessment
  • Security posture evaluation and risk identification
  • Application Insights telemetry interpretation
  • DevOps and deployment model analysis
  • Enterprise architecture improvement planning
---

Summary

This project demonstrates the ability to evaluate a cloud-hosted system beyond surface-level configuration, including deep analysis of architecture, networking, identity, security, and operational maturity. The findings highlight both functional design strengths and key areas for modernization, aligning with enterprise cloud architecture best practices.
