Documentation

Cloud Connector for Azure Security Guide

Security guidance for operating Cloud Connector for Azure with Key Vault, network controls, authentication, monitoring, and incident response.

  • Key Vault guidance
  • Network restrictions
  • Monitoring and incident response
Azure Connector Overview Deployment Guide Book Demo

Azure proof

Use Azure Functions and Blob workflows for fast integration with enterprise controls

The documented Azure pattern combines Azure Functions, direct and Blob Storage modes, and Microsoft-native security controls so teams can support application and Power Automate workflows inside their own subscription.

Trust & Standards

50 MB

speed path

Direct mode supports request-body PDF sealing for documents up to 50 MB when teams want a simple application call path.

Blob

scale model

Blob Storage mode supports larger files and reusable storage-based workflows, including Power Automate-driven handoff.

AAD

security controls

The docs cover Key Vault, Azure AD, API Management, IP restrictions, and network controls for production rollout.

Digest

data boundary

The Function computes the digest locally and only the signing digest leaves your Azure environment.

Security Guide

Overview

This guide covers security best practices for deploying and operating Cloud Connector for Azure in production environments.

API Key Management

Obtaining API Keys

  1. Visit https://secure.trusted-signatures.com
  2. Create an account or sign in
  3. Generate API keys with appropriate permissions
  4. Note the expiration date (maximum 1 year)

Storage and Rotation

Azure Key Vault (Recommended)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Store API key in Key Vault
az keyvault secret set \
  --vault-name "your-keyvault" \
  --name "trusted-signatures-api-key" \
  --value "your-hex-api-key"

# Configure Function App to use Key Vault
az functionapp config appsettings set \
  --name "your-function-app" \
  --resource-group "your-rg" \
  --settings "TS_API_KEY=@Microsoft.KeyVault(VaultName=your-keyvault;SecretName=trusted-signatures-api-key)"

Rotation Schedule

  • Set up automated rotation 30 days before expiration
  • Use Azure Logic Apps or Azure Automation for rotation workflows
  • Maintain two active keys during rotation periods
  • Test new keys before deactivating old ones

Least Privilege Access

Function App Permissions

1
2
3
4
5
6
7

{
  "permissions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.KeyVault/vaults/secrets/read"
  ]
}

Storage Account Access

  • Use managed identity for storage access
  • Limit blob permissions to specific containers
  • Enable soft delete for blob recovery
  • Configure firewall rules to restrict access

Network Security

Function App Security

IP Restrictions

1
2
3
4
5
6
7
8

# Restrict to specific IP ranges
az functionapp config access-restriction add \
  --name "your-function-app" \
  --resource-group "your-rg" \
  --rule-name "office-network" \
  --action Allow \
  --ip-address "203.0.113.0/24" \
  --priority 100

VNet Integration

1
2
3
4
5
6

# Enable VNet integration
az functionapp vnet-integration add \
  --name "your-function-app" \
  --resource-group "your-rg" \
  --vnet "your-vnet" \
  --subnet "function-subnet"

Private Endpoints

1
2
3
4
5
6
7
8
9

# Create private endpoint for storage
az network private-endpoint create \
  --name "storage-private-endpoint" \
  --resource-group "your-rg" \
  --vnet-name "your-vnet" \
  --subnet "private-endpoint-subnet" \
  --private-connection-resource-id "/subscriptions/.../storageAccounts/your-storage" \
  --connection-name "storage-connection" \
  --group-id "blob"

Authentication Options

Option 1: Function Keys (Basic)

1
2
3
4
5
6

# Generate function key
az functionapp keys set \
  --name "your-function-app" \
  --resource-group "your-rg" \
  --key-name "client-key" \
  --key-value "your-secure-key"

Usage:

1

curl -X POST "https://your-app.azurewebsites.net/api/seal-pdf?code=your-secure-key"

1
2
3
4
5
6
7
8
9

# Enable Azure AD authentication
az functionapp auth update \
  --name "your-function-app" \
  --resource-group "your-rg" \
  --enabled true \
  --action LoginWithAzureActiveDirectory \
  --aad-client-id "your-app-id" \
  --aad-client-secret "your-app-secret" \
  --aad-tenant-id "your-tenant-id"

Option 3: API Management (Enterprise)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

# Create API Management instance
az apim create \
  --name "your-apim" \
  --resource-group "your-rg" \
  --location "East US" \
  --publisher-email "admin@company.com" \
  --publisher-name "Your Company"

# Import Function App API
az apim api import \
  --resource-group "your-rg" \
  --service-name "your-apim" \
  --api-id "trusted-signatures-api" \
  --path "/seal" \
  --specification-format "OpenApi" \
  --specification-url "https://your-app.azurewebsites.net/api/swagger.json"

Monitoring and Auditing

Application Insights

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Enable Application Insights
az monitor app-insights component create \
  --app "your-function-app-insights" \
  --location "East US" \
  --resource-group "your-rg" \
  --application-type "web"

# Link to Function App
az functionapp config appsettings set \
  --name "your-function-app" \
  --resource-group "your-rg" \
  --settings "APPINSIGHTS_INSTRUMENTATIONKEY=your-instrumentation-key"

Security Monitoring Queries

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

// Failed authentication attempts
requests
| where success == false and resultCode in (401, 403)
| summarize count() by bin(timestamp, 1h), client_IP
| order by timestamp desc

// Large file processing
requests
| where name == "POST /api/seal-pdf"
| where customDimensions.useStorage == true
| summarize avg(duration), count() by bin(timestamp, 1h)

// API key usage patterns
requests
| extend apiKeyId = tostring(customDimensions.apiKeyId)
| summarize count() by apiKeyId, bin(timestamp, 1d)
| order by timestamp desc

Alerts

1
2
3
4
5
6
7
8
9

# Create alert for failed requests
az monitor metrics alert create \
  --name "high-error-rate" \
  --resource-group "your-rg" \
  --scopes "/subscriptions/.../resourceGroups/your-rg/providers/Microsoft.Web/sites/your-function-app" \
  --condition "count requests/failed > 10" \
  --window-size "5m" \
  --evaluation-frequency "1m" \
  --action-group "your-action-group"

Data Protection

Encryption

  • In Transit: HTTPS enforced (TLS 1.2+)
  • At Rest: Azure Storage encryption enabled by default
  • In Memory: PDFs processed in memory only, not persisted

Data Residency

1
2
3
4
5
6

# Deploy to specific region for compliance
az functionapp create \
  --name "your-function-app" \
  --resource-group "your-rg" \
  --location "West Europe" \
  --storage-account "your-storage"

Compliance

  • GDPR: No personal data stored; PDFs processed transiently
  • SOC 2: Azure compliance inherited
  • ISO 27001: Azure compliance inherited

Incident Response

Security Event Playbook

  1. Detect: Monitor alerts and logs
  2. Assess: Determine impact and scope
  3. Contain: Disable compromised keys/access
  4. Investigate: Review audit logs
  5. Recover: Rotate credentials, update access
  6. Learn: Update security measures

Emergency Procedures

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Disable Function App immediately
az functionapp stop --name "your-function-app" --resource-group "your-rg"

# Rotate API keys
az keyvault secret set \
  --vault-name "your-keyvault" \
  --name "trusted-signatures-api-key" \
  --value "new-hex-api-key"

# Review access logs
az monitor activity-log list \
  --resource-group "your-rg" \
  --start-time "2024-01-01T00:00:00Z" \
  --end-time "2024-01-02T00:00:00Z"

Compliance Checklist

  • API keys stored in Azure Key Vault
  • Managed identity configured for storage access
  • Network access restrictions implemented
  • Application Insights monitoring enabled
  • Security alerts configured
  • API key rotation schedule established
  • Incident response plan documented
  • Regular security reviews scheduled
  • Backup and recovery procedures tested
  • Compliance requirements validated

Need architectural review?

Book a technical walkthrough

For enterprise rollout, we can review trust model, controls, and integration patterns with your team.

Book Demo See Pricing