Security controls for Azure Spring Cloud Service

This article applies to: ✔️ Java ✔️ C#

Security controls are built into Azure Spring Cloud Service.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities. For each control, we use Yes or No to indicate whether it is currently in place for the service. We use N/A for a control that is not applicable to the service.

Data protection security controls

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Server-side encryption at rest: Microsoft-managed keys | Yes | User uploaded source and artifacts, config server settings, app settings, and data in persistent storage are stored in Azure Storage, which automatically encrypts the content at rest. Config server cache, runtime binaries built from uploaded source, and application logs during the application lifetime are saved to Azure managed disk, which automatically encrypts the content at rest. Container images built from user uploaded source are saved in Azure Container Registry, which automatically encrypts the image content at rest. | Azure Storage encryption for data at rest; Server-side encryption of Azure managed disks; Container image storage in Azure Container Registry |
| Encryption in transit | Yes | User app public endpoints use HTTPS for inbound traffic by default. | |
| API calls encrypted | Yes | Management calls to configure Azure Spring Cloud service occur via Azure Resource Manager calls over HTTPS. | Azure Resource Manager |

Network access security controls

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Service Tag | Yes | Use the AzureSpringCloud service tag to define outbound network access controls on network security groups or Azure Firewall, to allow traffic to Azure Spring Cloud applications. Note: Currently only new Azure Spring Cloud service instances created after 2020/07/14 support the AzureSpringCloud service tag. | Service tags |
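The following Bicep fragment is an added example, not part of this article, showing how the AzureSpringCloud service tag described above can be used in an outbound network security group rule. The NSG name, the rule names, the API version and the priorities are assumptions chosen for illustration; the allow rule is deliberately paired with a lower-priority deny so that only traffic bound for Azure Spring Cloud on port 443 leaves the subnet, rather than all Internet-bound traffic.

```bicep
// Added example (not from the article): an NSG that permits outbound HTTPS
// only to the AzureSpringCloud service tag and denies other Internet egress.
// Resource and rule names are hypothetical placeholders.
resource springCloudEgressNsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {
  name: 'nsg-spring-cloud-egress'        // assumed name
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        // Lower number = evaluated first; this allow wins over the deny below.
        name: 'AllowOutboundHttpsToAzureSpringCloud'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'AzureSpringCloud'   // the service tag from the table above
          destinationPortRange: '443'
        }
      }
      {
        // Everything else headed for the Internet tag is blocked, so the
        // AzureSpringCloud tag is the only permitted egress destination.
        name: 'DenyOtherInternetOutbound'
        properties: {
          priority: 200
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Because the service tag is a subset of the Internet address range, ordering matters: if the deny rule were given the lower priority number it would be evaluated first and block the Azure Spring Cloud traffic too. The caveat in the table still applies: instances created before 2020/07/14 are not covered by the tag, so this rule would not match their endpoints.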

Next steps