You are the security architect for Contoso Ltd., a company that runs a critical e-commerce application on Azure Kubernetes Service (AKS). The application consists of multiple microservices that communicate over HTTP. The application uses Azure SQL Database for transactional data and Azure Redis Cache for session state. Recently, a security audit revealed that several microservices are vulnerable to SQL injection attacks because they construct SQL queries by concatenating user input. Additionally, the Redis cache is exposed to the internet with no firewall rules, and the connection string is stored in plain text in the application configuration file. The development team is concerned about performance and wants to minimize changes to the codebase. You need to design a strategy to mitigate these vulnerabilities with minimal code changes. Which of the following is the best course of action?
WAF blocks SQL injection without code changes, private endpoint secures Redis, Key Vault with managed identity protects secrets.
Why this answer
Option A is correct because it addresses all three vulnerabilities with minimal code changes: Azure WAF on Application Gateway provides network-layer SQL injection protection without modifying application code; configuring Azure Redis Cache with a private endpoint and disabling public network access secures the cache without code changes; and using Azure Key Vault with a managed identity injects the Redis connection string securely at runtime, eliminating plain-text storage without altering the application's configuration loading logic.
Exam trap
The trap here is that candidates often choose a technically correct but code-heavy solution (like parameterized queries) over a network-layer defense (WAF) that achieves the same goal with minimal code changes, failing to prioritize the 'minimal code changes' constraint in the question.
How to eliminate wrong answers
Option B is wrong because it suggests moving Redis to a private endpoint 'with a firewall rule': private endpoints inherently disable public network access and do not use firewall rules, so the phrase 'firewall rule' indicates a misunderstanding of private endpoint behavior.

Option C is wrong because moving SQL queries to stored procedures requires significant codebase refactoring, contradicting the requirement for minimal code changes, and storing the connection string in a Kubernetes secret still stores it in plain text within the cluster's etcd, failing to address the plain-text vulnerability.

Option D is wrong because refactoring microservices to use parameterized SQL queries requires extensive code changes, violating the minimal code changes constraint, and configuring the Redis firewall to allow only AKS node IPs still leaves the cache exposed to the internet if the firewall is misconfigured or if node IPs change.