Data Classification & Storage

Application Data can be classified into 3 ways:

  • Structured
  • Semi-Structured
  • Unstructured

Structured Data

Relational Data with Columns & Data Types.

Example: Financial Statements

Apt for SQL Server

Semi-Structured Data

Dynamic Columns with No pre-defined Data Types.

Example: Product Catalog

Apt for Cosmos DB

Unstructured Data

Files such as Images & Videos

Apt for BLOB Storage.

More Parameters

Following are more parameters which determine the storage of data.

Data Location

The location where data is stored like East-US, West-Europe etc..  In case of Data Compliance rules which demand Data should not cross country-boundaries more stringent location choice is required.

Data Redundancy

Data Redundancy ensures data will be copied to alternative location.  This is useful on disaster recovery scenarios.

VNETs

In case if the Data contains Proprietary Information – we can enforce restricted VNET (Virtual Network) Only access to the data.

Data Encryption

Data Encryption can be applied on Rest & Transit.  Encryption on Rest is supported by TDE (Transparent Data Encryption) of Azure SQL and Encryption by CosmosDB, Storage Accounts etc.  Encryption on Transit is provided by HTTPS enable.

Storage Accounts

Storage Accounts allows grouping of data management through blobs, files, tables & queues

Create VNET & VNET Peering in Azure using CLI

In this post we can learn how to create 2 VNET & enable VNET Peering between both.

Azure VNET

Azure VNET allows private network within Azure.  VNET should specify an Address Space.  VNET creates Subnets which are Segments within the Address Space.

VNET Peering

It is possible for 2 VNETs to communicate with each other using VNET Peering.  VNET Peering bypasses Internet, Public IP Addresses & Communicate with the Local Azure Network which is faster & higher bandwidth without any encryption.  Thus the VNET Peering is faster & safer too.

VNET allows Resources (eg: VMs) communicate with each other as if they are in the same network.

VNET can be configured across regions & subscriptions too.

image

Create VNET

Open Azure CLI command interface & Run the following commands.

az login

az network vnet create –resource-group “jp_azure” –name VNET1 –address-prefix 10.1.0.0/16 –subnet-name Apps –subnet-prefix 10.1.1.0/24 –location eastUS

az network vnet create –resource-group “jp_azure” –name VNET2 –address-prefix 10.1.0.0/16 –subnet-name Apps –subnet-prefix 10.1.1.0/24 –location eastUS

az network vnet list –output table

Create VMs

Now we can create VM in each of the VNETs.

az vm create \ –resource-group “jp_azure” \ –no-wait \ –name VM1 \ –location northeurope \ –vnet-name VNET1 \ –subnet Apps \ –image win2016datacenter \ –admin-username admin \ –admin-password administrator1!

az vm create \ –resource-group “jp_azure” \ –no-wait \ –name VM2 \ –location northeurope \ –vnet-name VNET2 \ –subnet Apps \ –image win2016datacenter \ –admin-username admin \ –admin-password administrator1!

Create VNET Peering

Now we can create VNET Peering using the following commands.

az network vnet peering create \ –name VNET1-TO-VNET2 \ –remote-vnet VNET1 \ –resource-group JP-Resource \ –vnet-name VNET2 \ –allow-vnet-access

Following is for reciprocal connection.

az network vnet peering create \ –name VNET2-TO-VNET1 \ –remote-vnet VNET2 \ –resource-group JP_azure \ –vnet-name VNET1 \ –allow-vnet-access

Testing

Login to the VM1 using Public IP and Ping to the VM2 using Private IP.  If the connection succeeded it means the VNET Peering was created successfully.

Summary

In this post we have explored how to create 2 VNET & enable VNET Peering between both.

Network Security Group (NSG)

NSG protects Azure resources from Unauthorized Access.  In this post we can see the Features of Azure NSGs.

Capabilities

You can restrict Database Servers are only accessed from Application Servers thus protecting Legacy business data.

Rules can be configured to Allow access.

Rules can be configured to Deny access.

Restrictions can be set based on VNET

Flexibility

NSG offers the following flexibilities:

  • Automatically created along with Azure Resources
    • Inbound & Outbound rules are automatically created
      • eg: Port 3359 Allow Rune for VM
  • Reusability possible with multiple Azure Resources
    • Create an NSG for VM and reuse across multiple VMs
  • Tagging based restriction possible
    • eg: VirtualMachine, AppService etc.

Example

Create a VM > Observe NSG automatically created.

image

Try accessing the VM from Windows RDP. You should be able to login.

image

Delete the rule 3359.  Wait for 1 minute for the NSG rule to be reflected. Try login again.  You should be denied.

image

Note

Inbound Rules restricts Incoming Traffic requests to the device.

Outbound Rules restricts Outgoing Traffic requests from the device.

Summary

In this post we have explored the features of NSGs and performed a Test experiment.

Azure App Identity & Service Principal

Azure Service Principal is a Security Identity used for Apps & Background Services.  It will accomplish the Role of a User Identity require by Applications.  It is similar to Service Accounts of Windows in the past.

Advantages

Advantages of App Identity are following:

  • Allow multiple Apps to use the Same Identity
  • Can use Certificate to Authenticate instead of Passwords
  • No Password expiry overheads
  • Can restrict read/write access

image On App Registration two objects are create – App object & Service Principal object.

Setting Access at Subscription Level

We can set Access to the Service Principal object at the Subscription level.  Go to Home > Subscriptions > Access Control (IAM)

image

In the appearing window choose the App Registration created jus now & Select the Role.

image

Save changes for completing the Role assignment.

Access Scope

Access Scope is set at the following levels.

  • Subscription Level
  • Resource Group Level
  • Resource Level

References

https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-create-service-principals?view=azs-1910

Azure CLI

Azure CLI (Command Line Interface) is a Tool to manage Azure resources.  You can download it from following location.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest

Once installed you can open command prompt > type command az

image

Commands

Few common commands are following:

help to get list of commands

eg: az help

image

login to login to azure portal

eg: az login

image

group to operate on resource groups. (Sub command required)

eg: az group list

image

az interactive you can use this command to have Interactive Commands which will help with Auto-complete & Colored interfaces.

image

Under the Hood

Azure CLI uses Azure REST API for performing the actions.

Azure CLI is open source

Azure CLI is more readable compared with PowerShell

How to Add User in an Azure Enterprise Application?

In the world of Azure, adding Users to an Application is a bit different – You don’t need to create User Creation & User Roles management creation screens.  Yes! everything can be managed through Azure Portal.

Enterprise Applications

Enterprise Applications are those Applications deployed to your Organization, each one would have an App Registration. 

Go to Azure > Active Directory > Enterprise Applications blade to view them.

image

Create User

Now we can add a new user to the Enterprise Application selected.

Go to Azure > Active Directory > Users

image

Click the New User button on the right.  Add the new user

image

Save changes.

Select User

Now you can select the newly created User from the Enterprise Applications > Users blade.

image

Leave the Role as blank.  Click Add to continue.

Now you can see the New User got added.

image

Create Role

For assigning a Role to the user – you need to create the Role first.

Go to Azure > Active Directory > App Services > Your App > Manifest blade

Modify the roles property as shown below.

“appRoles”: [
     {
       “allowedMemberTypes”: [
         “User”
       ],
       “displayName”: “Author”,
       “id”: “abc2ade8-98f8-45fd-aa4a-6d06b947c66f”,
       “isEnabled”: true,
       “description”: “Authors can write blogs.”,
       “value”: “Author”
     }
   ],

Save Changes & Go back to the User adding screen in Enterprise Applications.

You will be now able to select the New Role from the screen.

image
Note

Whenever user is authenticated, you will get the Role too in the authentication token.  (Enable ID Token in App Registration for same)

Summary

In this article you found how to Add User & Role for an Enterprise Application.  This is really advantageous & can save hundreds of productivity hours where the Application Administrator can manage the Azure Portal for adding/editing users.   (Relying on Company Support Ticket Team may delay the whole things)

Azure Architecture Guidelines

Following are the Pillars of a Strong Azure Architecture.

Performance

Performance

Scalability

Scaling-Up vs Scaling-Out

Automatic Scaling

Security

Security at Rest

Security in Transit

Availability

Peak Load Scenarios

Failover

Recoverability

Recovery Point Objective

Recovery Time Objective

Efficiency

PaaS vs IaaS model

Over-allocated VM & Licenses

Enable Azure Active Directory for a .Net Core 2.2 Web Application

In this article we can see how to configure Azure Active Directory for a .Net Core 2.2 Web Application.

Step 1: Create new Web Application

Create new Web Application of .Net Core 2.2 version.

image

Add Nuget Package following:

  • Microsoft.IdentityModel.Clients.ActiveDirectory

image

Step 2: Run the Application

Run the application & Copy the URL of it.

Step 3: App Registration

You can Refer this application below.

https://jeanpaul.cloud/2019/12/13/how-to-do-app-registration-for-enterprise-application/

Step 4: App User

Add a new user to the Enterprise Application.

Step 5: Modify the Configuration File

Modify the Configuration File as following:

{
   “Authentication”: {
     “ClientId”: “CLIENT ID FROM APP REG”,
     “ClientSecret”: “CLIENT SECRET FROM APP REG”,
     “Authority”: https://login.microsoftonline.com/ACTIVE DIRECTORY GUID,
     “PostLogoutRedirectUri”: “https://localhost:44372/”,
     “CallbackPath”: “/signin-oidc”,
     “ResponseType”: “code id_token”
   }
}

Leave the last 2 parameters as it the default OIDC middleware parameters.

Step 6: Replace Startup.cs

Replace Startup.cs with the following code.

(mainly the changes are in ConfigureServices() and Configure() method)

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace AADenableBlog
{
     public class Startup
     {
         public Startup(IConfiguration configuration)
         {
             Configuration = configuration;
         }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
             services.AddAuthentication(auth =>
             {
                 auth.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                 auth.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
             })
               .AddCookie()
               .AddOpenIdConnect(opts =>
               {
                   Configuration.GetSection(“Authentication”).Bind(opts);

                  opts.Events = new OpenIdConnectEvents
                   {
                       OnAuthorizationCodeReceived = async ctx =>
                       {
                           HttpRequest request = ctx.HttpContext.Request;

                          string currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);
                           var credential = new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);

                          var authContext = new AuthenticationContext(ctx.Options.Authority);

                          string resource = “https://graph.microsoft.com”;
                           AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                               ctx.ProtocolMessage.Code, new Uri(currentUri), credential, resource);

                          ctx.HandleCodeRedemption(result.AccessToken, result.IdToken);
                       }
                   };
               });

            services.Configure<CookiePolicyOptions>(options =>
             {
                 options.CheckConsentNeeded = context => true;
                 options.MinimumSameSitePolicy = SameSiteMode.None;
             });

             services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
         }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
         {
             if (env.IsDevelopment())
             {
                 app.UseDeveloperExceptionPage();
             }
             else
             {
                 app.UseExceptionHandler(“/Home/Error”);
                 app.UseHsts();
             }

            app.UseHttpsRedirection();
             app.UseStaticFiles();
             app.UseAuthentication();
             app.UseCookiePolicy();

            app.UseMvc(routes =>
             {
                 routes.MapRoute(
                     name: “default”,
                     template: “{controller=Home}/{action=Index}/{id?}”);
             });
         }
     }
}

Step 7: Modify Controller

Modify the Home Controller as following:

[Microsoft.AspNetCore.Authorization.Authorize]

public class HomeController : Controller

// This will ensure Login prompt will prompt whenever the Controller method is accessed.

Step 8: Run the Application

Run the application & It should prompt you for the Login.  Enter the Credentials.

You can see the Login prompt.

image

Enter your New User credentials and you will be redirected to the Home Screen.

Download

The source can be downloaded here.

https://azuretrendz.files.wordpress.com/2019/12/aadenableblog.zip

Summary

In this article we have seen how to configure Azure Active Directory for a .Net Core 2.2 Web Application.

CosmosDB vs. Azure SQL–Performance Benchmark

I was doing Benchmarking on CosmosDB vs Azure SQL for a Performance Critical application.  Our needs was fulfillable through Azure SQL but there was some CosmosDB use cases like Schemaless, Geo-replication etc.

So let us see the Performance Benchmark

Configurations

CosmosDB

  • Default Configuration
  • East US
  • SQL API

Azure SQL

  • Standard S1
  • East US

Test 1 : Accessing from Laptop

The Test 1 was conducted from a Laptop within US region.  The test was conducted with 100 continuous Inserts of 10KB data on each.

The observations are below.


100 Count 1 Count (Average)
CosmosDB 3 second 30 millisecond
Azure SQL 3 second 30 millisecond

Test 2  : Accessing from Azure VM

The Test 2 was conducted from an Azure VM within East US region to ensure minimum latency.  The test was conducted with 100 continuous Inserts of 10KB data on each.



100 Count 1 Count (Average)
CosmosDB 2 second 20 millisecond
Azure SQL 1 second 10 millisecond

Inference

Cannot find much speed advantage on Cosmos DB

SLA

As per the SLA on CosmosDB there need to be following criterias to get the 1 digit millisecond response:

  • Within same Region
  • TCP configuration
  • High Speed Internet

Summary

Azure SQL on Standard Configuration is providing better Speed than Cosmos DB.   Choose Cosmos DB based on the right use case.

I can publish the Database Benchmark Application on demand.

Azure Key Vault & Access from C#

Azure Key Vault & Access from C#

In this article we can explore how to create an Azure Key Vault & Access from C#.

Azure Key Vault

Azure Key Vault allows to keep encrypted secured strings. Eg: Connection Strings, Passwords etc.

Create Azure Key Vault

Open Azure Portal & Create a new Key Vault as shown below.

image

Go the Secrets blade and create a new Secret with name as key1 and value as value1

image

Create App Registration

We need to create an App Registration for our Console Application. This will enable to Authenticate our Console Application using the Credentials.

Go to Azure Portal > Azure Active Directory > App Registrations. Create new App Registration as below.

image

Create new client secret too.

image

Now copy the Client ID and Client Secret which you need in the next steps.

Authorize Console Application

We need to Authorize the Console Application to the Key Vault. Without this step you will get Forbidden error.

Go to Key Vault > Access Policies blade

image

Click Add Access Policy and select our Console Application as Principal.

image

image

Now onwards any application authenticated through Client Credentials of the Console App Registration will be considered as Principal – which is the Security Identity for the application.

Create Project

Create a new console application in Visual Studio. Add references to following:

· Microsoft.Azure.KeyVault

· Microsoft.IdentityModel.Clients.ActiveDirectory

Replace the code with following.

using Microsoft.Azure.KeyVault;

using Microsoft.IdentityModel.Clients.ActiveDirectory;

using System;

using System.Threading.Tasks;

namespace KeyVault

{

class Program

{

static void Main(string[] args)

{

Console.WriteLine($”Secret Value from Vault is: {GetVaultValue()}”);

Console.ReadKey(false);

}

static string GetVaultValue()

{

KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));

var vaultAddress = “https://your-key-vault.vault.azure.net&#8221;;

var secretName = “key1”;

var secret = client.GetSecretAsync(vaultAddress, secretName).GetAwaiter().GetResult();

return secret.Value;

}

static async Task GetToken(string authority, string resource, string scope)

{

var clientId = “YOUR CLIENT ID”;

var clientSecret = “YOUR CLIENT SECRET”;

ClientCredential credential = new ClientCredential(clientId, clientSecret);

var context = new AuthenticationContext(authority, TokenCache.DefaultShared);

var result = await context.AcquireTokenAsync(resource, credential);

return result.AccessToken;

}

}

}

On running the application, you will get the following output.

image

References

Create Key Vault & Secret

Summary

In this article we have explored how to create an Azure Key Vault & Access from C#.