Azure Architecture Guidelines

Following are the Pillars of a Strong Azure Architecture.

Performance

Performance

Scalability

Scaling-Up vs Scaling-Out

Automatic Scaling

Security

Security at Rest

Security in Transit

Availability

Peak Load Scenarios

Failover

Recoverability

Recovery Point Objective

Recovery Time Objective

Efficiency

PaaS vs IaaS model

Over-allocated VM & Licenses

Enable Azure Active Directory for a .Net Core 2.2 Web Application

In this article we can see how to configure Azure Active Directory for a .Net Core 2.2 Web Application.

Step 1: Create new Web Application

Create new Web Application of .Net Core 2.2 version.

image

Add Nuget Package following:

  • Microsoft.IdentityModel.Clients.ActiveDirectory

image

Step 2: Run the Application

Run the application & Copy the URL of it.

Step 3: App Registration

You can Refer this application below.

https://jeanpaul.cloud/2019/12/13/how-to-do-app-registration-for-enterprise-application/

Step 4: App User

Add a new user to the Enterprise Application.

Step 5: Modify the Configuration File

Modify the Configuration File as following:

{
   “Authentication”: {
     “ClientId”: “CLIENT ID FROM APP REG”,
     “ClientSecret”: “CLIENT SECRET FROM APP REG”,
     “Authority”: https://login.microsoftonline.com/ACTIVE DIRECTORY GUID,
     “PostLogoutRedirectUri”: “https://localhost:44372/”,
     “CallbackPath”: “/signin-oidc”,
     “ResponseType”: “code id_token”
   }
}

Leave the last 2 parameters as it the default OIDC middleware parameters.

Step 6: Replace Startup.cs

Replace Startup.cs with the following code.

(mainly the changes are in ConfigureServices() and Configure() method)

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace AADenableBlog
{
     public class Startup
     {
         public Startup(IConfiguration configuration)
         {
             Configuration = configuration;
         }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
             services.AddAuthentication(auth =>
             {
                 auth.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                 auth.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
             })
               .AddCookie()
               .AddOpenIdConnect(opts =>
               {
                   Configuration.GetSection(“Authentication”).Bind(opts);

                  opts.Events = new OpenIdConnectEvents
                   {
                       OnAuthorizationCodeReceived = async ctx =>
                       {
                           HttpRequest request = ctx.HttpContext.Request;

                          string currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);
                           var credential = new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);

                          var authContext = new AuthenticationContext(ctx.Options.Authority);

                          string resource = “https://graph.microsoft.com”;
                           AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                               ctx.ProtocolMessage.Code, new Uri(currentUri), credential, resource);

                          ctx.HandleCodeRedemption(result.AccessToken, result.IdToken);
                       }
                   };
               });

            services.Configure<CookiePolicyOptions>(options =>
             {
                 options.CheckConsentNeeded = context => true;
                 options.MinimumSameSitePolicy = SameSiteMode.None;
             });

             services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
         }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
         {
             if (env.IsDevelopment())
             {
                 app.UseDeveloperExceptionPage();
             }
             else
             {
                 app.UseExceptionHandler(“/Home/Error”);
                 app.UseHsts();
             }

            app.UseHttpsRedirection();
             app.UseStaticFiles();
             app.UseAuthentication();
             app.UseCookiePolicy();

            app.UseMvc(routes =>
             {
                 routes.MapRoute(
                     name: “default”,
                     template: “{controller=Home}/{action=Index}/{id?}”);
             });
         }
     }
}

Step 7: Modify Controller

Modify the Home Controller as following:

[Microsoft.AspNetCore.Authorization.Authorize]

public class HomeController : Controller

// This will ensure Login prompt will prompt whenever the Controller method is accessed.

Step 8: Run the Application

Run the application & It should prompt you for the Login.  Enter the Credentials.

You can see the Login prompt.

image

Enter your New User credentials and you will be redirected to the Home Screen.

Download

The source can be downloaded here.

https://azuretrendz.files.wordpress.com/2019/12/aadenableblog.zip

Summary

In this article we have seen how to configure Azure Active Directory for a .Net Core 2.2 Web Application.

How to do App Registration for Enterprise Application?

In this post we can see how to do an App Registration for a Web application so that it will become Enterprise Application.

Step 1  Open Azure Portal > Active Directory

Open Azure Portal > Go to Active Directory from Resources.

image

Step 2  Open App Registrations

Open App Registrations blade as shown below.

image

Step 3 Create New App Service

Click on the New Registration button. 

  • Enter Name for the service
  • Leave the default options
  • Enter the Redirect URI as the URL of your web application / web api

Click the Register button

Copy the Client ID  as displayed over there.

image

Step 3 Create Credentials

Go to the Certificates & secrets blade. 

  • Click on New client secret
  • Save changes

Copy the Password generated

image

Now you have the Client ID and the Client Secret for the App Registration.  Now any application authenticated using these will be given privilege of this App Registration.

Step 4  Open Enterprise Applications

Open Enterprise Applications blade from Active Directory.  Search for the name.

image

If you can find your Application – Congratulations!

You have just created an Enterprise Applications.  Now you can do the following & more with it.

  • Add Owners
  • Add Users
    • Internal & External
    • Enable Self-Servcie
  • Audit Logs
  • Troubleshoot

References

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management

Summary

In this post we have seen how to perform an App Registration.

OAuth2 vs OpenID Connect & Azure AD Seamless SSO

OAuth 2 is an Authorization Framework.  It allows 3rd party application to get access to an HTTP Service.  It is primarily used as Token for API Access.

OpenID Connect is an Authentication Framework.  It is primarily used as ID Token for SSO.

Azure AD Seamless SSO automatically signs in users from their corporate devices to Azure Active Directory.

References.

Internet Engineering Task Force https://tools.ietf.org/html/rfc6749

CosmosDB vs. Azure SQL–Performance Benchmark

I was doing Benchmarking on CosmosDB vs Azure SQL for a Performance Critical application.  Our needs was fulfillable through Azure SQL but there was some CosmosDB use cases like Schemaless, Geo-replication etc.

So let us see the Performance Benchmark

Configurations

CosmosDB

  • Default Configuration
  • East US
  • SQL API

Azure SQL

  • Standard S1
  • East US

Test 1 : Accessing from Laptop

The Test 1 was conducted from a Laptop within US region.  The test was conducted with 100 continuous Inserts of 10KB data on each.

The observations are below.


100 Count 1 Count (Average)
CosmosDB 3 second 30 millisecond
Azure SQL 3 second 30 millisecond

Test 2  : Accessing from Azure VM

The Test 2 was conducted from an Azure VM within East US region to ensure minimum latency.  The test was conducted with 100 continuous Inserts of 10KB data on each.



100 Count 1 Count (Average)
CosmosDB 2 second 20 millisecond
Azure SQL 1 second 10 millisecond

Inference

Cannot find much speed advantage on Cosmos DB

SLA

As per the SLA on CosmosDB there need to be following criterias to get the 1 digit millisecond response:

  • Within same Region
  • TCP configuration
  • High Speed Internet

Summary

Azure SQL on Standard Configuration is providing better Speed than Cosmos DB.   Choose Cosmos DB based on the right use case.

I can publish the Database Benchmark Application on demand.

Azure Key Vault & Access from C#

Azure Key Vault & Access from C#

In this article we can explore how to create an Azure Key Vault & Access from C#.

Azure Key Vault

Azure Key Vault allows to keep encrypted secured strings. Eg: Connection Strings, Passwords etc.

Create Azure Key Vault

Open Azure Portal & Create a new Key Vault as shown below.

image

Go the Secrets blade and create a new Secret with name as key1 and value as value1

image

Create App Registration

We need to create an App Registration for our Console Application. This will enable to Authenticate our Console Application using the Credentials.

Go to Azure Portal > Azure Active Directory > App Registrations. Create new App Registration as below.

image

Create new client secret too.

image

Now copy the Client ID and Client Secret which you need in the next steps.

Authorize Console Application

We need to Authorize the Console Application to the Key Vault. Without this step you will get Forbidden error.

Go to Key Vault > Access Policies blade

image

Click Add Access Policy and select our Console Application as Principal.

image

image

Now onwards any application authenticated through Client Credentials of the Console App Registration will be considered as Principal – which is the Security Identity for the application.

Create Project

Create a new console application in Visual Studio. Add references to following:

· Microsoft.Azure.KeyVault

· Microsoft.IdentityModel.Clients.ActiveDirectory

Replace the code with following.

using Microsoft.Azure.KeyVault;

using Microsoft.IdentityModel.Clients.ActiveDirectory;

using System;

using System.Threading.Tasks;

namespace KeyVault

{

class Program

{

static void Main(string[] args)

{

Console.WriteLine($”Secret Value from Vault is: {GetVaultValue()}”);

Console.ReadKey(false);

}

static string GetVaultValue()

{

KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));

var vaultAddress = “https://your-key-vault.vault.azure.net&#8221;;

var secretName = “key1”;

var secret = client.GetSecretAsync(vaultAddress, secretName).GetAwaiter().GetResult();

return secret.Value;

}

static async Task<string> GetToken(string authority, string resource, string scope)

{

var clientId = “YOUR CLIENT ID”;

var clientSecret = “YOUR CLIENT SECRET”;

ClientCredential credential = new ClientCredential(clientId, clientSecret);

var context = new AuthenticationContext(authority, TokenCache.DefaultShared);

var result = await context.AcquireTokenAsync(resource, credential);

return result.AccessToken;

}

}

}

On running the application, you will get the following output.

image

Summary

In this article we have explored how to create an Azure Key Vault & Access from C#.

3 Types of Azure Load Balancers

Load Balancers helps to distribute the Network Traffic across different servers or applications.  Thus high response systems are maintained.

In Azure there are 3 types of Load Balancers.

Azure Traffic Manager

This is an External Global Load Balancer which determines the User’s Location and Redirect to the Closest Region of Deployment.

Azure Application Gateway

This is Layer 7 load balancing.  Here the incoming traffic is distributed using the cookie, url-routing rules etc.  There will be backend pool websites behind a single application gateway.

Azure Load Balancer

This is Layer 4 load balancing.  There are 2 types under this category:

  • External Load Balancer for routing requests to Frontend Public IP Addresses
  • Internal Load Balancer for routing request to Backend Private IP Addresses

Summary

image

References

https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-load-balancing-azure