Azure Architecture Guidelines

Following are the Pillars of a Strong Azure Architecture.




Scaling-Up vs Scaling-Out

Automatic Scaling


Security at Rest

Security in Transit


Peak Load Scenarios



Recovery Point Objective

Recovery Time Objective


PaaS vs IaaS model

Over-allocated VM & Licenses

Enable Azure Active Directory for a .Net Core 2.2 Web Application

In this article we can see how to configure Azure Active Directory for a .Net Core 2.2 Web Application.

Step 1: Create new Web Application

Create new Web Application of .Net Core 2.2 version.


Add Nuget Package following:

  • Microsoft.IdentityModel.Clients.ActiveDirectory


Step 2: Run the Application

Run the application & Copy the URL of it.

Step 3: App Registration

You can Refer this application below.

Step 4: App User

Add a new user to the Enterprise Application.

Step 5: Modify the Configuration File

Modify the Configuration File as following:

   “Authentication”: {
     “ClientId”: “CLIENT ID FROM APP REG”,
     “ClientSecret”: “CLIENT SECRET FROM APP REG”,
     “Authority”: DIRECTORY GUID,
     “PostLogoutRedirectUri”: “https://localhost:44372/”,
     “CallbackPath”: “/signin-oidc”,
     “ResponseType”: “code id_token”

Leave the last 2 parameters as it the default OIDC middleware parameters.

Step 6: Replace Startup.cs

Replace Startup.cs with the following code.

(mainly the changes are in ConfigureServices() and Configure() method)

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace AADenableBlog
     public class Startup
         public Startup(IConfiguration configuration)
             Configuration = configuration;

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
             services.AddAuthentication(auth =>
                 auth.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                 auth.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
               .AddOpenIdConnect(opts =>

                  opts.Events = new OpenIdConnectEvents
                       OnAuthorizationCodeReceived = async ctx =>
                           HttpRequest request = ctx.HttpContext.Request;

                          string currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);
                           var credential = new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);

                          var authContext = new AuthenticationContext(ctx.Options.Authority);

                          string resource = “”;
                           AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                               ctx.ProtocolMessage.Code, new Uri(currentUri), credential, resource);

                          ctx.HandleCodeRedemption(result.AccessToken, result.IdToken);

            services.Configure<CookiePolicyOptions>(options =>
                 options.CheckConsentNeeded = context => true;
                 options.MinimumSameSitePolicy = SameSiteMode.None;


        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
             if (env.IsDevelopment())


            app.UseMvc(routes =>
                     name: “default”,
                     template: “{controller=Home}/{action=Index}/{id?}”);

Step 7: Modify Controller

Modify the Home Controller as following:


public class HomeController : Controller

// This will ensure Login prompt will prompt whenever the Controller method is accessed.

Step 8: Run the Application

Run the application & It should prompt you for the Login.  Enter the Credentials.

You can see the Login prompt.


Enter your New User credentials and you will be redirected to the Home Screen.


The source can be downloaded here.


In this article we have seen how to configure Azure Active Directory for a .Net Core 2.2 Web Application.

How to do App Registration for Enterprise Application?

In this post we can see how to do an App Registration for a Web application so that it will become Enterprise Application.

Step 1  Open Azure Portal > Active Directory

Open Azure Portal > Go to Active Directory from Resources.


Step 2  Open App Registrations

Open App Registrations blade as shown below.


Step 3 Create New App Service

Click on the New Registration button. 

  • Enter Name for the service
  • Leave the default options
  • Enter the Redirect URI as the URL of your web application / web api

Click the Register button

Copy the Client ID  as displayed over there.


Step 3 Create Credentials

Go to the Certificates & secrets blade. 

  • Click on New client secret
  • Save changes

Copy the Password generated


Now you have the Client ID and the Client Secret for the App Registration.  Now any application authenticated using these will be given privilege of this App Registration.

Step 4  Open Enterprise Applications

Open Enterprise Applications blade from Active Directory.  Search for the name.


If you can find your Application – Congratulations!

You have just created an Enterprise Applications.  Now you can do the following & more with it.

  • Add Owners
  • Add Users
    • Internal & External
    • Enable Self-Servcie
  • Audit Logs
  • Troubleshoot



In this post we have seen how to perform an App Registration.

OAuth2 vs OpenID Connect & Azure AD Seamless SSO

OAuth 2 is an Authorization Framework.  It allows 3rd party application to get access to an HTTP Service.  It is primarily used as Token for API Access.

OpenID Connect is an Authentication Framework.  It is primarily used as ID Token for SSO.

Azure AD Seamless SSO automatically signs in users from their corporate devices to Azure Active Directory.


Internet Engineering Task Force

CosmosDB vs. Azure SQL–Performance Benchmark

I was doing Benchmarking on CosmosDB vs Azure SQL for a Performance Critical application.  Our needs was fulfillable through Azure SQL but there was some CosmosDB use cases like Schemaless, Geo-replication etc.

So let us see the Performance Benchmark



  • Default Configuration
  • East US

Azure SQL

  • Standard S1
  • East US

Test 1 : Accessing from Laptop

The Test 1 was conducted from a Laptop within US region.  The test was conducted with 100 continuous Inserts of 10KB data on each.

The observations are below.

100 Count 1 Count (Average)
CosmosDB 3 second 30 millisecond
Azure SQL 3 second 30 millisecond

Test 2  : Accessing from Azure VM

The Test 2 was conducted from an Azure VM within East US region to ensure minimum latency.  The test was conducted with 100 continuous Inserts of 10KB data on each.

100 Count 1 Count (Average)
CosmosDB 2 second 20 millisecond
Azure SQL 1 second 10 millisecond


Cannot find much speed advantage on Cosmos DB


As per the SLA on CosmosDB there need to be following criterias to get the 1 digit millisecond response:

  • Within same Region
  • TCP configuration
  • High Speed Internet


Azure SQL on Standard Configuration is providing better Speed than Cosmos DB.   Choose Cosmos DB based on the right use case.

I can publish the Database Benchmark Application on demand.

Azure Key Vault & Access from C#

Azure Key Vault & Access from C#

In this article we can explore how to create an Azure Key Vault & Access from C#.

Azure Key Vault

Azure Key Vault allows to keep encrypted secured strings. Eg: Connection Strings, Passwords etc.

Create Azure Key Vault

Open Azure Portal & Create a new Key Vault as shown below.


Go the Secrets blade and create a new Secret with name as key1 and value as value1


Create App Registration

We need to create an App Registration for our Console Application. This will enable to Authenticate our Console Application using the Credentials.

Go to Azure Portal > Azure Active Directory > App Registrations. Create new App Registration as below.


Create new client secret too.


Now copy the Client ID and Client Secret which you need in the next steps.

Authorize Console Application

We need to Authorize the Console Application to the Key Vault. Without this step you will get Forbidden error.

Go to Key Vault > Access Policies blade


Click Add Access Policy and select our Console Application as Principal.



Now onwards any application authenticated through Client Credentials of the Console App Registration will be considered as Principal – which is the Security Identity for the application.

Create Project

Create a new console application in Visual Studio. Add references to following:

· Microsoft.Azure.KeyVault

· Microsoft.IdentityModel.Clients.ActiveDirectory

Replace the code with following.

using Microsoft.Azure.KeyVault;

using Microsoft.IdentityModel.Clients.ActiveDirectory;

using System;

using System.Threading.Tasks;

namespace KeyVault


class Program


static void Main(string[] args)


Console.WriteLine($”Secret Value from Vault is: {GetVaultValue()}”);



static string GetVaultValue()


KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));

var vaultAddress = “;;

var secretName = “key1”;

var secret = client.GetSecretAsync(vaultAddress, secretName).GetAwaiter().GetResult();

return secret.Value;


static async Task<string> GetToken(string authority, string resource, string scope)


var clientId = “YOUR CLIENT ID”;

var clientSecret = “YOUR CLIENT SECRET”;

ClientCredential credential = new ClientCredential(clientId, clientSecret);

var context = new AuthenticationContext(authority, TokenCache.DefaultShared);

var result = await context.AcquireTokenAsync(resource, credential);

return result.AccessToken;




On running the application, you will get the following output.



In this article we have explored how to create an Azure Key Vault & Access from C#.

3 Types of Azure Load Balancers

Load Balancers helps to distribute the Network Traffic across different servers or applications.  Thus high response systems are maintained.

In Azure there are 3 types of Load Balancers.

Azure Traffic Manager

This is an External Global Load Balancer which determines the User’s Location and Redirect to the Closest Region of Deployment.

Azure Application Gateway

This is Layer 7 load balancing.  Here the incoming traffic is distributed using the cookie, url-routing rules etc.  There will be backend pool websites behind a single application gateway.

Azure Load Balancer

This is Layer 4 load balancing.  There are 2 types under this category:

  • External Load Balancer for routing requests to Frontend Public IP Addresses
  • Internal Load Balancer for routing request to Backend Private IP Addresses