Multithreading vs. Asynchronous

Multithreading & Asynchronous Programming are both Concurrent Programming.

Multithreading Asynchronous
CPU-concurrency I/O-concurrency
Thread class (old way) async.. await syntax
Task class (new way)

Task Parallel Library

Task Synchronous Programming Model

Task Parallel Library

Task Parallel Library is the preferred way of using Threads in C# for CPU concurrency.

image

var task = Task.Run((Action)DoProcess);
task.Wait();

Task Synchronous Programming Model

image

References

https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/async/

Azure VNET Connectivity Options

We can connect 2 VNET using following options:

  • VNET Peering
  • VPN Gateway

VNET Peering

VNET Peering is the best option as it gives fastest connectivity using the Microsoft backbone infrastructure using Private addresses.

There are 2 types of VNET Peering:

  • VNET Peering for same region connectivity
  • Global VNET Peering for different region connectivity

VPN Gateway

If you have one of the VNET in an On-Premise then you can choose the VPN Gateway option.  It also offers Encryption which could make a decision.

However VPN Gateway will be slower compared with Peering, More Configuration & More Setup Time overheads exists.

Comparison

Description VNET Peering VPN Gateway
Easy Setup Yes No
Encryption No Yes
Cross-Region Support Yes Yes
Pricing Less More
Speed High Low
Bandwidth Limit No Yes
Public IP No Yes
On-Premise Support Complicated Yes

References

https://azure.microsoft.com/en-us/blog/vnet-peering-and-vpn-gateways/

What are the Different Ways to connect from Azure to On-Premise SQL Server?

Here I would like to list down the different ways to connect from Azure to On-Premise SQL Server.

VPN

We can create a site-to-site VPN for connecting from Azure to On-Premise.  Here the VPN device on Azure takes care of transmitting the request to the On-Premise network.

https://docs.microsoft.com/en-us/office365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network

Azure Data Factory

Azure Data Factory requires running an Integration Runtime service in the On-Premise machine to make the connectivity happen.  It also requires Outbound port opening from On-Premise machine if there is any Outbound connection required back to the Azure SQL.

https://azure.microsoft.com/en-us/services/data-factory/

Azure Hybrid Connections

Hybrid Connections are created within the App Service.

https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections

https://nishantrana.me/2018/02/19/using-azure-hybrid-connections-to-connect-to-sql-on-prem-database-from-azure-webjob/

Azure Service Bus Relays

Relays create endpoints on the On-Premise application which can be accessed by the Outside World.

Link: https://www.c-sharpcorner.com/article/overview-of-azure-service-bus-relay/

Express Route

Express Route is a highly secured option as it creates a new connectivity other than Public Internet.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

On-Premises Data Gateway

If you are using Logic Apps, Power BI then you can rely on On-Premise Data Gateway.  This involves installing the On-Premise Data Gateway on Azure & On-Premise too.

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install

https://www.codit.eu/blog/installing-and-configuring-on-premise-data-gateway-for-logic-apps/

Note

Depending on your Network Security guidelines choose the appropriate one.

How to Verify Custom Domain from GoDaddy.com in Azure Portal?

In this post we can see how to verify custom domain purchased from www.godaddy.com in Azure Portal.

Purchase Domain

You can visit www.godaddy.com to complete the domain purchase.

Azure Portal

You can open the Azure Portal > Azure Active Directory > Custom domain names blade as shown below.

image

Choose the Add custom domain option > Enter your name > Copy the following values.

image

Copy the values.

GoDaddy

Now go to the www.godaddy.com website

https://dcc.godaddy.com/domains/

Choose > Manage DNS from the Ellipssis

image

In the upcoming records page click the Add button.

image

In the appearing page choose TXT and enter the values from Azure Portal.

image

Now wait for 1 minute & Come back to Azure Portal & Click Verify

image

You will get it Verified!

Azure Certificate based Authentication from App Service to Access Key Vault

In this post I would like to demonstrate the usage of Certificate based Authentication from a deployed App Service in Azure & thereby accessing Azure Key Vault.

Control Flow

Following picture depicts the entire Control Flow.

image

Follow the steps for Certificate creation: LINK 1

  • Create Certificate
  • Export to .CER format
  • Export to .PFX format

Following are the App Service & App Registration activities LINK 2

  • Create App Service
  • Associate the .PFX Certificate
  • Create App Registration
  • Associate the .CER Certificate

Following are the Key Vault Activities LINK 3

  • Create Key Vault
  • Create Secret
  • Provide necessary permissions to the App Registration

Create the Code LINK 4

  • Create Web API Project
  • Load the certificate
  • Access the Key Vault
  • Deploy the Application

Test the application

image

Note This is a real-world scenario & hence steps & complexities are high.

Certificate vs Password

Certificate based Authentication is more secured than Password because:

  • Certificate is difficult to copy, re-generate & install – hence more security
    • Certificate based Authentication enforces that the Token is only provided to Certificate holder
  • Password can be copied easily & played back – hence less security

Common Errors

  • Forbidden – Add necessary permission for App Registration in the Key Vault
  • Not Found – This should be Key Vault Secret Name is invalid

Contact

For any information OR consulting please contact me through Linked-in.

References

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-group-permissions-for-apps

NCRONTAB Expression in Web Jobs

NCRONTAB is the library used in Web Jobs & Azure Functions to prepare Scheduled Execution.  Using the library we can schedule jobs like:

  • Every day
  • Every day at 10 AM
  • Every Monday
  • Every Monday at 10AM
  • Every Year
  • Every Year December 31st at 12 PM

NCRONTAB Format

{second} {minute} {hour} {day} {month} {day-of-week}

Please note that the last parameter is NOT year

Asterisk

Use * to denote repeat

Examples

0 5 * * * * Every 5th minute
0 */5 * * * * Every 5 minutes
0 0 * * * * Every hour
0 0 */2 * * * Every 2 hour
0 0 9-17 * * * Every hour from 9AM to 5PM
0 30 9 * * * At 9:30 AM everyday
0 30 9 * * 1-5 At 9:30 AM every weekday
0 30 9 * Jan Mon At 9:30 AM every January Monday

More

https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-timer?tabs=csharp#ncrontab-expressions

Create Web API Project to Access Certificate & Key Vault Secret

Create a new Web API project.image

Add package: Microsoft.Azure.KeyVault

Create a new Controller.  Add the following code.

public class KeyVaultController : Controller
{
     public IActionResult Index()
     {
         string result = string.Empty;

        try
         {
             result = new KeyVaultSecretProvider().GetKeyVaultSecret(“MySecret”);
         }
         catch (Exception ex)
         {
             result = ex.ToString();
         }

        return Content(result);
     }
}

Create a new class.  Add the following code.

using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

namespace KeyVault_Cert_WebAPI.Controllers
{
     public class KeyVaultSecretProvider
     {
         public const string ClientID = “YOUR-CLIENT-ID”;
         public static string Thumbprint = “YOUR-THUMBPRINT”;
         public const string VaultURL = “https://YOUR-KEY-VAULT.vault.azure.net/”;
         public ClientAssertionCertificate Certificate { get; set; }

        public X509Certificate2 FindCertificateByThumbprint()
         {
             X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
             store.Open(OpenFlags.ReadOnly);
             X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
             store.Close();

            if (col == null || col.Count == 0)
                 throw new Exception(“ERROR: Certificate not found with thumbprint”);

            return col[0];
         }

        public void GetCertificate()
         {
             var clientAssertionCertPfx = FindCertificateByThumbprint();
             Certificate = new ClientAssertionCertificate(ClientID, clientAssertionCertPfx);
         }
         public async Task<string> GetAccessToken(string authority, string resource, string scope)
         {
             var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
             var result = await context.AcquireTokenAsync(resource, Certificate);

            return result.AccessToken;
         }

        public string GetKeyVaultSecret(string secretNode)
         {
             var secretUri = string.Format(“{0}{1}”, VaultURL + “secrets/”, secretNode);
             GetCertificate();
             var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));

            return keyVaultClient.GetSecretAsync(secretUri).Result.Value;
         }
     }
}

Deploy the Application

Publish the application to the same App Service we created in previous step.

Article Series

This post is part of an Article Series:

Azure Certificate based Authentication from App Service to Access Key Vault

Create Key Vault & Secret

In this post we can create a Key Vault & Secret.

Create Key Vault

Go to Azure > Key Vaults > Create new Key Vault

image

Copy the Key Vault URL.  You will need it in the upcoming step.

Create Secret

Go to the Secrets blade & Create a new secret.

image

Set Permissions

Go to Key Vault > Access Policies > Add Access Policy > Select App Registration

image

Congratulations!

Now we are ready to proceed with next step.

Article Series

This post is part of an Article Series:

Azure Certificate based Authentication from App Service to Access Key Vault

Azure Locks

Azure allows Locking the resource, resource group from accidental modifications OR deletions.

Types of Locks

There are 2 types of locks:

  • DELETE LOCK prevents deletion of resource
  • READONLY LOCK prevents modifications Or deletion of resource

LOCK Blade

The Lock Blade is available for all the resources:

  • App Service
  • Virtual Machines
  • Data Factory
  • etc.

image

Now let us create a Delete Lock.

image

Testing Lock

Now go to the App Service & Try deleting it.

You will get the following Message preventing it from deletion.

image

Note

This is a wonderful feature for Administrators & Prevents accidental deletion & modifications of the Azure Resource OR Resource Groups.

Create App Service, App Registration & Associate Certificates

In this post we can do the following:

  • Create App Service
  • Associate .PFX Certificate
  • Create App Registration
  • Associate .CER Certificate

Create App Service

Go to Azure > App Service > Create New App Service (At least B1 Plan required to have TLS settings)

image

Associate .PFX Certificate

Go to App Service > TLS Settings blade > Private key certificates tab > Upload our .PFX certificate

image

Note the Thumbprint of the certificate.  You will need it in the upcoming steps of the article-series.

Create App Registration

Go to Azure > Active Directory > App Registrations > Create New App Registration

image

Noe the Client ID & Tenant ID.  You will need it in the upcoming steps of the article-series.

Associate .CER Certificate

Now go to the Certificates & secrets blade and upload the .CER certificate.

image

Congratulations!

You are now ready with your App Service & App Registration along with the Certificates.

Note

Few notes on Certificates:

  • Issuer Information – owner information
  • Private Key – for encryption using one secret – faster
  • Public Key – for decryption using another secret  – slower & better reliable
  • Thumbprint – for identification
  • Password – for installation

References

https://www.geeksforgeeks.org/difference-between-private-key-and-public-key

Article Series

This post is part of an Article Series:

Azure Certificate based Authentication from App Service to Access Key Vault