Azure VNET Connectivity Options

We can connect 2 VNET using following options:

  • VNET Peering
  • VPN Gateway

VNET Peering

VNET Peering is the best option as it gives fastest connectivity using the Microsoft backbone infrastructure using Private addresses.

There are 2 types of VNET Peering:

  • VNET Peering for same region connectivity
  • Global VNET Peering for different region connectivity

VPN Gateway

If you have one of the VNET in an On-Premise then you can choose the VPN Gateway option.  It also offers Encryption which could make a decision.

However VPN Gateway will be slower compared with Peering, More Configuration & More Setup Time overheads exists.

Comparison

Description VNET Peering VPN Gateway
Easy Setup Yes No
Encryption No Yes
Cross-Region Support Yes Yes
Pricing Less More
Speed High Low
Bandwidth Limit No Yes
Public IP No Yes
On-Premise Support Complicated Yes

References

https://azure.microsoft.com/en-us/blog/vnet-peering-and-vpn-gateways/

What are the Different Ways to connect from Azure to On-Premise SQL Server?

Here I would like to list down the different ways to connect from Azure to On-Premise SQL Server.

VPN

We can create a site-to-site VPN for connecting from Azure to On-Premise.  Here the VPN device on Azure takes care of transmitting the request to the On-Premise network.

https://docs.microsoft.com/en-us/office365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network

Azure Data Factory

Azure Data Factory requires running an Integration Runtime service in the On-Premise machine to make the connectivity happen.  It also requires Outbound port opening from On-Premise machine if there is any Outbound connection required back to the Azure SQL.

https://azure.microsoft.com/en-us/services/data-factory/

Azure Hybrid Connections

Hybrid Connections are created within the App Service.

https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections

https://nishantrana.me/2018/02/19/using-azure-hybrid-connections-to-connect-to-sql-on-prem-database-from-azure-webjob/

Azure Service Bus Relays

Relays create endpoints on the On-Premise application which can be accessed by the Outside World.

Link: https://www.c-sharpcorner.com/article/overview-of-azure-service-bus-relay/

Express Route

Express Route is a highly secured option as it creates a new connectivity other than Public Internet.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

On-Premises Data Gateway

If you are using Logic Apps, Power BI then you can rely on On-Premise Data Gateway.  This involves installing the On-Premise Data Gateway on Azure & On-Premise too.

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install

https://www.codit.eu/blog/installing-and-configuring-on-premise-data-gateway-for-logic-apps/

Note

Depending on your Network Security guidelines choose the appropriate one.

Azure Certificate based Authentication from App Service to Access Key Vault

In this post I would like to demonstrate the usage of Certificate based Authentication from a deployed App Service in Azure & thereby accessing Azure Key Vault.

Control Flow

Following picture depicts the entire Control Flow.

image

Follow the steps for Certificate creation: LINK 1

  • Create Certificate
  • Export to .CER format
  • Export to .PFX format

Following are the App Service & App Registration activities LINK 2

  • Create App Service
  • Associate the .PFX Certificate
  • Create App Registration
  • Associate the .CER Certificate

Following are the Key Vault Activities LINK 3

  • Create Key Vault
  • Create Secret
  • Provide necessary permissions to the App Registration

Create the Code LINK 4

  • Create Web API Project
  • Load the certificate
  • Access the Key Vault
  • Deploy the Application

Test the application

image

Note This is a real-world scenario & hence steps & complexities are high.

Certificate vs Password

Certificate based Authentication is more secured than Password because:

  • Certificate is difficult to copy, re-generate & install – hence more security
    • Certificate based Authentication enforces that the Token is only provided to Certificate holder
  • Password can be copied easily & played back – hence less security

Common Errors

  • Forbidden – Add necessary permission for App Registration in the Key Vault
  • Not Found – This should be Key Vault Secret Name is invalid

Contact

For any information OR consulting please contact me through Linked-in.

References

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-group-permissions-for-apps

Computer Vision API–Testing SRK Photo

Computer Vision API provides ready algorithms for processing images – It can classify a picture as object, animal etc.  It can also validate it with Celebrities – all through the machine learning infrastructure of Azure under the hood.

image

Azure Service

For testing this you need to create the Computer Vision service from Azure > Marketplace.

image

Choose the S1 tier as most of the capabilities are residing there.

image

Console Application in C#

Create a Console Application in C# and add the following Nuget package.

image

SRK

As a test I am going to upload above SRK picture & let the Computer Vision API identify him.

Output

The API is successfully identifying SRK! Smile

image

The Code

using Microsoft.Azure.CognitiveServices.Vision.ComputerVision;
using Microsoft.Azure.CognitiveServices.Vision.ComputerVision.Models;
using Microsoft.Rest;
using System;
using System.IO;
using System.Net.Http;

namespace ComputerVisionAPI
{
     class Program
     {
         static void Main(string[] args)
         {
             var features = new VisualFeatureTypes[] { VisualFeatureTypes.Tags, VisualFeatureTypes.Description };

            ComputerVisionClient computerVisionClient = new ComputerVisionClient(
                 new ApiKeyServiceClientCredentials(“YOUR KEY”),
                 new DelegatingHandler[] { }
                 )
             {
                 Endpoint = https://URL.cognitiveservices.azure.com/
             };

            using (var fs = new FileStream(@”C:\temp\ShahrukhKhan.png”, FileMode.Open))
             {
                 ImageAnalysis result = computerVisionClient.AnalyzeImageInStreamAsync(fs, features).Result;

                Console.WriteLine(“TAGS >> “);
                 foreach (string tag in result.Description.Tags)
                     Console.Write($” {tag} “);

                Console.WriteLine(Environment.NewLine + Environment.NewLine + “CAPTION >>”);
                 foreach (ImageCaption caption in result.Description.Captions)
                     Console.WriteLine($”{caption.Text} – Confidence: {caption.Confidence} “);

            }
         }
     }
}

References

https://azure.microsoft.com/en-us/services/cognitive-services/computer-vision/#product-overview

NCRONTAB Expression in Web Jobs

NCRONTAB is the library used in Web Jobs & Azure Functions to prepare Scheduled Execution.  Using the library we can schedule jobs like:

  • Every day
  • Every day at 10 AM
  • Every Monday
  • Every Monday at 10AM
  • Every Year
  • Every Year December 31st at 12 PM

NCRONTAB Format

{second} {minute} {hour} {day} {month} {day-of-week}

Please note that the last parameter is NOT year

Asterisk

Use * to denote repeat

Examples

0 5 * * * * Every 5th minute
0 */5 * * * * Every 5 minutes
0 0 * * * * Every hour
0 0 */2 * * * Every 2 hour
0 0 9-17 * * * Every hour from 9AM to 5PM
0 30 9 * * * At 9:30 AM everyday
0 30 9 * * 1-5 At 9:30 AM every weekday
0 30 9 * Jan Mon At 9:30 AM every January Monday

More

https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-timer?tabs=csharp#ncrontab-expressions

Create Web API Project to Access Certificate & Key Vault Secret

Create a new Web API project.image

Add package: Microsoft.Azure.KeyVault

Create a new Controller.  Add the following code.

public class KeyVaultController : Controller
{
     public IActionResult Index()
     {
         string result = string.Empty;

        try
         {
             result = new KeyVaultSecretProvider().GetKeyVaultSecret(“MySecret”);
         }
         catch (Exception ex)
         {
             result = ex.ToString();
         }

        return Content(result);
     }
}

Create a new class.  Add the following code.

using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

namespace KeyVault_Cert_WebAPI.Controllers
{
     public class KeyVaultSecretProvider
     {
         public const string ClientID = “YOUR-CLIENT-ID”;
         public static string Thumbprint = “YOUR-THUMBPRINT”;
         public const string VaultURL = “https://YOUR-KEY-VAULT.vault.azure.net/”;
         public ClientAssertionCertificate Certificate { get; set; }

        public X509Certificate2 FindCertificateByThumbprint()
         {
             X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
             store.Open(OpenFlags.ReadOnly);
             X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
             store.Close();

            if (col == null || col.Count == 0)
                 throw new Exception(“ERROR: Certificate not found with thumbprint”);

            return col[0];
         }

        public void GetCertificate()
         {
             var clientAssertionCertPfx = FindCertificateByThumbprint();
             Certificate = new ClientAssertionCertificate(ClientID, clientAssertionCertPfx);
         }
         public async Task<string> GetAccessToken(string authority, string resource, string scope)
         {
             var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
             var result = await context.AcquireTokenAsync(resource, Certificate);

            return result.AccessToken;
         }

        public string GetKeyVaultSecret(string secretNode)
         {
             var secretUri = string.Format(“{0}{1}”, VaultURL + “secrets/”, secretNode);
             GetCertificate();
             var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));

            return keyVaultClient.GetSecretAsync(secretUri).Result.Value;
         }
     }
}

Deploy the Application

Publish the application to the same App Service we created in previous step.

Article Series

This post is part of an Article Series:

Azure Certificate based Authentication from App Service to Access Key Vault