Saturday, June 5, 2021

Managed Identity

Managed Identity is an Azure feature that gives an Azure resource an identity managed by Azure, which can then be granted access to other Azure resources. This improves security by reducing the need for applications to keep credentials in code or configuration files: the identity is linked to the resource, and it is the identity, not a stored secret, that is authorized.

A common challenge for developers is the management of secrets and credentials used to secure communication between different components making up a solution. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens. For example, an application may use a managed identity to access resources like Azure Key Vault where developers can store credentials in a secure manner or to access storage accounts.


In the diagram above, a Logic App reads a secret from Key Vault using its managed identity. I will explain each step in detail.

In this blog we will do the following:

1.       Create new secret inside key vault

2.       Create new Logic App and enable system assigned managed identity

3.       Add logic app inside key vault Access policies

4.       Make an HTTP GET call from the Logic App and get the secret

Create new secret inside key vault

First, we need to create a new secret inside the key vault. In this example I am using my existing key vault, djsecrets. If you want to learn more about Key Vault, please read my previous blog on Azure Key Vault.

Follow the steps below to add a new secret to the key vault:

1.       Go to the key vault


2.       Create a new secret named “Name” with the value “DJ Blogs”

 


3.       Click on Create and the secret is added to the key vault. If we open the secret, it will look like the screenshot below.

The secret URL looks like https://djsecrets.vault.azure.net/secrets/Name/version-number

If you want to get the latest value every time, leave the version number out of the URL: https://djsecrets.vault.azure.net/secrets/Name

This URL will be used in our Logic App to get the latest value of the secret.

Create new Logic App and enable system assigned managed identity

Now we will create a Logic App that gets the secret with an HTTP GET request authenticated by its managed identity. If you want to learn more about Logic Apps, please read my previous blog on Logic App.

Follow the steps below to create the Logic App:

1.       Go to the resource group where you want to create the Logic App and click on the Add button

 


2.       Create the Logic App with the name “djmanagedidentity” in the Central US region.

 

3.       Once the Logic App is created, enable the system assigned managed identity in the Logic App


4.       Following the steps above creates an Object ID for the Logic App; our resource is now ready to be granted access through its managed identity.

Add logic app inside key vault Access policies

Once the system assigned managed identity is enabled on a resource in Azure, we can add that resource to the access policies of another resource so it can access it. Follow the steps below to let the Logic App read the secret from the key vault:

1.       Go to your key vault and select Access policies

 


2.       Click on Add Access Policy and add the Logic App object so it can read the secret


3.       Once the Logic App is added to the access policy, we can get the secret value with an HTTP GET request.

 

Make HTTP GET call from Logic App and get secret

The managed identity is now set up between the two resources (Key Vault and Logic App) within Azure. To get the secret in the Logic App, we need to add two steps inside the Logic App.

 


We need to add the key vault secret URL and the authentication details inside the HTTP step, as below:

Method: GET

URL: https://djsecrets.vault.azure.net/secrets/Name?api-version=7.2

Audience: https://vault.azure.net

Once all this information is filled in as above, we run the Logic App. It will show the input and output as below.

Input

Output
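What the Logic App's HTTP step does under the hood, as an added example written for this page and not code from the post: a small .NET console app that uses the Azure.Identity package to get a token for the Key Vault audience from the resource's managed identity and then calls the same secret URL. It assumes it runs on an Azure resource whose system assigned managed identity is in the vault's access policies.

```csharp
// Added example: the same three inputs as the post's HTTP step (method, URL, audience),
// performed by hand so the token flow is visible. Requires the Azure.Identity NuGet package.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

class Program
{
    // Values from the post: vault djsecrets, secret "Name", no version => latest value.
    const string SecretUrl = "https://djsecrets.vault.azure.net/secrets/Name?api-version=7.2";
    const string Audience = "https://vault.azure.net";

    static async Task Main()
    {
        // 1. Ask the Azure platform for a token scoped to the Key Vault audience.
        //    ManagedIdentityCredential uses the resource's system assigned identity;
        //    nothing in code or configuration holds a credential.
        var credential = new ManagedIdentityCredential();
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { Audience + "/.default" }));

        // 2. GET the secret URL with the bearer token, exactly as the Logic App step does.
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token.Token);
        using HttpResponseMessage response = await http.GetAsync(SecretUrl);

        // 403 Forbidden here means the identity is not listed in the vault's access policies
        // (step 3 of the post); 401 means the token was issued for the wrong audience.
        response.EnsureSuccessStatusCode();

        // 3. The body is JSON: "value" holds the secret, "id" the versioned secret URL.
        using JsonDocument doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        string id = doc.RootElement.GetProperty("id").GetString();
        string value = doc.RootElement.GetProperty("value").GetString();

        // Log which version was resolved, not the secret itself.
        Console.WriteLine($"Resolved {id} ({value?.Length ?? 0} characters)");
    }
}
```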

 

Microsoft: What can a managed identity be used for?

I hope this helps you understand managed identity in Azure and how you can use it.

Keep sharing keep learning 

Saturday, May 29, 2021

Migrating Window Authentication App into Azure

As you know, Windows Authentication is not supported in Azure. When attempting to move legacy ASP.NET apps to Azure App Service, you might encounter a few challenges. However, Microsoft provides the Azure App Service Migration Assistant, which helps you migrate your on-premises application to the Azure cloud. I have previously written a blog about it; you can read more at the link below.

AppService Migration Assistant

We will walk through updating an ASP.NET application with Windows Integrated Authentication to use Azure Active Directory (AAD). It will help you to move your on-premises application into Azure PaaS (Web App). This post walks through some relatively minor tweaks that allow you to switch your site to use AAD for authentication and, if you want, AD group membership for authorization. These changes will enable deployment of those sites to Azure App Services.


To make the change we are going to follow the steps below:

1.       Ensure your site is set up to use SSL.

2.       Register your application in AAD.

3.       Get the necessary OWIN NuGet packages.

4.       Add in some startup code to use the OWIN authentication libraries.

 

Ensure your site is set up to use SSL

For this demo I am using an application that runs with Windows Authentication. First, we need to ensure the application uses SSL (https) while running. You can enable this by selecting the project and setting the property SSL Enabled to true.


When you run the application, it runs on port 44362, as you can see in the screenshot.

URL: https://localhost:44362/

Register your application in AAD

We need to register the application with Azure Active Directory (AAD).

Follow these steps to register the app in the Azure portal:

1.       Go to azure portal https://portal.azure.com

2.       Once you are logged in, go to Azure Active Directory


3.       Then click on App registrations


4.       After that click on New registration. It will open the form shown below


5.       Once all the information is filled in as above, click on the Register button

6.       Now our app is registered in AAD and we can use the client ID and tenant ID of the registered app in our web application.


 

Get the necessary OWIN NuGet packages.

OWIN (Open Web Interface for .NET) will significantly simplify the migration process. OWIN defines a standard interface between .NET web servers and web applications. The goal of the OWIN interface is to decouple server and application.

The problem with System.Web is that it is way too bloated and coupled with IIS. You are forced to run it in IIS. The OWIN initiative is an attempt to modularize and decouple the Web Stack by adding abstraction.

OWIN is an open standard. http://owin.org/

We need to install these OWIN (Open Web Interface for .NET) packages:

1.       Microsoft.Owin.Host.SystemWeb

2.       Microsoft.Owin.Security.OpenIdConnect

3.       Microsoft.Owin.Security.Cookies


Microsoft.Owin.Host.SystemWeb

Middleware that enables OWIN-based applications to run on Internet Information Services (IIS) by using the ASP.NET request pipeline

 

Microsoft.Owin.Security.OpenIdConnect

Middleware that enables an application to use OpenIdConnect for authentication

 

Microsoft.Owin.Security.Cookies

Middleware that enables an application to maintain a user session by using cookies

  

Add in some startup code to use the OWIN authentication libraries

We need to add some code to the OWIN startup process and adjust the web.config.

Web.config


Once these 3 keys are added to Web.config, we need to create a Startup.cs file inside the App_Start folder.

Startup.cs


You can download this code from GitHub

URL: https://github.com/deepakjoshiinfo/WindowsAuthToAzureAD 
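The Startup.cs in the linked repository is shown in the post only as a screenshot; the following is an added example of such a startup class, written for this page rather than copied from that repository. It assumes the three Web.config appSettings keys are named ida:ClientId, ida:Tenant and ida:PostLogoutRedirectUri (the names used in the Microsoft sample the post links), that Microsoft.Owin.Security.OpenIdConnect 4.x is installed, and that the app registration emits a groups claim.

```csharp
// Added example (not the repository's file): App_Start/Startup.cs wiring the three OWIN packages
// the post installs. Assumed Web.config keys: ida:ClientId, ida:Tenant, ida:PostLogoutRedirectUri.
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;   // TokenValidationParameters (OpenIdConnect 4.x)
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(WindowsAuthToAzureAD.Startup))]

namespace WindowsAuthToAzureAD
{
    public class Startup
    {
        // Client ID and tenant ID come from the app registration created above.
        private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static readonly string PostLogoutRedirectUri =
            ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        private static readonly string Authority = "https://login.microsoftonline.com/" + Tenant;

        public void Configuration(IAppBuilder app)
        {
            // Microsoft.Owin.Security.Cookies: the signed-in user is kept in a cookie,
            // which replaces the per-request Kerberos/NTLM handshake of Windows Authentication.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // Microsoft.Owin.Security.OpenIdConnect: unauthenticated requests are redirected
            // to Azure AD (the login page the post shows), and the returned id_token is validated
            // against the tenant's signing keys, the issuer, and our client ID as audience.
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                PostLogoutRedirectUri = PostLogoutRedirectUri,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Azure AD sends group membership in the "groups" claim (object IDs by default).
                    // Treating it as the role claim is what makes User.IsInRole(...) work.
                    RoleClaimType = "groups"
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Keep the exception text out of the browser; send the user to an error page.
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Error.aspx");
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

With `<authentication mode="None" />` and `<authorization><deny users="?" /></authorization>` in Web.config (assumed, as in the Microsoft sample), the 401 that authorization produces is what triggers the redirect. Because the groups claim carries object IDs, the IsInRole("Group1") check in About.aspx matches only if the registration is configured to emit group names; otherwise pass the group's object ID.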

Once we have made the changes in Startup.cs, we need to test whether authentication is working. I have copied the code below into the About.aspx file:

<div>
    <div>IsAuthenticated</div> <div><%= HttpContext.Current.User.Identity.IsAuthenticated %></div>
    <div>AuthenticationType</div> <div><%= HttpContext.Current.User.Identity.AuthenticationType %></div>
    <div>Name</div> <div><%= HttpContext.Current.User.Identity.Name %></div>
    <div>Is in "Group1"</div>
    <div><%= HttpContext.Current.User.IsInRole("Group1") %></div>
    <div>Is in "Group2"</div>
    <div><%= HttpContext.Current.User.IsInRole("Group2") %></div>
</div>

When I run the application on my local machine, it redirects me to the Microsoft login page for authentication.

Log in with your domain user ID and password and it will open our application.


You can see the user is authenticated by Azure Active Directory. Now we can migrate this application to an Azure Web App. If you want to learn more about web apps, read my previous post Azure Web Apps

Helpful links for more information

Convert ASP.NET Web Forms with Windows Authentication to use AAD

https://devblogs.microsoft.com/premier-developer/convert-asp-net-webforms-with-windows-authentication-to-use-aad/

QuickStart: Register an application with the Microsoft identity platform

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

I hope this helps you migrate Windows Authentication to Azure Active Directory authentication.

Keep sharing keep learning. Cheers

Saturday, May 15, 2021

App Service Migration Assistant

When attempting to move legacy ASP.NET apps to Azure App Service, you might encounter a few challenges which are documented here.

The App Service Migration Assistant is designed to simplify your journey to the cloud through a free, simple, and fast solution to migrate ASP.Net applications from on-premises to the cloud. You can quickly:

1.       Assess whether your app is a good candidate for migration by running a scan of its public URL.

2.       Download the Migration Assistant to begin your migration.

3.       Use the tool to run readiness checks and general assessment of your app’s configuration settings, then migrate your app or site to Azure App Service via the tool.

How the tool works

The Migration Assistant tool is a local agent that performs a detailed assessment and then walks you through the migration process. The tool performs readiness checks as well as a general assessment of the web app’s configuration settings.

You can download the Azure App Service Migration Assistant from the URL below

https://azure.microsoft.com/en-us/services/app-service/migration-assistant/

Once the setup is downloaded, install it on the web server and run the application. It will ask you to choose the application from the web server.


Click on the Next button and it will run the Azure migration assessment for your web application.


Once the application has received a successful assessment, the tool will walk you through the process of authenticating with your Azure subscription and then prompt you to provide details on the target account and App Service plan along with other configuration details for the newly migrated site.


The Migration Assistant tool will then move your site to the target App Service plan while also configuring Hybrid Connections, should that option be selected.

Database migration and Hybrid Connections

Azure App Service migration assistant is designed to migrate the web application and associated configurations, but it does not migrate the database. There are two options for your database:

1.       Use the SQL Migration Tool

2.       Leave your database on-premises and connect to it from the cloud using Hybrid Connections

SQL Migration Tool

If you want to migrate your on-premises database to Azure, you can do it with the Data Migration Assistant. I have previously written a detailed blog on it. You can read it at this link: What is data migration assistant?

Leave your database on-premises

You can also leave your database on-premises. Azure App Service can connect to the SQL database through Hybrid Connections. Hybrid Connections allows you to securely access application resources in other networks, in this case an on-premises SQL database. The migration tool configures and sets up Hybrid Connections for you, allowing you to migrate your site while keeping your database on-premises, to be migrated at your leisure.

I hope this helps you understand the Azure App Service Migration Assistant and how you can use it.

Keep sharing keep learning

Tuesday, April 6, 2021

What is Azure Content Delivery Network

A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. CDNs store cached content on edge servers that are close to end users to minimize latency.


CDNs are typically used to deliver static content such as images, style sheets, documents, client-side scripts, and HTML pages. The major advantages of using a CDN are lower latency and faster delivery of content to users, regardless of their geographical location in relation to the datacenter where the application is hosted. CDNs can also help to reduce load on a web application, because the application does not have to service requests for the content that is hosted in the CDN.

Before CDN vs After CDN



We can add multiple endpoints inside one Azure Content Delivery Network service. In the image above I have created a new static web app in Blazor and hosted it in an Azure storage account. If you want to learn more about this app, please read my previous post: How to host static website in azure storage?

In this blog I will add the static web app as an endpoint in an Azure CDN profile.

Static Web App URL: https://djblogs.z19.web.core.windows.net/

Azure CDN Endpoint: https://djblogs.azureedge.net

 

How to create Azure Content Delivery Network

We need to follow the steps below to create the Azure Content Delivery Network service.

1.       Go to azure portal https://portal.azure.com

2.       Once we are logged in to the portal, we need to create a new CDN profile.


3.       Once we fill in all this information and click on the Create button, it will create the CDN profile as below


4.       We can add multiple endpoints in one CDN profile. Under Name, enter a unique name for the new CDN endpoint. This name is used to access your cached resources at the domain <endpointname>.azureedge.net.

URL: https://djblogs.azureedge.net

5.       In the screen above I am using my existing static web app (Blazor), which is hosted in a storage account.

      Static web app (Blazor) hosted in storage account: https://djblogs.z19.web.core.windows.net

 


6.       Once all the information is filled in as above, click on Add. It will create the endpoint in the CDN profile.

URL: https://djblogs.azureedge.net

I hope this helps you understand Azure CDN and how you can use it.

Keep sharing keep learning. Cheers

Monday, March 29, 2021

How to host static website in azure storage

You can serve static content (HTML, CSS, JavaScript, and image files) directly from a storage container named $web. Hosting your content in Azure Storage enables you to use serverless architectures that include Azure Functions and other Platform as a service (PaaS) services. Azure Storage static website hosting is a great option in cases where you don't require a web server to render content.



How to host static web app in storage account

To host a static web app in an Azure storage account, we need to:

1.       Create Static Web App (Blazor App)

2.       Host Static Web App in Storage Account (djblogs)

Create Static Web App

Static web apps are commonly built using libraries and frameworks like Angular, React, Vue, or Blazor, where server-side rendering is not required. If you want to learn more about static web apps, please read my previous post What is Azure Static Web Apps? In this demo I am creating a Blazor app and will host it in a storage account.

We need to follow the steps below to create the Blazor app:

1.       Create a Blazor app in Visual Studio 2019 by choosing the Blazor WebAssembly option, as below

 


2.       Create the project with the name DJBlogs.AzureCDN. It will create the default template project for a Blazor app.

3.       In this default template demo I have written code to get the client machine details with the help of the browser and an HTTP request, like below

IP: xxx. xxx. xxx. xxx

City: Airoli

Region: State of Mahārāshtra

Country: IN


4.       If I run the code above, it displays the following


Download code from GitHub: https://github.com/deepakjoshiinfo/DJBlog.AzureCDN

Host Static Web App in Storage Account

We need to follow the steps below to host the static web app in the storage account.

1.       Go to azure portal https://portal.azure.com

2.       Once we are logged in to the portal, create a new StorageV2 (general purpose v2) storage account, which has the option to host a static website.

3.       In this demo I am using the already created storage account djblogs. If you want to learn more about the storage account (djblogs) in detail, please read my previous blog on Azure Storage Account


4.       Once the storage account djblogs is created, we need to enable the static website option. It will automatically create the primary endpoint, which will be the URL for our static web app.

URL: https://djblogs.z19.web.core.windows.net

5.       Now we will publish the code to a folder on the development machine

Path: C:\Temp\AzureCDN


6.       Once our code is published to the development folder, we copy all the files and folders inside the “wwwroot” folder to the $web container with the help of Azure Storage Explorer, like below

7.       Once our published code is copied inside the $web blob container, our static site URL will start working

URL: https://djblogs.z19.web.core.windows.net

I hope this helps you host a static web app in a storage account, which is a cheap service provided by Azure.

Keep sharing keep learning.  Cheers

Saturday, March 13, 2021

What is Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords(secrets) and certificates.

The Azure Key Vault service helps centralize and protect:

1.       Encryption keys

2.       Application secrets

3.       Certificates

4.       Secrets backed by HSM (Hardware Security Modules)



Copied image from Adam Marczak Website: https://marczak.io/

How to create azure key vault

We need to follow the steps below to create a Key Vault in Azure.

1.       Go to azure portal https://portal.azure.com

2.       Click on the Add button and create an Azure Key Vault named djsecrets inside the DJBlogs resource group.

 


3.       Once the basic information for the key vault is filled in, we can set the access policy for accessing the Key Vault. In this demo I am leaving it as default

 


4.       Then click on the Networking button for the network settings. It lets you choose which networks are allowed, based on your requirements. I am leaving this as default.

 


5.       Click on Tags and set them as we do for all Azure resources. The Tags option comes up every time you create a new resource in Azure. I am leaving the tags blank for now.

You apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy.

6.       Once all the settings are configured for the key vault, it validates all the information and the Create button is enabled, as in the screen below.


7.       When we click on the Create button it creates the Azure Key Vault for us.


8.       Now our Azure Key Vault is ready for use.

Use azure key vault for connection string

We will add our connection string as a secret in the key vault. Our secret name will be SchoolDB. To add the secret, follow the steps below.

1.       In the key vault's Settings section, click on the Secrets link

 


2.       Click on the Generate/Import link at the top and add our secret SchoolDB with the connection string value for the web app.


3.       Click on the Create button; we will then use this secret in our .NET Core MVC application.

4.       If we change the secret value in future, Azure Key Vault creates a new version for every change.

 


 
5.       Once we have created the secret, we need to give permission to the user or app that will use it. I will use this secret from VS 2019, so I need to give my user access from Access policies, like below

 


If you want to learn more about access policies, please read the Managed Identity blog

6.       I have created a new .NET Core application, DJBlogs.Azure.KeyVault, to consume the secret as the connection string.

Download code from GitHub: https://github.com/deepakjoshiinfo/DJBlogs.Azure.KeyVault

Startup file: Startup.cs

 

7.       If we run the .NET Core MVC application, it pulls data from the database referenced in the key vault secret.
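The Startup.cs of the linked repository appears in the post only as a screenshot; the following is an added example written for this page, not the repository's code, showing how a .NET Core MVC app loads the SchoolDB secret from djsecrets into its configuration. It assumes the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages, and SchoolContext is a hypothetical EF Core DbContext standing in for the app's own.

```csharp
// Added example (not the repository's files): Program.cs plus the part of Startup.cs that
// consumes the SchoolDB secret. SchoolContext is a hypothetical DbContext for the demo.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class SchoolContext : DbContext
{
    public SchoolContext(DbContextOptions<SchoolContext> options) : base(options) { }
}

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // Every secret in djsecrets becomes a configuration key named after the secret,
                // so the SchoolDB secret created above is available as Configuration["SchoolDB"]
                // without any connection string in appsettings.json.
                config.AddAzureKeyVault(
                    new Uri("https://djsecrets.vault.azure.net/"),
                    // On the developer machine this signs in as the VS 2019 / Azure CLI user that
                    // was granted access in the access policy; in Azure it uses the web app's
                    // managed identity. The same code runs unchanged in both places.
                    new DefaultAzureCredential());
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Fail fast at startup when the secret is missing: that usually means the identity
        // running the app is not in the vault's access policies (step 5 above).
        string connectionString = Configuration["SchoolDB"]
            ?? throw new InvalidOperationException(
                "Secret 'SchoolDB' was not loaded from djsecrets; check the key vault access policy.");

        services.AddDbContext<SchoolContext>(options => options.UseSqlServer(connectionString));
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```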

I hope this helps you understand a little bit about Azure Key Vault and how you can use it.

Keep sharing keep learning. Cheers