Azure Key Vault is a service to store and manage keys, secrets and certificates that your applications can use. In this blog post I want to quickly show how to create a key vault and how to use it.
Key Vault is a secure key management service that allows you to manage keys, application secrets and certificates. The keys are stored in hardware security modules (FIPS 140-2 Level 2) and not even Microsoft can see them. Pretty cool stuff, so why should someone use Azure Key Vault?
A common problem is how to manage keys and secrets for your applications: where do you store them, and how do you ensure that they have a defined lifetime? Azure Key Vault allows you to achieve all these things. A few features are:
- Save keys in Azure in a safe place
- Keep encryption keys in hardware security modules (FIPS 140-2 Level 2+)
- Control keys from a single place
- Control lifetime and renewal of keys
- Let other AD users/groups manage access to secrets
- Access keys from your applications
- Automatically rotate keys
It especially helps you to solve the issue of storing keys/secrets for your applications. If you develop an application – where do you put e.g. storage keys or other secrets? Sometimes developers hardcode them into the code. Other developers store them in the configuration (e.g. app.config) and just a few use something like Azure Key Vault.
Ok, but what is a key vault? A key vault is a container for keys and secrets that are managed together. If you develop an application, then it makes sense to create one key vault per application because the access control and also the billing are per key vault. If you have all keys/secrets stored in one key vault, then each user that has access to that key vault can read all keys/secrets that are in the key vault. So you should definitely create one key vault per application. As a key vault itself is free, this shouldn’t be a problem and helps you to secure your stuff. The pricing for key vault is pay per usage of keys (see: Key Vault Pricing Details).
The key vault allows you to store:
- Key: A cryptographic key (RSA 2048) that you can use to decrypt or sign with
- Secret: A secret is a sequence of bytes under 25 KB – for example a connection string, PFX file or AES encryption key.
This blog post is a quick walk-through and will show how to use Let’s Encrypt certificates with Azure WebApps. As prerequisites I assume that the following things are done:
- App Service and WebApp are already up and running
- App Service is at least B1 (pricing tier Basic 1)
- A custom domain is already configured
There are 3 main steps that I will describe in this post:
- Add service account and application to Active Directory
- Add the let’s encrypt site extension
- Force HTTPS (optional)
I already blogged about Azure functions, the billing API and a few other things. In this blog post, I’ll combine some of my previous blog posts to build an Azure function that creates a weekly billing report of an Azure subscription. To build this solution, the following steps are required:
- Create an Azure function
- Configure the CRON schedule for the Azure function
- Read data from the Azure Billing API
- Create an HTML page with the billing data
- Send the report via email
To implement it, I’ll use Visual Studio 2017, C# and the AzureBillingAPI NuGet package that I created.
The final solution can be found on GitHub: https://github.com/codehollow/AzureBillingFunction
Last month I wrote a blog post with a short introduction to Microsoft’s Recommendation API (Introduction to Microsoft’s Recommendation API). I wrote about the basics, how to start and how to work with this nice API, which is part of the Microsoft Cognitive Services.
When I started to work with the recommendation API, I soon realized that the most important thing is – Data! Okay – no surprise – but how to get the data? Or how to create some test data if you just want to try it?
In my previous blog post, I mentioned that I used a tool to create my (test) recommendation data. The tool was a quick and dirty, self-hacked WCF application, but it worked and I had some data to start.
Today I spent some time to explore the Microsoft Recommendations API. This API is part of the Microsoft Cognitive Services and it allows you to show related items – something like “people who are interested in A are also interested in X, Y and Z”. This can be useful for web shops or blogs, but also to see related items/interests.
In this blog post, I’ll:
- Create the cognitive service and the recommendations API
- Create and upload some test data
- Build a model
- Use that model
Create the recommendations service
The recommendations service is part of the cognitive services and can therefore be found as a cognitive service in the Azure portal. Just create it with your preferred pricing tier.
This post is a short note on how to use SSH with Windows PowerShell. I will quickly describe three ways: OpenSSH, Posh-SSH and PuTTY. I found a few blog posts about how to use SSH with PowerShell and most of them refer to Posh-SSH. Posh-SSH is nice, but I think OpenSSH is much easier to use because it works the same way as the ssh command in Linux.
OpenSSH for PowerShell
If Chocolatey is not yet installed, you must install it first. Run PowerShell as administrator and execute:
iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
If Chocolatey is already installed, run PowerShell as administrator and execute the following commands to install OpenSSH, reload the environment variables and connect to a remote host:
choco install openssh # installs OpenSSH via Chocolatey
refreshenv # reloads the environment variables so that ssh is on the PATH
ssh remoteClient -i "MyKeyPair.pem" # connects to remoteClient via SSH, authenticating with the private key MyKeyPair.pem
In this post, I’ll describe how to create a point-to-site VPN connection to Azure. I’ll create the virtual network, the virtual network gateway and configure the point-to-site connection using the Azure portal. I’ll also create a self-signed certificate for the VPN gateway and the Windows 10 client.
Connecting your client via VPN to Azure is certainly useful if you want to access your Azure resources that are not publicly available (e.g. virtual machines). Another use case that I had several times was to test the connection of an App Service or Azure function to my on-premises resources. When I was able to access my local client, it also meant that the connection from the App Service to the virtual network works and that the basic network configuration of the VPN gateway was okay (without the need to create a virtual machine).
The required steps to connect your client via VPN to Azure are:
- Create Virtual network
- Create VPN gateway
- Configure Point-to-Site VPN
- Create certificate for VPN gateway
- Create certificate for Client
- Connect & Test
Over the last few days I spent some time porting my NuGet packages (AzureBillingApi and FeedReader) to .NET Standard. As it was not so straightforward, I want to share what I did. The migration is certainly more complicated the larger the project is, but this post will hopefully give you some basic insights on how to migrate. The most time-consuming part will be to change the existing code so that it works with .NET Standard. In this blog post, I’ll focus on how to change the project to target both .NET Standard and .NET Framework. In this case, I’ll port the AzureBillingApi to .NET Standard 1.4, but it will still support .NET Framework 4.5.2.
Before migrating the project, you should first check if the NuGet packages that you use in your project are already compatible with .NET Standard. There are different ways to check this. You can create a new .NET Standard project, manually add all NuGet packages to it and then try to build it. This will immediately show you if these packages support .NET Standard or not.
Another way is to go to nuget.org or use the NuGet Package Explorer and check the dependencies (Dependencies section) for all your packages.
In this blog post I’ll build a simple C# Azure function that returns an object as JSON. That’s useful if you want to build a simple “API” or if you just want to return some information in a structured format. Such a function could read data from an on-premises environment and provide this data to a logic app, because it’s much easier to connect an Azure function to on-premises resources than a logic app.
Create a C# Azure Function
The first step is to create a new C# function. I’ll use the HttpTriggerWithParameters-CSharp template and the authorization level ‘Anonymous’ (that’s okay for this demo):
Since the end of April 2017, the new Azure Invoice API is available. This API allows you to download the Azure invoices for a subscription as a PDF file. This currently does not work for Enterprise Agreements, but according to the blog post (https://azure.microsoft.com/en-us/blog/azure-billing-reader-role-and-preview-of-invoice-api/) it is planned.
The downloaded PDF is the invoice itself. The API currently only supports creating and downloading invoice PDFs. It does not support accessing specific costs (e.g. per resource), because this is part of the billing API. I already blogged about the billing API here: Use the Azure Billing API and calculate the costs