Azure Key Vault is a service to store and manage keys, secrets and certificates that you can use for your applications. In this blog post I want to quickly show how to create a key vault and how to use it.
Key Vault is a secure key management service that allows you to manage keys, application secrets and certificates. The keys are stored in hardware security modules (FIPS 140-2 Level 2) and even Microsoft does not see them. Pretty cool stuff, so why should someone use Azure Key Vault?
A common problem is how to manage keys and secrets for your applications. Where to store them? And how to ensure that they have a defined lifetime? Azure Key Vault allows you to achieve all these things. A few features are:
- Save keys in Azure in a safe place
- Keep encryption keys in hardware security modules (FIPS 140-2 Level 2+)
- Control keys from a single place
- Control lifetime and renewal of keys
- Let other AD users/groups manage access to secrets
- Access keys from your applications
- Automatically rotate keys
It especially helps you to solve the issue of storing keys/secrets for your applications. If you develop an application – where do you put e.g. storage keys or other secrets? Sometimes developers hardcode them into the code. Other developers store them in the configuration (e.g. app.config) and just a few use something like Azure Key Vault.
Ok, but what is a key vault? A key vault is a container for keys and secrets that are managed together. If you develop an application, then it makes sense to create one key vault per application because the access control and also the billing are per key vault. If you have all keys/secrets stored in one key vault, then each user that has access to that key vault can read all keys/secrets that are in the key vault. So you should definitely create one key vault per application. As a key vault itself is free, this shouldn’t be a problem and helps you to secure your stuff. The pricing for key vault is pay per usage of keys (see: Key Vault Pricing Details).
The key vault allows you to store:
- Key: A cryptographic key (RSA 2048) that you can use to decrypt/sign with the key
- Secret: A secret is a sequence of bytes under 25 KB – for example a connection string, PFX file, AES encryption key.
This blog post is a quick walk-through and will show how to use Let’s Encrypt certificates with Azure WebApps. As prerequisites I assume that the following things are done:
- App Service and WebApp is already up and running
- App Service is at least B1 (pricing tier Basic 1)
- A custom domain is already configured
There are 3 main steps that I will describe in this post:
- Add service account and application to Active Directory
- Add the Let’s Encrypt site extension
- Force https (optional)
I already blogged about Azure functions, the billing API and a few other things. In this blog post, I’ll combine some of my previous blog posts to build an Azure function that creates a weekly billing report of an Azure subscription. To build this solution, the following steps are required:
- Create an Azure function
- Configure the CRON schedule for the Azure function
- Read data from the Azure Billing API
- Create an HTML page with the billing data
- Send the report via email
To implement it, I’ll use Visual Studio 2017, C# and the AzureBillingAPI NuGet package that I created.
The final solution can be found on GitHub: https://github.com/codehollow/AzureBillingFunction
Last month I wrote a blog post with a short introduction to Microsoft’s Recommendation API (Introduction to Microsoft’s Recommendation API). I wrote about the basics, how to start and how to work with this nice API which is part of the Microsoft Cognitive Services.
When I started to work with the recommendation API, I soon realized that the most important thing is – Data! Okay – no surprise – but how to get the data? Or how to create some test data if you just want to try it?
In my previous blog post, I mentioned that I used a tool to create my (test) recommendation data. The tool was a quick and dirty, self-hacked WCF application, but it worked and I had some data to start.
Today I spent some time exploring the Microsoft Recommendations API. This API is part of the Microsoft Cognitive Services and it allows you to show related articles – something like “people who are interested in A are also interested in X, Y and Z”. This can be useful for web shops or blogs but also to see related items/interests.
In this blog post, I’ll:
- Create the cognitive service and the recommendations API
- Create and upload some test data
- Build a model
- Use that model
Create the recommendations service
The recommendations service is part of the cognitive services and can therefore be found as cognitive service in the Azure portal. Just create it with your preferred pricing tier.
In this post, I’ll describe how to create a point-to-site VPN connection to Azure. I’ll create the virtual network, the virtual network gateway and configure the point-to-site connection using the Azure portal. I’ll also create a self-signed certificate for the VPN gateway and the Windows 10 client.
Connecting your client via VPN to Azure is certainly useful if you want to access your Azure resources that are not publicly available (e.g. virtual machines). Another use case that I had several times was to test the connection of an AppService or Azure function to my on-premises resources. When I was able to access my local client, it also meant that the connection from the app service to the virtual network works and that the basic network configuration of the VPN gateway was okay (without the need to create a virtual machine).
The required steps to connect your client via VPN to Azure are:
- Create Virtual network
- Create VPN gateway
- Configure Point-to-Site VPN
- Create certificate for VPN gateway
- Create certificate for Client
- Connect & Test
In this blog post I’ll build a simple C# Azure function that returns an object as JSON. That’s useful if you want to build a simple “API” or if you just want to return some information in a structured format. Such a function could read data from an on-premises environment and provide this data to a logic app, because it’s much easier to connect an Azure function to on-premises resources than a logic app.
Create a C# Azure Function
First step is to create a new C# function. I’ll use the HttpTriggerWithParameters-CSharp template and I’ll use the authorization level ‘Anonymous’ (that’s okay for this demo):
Since the end of April 2017, the new Azure Invoice API has been available. This API allows you to download the Azure invoices for a subscription as a PDF file. This currently does not work for Enterprise Agreements, but according to the blog post (https://azure.microsoft.com/en-us/blog/azure-billing-reader-role-and-preview-of-invoice-api/) it is planned.
The downloaded PDF is the invoice itself. The API currently only supports creating and downloading invoice PDFs. It does not support accessing specific costs (e.g. per resource), because this is part of the billing API. I already blogged about the billing API here: Use the Azure Billing API and calculate the costs
If you want to programmatically translate text from one language to another, then the Translation service (translation API) is the right one for you. The Microsoft Translation Service just requires authentication and then you can easily translate text from one language to another. It sounds simple…and it is simple! In this blog post, I’ll quickly describe how to create the translation service and how to use it with C#, PowerShell and Node.js.
Create the translation service in Azure
The translation service is part of the cognitive services and can therefore be found as cognitive service in the Azure portal:
The Face API, which is part of the Microsoft Cognitive Services, helps to identify and detect faces. It can also be used to find similar faces and to verify if two images contain the same person, and you can also train the service to improve the identification of people. In this blog post, I’ll just use the detect service which detects faces and shows the age, gender, emotions and other data of the detected face.
Prerequisites: Create the Face API Service in Azure
As with all Microsoft cognitive services, you can also create the Face API service in Azure via the portal. It is part of the “Cognitive Services APIs”, so just search for it and create it. Select the Face API as the type of the cognitive service and check the pricing options: