Azure, Server administration

Automating your mundane Azure Virtual Machine Windows provisioning tasks with PowerShell DSC

I’ve been working on various projects and helping different people with their tasks when it comes to provisioning their Azure Windows Server or Windows 10 virtual machines. One thing I realized is how much time is spent post-provisioning on repetitive tasks that could be done through automation. I can say that I am proud of the fact that, after discussing with me, they all start embracing Infrastructure as Code (IaC) through ARM. Well, most of them, that is, hahaha! Side note: if you are doing ARM, check out Bicep; it will save you so much time in writing your ARM templates, and there’s great linting and code completion when used in Visual Studio Code with the extension! But what…

Read more
Docker

How-to: Push an image from docker registry to Azure Container Registry

With the Docker registry download limits, one way to circumvent those limits is to use your own registry, such as Azure Container Registry, or ACR for short. This post will show you how to save an image from a Docker registry to an Azure Container Registry.

How-To

1. Log in to Azure Container Registry

Pre-requirements: have the az CLI installed. To log in to ACR, in a command shell, type az acr login

2. Pull the image from the Docker registry

In my case I wanted to push the image mcr.microsoft.com/azure-storage/azurite to my ACR.

3. Tag the image

To upload to ACR, you need to tag the image with the proper tag: name.azurecr.io/repository/imagename:tag

Latest can be daunting. So I also tagged the image…

Read more
Azure, C#, Microsoft365

Connecting to SharePoint Online using an Azure AD Service Principal (Application) and CSOM

Microsoft is pushing us to use Microsoft Graph as an alternative to SharePoint CSOM. Unfortunately, not everything is available in Microsoft Graph. When you are automating, you want to use a service account that has no user identity (delegation) in it and can run autonomously. However, the only way right now to get an application token that can be used to consume the SharePoint Online CSOM is to authenticate your application using an authentication certificate. This post continues the SPOAuthentication code discussed in my other post. We will make use of the KeyVault to store the authentication certificate and then add it to the application as a key credential used for authentication. KeyVault and Application…

Read more
Azure, C#, Microsoft365

Connecting to SharePoint Online CSOM using a non-interactive, headless application, through user delegation

It may happen that you need to run a process with no user interaction for automation purposes. This may be a console application or an Azure Function with a timer trigger. How is it possible to call the CSOM (client-side object model) API of SharePoint Online in such a fashion? Usually people authenticate in other ways. Today, I want to show you how this can be done using a .NET Core console application. Preface Before getting cracking with the code, I want to brush up on the On-Behalf-Of flow, as understanding it is important to understand why the code does certain things. The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application…

Read more
Azure, C#

Migrating to the new C# Azure KeyVault SDK Libraries

You may be familiar with the Microsoft.Azure.KeyVault SDK. This SDK is being retired in favor of 3 new SDKs:

Azure.Security.KeyVault.Keys
Azure.Security.KeyVault.Secrets
Azure.Security.KeyVault.Certificates

As you can see, the Microsoft Azure SDK team split the KeyVault functionality into 3 distinct SDKs. All those SDKs are unified with the Azure.Identity SDK to manage authentication. Let’s deep dive a little bit into those SDKs. I wanted to brush up on them, because usually, once people have the KeyVault set up in their application, they tend to forget about it. If you want to migrate to the new SDKs (or you’re looking to consume the KeyVault through code), this post can be of interest to you. Azure.Identity SDK The Azure Identity library is…

Read more
C#

C# ways of handling when being throttled by an API

I’ve been building a service application that is responsible for grabbing data from a REST API. The API has mechanisms in place to reduce abuse and make sure that everyone can consume its service in a fair way. That being said, this means that sometimes you may need to do a lot of requests to extract the data you need. If you get throttled, that is, being told that you are sending too many requests and getting served with a “temporary” ban, you will need to wait and retry. You know it is a “temporary” ban, so why would you send back an error (exception) to your client when it’s something you can possibly handle yourself? How can you deal…

Read more
Azure

Controlling the hostname with a WebApp when fronted by Application Gateway

I wanted to demystify the hostname that is used within an ASP.NET Core application when the application is hosted in a WebApp and fronted by an Application Gateway. I have been getting a few questions about it and I believe this can help. It happens to many that, when they configure such a setup and have redirects triggered within the application, they get presented with the application.azurewebsites.net hostname instead of the hostname by which they actually accessed the application. They then ask themselves: what happened? I accessed my application through application.mydomain.com. How come I am presented with the azurewebsites.net hostname? Let’s dissect 2 ways by which this can be mitigated and have, when the application triggers redirects within itself, the proper hostname that…

Read more
Development

Managing multiple SSH keys for authentication to GitHub on Windows 10

Where I currently work, we have the opportunity to use our own personal computers for work. This means I’m able to use my own super computer. The company hosts its code on GitHub. In order not to mix my personal GitHub account and my work account, I created a new GitHub account for my work. GitHub has a limitation that the same public key cannot be used for 2 different accounts. As such, I created a new pair of keys to authenticate

The idea now is that I want to be able to use both keys and both accounts simultaneously. I also don’t want to have to enter my SSH key passphrase every time I do an operation. You…

Read more
Azure

Automating Azure Site Recovery VMs with ARM and some magic

Actually, I got you: there’s no magic, well, slightly. We will be using an intuitive way to wrap the whole thing. Now that I have your attention, let’s talk about Azure Site Recovery, or ASR for short. As you are building your solution, you will want to automate the recovery process of your Virtual Machines so you have some peace of mind when it comes to your Disaster Recovery process. In this post, I will talk specifically about Azure Site Recovery for Azure-to-Azure recovery. Quick intro Azure Site Recovery is a product in the Azure family to help ensure one can attain a business continuity and disaster recovery (BCDR) strategy. Site Recovery works by replicating your disks…

Read more
ASP.NET Core, C#, WebApi

Securing ASP.NET Core WebApi with an API Key

I read the article by Aram Tchekrekjian, in which he goes to great length about techniques to secure a Web API, that is, using a middleware and using an attribute that uses the IAsyncActionFilter. I would like to add another technique to this list, also using an attribute, but one that uses the IAsyncAuthorizationFilter instead. This filter is called earlier in the chain of filters and can stop a bad request using an invalid API key early. To learn more about filters, check out the documentation. I will use the starter ASP.NET Core 3 API template that comes with dotnet. You can create it through Visual Studio or using the command line dotnet new webapi <ProjectName>. In my scenario, I will use a combination…

Read more
Kubernetes

Configuring X509 and Azure AD authentication in the Kubernetes cluster

I am continuing my quest to configure my homelab’s Kubernetes cluster. As of now I’ve done:

Setting up the cluster using vSphere/vCenter
Configuring HAProxy as the load balancer for the masters

Today, I want to configure authentication so that I can log in to the cluster from my computer and not from one of the masters directly. There are plenty of authentication mechanisms in Kubernetes, but I want to focus on 2 techniques that are discussed in the documentation: X509 client certificates and OpenID Connect. For the OpenID Connect provider, I will use Azure Active Directory. Authentication using X509 client certificates The documentation describes pretty well how to create a certificate for a normal user. First, I need to generate a private/public…

Read more
Server administration

Adding HAProxy as load balancer to the Kubernetes cluster

As I mentioned in my Kubernetes homelab setup post, I initially set up the Kemp Free load balancer as an easy, quick solution. While Kemp did me good, I’ve had experience playing with HAProxy and figured it could be a good alternative to the extensive options Kemp offers. It could also be a good start if I wanted to have HAProxy as an ingress in my cluster at some point. There are a few things we need in order to make this work:

1 – Make HAProxy load balance on 6443
2 – Make HAProxy health check our nodes on the /healthz path

Configuring HAProxy Since I’m using Debian 10 (buster), I will install HAProxy using apt install haproxy -y Next step is to configure HAProxy. Its…

Read more
Docker, Kubernetes, Server administration

Installing a Kubernetes cluster on VMware vSphere and what I’ve learned

Containers have been a hot topic for some time now. As a developer and architect, I want to be able to include them in my development SDLC for the various reasons you guys know. I won’t go into detail about them in this article, because after all you came to see how it was done, right? :-). After having some container images waiting in a registry to be used, I asked myself: how do I manage the deployment, management, scaling, and networking of these images when they are spun up as containers? Using an orchestrator, of course! Kubernetes (k8s) has become one of the most widely used orchestrators for the management of the lifecycle of containers….

Read more
Azure

Path based routing in Azure Application Gateway with Azure WebApps

So it may occur to you that you may want to do path-based routing so that you can reach multiple applications under 1 hostname. To represent this, I’ve drawn an example of what we are trying to accomplish. In this post, I’ll show you how I can use the hostname dev.domstamand.com to respond from different backends when hit on 3 paths:

/identity : redirects to the identity web app
/authorization : redirects to the authorization web app
/ : redirects all other requests to the default web app

As a side note, I’m using v2 of the Application Gateway. Setup To understand better how all the components are laid out, I made a diagram. For the sake of…

Read more
Azure

Azure AD Linux Login Extension – sudo fails with PAM account management error: System error

As you all know, I’ve been playing around with the Azure Active Directory login extensions for both Linux and Windows. I came across a problem where the first sudo worked (after re-authenticating) and the second, with the same command, failed with sudo: PAM account management error: System error. Trying to debug this was tricky. Along with a support engineer we were able to enable enough logging to get to the bottom of the problem. First, edit /etc/pam.d/system-auth-aad and add the debug keyword wherever you see pam_aad.so. Adding “debug” will switch to verbose logging. For example:

Once that is done, run the following command in one terminal: tail -f /var/log/secure. Then execute the sudo that you know will fail (that is the…

Read more