How Do You Handle Multiple Server Certificate Thumbprints in Azure Service Fabric Managed Clusters?
Hi everyone, I wanted to share a common challenge we’ve encountered in DevOps pipelines when working with Azure Service Fabric Managed Clusters (SFMC) — and open it up for discussion to hear how others are handling it.

🔍 The Issue

When retrieving the cluster certificate thumbprints using PowerShell:

(Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints

…it often returns multiple thumbprints. This typically happens due to certificate renewals or rollovers. Including all of them in your DevOps configuration isn’t practical.

✅ What Worked for Us

We’ve had success using the last thumbprint in the list, assuming it’s the most recently active certificate:

(Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints | Select-Object -Last 1

This approach has helped us maintain stable and secure connections in our pipelines.

🔍 Solution 2: Get current Server Certificate

You can also verify the active certificate using OpenSSL (stdin is redirected from /dev/null so that s_client closes the connection instead of waiting for input):

openssl s_client -connect <MyCluster>.<REGION>.cloudapp.azure.com:19080 -servername <MyCluster>.<REGION>.cloudapp.azure.com </dev/null | openssl x509 -noout -fingerprint -sha1

🛠️ Tip for New Deployments

If you're deploying a new SFMC, consider setting the following property in your ARM or Bicep template:

"autoGeneratedDomainNameLabelScope": "ResourceGroupReuse"

This ensures the domain name is reused within the resource group, which helps reduce certificate churn and keeps the thumbprint list clean and manageable.

⚠️ Note: This setting only applies during initial deployment and cannot be retroactively applied to existing clusters.

Guidance for Certificate Use in CI/CD Pipelines for Service Fabric
In non-interactive CI/CD scenarios where certificates are used to authenticate with Azure Service Fabric, consider the following best practices:

Use Admin Certificates Instead of Cluster Certificates

Cluster certificates are used for node-to-node and cluster-level authentication and are highly privileged. For CI/CD pipelines, prefer using a dedicated Admin client certificate:
- Grants administrative access only at the client level.
- Limits the blast radius in case of exposure.
- Easier to rotate or revoke without impacting cluster internals.

Best practices to protect your Service Fabric certificates:
- Provision a dedicated Service Fabric Admin certificate specifically for the CI/CD pipeline instead of the cluster certificate. This certificate should not be reused across other services or users.
- Restrict access to this certificate strictly to the pipeline environment. It should never be distributed beyond what is necessary.
- Secure the pipeline itself, as it is part of the cluster’s supply chain and a high-value target for attackers.
- Implement telemetry and monitoring to detect potential exposure—such as unauthorized access to the CI/CD machine or unexpected distribution of the certificate.
- Establish a revocation and rotation plan to quickly respond if the certificate is compromised.

Step-by-Step Guide to Creating a Cosmos DB with Private DNS in Azure
Introduction:

In this blog post, we will walk through the process of creating a Cosmos DB instance with Private DNS in the Azure cloud environment. Private DNS allows you to resolve the Cosmos DB endpoint using a custom domain name within your virtual network, enhancing security and network management. Follow these steps with accompanying screenshots to set up your Cosmos DB with Private DNS.

Prerequisites:
- Azure subscription
- Virtual network created
- Custom domain name

Step 1: Create a Cosmos DB Instance:
1.1. Log in to the Azure portal (https://portal.azure.com/).
1.2. Click on "Create a resource" and search for "Azure Cosmos DB."
1.3. Click "Create" to start the Cosmos DB creation process.

Step 2: Configure Basics:
2.1. Choose the appropriate subscription and resource group.
2.2. Enter a unique name for your Cosmos DB instance.
2.3. Choose the desired API (e.g., Core SQL for SQL API).
2.4. Select the desired location for your Cosmos DB.

Step 3: Networking:
3.1. Under the "Networking" section, select "Enable virtual network."
3.2. Choose the virtual network and subnet where you want to enable Private DNS.
3.3. Click "Next: Advanced" to proceed.

Step 4: Advanced:
4.1. Under the "Advanced" section, select "Enable automatic failover" if needed.
4.2. Enter a unique DNS prefix for your Cosmos DB.
4.3. Configure other advanced settings as necessary.
4.4. Click "Review + Create."

Step 5: Review and Create:
5.1. Review your configuration settings.
5.2. Click "Create" to start the deployment of your Cosmos DB instance.

Step 6: Create Private DNS Zone:
6.1. In the Azure portal, navigate to "Create a resource" and search for "Private DNS Zone."
6.2. Select "Private DNS Zone" and click "Create."
6.3. Choose the subscription and resource group.
6.4. Enter the name of your custom domain (e.g., cosmosprivatedns.local).
6.5. Associate the private DNS zone with the virtual network where your Cosmos DB resides.

Step 7: Add Virtual Network Link:
7.1. Inside the Private DNS Zone you created, go to "Virtual network links" and click "+ Add."
7.2. Select the virtual network where your Cosmos DB is located.
7.3. Choose the subnet associated with your Cosmos DB.

Step 8: Update DNS Configuration in Cosmos DB:
8.1. Go back to your Cosmos DB instance's settings.
8.2. Under "Connection strings," update the "Hostname" with the custom domain name you created in the Private DNS Zone (e.g., mycosmosdb.cosmosprivatedns.local).

Step 9: Test Private DNS Resolution:
9.1. Set up a test application within the same virtual network.
9.2. Use the custom domain name when connecting to the Cosmos DB instance.
9.3. Verify that the connection is successful, indicating the Private DNS resolution is working.

Yuvaraj_Madheswaran, Aug 31, 2023

Application Insights PHP SDK or OpenTelemetry support
Hi everyone,

We are using the Symfony framework, which is built on PHP. Our application is hosted on App Service, and so far we have been using https://github.com/microsoft/ApplicationInsights-PHP, which is actually not maintained anymore. For a couple of months I have seen some updates regarding the use of OpenTelemetry to send data to Application Insights as an alternative to using the SDK for a given stack. Is there any update on when OpenTelemetry with PHP will be supported with Application Insights, if this is not the case yet? Any example of implementation people could share?

Thank you in advance for your help on this!

Valentin.

Valentin_Watel, Jun 15, 2023

PowerShell script to create app service plan for P1mv3
Hi team,

We are trying to create an Azure App Service plan using a PowerShell script with pricing tier Premium P1mv3, but it is always created as Premium P1, and the same issue happens while creating Premium P0v3.

PS script:

New-AzAppServicePlan -Name "app-service-plan-name" -ResourceGroupName "rg-name" -Location "East US" -Tier P1mv3 -WorkerSize Small

Note: We were able to create an App Service plan with Premium v3 P1mv3 manually from the Azure portal in the new RG. Please help with creating an exact script to create Premium P1mv3 and Premium P0v3 using PowerShell.

Actual result: [screenshot: actual.img]
Expected result: [screenshots: expected1.img, expected2.img]

sowndark11, Jun 08, 2023

Post new secret value into Azure Key Vault using web activity
Andreas Baumgarten albertox

I need to post a value into a Key Vault secret coming from a URL using a web activity GET method, which is later stored in a Set Variable. How can I do this? Could you please help me?

Srikanth1990, Mar 24, 2023

Use Hybrid Connection from on-prem to App Service
Hi,

We established a Hybrid Connection from App Service to on-premises by using Hybrid Connection Manager. Is it possible to connect to, ping, or otherwise reach the App Service from on-premises by using the hybrid connection?

Thanks

SvenGloeckner5, Jan 26, 2023

Azure Service Bus: Log all activities to the messages in a queue?
Hi,

I am looking into a way to monitor all activities in a message queue, such as sending to and picking up messages from a queue. I looked at the logs in the admin portal but they do not seem to provide specifics. I tried to run this query for the service bus:

AzureDiagnostics | where ResourceProvider == "MICROSOFT.SERVICEBUS" | where Category == "OperationalLogs"

Is there a way to log details such as source/action/queue?

Thanks.

AZ365, Jan 25, 2023

Hyperscale Page Servers
According to the docs and the image below there are "covering SSD caches" and "non-covering SSD caches". I can't seem to understand the difference between "covering" and "non-covering". Can someone explain this to me please?

https://learn.microsoft.com/en-us/azure/azure-sql/database/media/service-tier-hyperscale/hyperscale-architecture.png?view=azuresql#lightbox

This is the link to the image, as I cannot insert the image directly.

Ifran_Fatehmahomed, Nov 15, 2022

Download PITR or LTR configured SQL DB backup copies
Is it possible to download PITR or LTR configured SQL DB backup copies?

krishnapatwa, Nov 14, 2022