Forum Widgets
Latest Discussions
How Do You Handle Multiple Server Certificate Thumbprints in Azure Service Fabric Managed Clusters?
Hi everyone, I wanted to share a common challenge we’ve encountered in DevOps pipelines when working with Azure Service Fabric Managed Clusters (SFMC) — and open it up for discussion to hear how others are handling it. 🔍 The Issue When retrieving the cluster certificate thumbprints using PowerShell: (Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints …it often returns multiple thumbprints. This typically happens due to certificate renewals or rollovers. Including all of them in your DevOps configuration isn’t practical. ✅ What Worked for Us We’ve had success using the last thumbprint in the list, assuming it’s the most recently active certificate: (Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints | Select-Object -Last 1 This approach has helped us maintain stable and secure connections in our pipelines. 🔍 Solution 2: Get current Server Certificate You can also verify the active certificate using OpenSSL: openssl s_client -connect <MyCluster>.<REGION>.cloudapp.azure.com:19080 -servername <MyCluster>.<REGION>.cloudapp.azure.com | openssl x509 -noout -fingerprint -sha1 🛠️ Tip for New Deployments If you're deploying a new SFMC, consider setting the following property in your ARM or Bicep template: "autoGeneratedDomainNameLabelScope": "ResourceGroupReuse" This ensures the domain name is reused within the resource group, which helps reduce certificate churn and keeps the thumbprint list clean and manageable. ⚠️ Note: This setting only applies during initial deployment and cannot be retroactively applied to existing clusters.Guidance for Certificate Use in CI/CD Pipelines for Service Fabric
In non-interactive CI/CD scenarios where certificates are used to authenticate with Azure Service Fabric, consider the following best practices: Use Admin Certificates Instead of Cluster Certificates Cluster certificates are used for node-to-node and cluster-level authentication and are highly privileged. For CI/CD pipelines, prefer using a dedicated Admin client certificate: Grants administrative access only at the client level. Limits the blast radius in case of exposure. Easier to rotate or revoke without impacting cluster internals. Best practices to protect your service fabric certificates: - Provision a dedicated Service Fabric Admin certificate specifically for the CI/CD pipeline instead of cluster certificate. This certificate should not be reused across other services or users. - Restrict access to this certificate strictly to the pipeline environment. It should never be distributed beyond what is necessary. - Secure the pipeline itself, as it is part of the cluster’s supply chain and a high-value target for attackers. - Implement telemetry and monitoring to detect potential exposure—such as unauthorized access to the CI/CD machine or unexpected distribution of the certificate. - Establish a revocation and rotation plan to quickly respond if the certificate is compromised.
How to Restrict Subscription in Azure Application Gateway Private Link Shared with Another tenant
Hello Team, We are currently facing a challenge with implementing cross-subscription private link connections in Azure, specifically subscription restriction and auto-approval features. We have a managed service running inside AKS and are utilizing an application gateway for it. Our goal is to leverage the private link feature available in the application gateway, allowing Azure customers from other tenants to securely connect to it as a private endpoint. However, we require to restrict access to only allowed subscriptions for this resource ID and enable auto-approval for private endpoint connections from those specified subscriptions. We have explored Azure Policy as a solution, but unfortunately, we have not been successful in finding a suitable policy definition that meets our needs. We attempted to utilize the policy definition available at http://prevent-cross-subscription-private-link-azurepolicy.json which aims to prevent cross-subscription private link connections. Despite our efforts, it appears that this policy did not effectively achieve the desired outcome. Currently, anyone can use the resource ID and establish a private endpoint connection, which is not aligned with our security requirements. Therefore, we kindly request your assistance in reviewing our current approach and providing guidance on how we can enforce subscription restrictions and enable auto-approval for private endpoint connections from specific subscriptions only. Any insights, recommendations, or alternative solutions you can offer would be greatly appreciated.
Azure SQL Database : Can I use same primary key column and foreign key column for multiple tables?
CREATE TABLE Table1( PRIMARY KEY (Table1ID), Column2 int ); CREATE TABLE Table2( PRIMARY KEY (Table1ID), Column2 int, FOREIGN KEY (Table1ID) REFERENCES Table1(Table1ID) ); CREATE TABLE Table3( PRIMARY KEY (Table1ID), Column2 int, FOREIGN KEY (Table1ID) REFERENCES Table1(Table1ID) );Azure Logic App workflow (Standard) Resubmit and Retry
Hello Experts, A workflow is scheduled to run daily at a specific time and retrieves data from different systems using REST API Calls (8-9). The data is then sent to another system through API calls using multiple child flows. We receive more than 1500 input data, and for each data, an API call needs to be made. During the API invocation process, there is a possibility of failure due to server errors (5xx) and client errors (4xx). To handle this, we have implemented a "Retry" mechanism with a fixed interval. However, there is still a chance of flow failure due to various reasons. Although there is a "Resubmit" feature available at the action level, I cannot apply it in this case because we are using multiple child workflows and the response is sent back from one flow to another. Is it necessary to utilize the "Resubmit" functionality? The Retry Functionality has been developed to handle any Server API errors (5xx) that may occur with Connectors (both Custom and Standard), including client API errors 408 and 429. In this specific scenario, it is reasonable to attempt retrying or resubmitting the API Call from the Azure Logic Apps workflow. Nevertheless, there are other situations where implementing the retry and resubmit logic would result in the same error outcome. Is it acceptable to proceed with the Retry functionality in this particular scenario? It would be highly appreciated if you could provide guidance on the appropriate methodology. Thanks -SriStep-by-Step Guide to Creating a Cosmos DB with Private DNS in Azure
Introduction: In this blog post, we will walk through the process of creating a Cosmos DB instance with Private DNS in the Azure cloud environment. Private DNS allows you to resolve the Cosmos DB endpoint using a custom domain name within your virtual network, enhancing security and network management. Follow these steps with accompanying screenshots to set up your Cosmos DB with Private DNS. Prerequisites: Azure subscription Virtual network created Custom domain name Step 1: Create a Cosmos DB Instance: 1.1. Log in to the Azure portal (https://portal.azure.com/). 1.2. Click on "Create a resource" and search for "Azure Cosmos DB." 1.3. Click "Create" to start the Cosmos DB creation process. Step 2: Configure Basics: 2.1. Choose the appropriate subscription and resource group. 2.2. Enter a unique name for your Cosmos DB instance. 2.3. Choose the desired API (e.g., Core SQL for SQL API). 2.4. Select the desired location for your Cosmos DB. Step 3: Networking: 3.1. Under the "Networking" section, select "Enable virtual network." 3.2. Choose the virtual network and subnet where you want to enable Private DNS. 3.3. Click "Next: Advanced" to proceed. Step 4: Advanced: 4.1. Under the "Advanced" section, select "Enable automatic failover" if needed. 4.2. Enter a unique DNS prefix for your Cosmos DB. 4.3. Configure other advanced settings as necessary. 4.4. Click "Review + Create." Step 5: Review and Create: 5.1. Review your configuration settings. 5.2. Click "Create" to start the deployment of your Cosmos DB instance. Step 6: Create Private DNS Zone: 6.1. In the Azure portal, navigate to "Create a resource" and search for "Private DNS Zone." 6.2. Select "Private DNS Zone" and click "Create." 6.3. Choose the subscription and resource group. 6.4. Enter the name of your custom domain (e.g., cosmosprivatedns.local). 6.5. Associate the private DNS zone with the virtual network where your Cosmos DB resides. Step 7: Add Virtual Network Link: 7.1. Inside the Private DNS Zone you created, go to "Virtual network links" and click "+ Add." 7.2. Select the virtual network where your Cosmos DB is located. 7.3. Choose the subnet associated with your Cosmos DB. Step 8: Update DNS Configuration in Cosmos DB: 8.1. Go back to your Cosmos DB instance's settings. 8.2. Under "Connection strings," update the "Hostname" with the custom domain name you created in the Private DNS Zone (e.g., mycosmosdb.cosmosprivatedns.local). Step 9: Test Private DNS Resolution: 9.1. Set up a test application within the same virtual network. 9.2. Use the custom domain name when connecting to the Cosmos DB instance. 9.3. Verify that the connection is successful, indicating the Private DNS resolution is workingCMK and Customer Certificate support for TDE - Azure SQL PAAS
hi experts, I need bit of clarity as both CMK is supported for Azure SQL TDE ( Server and DB ) and also Certificate for protecting the DEK. How these 2 concepts are different in protecting the DEK in Azure SQL PaaS. CMK - https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql-mi Certificate - https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver16 Does it mean I can protect the DEK with both Custom Customer Certificate as well as CMKs ? Thank you
Azure SQL DTU or vCore
Hello everyone, I have a windows server with SQL Server 2016 standard edition which contains 11 databases of various sizes (some of a few gigabytes and others reaching 150Gbytes), the windows server has 4vCore + 16Gbytes of ram and being a test environment we don't have big problems use it with those resources. Taking into account that on that server: 1) few users are connected and only for some days of the week 2) we use SQL Agent service, DB Mail, linked server and integrated authentication in AD (synchronized with AAD) I have looked at the Azure cost calculator but I have doubts (and above all a little confusion!) regarding the type of PaaS service that would be better to use, I would certainly choose serverless but there are two types: SQL Database and SQL Managed instances For Azure SQL Database there is the "Single Database" or "Elastic Pool" typology and for both the purchase model is for DTU or vCore. I would therefore like to have your opinion to understand the best solution to adopt while keeping the costs as low as possible being a test environment. Thank you!Application Insights PHP SDK or Opentelemetry support
Hi everyone, We are using Symfony framework which is built based on PHP. Our application is hosted on App Service and so far we have been using the https://github.com/microsoft/ApplicationInsights-PHP, which is actually not maintained anymore. I have seen since a couple of months some updates regarding usage of OpenTelemetry to send data to Application Insights as another possibility than using SDK for a given stack. Is there any update on when OpenTelemetry with PHP is supported with Application Insights if this is not the case yet? Any example of implementation people could share? Thank you in advance for your help on this! Valentin.poweshell script to create app service plan for P1mv3
Hi team, we are trying to create an Azure app service plan using Power shell script with pricing tier Premium p1mV3, but always creating as Premium P1 and the same issue happens while we creating Premium P0V3 PS script - New-AzAppServicePlan -Name "app-service-plan-name" -ResourceGroupName "rg-name" -Location "East US" -Tier P1mv3 -WorkerSize Small Note= We could able to create an app service plan with Premium v3 P1mv3 manually from the Azure portal in the new RG. Please help on creating an exact script to create Premium P1mv3 and Premium P0V3 using Powershell Actual result: actual.img Expected Result: expected1.img, expected2.img
