Forum Widgets
Latest Discussions
Azure Logic App workflow (Standard) Resubmit and Retry
Hello Experts, A workflow is scheduled to run daily at a specific time and retrieves data from different systems using REST API Calls (8-9). The data is then sent to another system through API calls using multiple child flows. We receive more than 1500 input data, and for each data, an API call needs to be made. During the API invocation process, there is a possibility of failure due to server errors (5xx) and client errors (4xx). To handle this, we have implemented a "Retry" mechanism with a fixed interval. However, there is still a chance of flow failure due to various reasons. Although there is a "Resubmit" feature available at the action level, I cannot apply it in this case because we are using multiple child workflows and the response is sent back from one flow to another. Is it necessary to utilize the "Resubmit" functionality? The Retry Functionality has been developed to handle any Server API errors (5xx) that may occur with Connectors (both Custom and Standard), including client API errors 408 and 429. In this specific scenario, it is reasonable to attempt retrying or resubmitting the API Call from the Azure Logic Apps workflow. Nevertheless, there are other situations where implementing the retry and resubmit logic would result in the same error outcome. Is it acceptable to proceed with the Retry functionality in this particular scenario? It would be highly appreciated if you could provide guidance on the appropriate methodology. Thanks -Sri
How to Restrict Subscription in Azure Application Gateway Private Link Shared with Another tenant
Hello Team, We are currently facing a challenge with implementing cross-subscription private link connections in Azure, specifically subscription restriction and auto-approval features. We have a managed service running inside AKS and are utilizing an application gateway for it. Our goal is to leverage the private link feature available in the application gateway, allowing Azure customers from other tenants to securely connect to it as a private endpoint. However, we require to restrict access to only allowed subscriptions for this resource ID and enable auto-approval for private endpoint connections from those specified subscriptions. We have explored Azure Policy as a solution, but unfortunately, we have not been successful in finding a suitable policy definition that meets our needs. We attempted to utilize the policy definition available at http://prevent-cross-subscription-private-link-azurepolicy.json which aims to prevent cross-subscription private link connections. Despite our efforts, it appears that this policy did not effectively achieve the desired outcome. Currently, anyone can use the resource ID and establish a private endpoint connection, which is not aligned with our security requirements. Therefore, we kindly request your assistance in reviewing our current approach and providing guidance on how we can enforce subscription restrictions and enable auto-approval for private endpoint connections from specific subscriptions only. Any insights, recommendations, or alternative solutions you can offer would be greatly appreciated.
Downtime of API Management during deployment
Which actions will cause a downtime of Azure API Management so APIs will not be able to consume (Premium Tier)? E.g. changing network would be obviously. But what about deployments of APIs, Products, Scaling up and down... How can I find out which actions will make the APIs unavailable? Or is there a mechanism which will keep them available in each scenario (Even if "Service is being updated")? Thanks!
Azure User Expresses Concern
A customer opened ticket SR#2407190040010082 as their consumption sku APIM service was stuck updating: Now that the service has exited that "updating" status I am able to resume working with it. The concern I want to share with you is my concern with how the system responds to a certificate error and gets stuck in that "updating" state. We know that network and login activities can fail on occasion. When APIM responds by getting stuck in that state it cannot be updated and it cannot be deleted and recreated. This issue lasted for a day before APIM eventually emerged from that state for reasons I am unaware. I was powerless and had to keep going back to check. Yes, this case is resolved but I hope that this feedback can be shared with the team in the hopes that a fix or enhancement to better handle this situation can be implemented.
How Do You Handle Multiple Server Certificate Thumbprints in Azure Service Fabric Managed Clusters?
Hi everyone, I wanted to share a common challenge we’ve encountered in DevOps pipelines when working with Azure Service Fabric Managed Clusters (SFMC) — and open it up for discussion to hear how others are handling it. 🔍 The Issue When retrieving the cluster certificate thumbprints using PowerShell: (Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints …it often returns multiple thumbprints. This typically happens due to certificate renewals or rollovers. Including all of them in your DevOps configuration isn’t practical. ✅ What Worked for Us We’ve had success using the last thumbprint in the list, assuming it’s the most recently active certificate: (Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints | Select-Object -Last 1 This approach has helped us maintain stable and secure connections in our pipelines. 🔍 Solution 2: Get current Server Certificate You can also verify the active certificate using OpenSSL: openssl s_client -connect <MyCluster>.<REGION>.cloudapp.azure.com:19080 -servername <MyCluster>.<REGION>.cloudapp.azure.com | openssl x509 -noout -fingerprint -sha1 🛠️ Tip for New Deployments If you're deploying a new SFMC, consider setting the following property in your ARM or Bicep template: "autoGeneratedDomainNameLabelScope": "ResourceGroupReuse" This ensures the domain name is reused within the resource group, which helps reduce certificate churn and keeps the thumbprint list clean and manageable. ⚠️ Note: This setting only applies during initial deployment and cannot be retroactively applied to existing clusters.Guidance for Certificate Use in CI/CD Pipelines for Service Fabric
In non-interactive CI/CD scenarios where certificates are used to authenticate with Azure Service Fabric, consider the following best practices: Use Admin Certificates Instead of Cluster Certificates Cluster certificates are used for node-to-node and cluster-level authentication and are highly privileged. For CI/CD pipelines, prefer using a dedicated Admin client certificate: Grants administrative access only at the client level. Limits the blast radius in case of exposure. Easier to rotate or revoke without impacting cluster internals. Best practices to protect your service fabric certificates: - Provision a dedicated Service Fabric Admin certificate specifically for the CI/CD pipeline instead of cluster certificate. This certificate should not be reused across other services or users. - Restrict access to this certificate strictly to the pipeline environment. It should never be distributed beyond what is necessary. - Secure the pipeline itself, as it is part of the cluster’s supply chain and a high-value target for attackers. - Implement telemetry and monitoring to detect potential exposure—such as unauthorized access to the CI/CD machine or unexpected distribution of the certificate. - Establish a revocation and rotation plan to quickly respond if the certificate is compromised.Azure Web App Easy Auth using Reverse Proxy
My organization manages one single endpoint which must be used to expose web application; e.g. https://contoso.com/app_one/ We deployed an app in az web apps with Azure AD Easy Auth. (not accesible from the internet and no custom domain). https://app-one.azurewebsites.net Our app registration has this callback: https://contoso.com/app_one/https://uat.p.api.ey.com/eyvirtual/services/api/webhook/wc/v1/login/aad/callback,https://ussxnxt1676913262azf03-webhook.azurewebsites.net/.auth/login/aad/callback When i try to open any the app using https://contoso.com/app_one/, the browser recirects to Azure Login page, but it redirects back to https://app-one.azurewebsites.net instead of going to the public website https://contoso.com/app_one/ Our reverse proxy user Azure APIM. Question is: how can i make Azure Web App to redirect to public endpoint instead of the azurewebsite endpoint? Thanks.Error "RequestDisallowedByPolicy" received while deploying arm template
I'm trying to deploy an ARM template, but facing error "Resource 'example' was disallowed by policy. (Code: Request Disallowed By Policy)". Can anyone help what changes i can make in my ARM template so that the resource gets deployed successfully.
Does Azure provide DDoS protection for its PaaS services?
Hi, I am working on a project wherein we will deploy Storage Account, KeyVault, ServiceBus, CosmosDB, and SQL DB in our subscription. All these services will be deployed with public access enabled, and we will only add private endpoints for local VNet traffic. From a security perspective, should I explicitly add DDoS protection to the above-mentioned services, or do they come with built-in DDoS protection? Example: Would a DDoS attack be able to bring down a Storage Account Blob Service (test.blob.core.windows.net)?
