Azure PaaS topics

Azure SRE Agent Demo - Incident Management v01

vyomnagrani — Thu, 31 Jul 2025 17:20:23 GMT

Check out this demo showcasing how Azure SRE Agent integrates with third-party incident management systems like Pager Duty to autonomously handle incidents. This video highlights the seamless integration and efficient incident resolution capabilities.

How Do You Handle Multiple Server Certificate Thumbprints in Azure Service Fabric Managed Clusters?

Srinivasu_Yalamati — Sat, 21 Jun 2025 21:12:36 GMT

Hi everyone,

I wanted to share a common challenge we’ve encountered in DevOps pipelines when working with Azure Service Fabric Managed Clusters (SFMC) — and open it up for discussion to hear how others are handling it.

🔍 The Issue

When retrieving the cluster certificate thumbprints using PowerShell:

(Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints

…it often returns multiple thumbprints. This typically happens due to certificate renewals or rollovers. Including all of them in your DevOps configuration isn’t practical.

✅ What Worked for Us

We’ve had success using the last thumbprint in the list, assuming it’s the most recently active certificate:

(Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints | Select-Object -Last 1

This approach has helped us maintain stable and secure connections in our pipelines.

🔍 Solution 2: Get current Server Certificate

You can also verify the active certificate using OpenSSL:

openssl s_client -connect <MyCluster>.<REGION>.cloudapp.azure.com:19080 -servername <MyCluster>.<REGION>.cloudapp.azure.com | openssl x509 -noout -fingerprint -sha1

🛠️ Tip for New Deployments

If you're deploying a new SFMC, consider setting the following property in your ARM or Bicep template:

"autoGeneratedDomainNameLabelScope": "ResourceGroupReuse"

This ensures the domain name is reused within the resource group, which helps reduce certificate churn and keeps the thumbprint list clean and manageable.

⚠️ Note: This setting only applies during initial deployment and cannot be retroactively applied to existing clusters.

Guidance for Certificate Use in CI/CD Pipelines for Service Fabric

Srinivasu_Yalamati — Sat, 31 May 2025 01:01:12 GMT

In non-interactive CI/CD scenarios where certificates are used to authenticate with Azure Service Fabric, consider the following best practices:

Use Admin Certificates Instead of Cluster Certificates
Cluster certificates are used for node-to-node and cluster-level authentication and are highly privileged.
For CI/CD pipelines, prefer using a dedicated Admin client certificate:

Grants administrative access only at the client level.
Limits the blast radius in case of exposure.
Easier to rotate or revoke without impacting cluster internals.

Best practices to protect your service fabric certificates:

- Provision a dedicated Service Fabric Admin certificate specifically for the CI/CD pipeline instead of cluster certificate. This certificate should not be reused across other services or users.
- Restrict access to this certificate strictly to the pipeline environment. It should never be distributed beyond what is necessary.
- Secure the pipeline itself, as it is part of the cluster’s supply chain and a high-value target for attackers.
- Implement telemetry and monitoring to detect potential exposure—such as unauthorized access to the CI/CD machine or unexpected distribution of the certificate.
- Establish a revocation and rotation plan to quickly respond if the certificate is compromised.

Error "RequestDisallowedByPolicy" received while deploying arm template

kirtidwivedi28 — Wed, 30 Oct 2024 12:59:15 GMT

I'm trying to deploy an ARM template, but facing error "Resource 'example' was disallowed by policy. (Code: Request Disallowed By Policy)". Can anyone help what changes i can make in my ARM template so that the resource gets deployed successfully.

Azure Web App Easy Auth using Reverse Proxy

jcloudtech — Wed, 07 Aug 2024 04:36:42 GMT

My organization manages one single endpoint which must be used to expose web application;

e.g.

https://contoso.com/app-one/

We deployed an app in az web apps with Azure AD Easy Auth. (not accesible from the internet and no custom domain).

https://app-one.azurewebsites.net

Our app registration has this callback:

https://contoso.com/app-one/.auth/login/aad/callback

When i try to open any the app using https://contoso.com/app-one/, the browser recirects to Azure Login page, but it redirects back to https://app-one.azurewebsites.net., instead of going to the public website https://contoso.com/app-one/.

Our reverse proxy user Azure APIM.

Question is: how can i make Azure Web App to redirect to public endpoint instead of the azurewebsite endpoint?

Thanks.

Does Azure provide DDoS protection for its PaaS services?

pradeepchouhan — Sat, 27 Jul 2024 04:16:23 GMT

Hi,
I am working on a project wherein we will deploy Storage Account, KeyVault, ServiceBus, CosmosDB, and SQL DB in our subscription. All these services will be deployed with public access enabled, and we will only add private endpoints for local VNet traffic.

From a security perspective, should I explicitly add DDoS protection to the above-mentioned services, or do they come with built-in DDoS protection?

Example: Would a DDoS attack be able to bring down a Storage Account Blob Service (test.blob.core.windows.net)?

Azure User Expresses Concern

v-jafigueroa — Fri, 26 Jul 2024 15:19:11 GMT

A customer opened ticket SR#2407190040010082 as their consumption sku APIM service was stuck updating:

Now that the service has exited that "updating" status I am able to resume working with it.

The concern I want to share with you is my concern with how the system responds to a certificate error and gets stuck in that "updating" state.

We know that network and login activities can fail on occasion. When APIM responds by getting stuck in that state it cannot be updated and it cannot be deleted and recreated. This issue lasted for a day before APIM eventually emerged from that state for reasons I am unaware. I was powerless and had to keep going back to check.

Yes, this case is resolved but I hope that this feedback can be shared with the team in the hopes that a fix or enhancement to better handle this situation can be implemented.

Azure Cache for Redis

kumarRithin — Tue, 25 Jun 2024 10:44:20 GMT

Hello,

I am trying to optimize the cost for Azure Cache for Redis. Right now i have an E100 sku deployed and checking if there is a possibility to right size the instance to a lower tier. I checked the utilization metrics and could find low CPU, memory and low server load. However i am struggling to understand the metrics for the connected clients as this is one of the important criteria for rightsizing.

Can someone please tell me if i need to look the MAX or SUM aggregation for connected clients? As per azure pricing E100 include upto 100,000 connection but i would like to understand if it is concurrent connection during a month or summation of all connection during a month.

Can someone please help me to understand this?

How to Restrict Subscription in Azure Application Gateway Private Link Shared with Another tenant

Rohangupta — Fri, 16 Feb 2024 11:11:22 GMT

Hello Team,

We are currently facing a challenge with implementing cross-subscription private link connections in Azure, specifically subscription restriction and auto-approval features. We have a managed service running inside AKS and are utilizing an application gateway for it. Our goal is to leverage the private link feature available in the application gateway, allowing Azure customers from other tenants to securely connect to it as a private endpoint.

However, we require to restrict access to only allowed subscriptions for this resource ID and enable auto-approval for private endpoint connections from those specified subscriptions. We have explored Azure Policy as a solution, but unfortunately, we have not been successful in finding a suitable policy definition that meets our needs.

We attempted to utilize the policy definition available at https://github.com/Azure/Community-Policy/blob/main/policyDefinitions/Network/prevent-cross-subscription-private-link/azurepolicy.json

which aims to prevent cross-subscription private link connections. Despite our efforts, it appears that this policy did not effectively achieve the desired outcome. Currently, anyone can use the resource ID and establish a private endpoint connection, which is not aligned with our security requirements.

Therefore, we kindly request your assistance in reviewing our current approach and providing guidance on how we can enforce subscription restrictions and enable auto-approval for private endpoint connections from specific subscriptions only. Any insights, recommendations, or alternative solutions you can offer would be greatly appreciated.

Azure Logic Apps : HTTP Request OR Custom Connector

DynamicsHulk — Sun, 04 Feb 2024 20:36:01 GMT

Hello,

As far as I know, We use HTTP requests while consuming the First-party/third-party API, then when should we use a custom connector?

What are those business cases where one should use an HTTP request in PowerAutomate and use in PowerApps Or use a custom connector and use in PowerApps and Power Automate?

What are the pros and cons of HTTP Request OR Custom Connector?

Thanks and Regards,

-Sri

Azure SQL Database : Can I use same primary key column and foreign key column for multiple tables?

DynamicsHulk — Sun, 04 Feb 2024 01:48:31 GMT

CREATE TABLE Table1(

PRIMARY KEY (Table1ID),
Column2 int
);

CREATE TABLE Table2(

PRIMARY KEY (Table1ID),
Column2 int,

FOREIGN KEY (Table1ID) REFERENCES Table1(Table1ID)
);

CREATE TABLE Table3(

PRIMARY KEY (Table1ID),
Column2 int,

FOREIGN KEY (Table1ID) REFERENCES Table1(Table1ID)
);

Azure Logic App workflow (Standard) Resubmit and Retry

DynamicsHulk — Sat, 03 Feb 2024 23:46:56 GMT

Hello Experts,

A workflow is scheduled to run daily at a specific time and retrieves data from different systems using REST API Calls (8-9). The data is then sent to another system through API calls using multiple child flows. We receive more than 1500 input data, and for each data, an API call needs to be made.

During the API invocation process, there is a possibility of failure due to server errors (5xx) and client errors (4xx). To handle this, we have implemented a "Retry" mechanism with a fixed interval. However, there is still a chance of flow failure due to various reasons. Although there is a "Resubmit" feature available at the action level, I cannot apply it in this case because we are using multiple child workflows and the response is sent back from one flow to another.

Is it necessary to utilize the "Resubmit" functionality? The Retry Functionality has been developed to handle any Server API errors (5xx) that may occur with Connectors (both Custom and Standard), including client API errors 408 and 429. In this specific scenario, it is reasonable to attempt retrying or resubmitting the API Call from the Azure Logic Apps workflow. Nevertheless, there are other situations where implementing the retry and resubmit logic would result in the same error outcome.

Is it acceptable to proceed with the Retry functionality in this particular scenario?

It would be highly appreciated if you could provide guidance on the appropriate methodology.

Thanks

-Sri

Anyone Else Having issues with Azure SQL Database in North Central US as of Thursday?

MasonHuemmerRollKall — Sat, 13 Jan 2024 23:36:40 GMT

On Thursday at 3:30 PM CST, our Azure SQL Database hosted in the North Central US region maxed out its DTU to 100% taking down our site. The issue had continued all Thursday and Friday. Eventually, to circumvent the issue, we failed over to a hosted secondary (still in North Central US) and upgraded from DTU to vCORE General. We ran our application with no issues for years at 800 DTU. Since Friday night, we had to upgrade to vCore General and run on 24 vCORES to just keep our site running and maintain breathing room to ensure there is no additional disaster come Monday or Tuesday.

Microsoft support has stated it is not there issue. But based on historical data and current trends we are reviewing, nothing is telling us that this is our issue.

I was hoping to ask the community if they experienced something similar since then.

Azure Logic Apps vs Power Automate

DynamicsHulk — Mon, 18 Dec 2023 00:37:46 GMT

Hello Experts,

Please guide me in selecting the more suitable option between Azure Logic Apps and Power Automate for developing an Enterprise application that operates on a scheduled basis. This application must interact with multiple on-premises and SaaS systems by making several REST API calls (approximately 8 - 10 calls) and storing the retrieved data (structural and unstructured).

Thanks

-Sri

Reservations with Azure Container Apps

JacobDK — Sat, 14 Oct 2023 08:51:27 GMT

I want to purchase reservations that will reduce the cost of running Azure Container Apps. Which reservations should that be?

Windows Hybrid Azure AD to auto enable Bitlocker

shotime — Thu, 07 Sep 2023 14:39:32 GMT

Hi All,

I have set up autopilot join hybrid AD, as well as bitlocker for configuration profiles, as shown in the picture. The test results show that if it is an AD Joined computer, bitlocker will be enabled after the user login, but bitlocker will not be enabled after the hybrid computer login. The account we are using is domain user. Is it related to account permissions?

My computer is Win 11 Pro 22H2, and both TPM and Security Boot are turned on.

Step-by-Step Guide to Creating a Cosmos DB with Private DNS in Azure

Yuvaraj_Madheswaran — Thu, 31 Aug 2023 14:17:05 GMT

Introduction: In this blog post, we will walk through the process of creating a Cosmos DB instance with Private DNS in the Azure cloud environment. Private DNS allows you to resolve the Cosmos DB endpoint using a custom domain name within your virtual network, enhancing security and network management. Follow these steps with accompanying screenshots to set up your Cosmos DB with Private DNS.

Prerequisites:

Azure subscription
Virtual network created
Custom domain name

Step 1: Create a Cosmos DB Instance:

1.1. Log in to the Azure portal (https://portal.azure.com/).

1.2. Click on "Create a resource" and search for "Azure Cosmos DB."

1.3. Click "Create" to start the Cosmos DB creation process.

Step 2: Configure Basics:

2.1. Choose the appropriate subscription and resource group.

2.2. Enter a unique name for your Cosmos DB instance.

2.3. Choose the desired API (e.g., Core SQL for SQL API).

2.4. Select the desired location for your Cosmos DB.

Step 3: Networking:

3.1. Under the "Networking" section, select "Enable virtual network."

3.2. Choose the virtual network and subnet where you want to enable Private DNS.

3.3. Click "Next: Advanced" to proceed.

Step 4: Advanced:

4.1. Under the "Advanced" section, select "Enable automatic failover" if needed.

4.2. Enter a unique DNS prefix for your Cosmos DB.

4.3. Configure other advanced settings as necessary.

4.4. Click "Review + Create."

Step 5: Review and Create:

5.1. Review your configuration settings.

5.2. Click "Create" to start the deployment of your Cosmos DB instance.

Step 6: Create Private DNS Zone:

6.1. In the Azure portal, navigate to "Create a resource" and search for "Private DNS Zone."

6.2. Select "Private DNS Zone" and click "Create."

6.3. Choose the subscription and resource group.

6.4. Enter the name of your custom domain (e.g., cosmosprivatedns.local).

6.5. Associate the private DNS zone with the virtual network where your Cosmos DB resides.

Step 7: Add Virtual Network Link:

7.1. Inside the Private DNS Zone you created, go to "Virtual network links" and click "+ Add."

7.2. Select the virtual network where your Cosmos DB is located.

7.3. Choose the subnet associated with your Cosmos DB.

Step 8: Update DNS Configuration in Cosmos DB:

8.1. Go back to your Cosmos DB instance's settings.

8.2. Under "Connection strings," update the "Hostname" with the custom domain name you created in the Private DNS Zone (e.g., mycosmosdb.cosmosprivatedns.local).

Step 9: Test Private DNS Resolution:

9.1. Set up a test application within the same virtual network.

9.2. Use the custom domain name when connecting to the Cosmos DB instance.

9.3. Verify that the connection is successful, indicating the Private DNS resolution is working

CMK and Customer Certificate support for TDE - Azure SQL PAAS

xxxxxxxx900 — Fri, 04 Aug 2023 06:44:01 GMT

hi experts,

I need bit of clarity as both CMK is supported for Azure SQL TDE ( Server and DB ) and also Certificate for protecting the DEK.

How these 2 concepts are different in protecting the DEK in Azure SQL PaaS.

CMK - https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql-mi

Certificate -

https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver16

Does it mean I can protect the DEK with both Custom Customer Certificate as well as CMKs ?

Thank you

Cosmos DB Rest API reference

Vinoth_Azure — Thu, 27 Jul 2023 06:02:49 GMT

Is there any rest api reference to get the status of the cosmos DB account?

Connect to cosmosdb read-only database

micmic430 — Wed, 05 Jul 2023 14:25:41 GMT

I have a cosmosdb and it has a read-only replica in another region .

how to connect to it using RBAC authentication ( or using service principal)

Can I limit the RU base on this service principal ?

Is the RU used on this replica is shared with the primary read-write replica ?

I am going to use python script from databricks to do so . thanks