Azure Cloud Service
26 Topics

SSL/TLS connection issue troubleshooting guide
You may experience exceptions or errors when establishing TLS connections with Azure services. Exceptions vary dramatically depending on the client and server types. Typical ones include "Could not create SSL/TLS secure channel.", "SSL Handshake Failed", etc. In this article we will discuss common causes of TLS-related issues and troubleshooting steps.
40K Views, 9 likes, 1 Comment

Azure Cloud Service OS Upgrade Introduction
Microsoft releases a new Guest OS version for Azure Cloud Service roughly monthly to make cloud services more secure and robust. This blog introduces Azure Cloud Service Guest OS details, upgrade impact, procedures and ways to detect upgrades. The following parts will be discussed in this blog:
- Cloud Service Guest OS Introduction
- Guest OS Upgrades Impact
- How Cloud Service Upgrades Proceed
- How To Track Guest OS Upgrade Via RHC
6.1K Views, 5 likes, 0 Comments

How to use Azure DevOps to publish cloud service extended support
Azure Cloud Service extended support (CSES) is a new Azure Resource Manager based deployment model for the Azure Cloud Services product. Cloud Services (extended support) has the primary benefit of providing regional resiliency along with feature parity with Azure Cloud Services deployed using Azure Service Manager. It also offers some ARM capabilities such as role-based access and control (RBAC), tags and policy, and supports deployment templates. For the classic cloud service, we have the Azure DevOps built-in pipeline task (Azure Cloud Service Deployment task - Azure Pipelines | Microsoft Learn) to help us manage the CI/CD progress easily, but the task for CSES is not ready yet. In this blog, I have a brief guide on how to use the Azure ARM template to create or update the CSES deployment.
6.2K Views, 4 likes, 0 Comments

How to manage the VIP swap in cloud service extended support via PowerShell
You can swap between two independent cloud service deployments in Azure Cloud Services (extended support). Unlike in Azure Cloud Services (classic), the Azure Resource Manager model in Azure Cloud Services (extended support) doesn't use deployment slots. In Azure Cloud Services (extended support), when you deploy a new release of a cloud service, you can make the cloud service "swappable" with an existing cloud service in Azure Cloud Services (extended support). In this blog, we can see how to do a version update via PowerShell and REST API.
5.9K Views, 3 likes, 1 Comment

How to update/change certificate used in Cloud Service Extended Support
It's a common scenario that the certificate used in Cloud Service Extended Support (CSES) has expired. To replace the original certificate, besides creating and uploading the new certificate into Key Vault, there are still several necessary steps. We can do them with multiple tools such as the Azure Portal, PowerShell commands and Visual Studio. In this blog, we'll talk about how to update the certificate configuration in these three ways and make it work.

Pre-requirements: We must have a validated .pfx format certificate and upload it into a Key Vault, on the Certificate page.
- Follow https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-certs-create#powershell to self-sign the certificate, unless you already have a CA certificate.
- Follow step 1 to step 6 of https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/certificates-and-key-vault#upload-a-certificate-to-key-vault to upload the certificate into the Key Vault resource.

Then let's talk about what we need to do for this configuration change.

By Portal:
1. In the Portal, on the CSES page, we can find the Configuration page on the left side. On the right side, modify the configuration file and add/modify the necessary lines (highlighted) for the certificate used. Please make sure the thumbprint here matches the real thumbprint of the certificate which we uploaded into Key Vault at first.
2. Once we click on the Save button, there will be a new page on the right side. Select the Key Vault where we uploaded the certificate and wait for the validation to turn to Found status, then click OK at the bottom.

By Visual Studio:
1. Modify the .cscfg file and add/modify the necessary lines for the certificate used. Please make sure the thumbprint here matches the real thumbprint of the certificate which we uploaded into Key Vault in the pre-requirement part. (The code change is the same as in the Portal configuration change part, point 1. The only difference is that it's in the local .cscfg file, not in the Portal.)
2. Deploy the Visual Studio CSES project again. In the deployment window, on the second setting page, please select the correct Key Vault where we uploaded the certificate.

By PowerShell:
1. Same as step 1 of the Visual Studio way.
2. Upload your .cspkg file into a storage account container, generate a SAS token and note it down. For detailed instructions, please check step 7 to step 9 of https://techcommunity.microsoft.com/t5/azure-paas-blog/manual-migration-from-classic-cloud-service-to-cloud-service/ba-p/2263817.
3. Open a PowerShell window and log in with an account which has enough permission by using the command Connect-AzAccount. Then use the following script to update the CSES. (Please remember to follow the table to replace the values before running the script.)

Variable or command name, followed by the expected value:
- cspkgurl: The SAS token URL of the .cspkg file we got from step 2
- cscfgFilePath: The local path to your .cscfg file
- Get-AzKeyVault: ResourceGroupName for the name of the resource group where the Key Vault is deployed and VaultName for the name of the Key Vault resource
- Get-AzKeyVaultCertificate: VaultName for the name of the Key Vault resource and Name for the name of the certificate saved in Key Vault
- Get-AzCloudService: Name for the name of the CSES resource, SubscriptionId for the subscription ID and ResourceGroupName for the resource group where the CSES is deployed

    # SAS URL of the uploaded .cspkg file (step 2) and local path of the .cscfg file
    $cspkgurl = "https://minalinsky.blob.core.windows.net/cses-https/CSESOneWebRoleHTTPS.cspkg?sp=r&st=2021-11-13T09:02:04Z&se=2021-11-13T17:02:04Z&spr=https&sv=2020-08-04&sr=b&sig=xxxxx%3D"
    $cscfgFilePath = "C:\Users\zhangjerry\Desktop\VisualStudioproject\CSESOneWebRoleHTTPS\bin\Release\app.publish\ServiceConfiguration.Cloud.cscfg"

    # Build the OSProfile that points the CSES at the certificate stored in Key Vault
    $keyVault = Get-AzKeyVault -ResourceGroupName CSES -VaultName CSESKVault
    $certificate = Get-AzKeyVaultCertificate -VaultName CSESKVault -Name csescert
    $secretGroup = New-AzCloudServiceVaultSecretGroupObject -Id $keyVault.ResourceId -CertificateUrl $certificate.SecretId
    $osProfile = @{secret = @($secretGroup)}

    # Apply the new configuration, package URL and OSProfile to the existing CSES
    $cses = Get-AzCloudService -Name jerrycsesps -SubscriptionId 5102f0a2-xxxx-xxxx-xxxx-2834a4473453 -ResourceGroupName CSESPS
    $cses.Configuration = Get-Content $cscfgFilePath | Out-String
    $cses.PackageUrl = $cspkgurl
    $cses.OSProfile = $osProfile
    $cses | Update-AzCloudService

P.S. If we only update the .cscfg file of the CSES but don't update the OSProfile of the CSES service, which means we missed the lines in red, the CSES will be unable to download the new certificate from the correct Key Vault and unable to install it into the underlying instances. It will return an error such as the following:
6.1K Views, 3 likes, 0 Comments

New Deployment Based On Existing Classic Cloud Service
In some scenarios, the customer's application source code or packages are no longer available for some reason, but another deployment is needed. It is the customer's responsibility to manage the application source code and apply new deployments, but customers cannot apply a new deployment without the source code. For such a situation, we could try the approach below as additional help. This blog wraps up all the information needed for you to get the deployment package of an existing Cloud Service (classic) and then use the deployment package for another Cloud Service (classic) deployment.
4.9K Views, 3 likes, 1 Comment

Instance level public IP address configuration in the cloud service.
An Instance-Level Public IP Address (PIP), unlike the Virtual IP Address (VIP), is not load balanced. While the virtual IP is assigned to the cloud service and shared by all virtual machines and role instances in it, the public IP is associated only with a single instance's NIC. The public IP is particularly useful in multi-instance deployments where each instance needs to be reachable independently from the Internet. The picture below illustrates the value of PIP and differentiates it from the VIP.
4.6K Views, 2 likes, 2 Comments