Azure Cloud Service
26 Topics

SSL/TLS connection issue troubleshooting guide
You may experience exceptions or errors when establishing TLS connections with Azure services. Exceptions vary dramatically depending on the client and server types. Typical ones include "Could not create SSL/TLS secure channel.", "SSL Handshake Failed", etc. In this article we will discuss common causes of TLS-related issues and troubleshooting steps.
40K Views, 9 likes, 1 Comment

How to enable SNI (Service Name Indication) for your Azure Cloud Service
In Azure Cloud Service, we can easily add our custom domain with a certificate. However, sometimes we might need to bind multiple domain names with different SSL certificates to the same IP address and port number. In this blog, we will be discussing how we can enable the SNI for the Cloud Service.
15K Views, 2 likes, 0 Comments

How to use the management certificate to manage the Azure cloud service by DevOps pipeline
Azure DevOps provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications. Developers can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server. Azure DevOps Server was formerly named Visual Studio Team Foundation Server (TFS). Azure cloud services can be managed in Azure DevOps by using the PowerShell cmdlets that are available in the Azure PowerShell tools, so that you can perform all of your cloud service management tasks within the service. Management certificates allow you to authenticate with the classic deployment model. Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services.
11K Views, 1 like, 0 Comments

How to use Azure DevOps to publish cloud service extended support
Azure cloud service extended support (CSES) is a new Azure Resource Manager based deployment model for the Azure Cloud Services product. Cloud Services (extended support) has the primary benefit of providing regional resiliency along with feature parity with Azure Cloud Services deployed using Azure Service Manager. It also offers some ARM capabilities such as role-based access and control (RBAC), tags, policy, and supports deployment templates. For the classic cloud service, we have the Azure DevOps built-in pipeline task (Azure Cloud Service Deployment task - Azure Pipelines | Microsoft Learn) to help us manage the CI/CD progress easily, and the task for CSES is not ready yet. In this blog, I have a brief guide on how to use the Azure ARM template to create or update the CSES deployment.
6.2K Views, 4 likes, 0 Comments

Azure Cloud Service OS Upgrade Introduction
Microsoft releases a new Guest OS version for Azure Cloud Service roughly monthly to make cloud service more secure and robust. This blog will introduce Azure Cloud Service Guest OS details, upgrade impact, procedures and detection ways. The following parts will be discussed in this blog:
- Cloud Service Guest OS Introduction
- Guest OS upgrades Impact
- How Cloud Service Upgrades Proceeds
- How To Track Guest OS Upgrade Via RHC
6.1K Views, 5 likes, 0 Comments

How to update/change certificate used in Cloud Service Extended Support
It's a common scenario that the certificate used in Cloud Service Extended Support (CSES) has expired. To replace the original certificate, other than creating and uploading the new certificate into Key Vault, we still have multiple necessary steps to do. We can do them with multiple tools such as Azure Portal, PowerShell command and Visual Studio. In this blog, we'll talk about how to update the necessary information in these three ways to update the certificate configuration and make it work.

Pre-requirements:
We must have a validated .pfx format certificate and upload it into a Key Vault, Certificate page.
- Follow https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-certs-create#powershell to self-sign the certificate, or you already have a CA certificate.
- Follow step 1 to step 6 of https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/certificates-and-key-vault#upload-a-certificate-to-key-vault to upload the certificate into the Key Vault resource.

Then let's talk about what we need to do for this configuration change.

By Portal:
1. In Portal, CSES page, we can find the Configuration page on the left side. On the right side, modify the configuration file and add/modify the necessary lines (highlighted) for the certificate used. Please make sure the thumbprint here matches the real thumbprint of the certificate which we uploaded into Key Vault at first.
2. Once we click on the Save button, there will be a new page on the right side. Select the Key Vault where we uploaded the certificate and wait for the validation to turn to Found status, then click OK on the bottom side.

By Visual Studio:
1. Modify the .cscfg file and add/modify the necessary lines for the certificate used. Please make sure the thumbprint here matches the real thumbprint of the certificate which we uploaded into Key Vault in the pre-requirement part. (The code change is the same as the Portal configuration change part, point 1. The only difference is that it's on the local .cscfg file, not in Portal.)
2. Deploy the Visual Studio CSES project again. In the deployment window, second setting page, please kindly select the correct Key Vault where we uploaded the certificate.

By PowerShell:
1. Same step as the Visual Studio way.
2. Upload your .cspkg file into a storage account container, generate a SAS token and note it down. For detailed instructions, please kindly check step 7 to step 9 of https://techcommunity.microsoft.com/t5/azure-paas-blog/manual-migration-from-classic-cloud-service-to-cloud-service/ba-p/2263817.
3. Open a PowerShell window and log in with the account which has enough permission by the command Connect-AzAccount. Then use the following script to update the CSES. (Please remember to follow the table to replace the values before running the script.)

| Variable or command name | The expected value |
| --- | --- |
| Cspkgurl | The SAS token URL of the .cspkg file we get from step 2 |
| cscfgFilePath | The local path to your .cscfg file |
| Get-AzKeyVault | ResourceGroupName for the name of the resource group where Key Vault is deployed and VaultName for the name of the Key Vault resource |
| Get-AzKeyVaultCertificate | VaultName for the name of the Key Vault resource and Name for the name of the certificate saved in KeyVault |
| Get-AzCloudService | Name for the name of the CSES resource, SubscriptionId for the subscription ID and ResourceGroupName for the resource group where the CSES is deployed |

    # SAS URL of the uploaded .cspkg and local path of the updated .cscfg
    $cspkgurl = "https://minalinsky.blob.core.windows.net/cses-https/CSESOneWebRoleHTTPS.cspkg?sp=r&st=2021-11-13T09:02:04Z&se=2021-11-13T17:02:04Z&spr=https&sv=2020-08-04&sr=b&sig=xxxxx%3D"
    $cscfgFilePath = "C:\Users\zhangjerry\Desktop\VisualStudioproject\CSESOneWebRoleHTTPS\bin\Release\app.publish\ServiceConfiguration.Cloud.cscfg"

    # Build the OSProfile that points CSES at the certificate in Key Vault
    $keyVault = Get-AzKeyVault -ResourceGroupName CSES -VaultName CSESKVault
    $certificate = Get-AzKeyVaultCertificate -VaultName CSESKVault -Name csescert
    $secretGroup = New-AzCloudServiceVaultSecretGroupObject -Id $keyVault.ResourceId -CertificateUrl $certificate.SecretId
    $osProfile = @{secret = @($secretGroup)}

    # Load the existing CSES resource, then apply configuration, package and OSProfile
    $cses = Get-AzCloudService -Name jerrycsesps -SubscriptionId 5102f0a2-xxxx-xxxx-xxxx-2834a4473453 -ResourceGroupName CSESPS
    $cses.Configuration = Get-Content $cscfgFilePath | Out-String
    $cses.PackageUrl = $cspkgurl
    $cses.OSProfile = $osProfile
    $cses | Update-AzCloudService

P.S. If we only update the .cscfg file of the CSES but don't update the OSProfile of the CSES service, which means we missed the lines in red, this will cause CSES to be unable to download the new cert from the correct Key Vault and unable to install it into underlying instances. And it will return an error such as the following:
6K Views, 3 likes, 0 Comments
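
The post above asks that the thumbprint in the .cscfg match the certificate uploaded to Key Vault. The following pre-flight check is an added example, not code from the original post; the function name `Test-CscfgThumbprint`, the sample .cscfg and the thumbprints are all constructed for illustration.

```powershell
# Added example (hypothetical helper): list every <Certificate> in a .cscfg and
# compare its thumbprint with the one held in Key Vault before deploying.
function Test-CscfgThumbprint {
    param(
        [Parameter(Mandatory)] [string] $CscfgXml,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $doc = [xml]$CscfgXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('sc', 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration')
    foreach ($role in $doc.SelectNodes('//sc:Role', $ns)) {
        foreach ($cert in $role.SelectNodes('sc:Certificates/sc:Certificate', $ns)) {
            $raw = $cert.GetAttribute('thumbprint')
            [pscustomobject]@{
                Role       = $role.GetAttribute('name')
                Name       = $cert.GetAttribute('name')
                Thumbprint = $raw
                # Spaces or invisible characters copied from a certificate dialog
                HasStrayChars = ($raw -match '[^0-9A-Fa-f]')
                Match      = ($raw -eq $ExpectedThumbprint)   # -eq ignores case
            }
        }
    }
}

# Constructed sample: WebRole1 has the new thumbprint, WorkerRole1 a stale one.
$sampleCscfg = @'
<ServiceConfiguration serviceName="SampleService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="1" />
    <Certificates>
      <Certificate name="Certificate1" thumbprint="0123456789abcdef0123456789abcdef01234567" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
  <Role name="WorkerRole1">
    <Instances count="1" />
    <Certificates>
      <Certificate name="Certificate1" thumbprint="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>
'@

# Constructed value; against a real vault use:
#   (Get-AzKeyVaultCertificate -VaultName <vault> -Name <cert>).Thumbprint
$kvThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'

$results = @(Test-CscfgThumbprint -CscfgXml $sampleCscfg -ExpectedThumbprint $kvThumbprint)
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Match } |
    ForEach-Object { Write-Warning "Role $($_.Role): '$($_.Name)' does not match the Key Vault certificate" }
```

With a real deployment, pass `Get-Content $cscfgFilePath -Raw` as `-CscfgXml` and run the check before `Update-AzCloudService`.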