azure service bus
17 Topics

[Azure Service Bus] JMS messages getting dead-lettered
The article discusses a problem where numerous messages end up in the dead-letter queue (DLQ) when a JMS consumer consumes messages from Azure Service Bus queues or topics/subscriptions. The messages are dead-lettered because they have reached the maximum delivery count.

The root cause is message prefetching. Prefetch is enabled by default in the Qpid library. When it is turned on, Qpid uses a local buffer to prefetch messages from Azure Service Bus and stores them before delivering them to the consumer. The issue occurs when Qpid prefetches more messages than the consumer can process within the lock duration. The consumer then cannot acknowledge or complete those messages before the lock expires, and they move to the DLQ once the maximum delivery count is exceeded.

To address this problem, you can either turn off prefetching or modify the prefetch count. To disable prefetching, set jms.prefetchPolicy.all=0 in the JMS client. With this configuration the JMS client consumes messages directly from Azure Service Bus, bypassing Qpid's local buffer, so the consumer can process messages at a suitable pace and complete them without issues.

Why is Prefetch not the default option in Microsoft .NET/Java/Python libs?

2K Views, 0 likes, 2 Comments

Records are not getting updated/deleted in Search Index despite enabling Track Deletions in SQL DB
Symptom: The record counts in the indexer and the index did not align even after activating the change detection policy. Even after records were deleted, the entries persisted in the Index Search Explorer.

To enable incremental indexing, configure the "dataChangeDetectionPolicy" property within your data source definition. This setting tells the indexer which change tracking mechanism your table or view uses. For Azure SQL indexers, you can choose the change detection policy below:

"SqlIntegratedChangeTrackingPolicy" (applicable to tables exclusively)

Using "SqlIntegratedChangeTrackingPolicy" is recommended for its efficiency and its ability to identify deleted rows.

Database requirements (prerequisites):
- SQL Server 2012 SP3 and later, if you're using SQL Server on Azure VMs
- Azure SQL Database or SQL Managed Instance
- Tables only (no views)
- On the database, enable change tracking for the table.
- No composite primary key (a primary key containing more than one column) on the table.
- No clustered indexes on the table. As a workaround, any clustered index would have to be dropped and re-created as a nonclustered index; however, performance in the source may be affected compared to having a clustered index.

When using the SQL integrated change tracking policy, don't specify a separate data deletion detection policy. The SQL integrated change tracking policy has built-in support for identifying deleted rows. However, for the deleted rows to be detected automatically, the document key in your search index must be the same as the primary key in the SQL table.

Even after you have done all the above steps, you may still see a discrepancy between the indexer count and the index count.

Approach: Enabling change tracking before or after inserting data can affect how the system tracks changes, and the order in which you enable it matters. It's important to understand how change tracking works in your specific context to resolve the issue.
- Check whether you have enabled change tracking at the table level as well as at the database level.
- Check whether you enabled change tracking before or after data insertion.

    ALTER TABLE [TableName] ENABLE CHANGE_TRACKING

Here are some general guidelines on how change tracking typically works:

Enable Change Tracking Before Inserting Data:
- If you enable change tracking before inserting data, the system will start tracking changes from the beginning.
- This is the recommended approach if you want to track changes to existing data and any new data that will be added.

Enable Change Tracking After Inserting Data:
- If you enable change tracking after inserting data, the system might not have a baseline for the existing data.
- You may encounter errors if you attempt to retrieve change information for data that was already in the system before change tracking was enabled.

Solution: To ensure that the indexer starts tracking deletions from the beginning, it is important to enable change tracking before inserting data. This approach also helps to match the indexer and index counts without having to reset the indexer repeatedly.

Reference Links:
- Enable and Disable Change Tracking - SQL Server | Microsoft Learn
- Azure SQL indexer - Azure AI Search | Microsoft Learn

6.1K Views, 0 likes, 0 Comments

PowerShell Script to disable Public Network Access for Azure Relay
Scenario: PowerShell script to disable Public Network access for Azure Relay

In today’s Azure world, it is always better to automate than to do manual work. Navigating the Azure Portal for every change becomes a headache for all of us. Here is a simple way to disable Public Network access by using a PowerShell script.

Solution:

    Connect-AzAccount
    Set-AzContext -SubscriptionId "<Sub ID>"
    # Bearer token for the Azure Resource Manager endpoint
    $accessToken = $(Get-AzAccessToken).Token
    # Network rule set: public access disabled, default action Deny, no VNet or IP rules
    $body = '{"location": "xxxxxx","properties": {"publicNetworkAccess": "Disabled","defaultAction": "Deny","virtualNetworkRules": [],"ipRules": []}}'
    $uri = 'https://management.azure.com/subscriptions/<Sub ID>/resourceGroups/<RG>/providers/Microsoft.Relay/namespaces/<NS>/networkrulesets/default?api-version=2021-11-01'
    Invoke-RestMethod -Method PUT -Uri $uri -Headers @{ "Authorization" = "Bearer $accessToken" } -Body $body -ContentType "application/json"

Please find below the steps to run the PowerShell script to disable Public Network access for Azure Relay.

Step 1: Log in to the Azure portal.
Step 2: Open an Azure PowerShell terminal and connect to your Azure account using any of the options mentioned in Authentication Methods.
Step 3: Add the Resource Group name, Subscription Id and Relay namespace.
Step 4: Run the above commands to disable Public Network access for Azure Relay.

Reference Links:
- Network security for Azure Relay - Azure Relay | Microsoft Learn

Happy Learning

4K Views, 1 like, 0 Comments

SSL/TLS connection issue troubleshooting guide
You may experience exceptions or errors when establishing TLS connections with Azure services. Exceptions vary dramatically depending on the client and server types. Typical ones include "Could not create SSL/TLS secure channel.", "SSL Handshake Failed", etc. In this article we discuss common causes of TLS-related issues and troubleshooting steps.

38K Views, 9 likes, 1 Comment

Purge Deferred Messages in Service Bus
What are Deferred messages:

Deferred messages are messages that a queue or subscription client is unable to process at the moment due to certain circumstances. Instead of processing a message immediately, the client can defer its retrieval to a later time, while the message remains in the queue or subscription.

See: Message Deferral | Azure Service Bus

Unlike dead-letter messages, which are stored in a subqueue, deferred messages are kept in the main queue along with other active messages. However, these messages cannot be received using regular receive operations. If an application loses track of a deferred message, it can be discovered by browsing through the messages.

The responsibility for retrieving a deferred message lies with its owner, who must remember the sequence number when deferring it. A receiver can later retrieve the deferred message by using receive methods that take the sequence number as a parameter. For further details about sequence numbers, please refer to Message sequencing and timestamps.

However, it can be very difficult or even unfeasible to get each sequence number from the queue/subscription when the entity contains thousands of messages. Here is an example of how you can receive or purge all the deferred messages in the entity.

Pre-requisites:
- Service Bus namespace
- Already created queue/subscription
- Service Bus Explorer

Using Service Bus Explorer:

1. Download “Service Bus Explorer” from: https://github.com/paolosalvatori/ServiceBusExplorer
2. Open Service Bus Explorer, click File and connect it.
3. From the drop-down, select connection string and provide the namespace-level connection string.
4. Once it is successfully connected, you will see that Service Bus Explorer shows the count of Active messages as shown below.
5. When we peek through the messages using Service Bus Explorer, we can see the status of the messages as Deferred.
6. 
When you click on Purge messages, you will notice that the application keeps loading and the messages are not purged.

Receive/Delete messages using C# Code:

Run the code below, which will receive and complete all the messages from the mentioned queue/subscription after changing the status of deferred to active.

    using System;
    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Azure.Messaging.ServiceBus;

    class Program
    {
        // async Main so the process waits for the purge to finish before exiting
        static async Task Main(string[] args)
        {
            await receiveDeferredMessages();
        }

        public static async Task receiveDeferredMessages()
        {
            string connectionString = "SAS Key";
            string queueName = "QueueName";
            try
            {
                var sequencenumbers = new List<long>();
                await using var client = new ServiceBusClient(connectionString);
                ServiceBusReceiver receiver = client.CreateReceiver(queueName);

                // Peek through the entity and collect the sequence number of every deferred message.
                // Each PeekMessageAsync() call continues after the previously peeked message.
                ServiceBusReceivedMessage peekedMessage;
                while ((peekedMessage = await receiver.PeekMessageAsync()) != null)
                {
                    if (peekedMessage.State == ServiceBusMessageState.Deferred)
                    {
                        sequencenumbers.Add(peekedMessage.SequenceNumber);
                    }
                }

                if (sequencenumbers.Count == 0)
                {
                    Console.WriteLine("No deferred messages found.");
                    return;
                }

                // Deferred messages can only be received by sequence number.
                var deferredMessage = await receiver.ReceiveDeferredMessagesAsync(sequencenumbers);
                foreach (var message in deferredMessage)
                {
                    // Completing a message removes it from the entity.
                    await receiver.CompleteMessageAsync(message);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }
        }
    }

8.7K Views, 0 likes, 0 Comments

Service Bus Python SDK Common exceptions Sharing
Introduction

This blog introduces the past changes of the Service Bus SDK for Python and several common exception scenarios, along with troubleshooting suggestions. As more and more developers choose Python when developing Azure Service Bus applications, it is necessary to have a clear awareness of how the versions have changed and what the current version is. The attraction and the pain of coding both lie in dealing with exceptions and gaining a sense of achievement. Here we introduce the different versions of the Python library for Service Bus, with common exceptions and sample scenarios, to help us understand the troubleshooting steps better.

SDK Version Changes

There are three main branches for different versions. As the features of Service Bus have developed, we have enriched the Python library accordingly. The latest version (as of Jan 2023) of the Azure Service Bus library is version 7.x.x. Please see the table below:

| Version | Pre-release | Release | End Release | Latest Release | Maintained Status |
| 0.2x | 0.20.0rc1 (Aug 25, 2015) | 0.20.0 (Jun 16, 2015) | 0.21.1 (Apr 28, 2017) | 0.21.1 (Apr 28, 2017) | No longer maintained |
| 0.50.x | None | 0.50.0 (Jan 18, 2019) | 0.50.3 (May 21, 2020) | 0.50.3 (May 21, 2020) | No longer maintained |
| 7.x.x | 7.0.0b1 (Apr 7, 2020) | 7.0.0 (Nov 24, 2020) | None | 7.8.2 (Jan 13, 2023) | Under maintenance |

Version 0.2x was the initial release of this package, released as part of the Azure Python SDK. See the azure package release note for 1.0.0 for details and previous history on Service Bus. This version supports the features below:
- Queues: create, list and delete queues; create, list, and delete subscriptions; send, receive, unlock and delete messages
- Topics: create, list, and delete topics; create, list, and delete rules
- Event Hubs: create and delete event hubs; send events.

Several months after the release of 0.2x, we enriched some features and added more advanced interfaces to strengthen its robustness.
As of version 0.50.0 a new AMQP-based API is available for sending and receiving messages. This update involves breaking changes. Please read Migration from 0.21.1 to 0.50.0.

Breaking changes
- Introducing new AMQP-based API.
- Original HTTP-based API still available under new namespace: azure.servicebus.control_client
- For full API changes, please see updated reference documentation.

Features
- The new API supports message send and receive via AMQP with improved performance and stability.
- New asynchronous APIs (using asyncio) for send, receive and message handling.
- Support for message and session auto lock renewal via background thread or async operation.
- Now supports scheduled message cancellation.

The next release version (7.x.x) implemented features and mechanisms for asynchronous, highly reliable communication, such as structured first-in-first-out messaging, publish/subscribe capabilities, and the ability to easily scale as your needs grow. Compared to the previous version (0.50.x), version 7.x.x of the Service Bus library has a variety of new features:
- Ability to create a batch of messages with the smarter ServiceBusSender.create_message_batch() and ServiceBusMessageBatch.add_message() APIs. This will help you manage the messages to be sent in the most optimal way.
- Ability to configure the retry policy used by the operations on the client.
- Ability to connect to the service through http proxy.
- Authentication with AAD credentials using azure-identity.

Please refer to the links:
- azure-sdk-for-python/migration_guide.md at main · Azure/azure-sdk-for-python · GitHub
- azure-servicebus · PyPI

In a word, our Service Bus product group continues to empower each developer and user to have a better experience and stable usage when interacting with Service Bus. As everything grows in an agile way, our Service Bus developers built the latest version of the Python library by implementing the features step by step, taking all suggestions and feedback into account.
Considering the various users who might use the different versions in different periods, we highly recommend using version 7.x.x for new applications. For migrating azure-servicebus to v7 from v0.50, please see the guidance: azure-sdk-for-python/migration_guide.md at main · Azure/azure-sdk-for-python · GitHub

Third Part: Common Exceptions

After gaining a basic awareness of the history of the Service Bus Python library, I guess you might be eager to try it. However, as you can imagine, there is no perfect world, and the same goes for using this library. You might get some kind of exception sometimes. There is a Chinese saying, “好记性不如烂笔头” (a good memory is no match for a worn pen): writing down past problems and their troubleshooting helps us learn well in practice. Here is a summary of the common client error exceptions when using this library.

- ServiceBusConnectionError
- ServiceBusAuthorizationError
- MessageSizeExceededError
- MessageAlreadySettled
- MessageLockLostError
- MessagingEntityNotFoundError
- MessagingEntityDisabledError
- ServiceBusQuotaExceededError

ServiceBusConnectionError

Definition: An error occurred in the connection to the service.

Scenario: I try to send/receive messages from a certain queue while connecting to Service Bus via connection string, and the network is suddenly aborted on my client side.

Error in client side: In the traceback I can see that the client retried sending this message and raised the exception from the last retry.

azure.servicebus.exceptions.ServiceBusConnectionError: Unable to open authentication session on connection xxx.

(The default retry count is 3; you can check the default value in the initialization method.) If you also open the queue in the Azure Portal at the same time, you may receive an error like the one below:

RCA & Suggestions: This may have been caused by a transient network issue or service problem.
It is recommended to check your client network status and customize the retry mechanism when facing an unstable network.

ServiceBusAuthorizationError

Definition: An error occurred when authorizing the connection to the service.

Scenario: I am a QA engineer testing sending messages to a queue, but I am assigned a connection string with only listen permission. When I try to send a message, I receive the exception.

Error in client side:

azure.servicebus.exceptions.ServiceBusAuthorizationError: Unauthorized access. 'Send' claim(s) are required to perform this operation. Resource: 'sb://testforcommonexceptions.servicebus.windows.net/testforexceptions'. TrackingId:9f5326494f78471d99222599e97f4b37_G2, SystemTracker:gateway7, Timestamp:2023-01-15T09:30:25 Error condition: ErrorCodes.UnauthorizedAccess.

RCA & Suggestions: This may have been caused by the credentials not having the right permission to perform the operation. It is recommended to check the permission of the credentials.

MessageSizeExceededError

Definition: This indicates that the message content is larger than the service bus frame size.

Scenario: I try to read all the data in a .txt file (800 KB) and send the data to a queue under a basic service bus (256 KB).

Error in client side:

azure.servicebus.exceptions.MessageSizeExceededError: The received message (delivery-id:1126, size:327545 bytes) exceeds the limit (262144 bytes) currently allowed on the link. TrackingId:d693052b-8712-4795-bb0b-492dc16b9c3c_B15, SystemTracker:NoSystemTracker, Timestamp:2023-01-15T10:31:13 Error condition: ErrorCodes.LinkMessageSizeExceeded.

RCA & Suggestions: This could happen when too many service bus messages are sent in a batch or the content passed into the body of a Message is too large. It is recommended to reduce the count of messages being sent in a batch or the size of content being passed into a single ServiceBusMessage.
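One way to act on this suggestion, as an added example (not code from the original post or from the SDK): fill a batch until add_message() refuses a message, send it, start a new batch, and set aside any single message that cannot fit even in an empty batch, as in the 327545-byte case above. It catches ValueError, which MessageSizeExceededError derives from in azure-servicebus 7.x; StubSender and StubBatch are constructed stand-ins so the logic runs without a namespace, and they count raw body bytes only.

```python
LINK_LIMIT = 262144  # bytes, the limit quoted in the error message above


def _try_add(batch, msg):
    """Return True if msg fitted into batch, False if the batch refused it."""
    try:
        batch.add_message(msg)
        return True
    except ValueError:  # MessageSizeExceededError is a ValueError subclass
        return False


def send_in_batches(sender, messages):
    """Send messages in batches; return (batches_sent, oversized_messages).

    `sender` needs create_message_batch() and send_messages(batch), as
    ServiceBusSender provides. Messages too large for an empty batch are
    returned instead of raising, so the caller can split or offload them.
    """
    sent_batches, oversized = 0, []
    batch, in_batch = sender.create_message_batch(), 0
    for msg in messages:
        if _try_add(batch, msg):
            in_batch += 1
            continue
        if in_batch:
            # Current batch is full: flush it and retry with a fresh one.
            sender.send_messages(batch)
            sent_batches += 1
            batch, in_batch = sender.create_message_batch(), 0
            if _try_add(batch, msg):
                in_batch = 1
                continue
        # Refused by an empty batch: this message alone exceeds the limit.
        oversized.append(msg)
    if in_batch:
        sender.send_messages(batch)
        sent_batches += 1
    return sent_batches, oversized


class StubBatch:
    """Constructed stand-in for ServiceBusMessageBatch (body bytes only)."""

    def __init__(self, max_size_in_bytes):
        self.max_size_in_bytes = max_size_in_bytes
        self.sizes = []

    def add_message(self, msg):
        if sum(self.sizes) + len(msg) > self.max_size_in_bytes:
            raise ValueError("batch has reached its size limit")
        self.sizes.append(len(msg))


class StubSender:
    """Constructed stand-in for ServiceBusSender; records what was sent."""

    def __init__(self, limit=LINK_LIMIT):
        self.limit = limit
        self.sent = []

    def create_message_batch(self):
        return StubBatch(self.limit)

    def send_messages(self, batch):
        self.sent.append(list(batch.sizes))


if __name__ == "__main__":
    # Constructed sample payloads: three 100000-byte bodies, one 327545-byte
    # body (the size from the error above) and one 10000-byte body.
    sample = [b"a" * 100000] * 3 + [b"b" * 327545, b"c" * 10000]
    stub = StubSender()
    count, too_big = send_in_batches(stub, sample)
    print(count, "batches sent:", stub.sent)
    print("needs splitting:", [len(m) for m in too_big])
```
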
MessageAlreadySettled

Definition: This indicates a failure to settle the message when you receive a message and use operations like complete(), abandon(), deadletter() or defer().

Scenario: During the receiving process, I add more operations when settling a message; they are duplicates and invalid for settling one message.

Error in client side:

azure.servicebus.exceptions.MessageAlreadySettled: Unable to complete message; The message has either been deleted or already settled.

RCA & Suggestions: This could happen when trying to settle an already-settled message. Please check how you implement the logic for settling a message. For more details, refer to the link: [Service Bus] Uncaught exception `This message has already been settled` · Issue #1509 · Azure/azure-sdk-for-js · GitHub

MessageLockLostError

Definition: The lock on the message has expired and it has been released back to the queue.

Scenario: I try to pause for 15 s when settling the message, but its message lock duration is 10 s.

Code part:

Error in client side:

azure.servicebus.exceptions.ServiceBusError: The lock on the message lock has expired.

RCA & Suggestions: You should be aware of the lock duration of a message and keep renewing the lock before expiration in case of long processing time. AutoLockRenewer could help with keeping the lock of the message automatically renewed.

MessagingEntityNotFoundError

Definition: The target service bus entity was not found when sending a message.

Scenario: My team member deleted our test queue and I did not get this information in time. When I tried to send messages to this deleted queue, I received this kind of exception.

Error in client side:

azure.servicebus.exceptions.ServiceBusAuthenticationError: CBS Token authentication failed. Status code: 404 Description: The messaging entity 'sb://testforcommonexceptions.servicebus.windows.net/testfordeletedqueue' could not be found. To know more visit https://aka.ms/sbResourceMgrExceptions.
TrackingId:624e8fb1-a308-48a7-949d-65fb399376c9_G9, SystemTracker:testforcommonexceptions.servicebus.windows.net:testfordeletedqueue, Timestamp:xxxx

RCA & Suggestions: The entity associated with the operation doesn't exist or it has been deleted. Please make sure the entity exists.

MessagingEntityDisabledError

Definition: The Service Bus queue is in disabled status, so it does not allow messages to be sent to it.

Scenario: For some reason, I temporarily set the queue to send-disabled to test the receiving process but have not set it back to active. When I try to send a message to this queue, I receive an exception.

Error in client side:

RCA & Suggestions: Please activate the entity.

ServiceBusQuotaExceededError

Definition: The Service Bus quota is exceeded when sending messages to a Service Bus entity.

Scenario: The queue already holds 1 GB of messages, the maximum queue quota for a basic service bus. I have not consumed the messages to make room, and I continue to send messages to this queue.

Error in client side:

azure.servicebus.exceptions.ServiceBusQuotaExceededError: The maximum entity size has been reached or exceeded for Queue: 'TESTFORCOMMONEXCEPTIONS:QUEUE:TESTFORMAXQUEUEQUATOIZE'. Size of entity in bytes:1073801667, Max entity size in bytes: 1073741824. For more information please see https://aka.ms/ServiceBusExceptions . QuotaType: EntitySize Reference:d2b3bc9b-af61-4c0a-bab2-3c90771f9eba, TrackingId:b7c7650000002e8b001263e563c426ff_G13_B28, SystemTracker:testforcommonexceptions:Queue:testformaxqueuequatoize, Timestamp:xxxx Error condition: ErrorCodes.ResourceLimitExceeded.

RCA & Suggestions: The messaging entity has reached its maximum allowable size, or the maximum number of connections to a namespace has been exceeded. Create space in the entity by receiving messages from the entity or its subqueues.

Summary

Here we have listed the root causes, scenarios and troubleshooting suggestions for some common exceptions.
There are other kinds of exceptions when using this Python library; we only offer a way of looking into such problems and hope it helps you analyze and resolve issues efficiently when you face them on your side. For the remaining common exceptions, refer to the link: azure-sdk-for-python/README.md at main · Azure/azure-sdk-for-python (github.com)

Thanks for reading. Please leave your comments if you have any questions; we will treat them seriously and return you an answer. Hope everything goes well during your usage and debugging.

5.4K Views, 1 like, 0 Comments

Common causes of SSL/TLS connection issues and solutions
In the TLS connection common causes and troubleshooting guide (microsoft.com) and TLS connection common causes and troubleshooting guide (microsoft.com), the mechanism of establishing SSL/TLS connections and the tools to troubleshoot them were introduced. In this article, I would like to introduce 3 common issues that may occur when establishing an SSL/TLS connection and the corresponding solutions for Windows, Linux, .NET and Java.

- TLS version mismatch
- Cipher suite mismatch
- TLS certificate is not trusted

TLS version mismatch

Before we jump into solutions, let me introduce how the TLS version is determined. As shown in the dataflow introduced in the first session (https://techcommunity.microsoft.com/t5/azure-paas-blog/ssl-tls-connection-issue-troubleshooting-guide/ba-p/2108065), a TLS connection is always started from the client end, so it is the client that proposes a TLS version, and the server only checks whether it supports the client's TLS version. If the server supports the TLS version, they can continue the conversation; if the server does not support it, the conversation is ended.

Detection

You may test with the tools introduced in this blog (TLS connection common causes and troubleshooting guide (microsoft.com)) to verify whether the TLS connection issue was caused by a TLS version mismatch. If you capture network packets, you can also view the TLS version specified in the Client Hello. If the connection is terminated without a Server Hello, it could be either a TLS version mismatch or a cipher suite mismatch.

Solution

Different types of clients have their own mechanisms to determine the TLS version. For example, web browsers (IE, Edge, Chrome, Firefox) have their own set of TLS versions. Applications have their own library to define the TLS version. The operating system level, such as Windows, also supports defining the TLS version.

Web browser

In the latest Edge and Chrome, TLS 1.0 and TLS 1.1 are deprecated. TLS 1.2 is the default TLS version for these 2 browsers.
Below are the steps for setting the TLS version in Internet Explorer and Firefox; they work in Windows 10.

Internet Explorer
- Search for Internet Options.
- Find the setting in the Advanced tab.

Firefox
- Open Firefox and type about:config in the address bar.
- Type tls in the search bar and find the settings security.tls.version.min and security.tls.version.max. The values define the range of supported TLS versions: 1 is for TLS 1.0, 2 is for TLS 1.1, 3 is for TLS 1.2, 4 is for TLS 1.3.

Windows System

Different Windows OS versions have different default TLS versions. The default TLS version can be overridden by adding/editing the DWORD registry values ‘Enabled’ and ‘DisabledByDefault’. These registry values are configured separately for the protocol client and server roles under the registry subkeys named using the following format:

<SSL/TLS/DTLS> <major version number>.<minor version number><Client\Server>

For example, below is a registry path with version-specific subkeys:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

For the details, please refer to Transport Layer Security (TLS) registry settings | Microsoft Learn.

Applications running with .NET Framework

The application uses the OS-level configuration by default. For a quick test of HTTP requests, you can add the line below to specify the TLS version in your application before the TLS connection is established. To be on the safe side, you may define it at the beginning of the project.

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

The above can be used as a quick test to verify the problem; it is always recommended to follow the document below for best practices.
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

Java Application

For a Java application that uses Apache HttpClient to communicate with an HTTP server, you may check the link How to Set TLS Version in Apache HttpClient | Baeldung about how to set the TLS version in code.
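The Client Hello check described under Detection, as an added example that is not part of the original article: it builds, in memory and without any network access, the Client Hello that Python's ssl module (OpenSSL) would send, and parses out the TLS versions and cipher suites the client proposes. The host name example.invalid, the function names and the server version sets used at the end are assumptions made for the illustration.

```python
import ssl
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension that lists versions explicitly


def capture_client_hello(max_version=None, sni="example.invalid"):
    """Return the raw first flight of a client handshake (no socket used)."""
    ctx = ssl.create_default_context()
    if max_version is not None:
        ctx.maximum_version = max_version
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()  # no peer: stops after writing the Client Hello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def parse_client_hello(data):
    """Extract proposed versions and cipher suites from one TLS record."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS record starting with a Client Hello")
    hs_len = int.from_bytes(data[6:9], "big")
    hello = data[9:9 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated Client Hello")
    try:
        legacy = int.from_bytes(hello[0:2], "big")
        pos = 2 + 32                      # skip legacy version and random
        pos += 1 + hello[pos]             # skip session id
        n = int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        suites = [int.from_bytes(hello[i:i + 2], "big")
                  for i in range(pos, pos + n, 2)]
        pos += n
        pos += 1 + hello[pos]             # skip compression methods
        listed = None
        if pos + 2 <= len(hello):
            end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
                pos += 4
                if ext_type == SUPPORTED_VERSIONS_EXT:
                    count = hello[pos]    # length of the version list in bytes
                    listed = [int.from_bytes(hello[pos + 1 + i:pos + 3 + i], "big")
                              for i in range(0, count, 2)]
                pos += ext_len
    except IndexError:
        raise ValueError("malformed Client Hello") from None
    return {"legacy_version": legacy, "supported_versions": listed,
            "cipher_suites": suites}


def highest_offered(info):
    """Highest TLS version the client proposes."""
    return max(info["supported_versions"] or [info["legacy_version"]])


def can_negotiate(info, server_versions):
    """True if a server enabling only server_versions could answer this hello."""
    if info["supported_versions"] is not None:
        return bool(set(info["supported_versions"]) & set(server_versions))
    # Without the extension, legacy_version is the client's maximum. Its
    # minimum is not on the wire, so this is an upper-bound check only.
    return any(v <= info["legacy_version"] for v in server_versions)


if __name__ == "__main__":
    for label, cap in (("default", None), ("capped at TLS 1.2", ssl.TLSVersion.TLSv1_2)):
        info = parse_client_hello(capture_client_hello(cap))
        top = highest_offered(info)
        print(label, "-> highest offered:", TLS_NAMES.get(top, hex(top)),
              "| cipher suites proposed:", len(info["cipher_suites"]))
        # Constructed server profiles: one TLS 1.3-only, one TLS 1.2-only.
        print("  TLS 1.3-only server can answer:", can_negotiate(info, {0x0304}))
        print("  TLS 1.2-only server can answer:", can_negotiate(info, {0x0303}))
```
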
Cipher suite mismatch

Like a TLS version mismatch, a cipher suite mismatch can also be tested with the tools introduced in the previous article.

Detection

In the network packets, the connection is terminated after the Client Hello, so if you do not see a Server Hello packet, that indicates either a TLS version mismatch or a cipher suite mismatch. If the server is publicly accessible, you can also test using SSLLab (https://www.ssllabs.com/ssltest/analyze.html) to detect all supported cipher suites.

Solution

In the process of establishing SSL/TLS connections, the server has the final decision on which cipher suite is used in the communication. Different Windows OS versions support different TLS cipher suites and priority orders. For the supported cipher suites, please refer to Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn for details.

If a service is hosted on Windows OS, the default order can be overridden by the group policy below to affect the logic of choosing the cipher suite to communicate with. The steps work in Windows Server 2019.

- Edit group policy -> Computer Configuration > Administrative Templates > Network > SSL Configuration Settings -> SSL Cipher Suite Order.
- Enable the policy and configure it with the priority list of all the cipher suites you want.

The cipher suites can be manipulated by command as well. Please refer to TLS Module | Microsoft Learn for details.

TLS certificate is not trusted

Detection

Access the URL from a web browser. It does not matter whether the page can be loaded or not. Before loading anything from the remote server, the web browser tries to establish a TLS connection. If you see the error below returned, it means the certificate is not trusted on the current machine.

Solution

To resolve this issue, we need to add the CA certificate to the client's trusted root store. The CA certificate can be obtained from the web browser.

- Click the warning icon -> the ‘isn’t secure’ warning in the browser.
- Click the ‘show certificate’ button.
- Export the certificate.
- Import the exported crt file into the client system.

Windows

- Open Manage computer certificates.
- Trusted Root Certification Authorities -> Certificates -> All Tasks -> Import.
- Select the exported crt file and keep the other default settings.

Ubuntu

The command below is used to check the currently trusted CA information in the system.

    awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

If you do not see the desired CA in the result, the commands below are used to add new CA certificates.

    sudo cp <exported crt file> /usr/local/share/ca-certificates
    sudo update-ca-certificates

RedHat/CentOS

The command below is used to check the currently trusted CA information in the system.

    awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

If you do not see the desired CA in the result, the commands below are used to add new CA certificates.

    sudo cp <exported crt file> /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust

Java

The JVM uses a trust store which contains certificates of well-known certification authorities. The trust store on the machine may not contain the new certificates that we recently started using. If this is the case, then the Java application would receive SSL failures when trying to access the storage endpoint.
The errors would look like the following:

    Exception in thread "main" java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.example.App.main(App.java:54)
    Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)

Run the command below to import the crt file into the JVM cert store. The command works in JDK 19.0.2.

    keytool -importcert -alias <alias> -keystore "<JAVA_HOME>/lib/security/cacerts" -storepass changeit -file <crt_file>

The command below is used to export the current certificate information in the JVM cert store.

    keytool -keystore "<JAVA_HOME>\lib\security\cacerts" -list -storepass changeit > cert.txt

The certificate will be displayed in the cert.txt file if it was imported successfully.

42K Views, 4 likes, 0 Comments

[ServiceBus] Using Azure Managed Grafana for Azure Service Bus
This article guides you through setting up Azure Managed Grafana for Azure Service Bus metrics. It is more of a 'how to' than an introduction to Azure Managed Grafana. Please check aka.ms/azuremanagedgrafana for an introduction to Azure Managed Grafana.

4.8K Views, 1 like, 0 Comments

Service Bus -- .Net AttachmentPlugin to send and receive messages about 1MB
You may already understand how to set up a .NET project to send and receive Service Bus messages. However, there is a limit on the size of a message: 256 KB for the Standard pricing tier and 1 MB for the Premium pricing tier. What about messages above 1 MB? You may receive a “QuotaExceededException” error when your message is above the limit. So how do you resolve this issue when you need to send messages above 1 MB? We plan to release a preview function that allows users to send and receive messages up to 100 MB, but currently we don’t have an estimated time.

This blog explains how to use an AttachmentPlugin in a .NET program to send and receive messages above 1 MB. This is a workaround implemented only in .NET programs. If your system uses other languages like Python, Java and so on, we suggest separating the messages and changing the size of the messages. Now, let’s talk about how to use this AttachmentPlugin.

4.6K Views, 0 likes, 4 Comments

How to connect to Service Bus with network security enabled through public APIM
In certain circumstances, we may require the Service Bus namespace to be accessed securely. Generally, we have the two options below in the Azure portal if we want to restrict public access to the Service Bus namespace.

- Disabled: This option disables any public access to the namespace. The namespace will be accessible only through private endpoints.
- Enable network security: We could add at least one IP firewall rule or a virtual network that will have access to the namespace.

In this blog, let’s say the workflow is [Client side ----> APIM (publicly accessible) ----> Service Bus (network security settings enabled)].

Considering that APIM is hosted in the public network within the above workflow, we have the two following ways to restrict access instead of disabling all public access.

OPTION 1: Put APIM into an internal VNET and allow traffic from the same VNET to access the Service Bus namespace.
OPTION 2: Whitelist the public IP address of the APIM service in the IP firewall setting.

Detailed steps:

1. Developer, Basic, Standard and Premium Tiers

If you choose to integrate APIM into an internal VNET, you could refer to the documents below:
https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2
https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2

Then you could configure the same VNET in the Service Bus networking setting.

If you choose to whitelist the IP address, APIM services in these tiers have a dedicated public IP address. It can be easily found in the Azure portal. After enabling the network security setting in Service Bus, all external traffic would fail with the following error while accessing the Service Bus namespace.

2. Consumption Tier

As we know, Consumption Tier APIM is based on a different infrastructure from the other tiers. According to the Pricing Tier document, integrating it into a VNET is not supported.
Hence, we need to use OPTION 2 above to allow access from the APIM service through the IP firewall. We have 2 solutions for this configuration:

A. Whitelist the IP address of APIM

Unfortunately, according to the official link, the Consumption Tier APIM service doesn’t have a dedicated IP address. For traffic restriction purposes, we need to set the range of IP addresses of the Azure data centers. You could refer to the multiple IP ranges in this JSON file by specific region and add all of them to the above Address range setting.

B. Allow trusted MS services to bypass the firewall

According to this link, APIM is included in the trusted MS service list. You could follow the steps below to enable this feature.

a. Enable the system-assigned identity on the APIM instance.
b. Create an Azure Service Bus Data Sender or Receiver role assignment, or both, on the Service Bus namespace for the APIM MSI.
c. Enable MSI in the APIM inbound policy for authentication below.

4.8K Views, 1 like, 0 Comments