azure
[Architecture Pattern] Scaling Sync-over-Async Edge Gateways by Bypassing Service Bus Sessions
Hi everyone, I wanted to share an architectural pattern and an open-source implementation we recently built to solve a major scaling bottleneck at the edge: bridging legacy synchronous HTTP clients to long-running asynchronous AI workers.

The Problem: Stateful Bottlenecks at the Edge

When dealing with slow AI generation tasks (e.g., 45+ seconds), standard REST APIs will drop the connection, resulting in 504 Gateway Timeouts. The standard integration pattern here is Sync-over-Async: the Gateway accepts the HTTP request, drops a message onto Azure Service Bus, waits for the worker to reply, and maps the reply back to the open HTTP connection.

However, the default approach is to use Service Bus Sessions for request-reply correlation. At scale, this introduces severe limitations:

1. Stateful Gateways: The Gateway pod must request an exclusive lock on the session. It becomes tightly coupled to that specific request.
2. Horizontal Elasticity is Broken: If a reply arrives, it must go to the specific pod holding the lock. Other idle pods cannot assist.
3. Hard Limits: A traffic spike easily exhausts the namespace's concurrent session limits (especially on the Standard tier).

The Solution: Stateless Filtered Topics

To achieve true horizontal scale, the API Gateway layer must be 100% stateless. We bypassed Sessions entirely by pushing the routing logic down to the broker using a Filtered Topic Pattern.

How it works:

1. The Gateway injects a CorrelationId property (e.g., Instance-A-Req-1) into the outbound request.
2. Instead of locking a session, the Gateway spins up a lightweight, dynamic subscription on a shared Reply Topic with a SQL Filter: CorrelationId = 'Instance-A-Req-1'.
3. The AI worker processes the task and drops the reply onto the shared topic with the same property.
4. The Azure Service Bus broker evaluates the SQL filter and pushes the message directly to the correct Gateway pod.

No session locks. No implicit instance affinity. Complete horizontal scalability.
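The four steps above, as an added example written by the editor against the azure-messaging-servicebus Java SDK; it is not code from the post or from the linked starter. The queue name ai-requests, the topic name ai-replies, the rule name "correlation" and the use of a CorrelationId application property (as opposed to the system sys.CorrelationId) are assumptions. The gateway side creates a per-request subscription whose SQL rule matches a random correlation id, publishes the request, and awaits the single matching reply; the worker side copies the property onto its reply so the broker routes it.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.messaging.servicebus.ServiceBusClientBuilder;
import com.azure.messaging.servicebus.ServiceBusMessage;
import com.azure.messaging.servicebus.ServiceBusReceivedMessage;
import com.azure.messaging.servicebus.ServiceBusReceiverClient;
import com.azure.messaging.servicebus.ServiceBusSenderClient;
import com.azure.messaging.servicebus.administration.ServiceBusAdministrationClient;
import com.azure.messaging.servicebus.administration.ServiceBusAdministrationClientBuilder;
import com.azure.messaging.servicebus.administration.models.CreateRuleOptions;
import com.azure.messaging.servicebus.administration.models.CreateSubscriptionOptions;
import com.azure.messaging.servicebus.administration.models.SqlRuleFilter;

import java.time.Duration;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.function.UnaryOperator;

/** Editor's example, not the starter's code: per-request filtered subscription on a shared reply topic. */
public final class FilteredReplyGateway {
    // Assumed entity names; both must already exist in the namespace.
    static final String REQUEST_QUEUE = "ai-requests";
    static final String REPLY_TOPIC = "ai-replies";
    // Application (user) property the rule tests; "sys.CorrelationId" would address the system property instead.
    static final String CORRELATION_PROPERTY = "CorrelationId";

    private final ServiceBusAdministrationClient admin;
    private final ServiceBusClientBuilder clients;

    public FilteredReplyGateway(String fullyQualifiedNamespace) {
        TokenCredential credential = new DefaultAzureCredentialBuilder().build();
        // Creating subscriptions is a management-plane call: the gateway identity needs Manage rights
        // on the topic (e.g. Azure Service Bus Data Owner), which is broader than Send/Listen.
        this.admin = new ServiceBusAdministrationClientBuilder()
                .credential(fullyQualifiedNamespace, credential)
                .buildClient();
        this.clients = new ServiceBusClientBuilder()
                .fullyQualifiedNamespace(fullyQualifiedNamespace)
                .credential(credential);
    }

    /** Gateway side: publish the request, then await the one reply that passes this call's SQL filter. */
    public CompletableFuture<String> call(String prompt, Duration timeout) {
        // The filter value is the only thing binding a reply to this caller. Anything with Send rights on
        // the reply topic could inject a reply for a predictable id, so use a random one rather than a
        // sequential "Instance-A-Req-1". A UUID is also safe to interpolate into the rule text.
        String correlationId = UUID.randomUUID().toString();
        String subscription = "gw-" + correlationId;

        CreateSubscriptionOptions subscriptionOptions = new CreateSubscriptionOptions()
                // Broker-side cleanup (5 minutes is the minimum) so a crashed pod's subscription does
                // not linger; a topic allows at most 2,000 subscriptions, so orphans matter.
                .setAutoDeleteOnIdle(Duration.ofMinutes(5));
        CreateRuleOptions rule = new CreateRuleOptions()
                .setFilter(new SqlRuleFilter(CORRELATION_PROPERTY + " = '" + correlationId + "'"));
        // Subscribe before sending so a fast reply cannot arrive while nobody is subscribed.
        admin.createSubscription(REPLY_TOPIC, subscription, "correlation", subscriptionOptions, rule);

        try (ServiceBusSenderClient sender = clients.sender().queueName(REQUEST_QUEUE).buildClient()) {
            ServiceBusMessage request = new ServiceBusMessage(prompt);
            request.getApplicationProperties().put(CORRELATION_PROPERTY, correlationId);
            sender.sendMessage(request);
        }

        return CompletableFuture.supplyAsync(() -> {
            try (ServiceBusReceiverClient receiver = clients.receiver()
                    .topicName(REPLY_TOPIC).subscriptionName(subscription).buildClient()) {
                for (ServiceBusReceivedMessage reply : receiver.receiveMessages(1, timeout)) {
                    receiver.complete(reply);
                    return reply.getBody().toString();
                }
                throw new IllegalStateException("no reply for " + correlationId + " within " + timeout);
            } finally {
                admin.deleteSubscription(REPLY_TOPIC, subscription); // eager cleanup on the normal path
            }
        });
    }

    /** Worker side: take one request, run the slow model, publish the reply carrying the same property. */
    public static void serveOne(ServiceBusClientBuilder clients, UnaryOperator<String> model) {
        try (ServiceBusReceiverClient requests = clients.receiver().queueName(REQUEST_QUEUE).buildClient();
             ServiceBusSenderClient replies = clients.sender().topicName(REPLY_TOPIC).buildClient()) {
            for (ServiceBusReceivedMessage request : requests.receiveMessages(1, Duration.ofSeconds(30))) {
                ServiceBusMessage reply = new ServiceBusMessage(model.apply(request.getBody().toString()));
                // Copy the caller's id verbatim; this is the value the broker's SQL rule evaluates.
                reply.getApplicationProperties().put(CORRELATION_PROPERTY,
                        request.getApplicationProperties().get(CORRELATION_PROPERTY));
                replies.sendMessage(reply);
                requests.complete(request); // settle the request only after the reply is on the topic
            }
        }
    }
}
```

Two design points worth checking in your own deployment: the subscription is created with auto-delete-on-idle because a subscription does not disappear by itself when the pod holding the receiver dies, and each call costs one management-plane round trip, so the identity that runs the gateway must hold Manage rights on the reply topic while the worker only needs Listen on the queue and Send on the topic.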
If a pod crashes, its temporary subscription simply drops, preventing locked poison messages.

Open Source Implementation

Implementing dynamic Service Bus Administration clients and receiver lifecycles is complex, so I abstracted this pattern into a Spring Boot starter for the community. It handles all the dynamic subscription and routing logic under the hood, allowing developers to execute highly scalable Sync-over-Async flows with a single line of code returning a CompletableFuture.

GitHub Repository: https://github.com/ShivamSaluja/sentinel-servicebus-starter
Full Technical Write-up: https://dev.to/shivamsaluja/sync-over-async-bypassing-azure-service-bus-session-limits-for-ai-workloads-269d

I would love to hear from other architects in this hub. Have you run into similar session exhaustion limits when building Edge API Gateways? Have you adopted similar stateless broker-side routing, or do you rely on sticky sessions at your load balancers?

Admin-On-Behalf-Of issue when purchasing subscription
Hello everyone! I want to reach out to you on the internet and ask if anyone has the same issue as we do when creating PAYG Azure subscriptions in a customer's tenant, in which we have delegated access via GDAP through Partner Center. It is a bit of an AI-formatted question.

When an Azure NCE subscription is created for a customer via an Indirect Provider portal, the CSP Admin Agent (foreign principal) is not automatically assigned Owner on the subscription. As a result:

- AOBO (Admin-On-Behalf-Of) does not activate
- The subscription is invisible to the partner when accessing Azure via Partner Center service links
- The partner cannot manage and deploy to a subscription they just provided

This breaks the expected delegated administration flow.

Expected Behavior

For CSP-created Azure subscriptions:

- The CSP Admin Agent group should automatically receive Owner (or equivalent) on the subscription
- AOBO should work immediately, without customer involvement
- The partner should be able to see the subscription in the Azure Portal and deploy resources

Actual Behavior Observed

For Azure NCE subscriptions created via an Indirect Provider:

- No RBAC assignment is created for the foreign AdminAgent group
- The subscription is visible only to users inside the customer tenant
- The Partner Center role (Admin Agent foreign group) is present, but without Azure RBAC

Required Customer Workaround

For each new Azure NCE subscription, the customer must:

1. Sign in as Global Admin
2. Use "Elevate access to manage all Azure subscriptions and management groups"
3. Assign themselves Owner on the subscription
4. Manually assign Owner to the partner's foreign AdminAgent group

Only after this does AOBO start working.
Example

The partner tries to access the subscription:
https://portal.azure.com/#@customer.onmicrosoft.com/resource/subscriptions/<subscription-id>/overview

But there is no subscription visible: "None of the entries matched the given filter".

Elevate access from the customer's Global Admin:
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs#step-1-elevate-access-for-a-global-administrator

Then apply the manual RBAC fix in the Cloud console:

az role assignment create \
  --assignee-object-id "<AdminAgent-Foreign-Group-ObjectId>" \
  --role "Owner" \
  --scope "/subscriptions/<subscription-id>" \
  --assignee-principal-type "ForeignGroup"

After this, AOBO works as expected for delegated administrators (foreign user accounts).

Why This Is a Problem

- Partners sell Azure subscriptions that they cannot access
- Forces involvement from customers
- Breaks delegated administration principles

For Indirect CSPs managing many tenants, this is a decent operational blocker.

Key Question to Microsoft / Community

- Does anyone else struggle with this?
- Is this behavior by design for Azure NCE + Indirect CSP?
- Am I missing some point of view on why not to do it in the suggested way?

Network Design Ideas for VMs in Azure
Hello, I am analyzing the current Azure environment at my new job and trying to figure out the architectural choices, mostly networking-wise. Currently, we have 10 VMs, each VM has its own VNet, and they are all in the same region. In my experience so far, I have never seen such a network design in Azure before. If all VMs are in the same region, we could have one VNet and utilize subnets and NSGs to segment the VMs and control the traffic. Having so many different VNets makes it very complex to manage. Looking for opinions on what other people think. Is this just a bad design, or is it just to keep the VMs separate from each other?

Best Practices for Designing a Hub-and-Spoke Architecture in Azure
A Hub-and-Spoke architecture is a widely used networking topology in Azure that helps organizations centralize network management, enhance security, and optimize connectivity. However, designing an efficient Hub-and-Spoke model requires careful planning regarding network security, scalability, and cost optimization.

- What are the core components of a Hub-and-Spoke architecture in Azure?
- What factors should be considered when designing the hub (e.g., Virtual Network Gateway, Firewall, Security controls)?
- What are the key challenges you've encountered while implementing a Hub-and-Spoke architecture in Azure, and how have you addressed them?

Managing Multiple VMs on Azure Similar to Workspace One
Hello, I currently manage an infrastructure of approximately 100 VMs. I would like to perform activities on Azure such as:

- Installing/removing apps
- Viewing all installed apps on the VMs
- Adding shortcuts to the desktop
- Adjusting timezone/date and time

I am looking for a solution that can handle these tasks, similar to what Workspace One does, but for Windows Servers. How do you currently manage these tasks? Thank you!

Feel free to post this on the Microsoft forum. If you need any further assistance, let me know!

Limits with my on-prem AD DS domain with "_" 😑
Hello everybody,

Here is my situation. I have a domain name, "domain_contoso.com", that all my servers are joined to, and I don't have synchronisation with MS Entra ID. My project now is to migrate my servers to Azure, and I'm confused. In fact, I want to extend my Active Directory with this domain on an Azure VM and configure trust and replication, but the problem is that I can't create a verified domain with the "_", and MS Entra ID doesn't accept it either.

So, my questions are:

- If I purchase a new verified domain "domaincontoso.com" (without the "_") and add it to MS Entra ID, then synchronise all my users from "domain_contoso.com" to MS Entra ID and extend the same on-prem Active Directory to a VM on Azure with replication configured, does that work? Are there any risks?
- If I purchase a new verified domain "contoso.com" and create a new Active Directory on an Azure VM with this domain, then configure synchronisation to MS Entra ID, and also configure a trust with the on-prem "domain_contoso.com" to ensure that all users in the on-prem AD can access the servers with the new domain in Azure after migration?

What is the best solution? And what are the pros and cons? Thank you very much.

Store a file in Azure and make it accessible over the Internet
I wish to store a txt file in Azure and make it so that the file is accessible when someone goes to its corresponding URL. No need for access control or authentication. The file contains a filter list that the ABP extension will access via URL, and this txt file will be stored somewhere in Azure. What Azure solution can I use for this that keeps the price down for us?

Video Recording: Azure Architecture Best Practices
The video recording from the free online event where I was presenting together with Microsoft Cloud Solution Architect Dominik Zemp about Azure Architecture Best Practices is now available. In this session, you will learn about proven guidance that is designed to help you architect, create, and implement the business and technology strategies necessary for your organization to succeed in the cloud. It provides best practices, documentation, and tools that cloud architects, IT professionals, and business decision-makers need to successfully achieve their short- and long-term objectives. We will be focusing on topics like the Cloud Adoption Framework and the new Enterprise-Scale landing zone architecture.

Azure Architecture Best Practices Virtual Event Agenda:

- Introduction
- Why Azure Architecture?
- Introduction to the Cloud Adoption Framework
- What is Enterprise-Scale?
- Build landing zones with Enterprise-Scale
- Critical design areas
- Deployment using AzOps
- Demo
- Build on top of Enterprise-Scale: Well-Architected Framework for workloads and apps
- Q&A
Move on-prem environment to Azure migration
Hi there, I'm working with a customer with a traditional Windows AD domain. The customer wants to move all their Windows VMs (now running on VMware) to Azure. For the clients, we recently managed to make all devices Azure AD Joined only. The M365 suite is used for Teams/SharePoint/Exchange Online, Defender for Endpoint and Endpoint Manager for client management. We have no domain-joined computers anymore. All the users are still in Azure AD Connect, which syncs to Azure AD. Printers are on Universal Print, and files are in Teams/SharePoint. We now have a large file share that we could not migrate to SharePoint. We would like to have this on Azure Files. Right now we are at the start of creating an Azure subscription. What would be the best route to take for this? On-prem there are a couple of Windows (app) VMs that we would like to "lift and shift" to Azure. These app servers are used for legacy/history checking. If there is any clear path or documentation that we can consult, I would like to know. Thanks in advance!