Mysterious Nightly CPU Spikes on App Service Plans (22:00-10:00) Despite Low Traffic
For several months now, all of our Azure App Service Plans have been experiencing consistent CPU spikes during off-peak hours, specifically from approximately 22:00 PM to 10:00 AM. This pattern is particularly puzzling because: This timeframe corresponds to our lowest traffic and activity periods We've conducted thorough investigations but haven't identified the root cause No scheduled timer functions or planned jobs are running during these hours that could explain the spikes What we've already checked: Application logs and metrics Scheduled functions and background jobs Traffic patterns and user activity Has anyone encountered similar behavior? What could be causing these nightly CPU spikes on otherwise idle App Service Plans?π Securing Azure Workloads: From Identity to Monitoring
Hi everyone π β following up on my journey, I want to share how I approach end-to-end security in Azure workloads. - Identity First β Microsoft Entra ID for Conditional Access, PIM, and risk-based policies. - Workload Security β Defender for Cloud to monitor compliance and surface misconfigurations. - Visibility & Monitoring β Log Analytics + Sentinel to bring everything under one pane of glass. Through my projects, Iβve been simulating enterprise scenarios where security isnβt just a checklist β itβs integrated into the architecture. Coming soon: - A lab demo showing how Defender for Cloud highlights insecure configurations. - A real-world style Conditional Access baseline for Azure workloads. Excited to hear how others in this community are securing their Azure environments! #Azure | #AzureSecurity | #MicrosoftLearn | #ZeroTrust | #PerparimLabs
Built a Real-Time Azure AI + AKS + DevOps Project β Looking for Feedback
Hi everyone, I recently completed a real-time project using Microsoft Azure services to build a cloud-native healthcare monitoring system. The key services used include: Azure AI (Cognitive Services, OpenAI) Azure Kubernetes Service (AKS) Azure DevOps and GitHub Actions Azure Monitor, Key Vault, API Management, and others The project focuses on real-time health risk prediction using simulated sensor data. It's built with containerized microservices, infrastructure as code, and end-to-end automation. GitHub link (with source code and documentation): https://github.com/kavin3021/AI-Driven-Predictive-Healthcare-Ecosystem I would really appreciate your feedback or suggestions to improve the solution. Thank you!
Scaling Smart with Azure: Architecture That Works
Hi Tech Community! Iβm Zainab, currently based in Abu Dhabi and serving as Vice President of Finance & HR at Hoddz Trends LLC a global tech solutions company headquartered in Arkansas, USA. While I lead on strategy, people, and financials, I also roll up my sleeves when it comes to tech innovation. In this discussion, I want to explore the real-world challenges of scaling systems with Microsoft Azure. From choosing the right architecture to optimizing performance and cost, Iβll be sharing insights drawn from experience and Iβd love to hear yours too. Whether you're building from scratch, migrating legacy systems, or refining deployments, letβs talk about what actually works.Comparision on Azure Cloud Sync and Traditional Entra connect Sync.
Introduction In the evolving landscape of identity management, organizations face a critical decision when integrating their on-premises Active Directory (AD) with Microsoft Entra ID (formerly Azure AD). Two primary tools are available for this synchronization: Traditional Entra Connect Sync (formerly Azure AD Connect) Azure Cloud Sync While both serve the same fundamental purpose, bridging on-prem AD with cloud identity, they differ significantly in architecture, capabilities, and ideal use cases. Architecture & Setup Entra Connect Sync is a heavyweight solution. It installs a full synchronization engine on a Windows Server, often backed by SQL Server. This setup gives administrators deep control over sync rules, attribute flows, and filtering. Azure Cloud Sync, on the other hand, is lightweight. It uses a cloud-managed agent installed on-premises, removing the need for SQL Server or complex infrastructure. The agent communicates with Microsoft Entra ID, and most configurations are handled in the cloud portal. For organizations with complex hybrid setups (e.g., Exchange hybrid, device management), is Cloud Sync too limited?
π₯The Power of Azureβs Security Arsenal π₯
β Using a Public IP without securing your Azure applications and resources exposes you to security threats. Today, weβll explore the most powerful security solutions from Azureβs arsenal. β Azure provides a multi-layered approach (more than one layer of protection) to secure your resources when using a Public IP. Organizations can now transform this open gateway into a fortified checkpoint. Hereβs how these tools work together to mitigate risks: π Azure DDoS Protection π β Protects your resources and services from being overwhelmed by malicious traffic. This excellent service is available for Network & IP Protection SKUs. β Uses Machine Learning to distinguish between normal traffic patterns and malicious flooding attempts (such as SYN floods or UDP amplification attacks) before they impact your applications and services ensuring availability. π Azure Web Application Firewall (WAF) π β Adds application-layer protection, intercepting HTTP/HTTPS traffic for inspection. β Blocks suspicious attacks like SQL injection or XSS by applying OWASP core rule sets, which define how attacks occur and how to defend against them, with continuous updates. β Enhances security for customer-facing services, ensuring trust and protection for your website and users. π Network Security Groups (NSGs) π β Acts as a virtual firewall at the subnet or network interface level, filtering traffic based on predefined rules. β Can allow only trusted HTTPS (port 443) connections while blocking unsolicited RDP or SSH attempts. β Implements the critical security principle of reducing attack surface, ensuring only authorized traffic reaches your target resources. π Azure Private Link π β In some scenarios, avoiding Public IPs altogether is the best security approach. This powerful service allows secure access to Azure SQL Database or Storage via Private Endpoints inside your virtual network. β Helps organizations minimize external exposure while maintaining secure, private connections to necessary services. π Azure Bastion π β Provides secure access to Azure VMs without Public IPs, using RDP/SSH over encrypted TLS 1.2 traffic. β Uses a browser-based HTML5 web client to establish RDP/SSH sessions over TLS on port 443, fully compatible with any firewall. β Connects to VMs via Private IPs while enforcing NSG rules to allow access only through Azure Bastion. If you found this valuable, consider sharing so more professionals can benefit. Let's keep the conversation growing! ππ Azure Control, Data, & MGMT Planes: The Backbone of Cloud Efficiency π
Azure operations can be divided into Three categories (Control Plane - Data Plane - Management Plane) This post describes the differences between those three types of operations. Tip : Suppose that the word "plane" means "function" understand this definition like this !! # Control Plane (Function) # @ The Control Plane is responsible for managing and configuring Azure resources. @ It handles administrative tasks such as creating, updating, and deleting resources. @ All requests for control plane operations are sent to the Azure Resource Manager URL For Azure global, the URL is " https://management.azure.comm. " @ Azure Resource Manager handles all control plane requests. It automatically applies the Azure features you implemented to manage your resources, such as: Azure role-based access control (Azure RBAC) - Azure Policy - Management Locks - Activity Logs @ After Azure Resource Manager authenticates the request, it sends the request to the resource provider, which completes the operation. @ The control plane includes two scenarios for handling requests - "green field" and "brown field". @ Green field refers to ---> new resources. Brown field refers to ---> existing resources. # Data Plane (Function) # @ The Data Plane is responsible for interacting with the actual data within Azure resources. @ Once a resource is created, operations like reading, writing, and processing data occur in the Data Plane. @ Requests for data plane operations are sent to an endpoint that's specific to your instance. Ex : "myaccount.blob.core.windows.nett " ---> for storage account @ Operates independently of the Control Plane, meaning even if the Control Plane is unavailable, the Data Plane remains accessible. # Management Plane (Function) # @ The Management Plane oversees monitoring, security, and configuration of Azure services. @ It ensures that resources are operating efficiently and securely. Ex : Azure Monitor: Collecting logs and metrics from resources Ex : Azure Security Center: Managing security policies and compliance. Ex : Azure Automation: Running scheduled tasks for resource management.
Application Gateway, Geo-blocking, not working
Hello We've found a possible bug where we apply a FW policy with our WAF_v2 enabled Application Gateway instance. We have compliance demands where certain regions should not be allowed, this is applied by a custom rule with Geo-matching, blocking on remote addresses. According to all existing documentation, we have the correct set up and we can see that some regions are blocked - but not all. How do I come in contact with the AppGW / FW team? How can we highlight this and get some help? We can't really report this on a public forum like this. We need to get in touch with someone on the Microsoft side. Thankful for any response Niklas
Network Monitoring
Hi, I recently applied Network Security Groups on Virtual Networks (NSG). Now my question is, is it possible to monitor / record the network traffic? For example, I've configured many rules on the NSG, now a application on a Server won't work and my first guess is the NSG is blocking the communication. How do I see now which port the application is using so I can set a new rule to the NSG? I know when you already know the port you can check it in Network Watcher "IP flow verify and NSG diagnostics" as a whatif state. Traffic Analytics isn't the right answer too or am I seeing it wrong? Vnet Flow Logs should be the right thing. I configured it, applied traffic analytics and a account storage. Applied it for testing on a nic but I don't see anything practical for my use? The only thing Iwish is to see live or logged the traffic if the NSG blocked anything and troubleshoot.Custom permission to enable diagnostic setting in Entra ID
Custom permissions doesnt works when tried to enable diagnostic settings, in Microsoft Entra ID portal. Error: "does not have authorisation to perform action 'microsoft.aadiam/diagnosticSettings/write' over scope '/providers/microsoft.aadiam/diagnostic Settings/resourcename" Selective permissions that I applied to user account. My approach is to use custom role specific permissions. Appreciate your help to knows the right permission required. Regards, Rajkumar
