Tyler's Azure Blog

Azure DevOps Git Credential Issues

2019-12-13T00:00:00Z

Accessing multiple Azure DevOps Organizations from the same PC

I am not sure if this is a common problem. It was difficult to find forum posts or articles on the exact issue.

I use many Azure DevOps organizations on a daily basis, some are attached to the Microsoft corp. Azure AD tenant, a customer's tenant, or using my personal Microsoft Account (aka Live ID)

Even though I use the Git Credential Manager for Windows, it is common to get the following error when using a personal repo.

git pull
remote: TF401019: The Git repository with name or identifier Wyam-Blog does not exist or you do not have permissions for the operation you are attempting.
fatal: repository 'https://dev.azure.com/tylerd/Blog/_git/Wyam-Blog/' not found

Near as I can tell, a silent process in the background is authenticating to Azure DevOps using my corporate account (logged into my PC), acquiring a PAC (Personal Access Token), and storing the token in the Windows Credential vault. However, the problem is I don't want to use my corp credentials when accessing my personal projects.

If there is a better way to configure this, or git command to run, please leave a comment below, but for now I will fast-forward to a workaround.

Workaround

If you open the Windows Credential Manager after attempting to access the repo, you will notice that the Git Credential Manager has added a "Generic Credential" to access Azure DevOps

Get new PAC

Login to the Azure DevOps project you are trying to access.
Under your user settings, open the Personal access tokens screen

Create a new token
Set the permissions, for the Git CLI you mainly need Code: Read & write
Copy the new token value
On you PC, open Control Panel > Credential Manager
Switch to Windows Credentials
Under Generic Credentials, find the Azure DevOps organization credential that was created. In my case that was "git:https://tylerd@dev.azure.com/tylerd"
Click Edit

Replace the Password with your new Personal Access Token
Click Save
All done!

Try running the Git command again and you should have access to your repo.

Deploying Azure resources to multiple resource groups

2019-08-07T00:00:00Z

Azure Resource Manager (ARM) templates provide an excellent, built-in resource configuration and deployment solution. You can find a wealth of templates for deploying anything from a Wordpress site on Azure App Service, to a full HDInsight cluster on a private VNET.

Often I work with customers that need to go beyond the basics of ARM Templates, deploying complex solutions across multiple Resource Groups, with different RBAC permissions.

So here I will share some tips-and-tricks you may find helpful when authoring complex templates.

Deploying to multiple Azure Resource Groups

First, a very common question, and the title of this post, deploying Azure resources across multiple Resource Groups. You can accomplish this in 3 ways:

Deploy multiple times using a script or deployment engine (Azure DevOps Pipeline)
Deploy to a "primary" Resource Group with nested templates deploying to other Resource Groups
Use a Subscription-level resource template to define all Resource Groups and nested templates

Using a script (#1)

This is by far the simplest solution, however it is also the most error-prone. You will have to code features that the Azure deployment system would otherwise handle for you, like dependencies, failures, and ordering. Most likely need a script, however it is best to keep it as simple as possible, adding all of the configuration into the ARM Template.

Resource Group deploying other Resource Groups (#2)

This is accomplished using the "resourceGroup" property which you can set on the "Microsoft.Resources/deployments" type, otherwise known as a nested template. Overall this is a minimal change if you are already using nested templates.

You can also deploy to multiple subscriptions using the "subscriptionId" property.

There are a couple of gotchas here, one is that the child Resource Groups need to exist before the nested deployment (just like how you need to define an existing RG when executing a template deployment). You can either script the creation of all of the RGs before running the deployment on the "primary" RG, or use the "Microsoft.Resources/resourceGroups" resource type, with the dependsOn property on the nested template.

Here is an example

{
    "type": "Microsoft.Resources/resourceGroups",
    "apiVersion": "2018-05-01",
    "location": "[parameters('location')]",
    "name": "[parameters('msiResourceGroup')]",
    "properties": {}
},
{
    "name": "msiDeployment",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2017-05-10",
    "resourceGroup": "[parameters('msiResourceGroup')]",
    "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', parameters('msiResourceGroup'))]"
    ],
    "properties": { ... }
}

Also, depending on how you nest templates, the resourceGroup() function will behave differently. If you have an embedded template "template": {} the resourceGroup() function will refer to the parent RG. Alternatively, if you have a linked template "templateLink": { "uri": "..."} the resourceGroup() function will refer to the child RG. The same applies to the subscription() function.

Subscription-level Templates (#3)

This may be my preferred method of deploying complex, multi-RG solutions. Most of the concepts are the same as cross-RG deployments, however there is no "primary" RG. With this method you can deploy to a completely blank Subscription, which is why this is often used in combination with Azure Blueprints as a "Subscription Factory" pattern.

To author Subscription Templates, you need to use a different template schema https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json# and execute the deployment using the New-AzDeployment or az deployment create command.

Here is an Azure docs article for the details: Create resource groups and resources at the subscription level

The Subscription template will be fairly light, with most of the heavy lifting in the nested templates. There are a few functions that are not available in the Subscription Template, like resourceGroup() which means you can't use resourceGroup().location as a default deployment location.

You will need to add a "location" parameter to the template, and use the value when creating the Resource Groups.

Here is an example:

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": { 
        "hdiResourceGroup": {
            "type": "string",
            "defaultValue": "DL-HDI"
        },
        "msiResourceGroup": {
           "type": "string",
           "defaultValue": "DL-MSI"
        },
        "location": {
            "type": "string",
            "defaultValue": "westus2"
        } ...
    },
    "variables": {...},
    "resources": {
        {
            "type": "Microsoft.Resources/resourceGroups",
            "apiVersion": "2018-05-01",
            "location": "[parameters('location')]",
            "name": "[parameters('hdiResourceGroup')]",
            "properties": {}
        },
    }
    ....
}

Extra Tip: Using the `templateLink.uri` property

I am not a big fan of using additional parameters for Nested Template URLs and SAS Tokens. You may have seen them in examples with underscores in front, like "_sasToken" or "_templateRoot"

When you create a deployment using a template link URL (on raw.githubusercontent.com or Azure Blob Storage) you have access to a templateLink property on the Deployment model

If you are using public urls, you can just use the uri() function for nested templates.

"msiTemplate": "[uri(deployment().properties.templateLink.uri, 'dl-msi.json')]

If you want to secure the templates using Azure Blob Storage SAS Tokens, you can use some String functions to pull the SAS token out of the TemplateLink property.

For example:

"variables": {
  "templateRoot":"[deployment().properties.templateLink.uri]",
  "hasToken":"[not(equals(indexOf(variables('templateRoot'),'?'), -1))]",
  "sasToken":"[if(variables('hasToken'),substring(variables('templateRoot'),indexOf(variables('templateRoot'),'?')),'')]",
  "msiTemplate": "[concat(uri(deployment().properties.templateLink.uri, 'dl-msi.json'), variables('sasToken'))]",
}

Note that this example supports both public and access token URLs, which adds complexity with conditional statements. I tried to keep it as simple as possible.

This practice assumes that you are deploying the templates before running any deployments. This does not work with local files or inline JSON deployments.

Authentication using Azure Management SDK

2018-12-27T00:00:00Z

If you want to programmatically update Azure Resource configurations you have a number of options.

Use the PowerShell or Python command line tools
Use the .NET Fluent libraries
Use the .NET Management SDK
Call the REST API directly

Each of those options have pros and cons depending on how you are using them. Overall I would suggest using the PowerShell module if possible.

However, you may need to integrate the Azure SDK directly into you application or tool with the Management SDK.

Getting Started with the .NET Management SDK

Like other SDK libraries, the Azure Management SDK is meant to be at the "core" of the tool or system you are building. As such, the libraries are highly configurable and not very prescriptive. Also, there is very little documentation on how to use this library. Most articles I have seen assume you have created an application in Azure AD and generated an access token somehow.

Packages

Rather than one large library or package for all of the Azure services, the Management SDK has a package per resource type.

Here is a full list of the NuGet Packages

Along with the specific resource package, you should also install the following common packages.

Microsoft.Rest.ClientRuntime.Azure

Microsoft.RestClientRuntime.Azure.Authentication

Logging In

Each library will contain one or many "Client" classes. Instantiating the client class will require an implementation of the ServiceClientCredentials abstract class.

Rather than implement that class yourself, you can find a few implementations in the Microsoft.Rest.Azure.Authentication namespace. Let's go over a few of the Providers in that namespace.

Add Using:

using Microsoft.Rest.Azure.Authentication

Application Token

You can use the ApplicationTokenProvider class when your application interacts with the Azure API directly as an application, without user context.

Setup

For this token provider you need to go to Azure AD and create an application. After creating that application you can either generate a Secret Key or upload a certificate.

There are two different sets of Static methods on the ApplicationTokenProvider class. LoginSilentAsync and LoginSilentWithCertificateAsync

LoginSilentAsync

ServiceClientCredentials creds = ApplicationTokenProvider.LoginSilentAsync("mydomain.onmicrosoft.com", "<appId/clientId guid>", "<secret>");

LoginSilentWithCertificateAsync

X509Certificate2 localCert = ...

ClientAssertionCertificate certAssertion = new ClientAssertionCertificate("<appId/clientId guid>", localCert);

ServiceClientCredentials creds = ApplicationTokenProvider.LoginSilentWithCertificateAsync("mydomain.onmicrosoft.com", certAssertion);

If you are building a .NET Full Framework application (using .NET 452 or above) you can use the UserTokenProvider.LoginWithPromptAsync static method.

Again this requires that you have registered an Azure AD Application

LoginWithPromptAsync

var settings = ActiveDirectoryClientSettings.UsePromptOnly("<clientId>", new Uri("http://myRedirectUri"));

var cred = UserTokenProvider.LoginWithPromptAsync(settings);

That is the simplest signature, which uses the common tenant. If know which Tenant the user is logging into and want to reduce the redirects you can use a method with the TenantId parameter.

Elevate Access to Root Management Group

2018-07-03T00:00:00Z

Management Groups

Recently a new Azure resource type was introduced called Management Groups, which allows users to group Azure Subscriptions under the same Azure AD Directory (aka. Tenant) for ease of access and policy management.

Azure Docs Article: Organize your resources with Azure management groups

Root Management Group

By default all of the subscriptions attached to the Directory (your_organization.onmicrosoft.com) will be under the "Tenant Root Group". However, when you first enable Management Groups you will not have access to the Root Group. To get full Owner access to the group you need to use a Directory Global Admin to assign the Owner role to a user.

This article generically outlines how to elevate access for a Global Administrator. Once you follow the first set of steps you can run the following PowerShell commands to setup your permissions.

Only a Global Administrator will be able to get elevated access.

Owner Role Assignment

Note: This requires AzureRM.Resources Module version 6.1.0 or above

Verify that you have User Access Administrator permissions

Get-AzureRmRoleAssignment | 
    where {$_.RoleDefinitionName -eq "User Access Administrator" `
        -and $_.SignInName -eq "<username@example.com>" `
        -and $_.Scope -eq "/"}

Get the "Tenant Root Group" Id property using Get-AzureRmManagementGroup

It will be of the form /providers/Microsoft.Management/managementGroups/94c40a73-c82f-47f0-8244-aed167ae33a0 where the GUID is the Directory ID of the Azure AD Directory.

Create a new Owner role assignment

New-AzureRmRoleAssignment `
    -ObjectId $userObjectId `
    -RoleDefinitionName "Owner" `
    -Scope $rootManagementGroupId

Clean Up

Once you have verified access to the Root Management Group, go back to Azure Active Directory and disable the "User Access Administrator" role assignment by setting the directory property to No or running the following script

Remove-AzureRmRoleAssignment `
    -SignInName "<username@example.com>" `
    -RoleDefinitionName "User Access Administrator" `
    -Scope "/"

Azure Application Insights and Static Content

2018-03-20T00:00:00Z

As you may have noticed, this site uses Wyam as a static site generator to produce what you see here from a set of .md Markdown files checked into a Git repository.

The site is hosted on Azure Web Apps which is basically IIS under-the-hood.

There are some little tricks in the web.config file to make this work properly. Which you can find more info on the Azure hosting Wyam documentation page.

I noticed that even after instrementing Application Insights into the client side JavaScript I was not getting any server side telemetry. The reason for that is that the default Web App extension assumes that you are using ASP.NET which with a Static Site you are not.

Enabling Application Insights for Static Content

If you are using Azure Web Apps. Add the Applications Insights Extension to the Web App. This will add the proper DLLs to the Bin directory of your site.

Add the following code to your web.config file

 <configuration>
     <system.webServer>
         <modules runAllManagedModulesForAllRequests="true">
             <remove name="ApplicationInsightsWebTracking"/>
             <add name="ApplicationInsightsWebTracking" 
             type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web"
             preCondition="managedHandler"/>
         </modules>
     </system.webServer>
 </configuration>

The key difference in this code compared to the Application Insights default settings is the runAllManagedModulesForAllRequests="true" flag on the Modules configuration.

And you are done! You should now see some server side telemetry for .png or .js requests in your Application Insights portal.

Thanks for reading.

Azure KeyVault your ASP.NET

2016-12-02T00:00:00Z

I am sure there are many projects with protected secrets and keys, and many more that should. One of the main hindrances of key protection is ease of use. Often teams skip over security features because of the time it would take away from building functionality.

With that I wanted to outline a very quick and easy way to start consuming secrets in a KeyVault store.

Note: The regular documentation for using KeyVault in an ASP.NET page can be found here.

Microsoft Extensions Configuration

Microsoft.Extensions.Configuration (GitHub) is a .NET Core project to help users manage configuration settings from a variety of sources. You can load JSON, XML, INI, and even Cmdline Args.

Fortunately the libraries target both .NETStandard 1.5 and .NETFramework 4.5.1, so they can be used in your existing ASP.NET projects.

Microsoft.Extensions.Configuration.AzureKeyVault (NuGet) adds a UseAzureKeyVault extension method to the base library.

Implementing this is very easy.

var builder = new ConfigurationBuilder();

builder.AddAzureKeyVault(
	ConfigurationManager.AppSettings["Vault"],
	ConfigurationManager.AppSettings["ClientId"],
	ConfigurationManager.AppSettings["ClientSecret"]);

config = builder.Build();

Then to access the secret.

config["ConnectionStringKey"];

Web.config

<add key="ClientId" value="" />
<add key="ClientSecret" value="" />
<add key="Vault" value="https://{name}.vault.azure.net" />

Where ClientId is the Guid for the Azure AD Application with authorized access to the Azure KeyVault. ClientSecret is the secret key generated by the AD Application for service level authentication.

More Details on KeyVault access setup here.

Resources

Source Code
Ronin Building Blocks – Configuration blog post by Chris Clayton

azure-cli on Bash Windows 10

2016-08-10T00:00:00Z

Once you get the Anniversary Update for Windows 10 you will be able to run Bash on Windows provided by Ubuntu. Very excited about this! It will make managing Linux machines that much easier.

Installing azure-cli

Install NPM - sudo apt-get install -y nodejs
Install azure-cli - npm install -g azure-cli
Create symbolic link between nodejs and node - sudo ln -s /usr/bin/nodejs /usr/bin/node

Note: The reason for step 3 is that Ubuntu installs nodejs rather than node, since the azure-cli is programmed to use node, you will get an error without this link

And you are done. After running azure you should see this...

AspNetCore - Get current access token

2016-07-14T00:00:00Z

Recently I was doing some fiddling with Fitbit authentication using the AspNet Security OAuth Providers to see if I could authenticate a website user with a Fitbit OAuth token and then use that access key to display some statistics on the amount of steps they have in a given work week.

The authentication component was relatively easy, just adding the dependency to the Fitbit security provider from NuGet and it worked. However, normally in the OWIN providers the code would add the Access Token to the current set of Claims in the ClaimsIdenitity object. In AspNetCore that was not the case.

app.UseFitbitAuthentication(options =>
{
    options.ClientId = "";
    options.ClientSecret = "";
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.Scope.Add("profile");
    options.Scope.Add("activity");
    options.SaveTokens = true;
});

So long story short, this is a basic HttpContext extension method to retrieve the Access Token from the AuthenticationManager

public static string GetFitbitUserAccessToken(this HttpContext context)
{
    var authInfo = context.Authentication.GetAuthenticateInfoAsync("Fitbit").Result;
    var tokens = authInfo.Properties.GetTokens();
    var accessToken = tokens.FirstOrDefault(t => t.Name == "access_token");

    return accessToken.Value;
}

Error handling removed for length

The key component here is the GetAuthenticateInfoAsync call. In a security configuration there could be multiple Auth "Schemes" you need to specify the one you are retrieving, some basic debugging will allow you to find the right one.

Hope this helps.

Thanks for reading.

Harp on Azure Web Apps

2015-12-31T00:00:00Z

Recently I have been trying out different frameworks like Ghost running on Azure Web Apps. I was trying to get away from just the standard ASP.NET or PHP solutions, branching out to Node.js or static site generators (more to come on that).

Harp

Harp is a Node.js / npm web platform that uses common template formats like Jade and Markdown to make it easier to author pages. Rather than providing a user interface for authoring, the process flow includes editing local files for content and layout.

Harp seems to be both a Static Site Generator and a Node.js hosting platform. For the purposes of this post I will be going through how to run Harp as a hosting platform.

Initialize Harp directory
```
 harp init my-harp-app
 cd my-harp-app
```

Initialize your app as a Git repo

 git init
 git commit -am "initial commit"

Create a new Azure Web App
Enable Continuous Deployment with a Local Git Repository
Copy the repository clone url and add it as a remote repository
```
 git remote add azure https://user@my-harp-app.scm.azurewebsites.net:443/my-harp-app.git
```
Note: my-harp-app will be replaced by your site name.

Add package.json and server.js

 {
  "name": "harpapp",
  "version": "0.0.0",
  "private": true,
  "dependencies": {
    "harp": "0.19.0"
  },
  "engines": {
    "node": "4.1.x",
    "npm": "3.5.1"
  }
 }

Then, use Node Package Manager to install the dependencies:
```
 npm install
```

Next, create server.js, which should contain the following:

 require('harp').server(__dirname, { port: process.env.PORT || 5000 })

Create a iisnode.yaml file which should contain the following
```
 node_env: production
```
Commit any changes to Git
```
 git commit -am "adding node files"
```
Deploy your Harp app to Azure
```
 git push azure master
```

At this point your site should be running on Azure at http://my-harp-app.azurewebsites.net, but with the subdomain you specifed instead of my-harp-app.

This article shows you how to create and deploy your Harp application to Azure using the Azure Command Line Interface (azure-cli) tool.

Stay tuned for more articles on web platforms and static site generators like middleman, Jekyll, Hexo, and more.

Thanks for reading.

Web Apps - Tools and Tips

2015-12-20T00:00:00Z

After doing some tinkering with Azure Web Apps I thought I would write a quick post outlining some quick tips. This will be mostly related to NodeJS as that was the platform I was working with.

Kudu

Kudu is the open source platform that powers deployments, configuration, logging, and extensions for Azure Web Apps. You can access it via a link in the tools menu of the new portal or by adding ".scm." in the middle of your URL.

yoursite.scm.azurewebsites.net

Some of the tasks that I use Kudu for:

Browsing and editing files on the site
Command Line (CMD or PowerShell)
Checking Environment Variables
Streaming Logs

Visual Studio Online [VSO]

Not to be confused with TFS-as-a-Service which has now been renamed to Visual Studio Team Services (VSTS), VSO is an online, web-based, programming IDE. You can install it on your site using Site Extensions either through the portal or Kudu. If this tool reminds you of Visual Studio Code it is because they use the same underlying JavaScript visual engine.

Once you setup the extension you can access VSO by adding /dev to the Kudu sub-domain.

your site.scm.azurewebsites.net**/dev**

For the project that I was working on I did not bother installing/upgrading different versions of Node and NPM on my machine but rather created a development site and used VSO for editing.

Some of the tasks I use VSO for:

File editing and debugging
Committing changes to the Git repository
Running commands (NPM, Git, static site gen)

iisnode.yml

This is the configuration file for the IIS Node module. This file complements the normal web.config with node-specific settings. Normally you would configure items like "node_env" in this file rather than the web.config so it can be easily checked into source control and maintain more human-readability. The web.config file will be generated by the Kudu deployment process when you sync changes, so most of the time there is no need to add it to the Git repo.

Occasionally you will find a node project, like Ghost Blog, where the log output will not be picked up by the normal log streaming feature of Azure Web Apps. In this instance I have added entries to iisnode.yml to enable alternate logging directly from IIS Node.

Here is an example iisnode.yaml file

node_env: production 
loggingEnabled: true 
logDirectory: iisnode

This example config file gives a description of the possible settings.

I hope some of this information proves useful, I may be adding some tips as I write out further blog posts so check back for more later on.

Thanks for reading.

Ghost on Azure Web Apps

2015-12-15T00:00:00Z

Every so often I like to try out different blogging platforms and Ghost is one that I have looked at multiple times since the project started. Even though it has been getting easier, the experience is not great when running Ghost on Azure.

There are a number of ways you can accomplish this, everything from forking the Ghost repo and building it to hosting Ghost on a Docker container.

I decided to deploy Ghost as an NPM module for a few reasons.

The ability to update a version number and re-deploy without dealing with Git forks, pulls, or commits from any other repos
I was not going to edit the Ghost platform itself, the only changes to the site would be related to content, themes, and configuration

For some of the other ways you can host Ghost on Azure, check out this post by Andrew Zay.

Now here is the step by step guide to creating a Ghost site on Azure using NPM.

Prerequisites

Install NPM
Install Git
Install Azure CLI - npm install -g azure-cli
(Optional) Install Visual Studio Code

Setup Local Environment

Create a new directory for your Ghost app
Initialize an npm package with npm init
Fill in the require information

Add the following to package.json

"engines": {
    "node": "0.10.32"
},
"dependencies": {
    "ghost": "0.7.4"
}

Create a server.js file

Add the following

 var ghost = require('ghost');
 var path = require('path');

 ghost({
     config: path.join(__dirname, 'config.js')
 }).then(function (ghostServer) {
     ghostServer.start();
 });

Create an iisnode.yml file

Add the following to iisnode.yml

 node_env: production
 loggingEnabled: true
 logDirectory: iisnode

Initialize a Git repository

Create Local Content and Config

Create config.js file based on the content here
Update production > url to your Azure Web App url
Update production > server > port to process.env.PORT

Add the content path after the server config

 paths: {
     contentPath: path.join(__dirname, '/content/')
 }

Copy /content/ directory from here to the root directory

Copy the casper theme from here to the /content/themes/casper directory (this was a sub-module so it was not included on the github zip download)
Commit to Git repository

Deploy to Azure

Using the Azure CLI tool create a new Azure Web App

 azure site create --location "West US" my-ghost-app --git

Commit the new .gitignore file to your repository

Push changes to Azure
```
 git push azure master
```

At this point the deployment script should output to the console.

The first time you hit the site, node will be running some db migrations to initialize the data store. You should be able to see the stdout or stderr logging in the site/wwwroot/iisnode sub-directory.

Note: I chose the node version and ghost version specifically. I have had issues related to node, npm, ghost, and other dependencies in the past.

Thanks for reading.

App Services vs Cloud Services

2015-11-30T00:00:00Z

This blog article has been migrated from my old blog and updated. You can read the original post here

Update 2015: Cloud Services as it exists today is undergoing a significant change. If you want to deploy to stateless VMs like Cloud Services you can use VM Scale Sets

The question of the week is. When do you use Azure Web Apps as your web platform and when do you use Cloud Services. These two platforms provide similar functionality in that you can deploy your ASP.NET or other IIS based web application projects to either of these platforms. There are some general cases of when to use one over the other and some specific differences that may help in making that decision. In this post I am going to go through these differences and attempt to give some guidance on what to use when.

When to use Web Apps

You Are Just Starting - Compared to Cloud Services, Web Apps may not be as flexible but it is definitely easier. You can build your website using Visual Studio, WebMatrix, or any other IDE of your choice without the need for an SDK or any other additional software.

You can deploy to Azure Web Apps using WebDeploy, FTP, or even DropBox. You can sync your site code straight from GitHub, BitBucket, Codeplex, or TFS Online. It is incredibly easy and require little to know buy-in to Azure if you want to create an IIS website.

You Have a Single Compute Tier - If you are running an application that does not require internal communication then it would be much easier to use Web Apps . Again, the stance that I usually take is use the easiest option until you are required to change. If you need multiple machines that talk to each other over a private network, then you cannot use Web Apps and you need to use Cloud Services (or Virtual Machines).

With Web Apps you can have multiple servers handling requests if you have a high load, however those servers know nothing of each other and do not have internal addresses or endpoints.

Your Site is Written in PHP, Python, or Node.js - This point is not to say that you cannot use these platforms on Cloud Services, it is just easier with Web Apps because the machines are configured beforehand. With Cloud Services you get a base Azure Image to deploy onto. The Azure Website system uses that same base image however extra software has been installed to IIS for your convenience.

When to use Cloud Services

You Need Machine Level Access - If you compare the underlying platform of Web Apps and Cloud Services, Cloud Services provides you with a completely provisioned, unique, stateless virtual machine whereas Web Apps provides pre-configured IIS application pool, and you may be on the same machine as other sites. With IIS there are many restrictions, not the least of them is machine level access. This restriction could affect the base functionality of .NET like using PFX certificates to sign network tokens, or accessing local user profile data.

When deploying to Cloud Services there is no shared option, this deployment owns the entire virtual machine for its lifetime (which could vary, it is not a state-full instance). This gives you much more control over the deployment environment compared to Web Apps .

You Perform Background Processing - The Cloud Services platform has two different Role Types, a Web Role, and a Worker Role. If you are familiar with on-premise architectures you can compare the two to an IIS Application and a Windows Service. Azure Web Apps is all IIS, the web server provides the entire platform, there is no room for long running processes or threads that can sit and wait for communication on another port outside of IIS.

Note: For regularly scheduled or triggered operations you can use Azure Web Jobs which run as a sub-set of an Azure Web App.

If those Windows Service type scenarios are sounding familiar to you, you may need to consider using Cloud Services for the Worker Role capabilities.

Your Application Requires Internal Communication - With Windows Azure services there is a general level of scaleability. Both Cloud Services and Azure Web Apps can scale up and down as needed, even automatically. However, if you want to use 2 web front-end machines and they need to communicate to each other, you need to use Cloud Services Roles and Instances. Azure Web Apps take routed requests in a farm of IIS hosting servers, they have no knowledge of other machines in the same site.

Cloud Services however runs as an overall deployment with multiple Roles and each of those Roles can contain multiple Instances. You can scale different components of your system separate from others. Cloud Service deployments also have an internal network all to themselves to use to communicate between the Roles and Instances. The Azure SDK contains .NET Libraries to determine which machine is the current instance and where to contact the others.

Feature Breakdown

For those more specific features that may sway your decision one way or the other, here is a quick table comparing the two.

Feature	Web Apps	Cloud Services
Scale Out to Multiple Instances Without Redeploy	Yes	Yes
SSL	Yes	Yes
Visual Studio Integration	Yes	Yes
Deploy from TFS On-Prem or Online	Yes	Yes
WebMatrix Support	Yes	No
Fast Deployment	Yes	No
Instances Share Content and Configuration	Yes	No
Multiple Deployment Environments (Production and Staging)	Yes	Yes
Network Isolation	No	Yes
Support for Windows Azure Traffic Manager	Yes	Yes
Support for CDN	Yes	Yes
Remote Desktop Access	No	Yes
Execute Start-Up Tasks	No	Yes

Summary

If the above information has just left you more confused, here are some basic guidelines that I use for many Azure service match-ups.

Use what you need, until you need more, then switch.

That said, start by creating an Azure Website (hey, it's free right), get your application out into the world. If you find that you require more complexity and you are considering a multi-tier scenario, consider switching to Cloud Services.

As always, thanks for reading!

PFX certificate files and Azure Web Apps

2015-11-29T00:00:00Z

This blog article has been migrated from my old blog and updated. You can read the original post here

How I got burned today ...

I needed to write a simple SAML 1.1 provider that would generate a SAML token and sign it using a .pfx certificate.

So I wrote this code in my MVC4 Controller ...

var cert = new X509Certificate2(pfxFile, "myPassword");

var privateKey = cert.PrivateKey;

Used the private key to sign the token, ran it locally with no issue. However, once I published the site to Azure Web Apps I get this error.

   [CryptographicException: The system cannot find the file specified.]
   System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) +33
   System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
   System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) +218
   System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password) +63
   System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password) +58
   WAWSPfxTest.Controllers.HomeController.Index() +180

I confirmed that the file did in fact exist.

What happened ??

Well it turns out that when you load certificates the system will use a local directory to store the key (??)

The default location for the key is the under the local user profile, and with Azure Web Apps, there is no local user profile directory.

Key Storage Flags to the rescue

With some trial and error I found that the MachineKeySet flag worked on my Azure Web App. So with a quick change to the code it was working again.

var cert = new X509Certificate2(pfxFile, "myPassword", X509KeyStorageFlags.MachineKeySet);

var privateKey = cert.PrivateKey;

Note: This Azure Blog Article outlines how to upload and use certificates with Azure Web Apps.

I hope this helps someone.

Old Blog Posts

2015-11-28T00:00:00Z

This new blog is running on Azure and generated by Wyam. Previously I was running Ghost on Azure also. If you would like to view all my posts from 2010 up to 2014 please follow this link.

Tyler's Azure Blog

Azure DevOps Git Credential Issues

Accessing multiple Azure DevOps Organizations from the same PC

Workaround

Get new PAC

Deploying Azure resources to multiple resource groups

Deploying to multiple Azure Resource Groups

Using a script (#1)

Resource Group deploying other Resource Groups (#2)

Subscription-level Templates (#3)

Extra Tip: Using the templateLink.uri property

Authentication using Azure Management SDK

Getting Started with the .NET Management SDK

Packages

Logging In

Application Token

Interactive Login

Elevate Access to Root Management Group

Management Groups

Root Management Group

Owner Role Assignment

Clean Up

Azure Application Insights and Static Content

Enabling Application Insights for Static Content

Azure KeyVault your ASP.NET

Microsoft Extensions Configuration

azure-cli on Bash Windows 10

Installing azure-cli

AspNetCore - Get current access token

Harp on Azure Web Apps

Harp

Web Apps - Tools and Tips

Kudu

Visual Studio Online [VSO]

iisnode.yml

Ghost on Azure Web Apps

Prerequisites

Setup Local Environment

Create Local Content and Config

Deploy to Azure

App Services vs Cloud Services

When to use Web Apps

When to use Cloud Services

Feature Breakdown

Summary

PFX certificate files and Azure Web Apps

How I got burned today ...

What happened ??

Key Storage Flags to the rescue

Old Blog Posts

Tyler's Azure Blog - Wordpress.com

Extra Tip: Using the `templateLink.uri` property