Run Microsoft SQL Server Container On Mac With Azure Data Studio.

Azure Data Studio is a cross-platform database development tool, originally branded as SQL Operations Studio, that provides a seamless database management experience regardless of whether users are connecting to on-premises or Azure-based data platforms.

Azure Data Studio is a cross-platform database tool for data professionals using the Microsoft family of on-premises and cloud data platforms on Windows, MacOS, and Linux.

–Microsoft

For many standard functions, Azure Data Studio offers a much richer experience than Microsoft’s flagship database management tool, SQL Server Management Studio (SSMS).

Azure Data Studio has better IntelliSense than SQL Server Management Studio, with more extensive support for keywords and useful T-SQL snippets. For example, with a few key presses you can locate and open the snippet for a CREATE PROCEDURE statement.

Once you press Tab, the complete base script for creating a stored procedure is inserted automatically, and you can then change it as required.

Download SQL Server Docker Image & Run Container

First you have to pull the SQL Server Docker image from the Docker registry; here I have selected the SQL Server Linux image.

Command: docker pull microsoft/mssql-server-linux

Check the image status by issuing the docker images command, which lists all images downloaded from the registry.

Command: docker images

In Docker we “install” an image by running it; that creates the actual Docker container, which is what you are executing. Let’s run our Docker image with the docker run command:

Command: docker run -d --name homer -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<YourPassword>' -p 1433:1433 <imageName>

  • -e 'ACCEPT_EULA=Y': With the -e option you set an environment variable that SQL Server depends on. In our case we have to accept the EULA to be able to use SQL Server.
  • -e 'SA_PASSWORD=Password@123': With the SA_PASSWORD environment variable we set the password for the SA login. The password must satisfy SQL Server’s password policy (at least 8 characters, drawn from at least three of the four categories upper-case letters, lower-case letters, digits and symbols); otherwise the container stops shortly after starting. A password passed on the command line also ends up in your shell history and in the output of docker inspect for that container, so use a strong, unique value even for local development.
  • -p 1433:1433: With the -p option we bind a port on our host machine (in my case on the Mac) to a port in the container. The port on the left side of the colon is the port on the host machine, and the port on the right side of the colon is the port in the container. In my case I bind the default SQL Server port 1433 inside the container to port 1433 on my Mac.
  • --name: With the --name option we assign a custom name to our Docker container.
  • -d: With the -d option the container runs detached from the Terminal. This just means that you can close your Terminal and your Docker container keeps running in the background. The final argument is the Docker image that we pulled previously.

After you have executed that Docker command, your Docker Container is up and running and ready to use.

Connect Azure Data Studio With Container.

We can connect Azure Data Studio to the running container directly via localhost, because in the last step we exposed port 1433 of the Docker container to our host machine.

Once the connection is established, you can see the server details on the home pane, where you can verify that the container ID appears as the computer name in Azure Data Studio. That means you have successfully connected to the running SQL Server container and can now execute SQL Server queries.

Execute SQL Queries

After connecting to the SQL Server container, right-click on the database and choose the New Query option. A query window opens, and you can now write and run SQL queries.

Summary

Running SQL Server on a Mac has always been a tedious task, and the tools available for the Mac were not easy to use and not very responsive. Docker makes it easy for developers to run SQL Server on macOS with a better user experience.

It’s now real: you can run SQL Server natively on the Mac, and with the help of Azure Data Studio you can even access SQL Server from a native macOS tool.

Filtered Subscriptions with Azure Service Bus Topics

Download Complete Project: AzureTopicSubscriptionfilters

Azure Service Bus topics allow multiple subscribers to receive the same messages. So if we post a message to a topic, one subscriber might send an order confirmation email, while another subscriber to the same event might handle payments.

The way this is done is that you create multiple “subscriptions” on the topic, and then you can listen for messages on those subscriptions, in the same way that you would listen for messages on a regular queue.

But what if your subscription is only interested in a subset of messages that are posted to that topic? Well, this is where filters come in. When we create a subscription, we can specify the properties of the messages we are interested in.

What is a Rule Filter?

As the filter type’s name implies, SqlFilter lets you define a SQL92 standard expression in its constructor, and that expression governs which messages the subscription receives.

There are the following types of filters:

  1. SqlFilter – the filter that a number of other filters derive from, such as TrueFilter and FalseFilter.
  2. TrueFilter – the default filter provided through the default rule that is generated for us when no rule or filter is explicitly provided when creating a subscription. Ultimately, this generates the SQL92 expression 1=1 and subscribes to receive all messages of the associated topic.
  3. FalseFilter – the antithesis of a TrueFilter, generating the SQL92 expression 1=0; a subscription with this filter never receives any messages of the associated topic.
  4. CorrelationFilter – this filter subscribes the subscription to all messages that carry a particular CorrelationId property.
    Note: Be aware that the comparison values in your SQL expression are case-sensitive, while the property names are not (e.g. “Zone='East'” is not the same as “zone='east'”).

In an earlier post we saw how default rules work and how the same message is broadcast to all subscriptions. Now we will see how custom rules work and how a subscriber receives only specific messages through custom filtering rules.

Example:

Let’s consider an order processing system where orders are published to a topic and region-wise subscriptions are set up on that topic. Instead of broadcasting all orders to all subscriptions, only the orders for a region are delivered to that region’s subscription.

In our case orders belong to two regions (East and North), and two subscriptions are set up to subscribe to these messages: EastSubscription receives only East region orders and NorthSubscription receives only North region orders.

Adding rules to the subscriptions:

Subscriptions are not limited to one rule, however; we can add additional rules to an existing subscription.


public static void CreateTopicUnderServiceBus()
{
    var TopicName = "OrderTopic";
    string[] arrSubsription = new string[] { "NorthSubscription", "EastSubscription" };

    // Create Topic
    if (!nameSpaceManager.TopicExists(TopicName))
    {
        nameSpaceManager.CreateTopic(TopicName);
    }

    // Create Subscriptions
    foreach (string subsription in arrSubsription)
    {
        if (!nameSpaceManager.SubscriptionExists(TopicName, subsription))
        {
            SubscriptionDescription subscriptionDesc = new SubscriptionDescription(TopicName, subsription)
            {
                EnableDeadLetteringOnMessageExpiration = true,
                EnableDeadLetteringOnFilterEvaluationExceptions = true,
                DefaultMessageTimeToLive = TimeSpan.FromMinutes(5),
                LockDuration = TimeSpan.FromSeconds(60),
            };
            var zone = subsription.Replace("Subscription", "");

            // Rule so each subscription receives only the messages that belong to its zone.
            RuleDescription ruleDescForSubscriptions = new RuleDescription("ZoneFilter", new SqlFilter("Zone='" + zone + "'"));

            nameSpaceManager.CreateSubscription(subscriptionDesc, ruleDescForSubscriptions);
            // Dead-letter path of this subscription (computed but not used further here)
            var ss = SubscriptionClient.FormatDeadLetterPath(TopicName, subsription);
        }
    }
}

Here the RuleDescription class is used to create the filter rules. The code above adds one filter rule to each subscription: “Zone='East'” on EastSubscription and “Zone='North'” on NorthSubscription.

Besides creating the filter rules, the matching property also has to be sent on the brokered message.


public static void PublishOrder(TopicClient topicClient, Order order)
{
    String Displaytext = string.Format("Order : orderId={0},customerName={1},ProductName={2},DeliveryAddress={3},Zone={4} " +
        " Sent To Topic Successfully \n\n",
        order.OrderId, order.CustomerName, order.ProductName, order.DeliveryAddress, order.Zone);

    // Create brokered message for the order and set the property the filter rules evaluate
    BrokeredMessage brokerMessage = new BrokeredMessage(order);
    brokerMessage.Properties.Add("Zone", order.Zone);
    topicClient.Send(brokerMessage);
    Console.Write(Displaytext);
}

Note the “Zone” property set on the brokered message: the SQL filter evaluates against these message properties, not against the serialized body.
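As an added example (not code from the original post), the following helper puts a zone rule on a subscription that already exists, using a parameterized SqlFilter instead of string concatenation, and builds the matching message. Rules on a subscription are OR-ed together, so when a rule is added after creation the $Default rule (1=1) has to be removed too, otherwise the subscription keeps receiving every message. The ZoneRules class and its methods are hypothetical; Order and TopicConfigurations.Namespace are the post’s own types from its Common project.

```csharp
using System;
using Common;                          // Order and TopicConfigurations from the post's Common project
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;

// Added example, not part of the original post. Class and method names are hypothetical.
public static class ZoneRules
{
    public const string ZoneRuleName = "ZoneFilter";

    // Builds the rule with a parameterized SqlFilter: the zone value is supplied as the
    // @zone parameter instead of being spliced into the SQL92 expression text.
    public static RuleDescription BuildZoneRule(string zone)
    {
        if (string.IsNullOrWhiteSpace(zone))
            throw new ArgumentException("zone must not be empty", "zone");

        var filter = new SqlFilter("Zone = @zone");
        filter.Parameters.Add("@zone", zone);
        return new RuleDescription(ZoneRuleName, filter);
    }

    // Replaces every rule on an existing subscription with a single zone rule.
    // Rules are OR-ed together, so leaving $Default (1=1) in place would keep the
    // subscription receiving all messages regardless of the zone rule.
    public static void ApplyZoneRule(string topicName, string subscriptionName, string zone)
    {
        var manager = NamespaceManager.CreateFromConnectionString(TopicConfigurations.Namespace);
        var client = SubscriptionClient.CreateFromConnectionString(
            TopicConfigurations.Namespace, topicName, subscriptionName);
        try
        {
            foreach (RuleDescription existing in manager.GetRules(topicName, subscriptionName))
            {
                client.RemoveRule(existing.Name);   // removes "$Default" as well when present
            }
            client.AddRule(BuildZoneRule(zone));
        }
        finally
        {
            client.Close();
        }
    }

    // The filter evaluates message properties, never the serialized body, so the zone
    // must be copied into Properties. CorrelationId is set so a CorrelationFilter could
    // also be used for the same order.
    public static BrokeredMessage BuildOrderMessage(Order order)
    {
        if (order == null)
            throw new ArgumentNullException("order");
        if (string.IsNullOrWhiteSpace(order.Zone))
            throw new ArgumentException("order.Zone is required for routing", "order");

        var message = new BrokeredMessage(order);
        message.Properties["Zone"] = order.Zone;      // compared case-sensitively by the rule
        message.CorrelationId = order.OrderId.ToString();
        return message;
    }

    // Example use: route EastSubscription to "East" and publish one constructed order.
    public static void Main()
    {
        ApplyZoneRule("OrderTopic", "EastSubscription", "East");

        var topicClient = TopicClient.CreateFromConnectionString(TopicConfigurations.Namespace, "OrderTopic");
        topicClient.Send(BuildOrderMessage(new Order
        {
            OrderId = 9001,                     // constructed sample order
            CustomerName = "Sample Customer",
            ProductName = "Sample Product",
            DeliveryAddress = "n/a",
            Zone = "East"
        }));
        topicClient.Close();
        Console.WriteLine("Zone rule applied and sample order published.");
    }
}
```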

Complete Code For Message Publisher:


using Common;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;
using System;
using System.Threading;

namespace MessageSender
{
    class Publisher
    {
        static NamespaceManager nameSpaceManager;

        static void Main()
        {
            nameSpaceManager = NamespaceManager.CreateFromConnectionString(TopicConfigurations.Namespace);
            CreateTopicUnderServiceBus();

            TopicClient tClient = TopicClient.CreateFromConnectionString(TopicConfigurations.Namespace, "OrderTopic");

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("======================================================");
            Console.WriteLine("-----------Publishing Start---------------------------");
            Console.WriteLine("======================================================");

            Console.ForegroundColor = ConsoleColor.Green;
            PublishOrder(tClient, new Order()
            {
                OrderId = 5656,
                CustomerName = "Vivek Jadon",
                ProductName = "Iphone6",
                DeliveryAddress = "MG Road Gurgaon",
                Zone = "East"
            });
            PublishOrder(tClient, new Order()
            {
                OrderId = 5657,
                CustomerName = "Rakesh ",
                ProductName = "Samsung S8",
                DeliveryAddress = "12/3 Ring Road Delhi",
                Zone = "East",
            });
            PublishOrder(tClient, new Order()
            {
                OrderId = 5658,
                CustomerName = "Prakash Nayal",
                ProductName = "OnePlus 5T",
                DeliveryAddress = "12/3 Ring Road Delhi",
                Zone = "North",
            });
            PublishOrder(tClient, new Order()
            {
                OrderId = 5659,
                CustomerName = "Gautom Anand",
                ProductName = "Samsung S8",
                DeliveryAddress = "12/3 Ring Road Delhi",
                Zone = "North",
            });

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("-----------Publishing End---------------------------");
            Console.ReadLine();
        }

        public static void CreateTopicUnderServiceBus()
        {
            var TopicName = "OrderTopic";
            string[] arrSubsription = new string[] { "NorthSubscription", "EastSubscription" };

            // Create Topic
            if (!nameSpaceManager.TopicExists(TopicName))
            {
                nameSpaceManager.CreateTopic(TopicName);
            }

            // Create Subscriptions
            foreach (string subsription in arrSubsription)
            {
                if (!nameSpaceManager.SubscriptionExists(TopicName, subsription))
                {
                    SubscriptionDescription subscriptionDesc = new SubscriptionDescription(TopicName, subsription)
                    {
                        EnableDeadLetteringOnMessageExpiration = true,
                        EnableDeadLetteringOnFilterEvaluationExceptions = true,
                        DefaultMessageTimeToLive = TimeSpan.FromMinutes(5),
                        LockDuration = TimeSpan.FromSeconds(60),
                    };
                    var zone = subsription.Replace("Subscription", "");

                    // Rule so each subscription receives only the messages that belong to its zone.
                    RuleDescription ruleDescForSubscriptions = new RuleDescription("ZoneFilter", new SqlFilter("Zone='" + zone + "'"));

                    nameSpaceManager.CreateSubscription(subscriptionDesc, ruleDescForSubscriptions);
                    // Dead-letter path of this subscription (computed but not used further here)
                    var ss = SubscriptionClient.FormatDeadLetterPath(TopicName, subsription);
                }
            }
        }

        public static void PublishOrder(TopicClient topicClient, Order order)
        {
            String Displaytext = string.Format("Order : orderId={0},customerName={1},ProductName={2},DeliveryAddress={3},Zone={4} " +
                " Sent To Topic Successfully \n\n",
                order.OrderId, order.CustomerName, order.ProductName, order.DeliveryAddress, order.Zone);

            // Create brokered message for the order and set the property the filter rules evaluate
            BrokeredMessage brokerMessage = new BrokeredMessage(order);
            brokerMessage.Properties.Add("Zone", order.Zone);
            topicClient.Send(brokerMessage);
            Console.Write(Displaytext);
        }
    }
}

Complete code for message receiver:


using Common;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;
using System;

namespace MessageReciever
{
    class Subscriber
    {
        static NamespaceManager nameSpaceManager;

        static void Main()
        {
            nameSpaceManager = NamespaceManager.CreateFromConnectionString(TopicConfigurations.Namespace);
            ReadMessageFromSubscription("OrderTopic");
            Console.ReadLine();
        }

        public static void ReadMessageFromSubscription(string TopicName)
        {
            foreach (SubscriptionDescription description in nameSpaceManager.GetSubscriptions(TopicName))
            {
                SubscriptionClient sClient = SubscriptionClient.CreateFromConnectionString(TopicConfigurations.Namespace, "OrderTopic", description.Name);

                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("=======================================");
                Console.WriteLine("---Order Receiving From [" + description.Name + "]---");
                Console.WriteLine("=======================================");
                while (true)
                {
                    // Receive returns null when no message arrives within the timeout
                    BrokeredMessage bmessgage = sClient.Receive(TimeSpan.FromSeconds(2));

                    if (bmessgage != null)
                    {
                        Order order = bmessgage.GetBody<Order>();
                        Console.ForegroundColor = ConsoleColor.Green;
                        Console.Write(" Request Received, ProductName: {0},Zone : {1},CustomerName: {2},DeliveryAddress: {3} \n\n",
                            order.ProductName, order.Zone, order.CustomerName, order.DeliveryAddress);

                        Console.ForegroundColor = ConsoleColor.Yellow;

                        // Mark the message as processed so it is removed from the subscription
                        bmessgage.Complete();
                    }
                    else
                    {
                        break;   // subscription drained, move on to the next one
                    }
                }
                sClient.Close();
            }
        }
    }
}

Once the messages are sent to the topic, the subscriber should start showing the appropriate message count. In our case, if we send messages with East and North as the Zone, then as per the rules set, EastSubscription should receive only the 2 East region messages and NorthSubscription should likewise receive only the 2 North region messages.

Let’s run complete application and then talk about the output.

Here we can see that 4 orders were published to the order topic: 2 orders belong to the East region and 2 orders to the North region. The important thing is that this time all 4 messages were not broadcast to both subscriptions, because we created a filter rule for each region.

Take a look at the Azure portal: each subscription received 2 messages, according to its filter rule.

Now look at the topic and subscription details with Azure Service Bus Explorer. We can see that a custom filter named “ZoneFilter” has been created in both subscriptions, each with its filter rule.

Of course, you can get away without using filters at all, if you just set up plain subscriptions and only respond to messages of interest in your handlers. But using the filters will reduce network traffic and save unnecessary work processing messages that aren’t of interest.

Read more about Service Bus Explorer: Link

Microsoft Azure: Service Bus Topic & Subscription With Default Filtering Rule.

Download complete project : AzureTopicSubscription

In contrast to queues, in which each message is processed by a single consumer, topics and subscriptions provide a one-to-many form of communication, in a publish/subscribe pattern.

Useful for scaling to very large numbers of recipients, each published message is made available to each subscription registered with the topic. Messages are sent to a topic (and delivered to one or more associated subscriptions) and received from subscriptions. Filter rules can also be set on a per-subscription basis.

Default Filters in topic:

When subscriptions are created on a topic without defining a filter for them, they subscribe to all messages that are sent to the topic.

TrueFilter is the default filter provided through the default rule that is generated for us when a rule or filter is not explicitly provided when creating a subscription. Ultimately, this generates the SQL92 expression 1=1 and subscribes to receive all messages of the associated topic.

Default Rule Name: “$Default”

Default Filter Type: “TrueFilter”

Default SQL Expression: “1=1”
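As an added example (not part of the original post), the helper below creates a subscription without any filter, exactly as this post does, and then reads its rules back so you can see the $Default rule and its 1=1 expression for yourself; it also reports whether a subscription still carries such a catch-all rule. The DefaultRuleCheck class and method names are hypothetical; TopicConfigurations.Namespace is the post’s own connection-string setting.

```csharp
using System;
using System.Collections.Generic;
using Common;                          // TopicConfigurations from the post's Common project
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;

// Added example, not part of the original post. Class and method names are hypothetical.
public static class DefaultRuleCheck
{
    public const string DefaultRuleName = "$Default";

    // Creates the topic and subscription if missing, with no filter (as the post does),
    // then returns every rule on the subscription as (rule name, SQL92 expression).
    public static List<KeyValuePair<string, string>> CreateAndDescribe(
        NamespaceManager manager, string topicPath, string subscriptionName)
    {
        if (!manager.TopicExists(topicPath))
            manager.CreateTopic(topicPath);
        if (!manager.SubscriptionExists(topicPath, subscriptionName))
            manager.CreateSubscription(topicPath, subscriptionName);

        var rules = new List<KeyValuePair<string, string>>();
        foreach (RuleDescription rule in manager.GetRules(topicPath, subscriptionName))
        {
            // TrueFilter derives from SqlFilter, so the default rule reads back as "1=1".
            var sql = rule.Filter as SqlFilter;
            string expression = sql != null ? sql.SqlExpression : rule.Filter.GetType().Name;
            rules.Add(new KeyValuePair<string, string>(rule.Name, expression));
        }
        return rules;
    }

    // True when the subscription still carries a catch-all rule, i.e. it receives every
    // message published to the topic. Useful as a check before relying on custom filters.
    public static bool ReceivesEverything(NamespaceManager manager, string topicPath, string subscriptionName)
    {
        foreach (RuleDescription rule in manager.GetRules(topicPath, subscriptionName))
        {
            if (rule.Filter is TrueFilter)
                return true;
            var sql = rule.Filter as SqlFilter;
            if (sql != null && sql.SqlExpression.Replace(" ", "") == "1=1")
                return true;
        }
        return false;
    }

    public static void Main()
    {
        var manager = NamespaceManager.CreateFromConnectionString(TopicConfigurations.Namespace);

        // Prints each rule name and its expression for the post's NorthSubscription
        foreach (var rule in CreateAndDescribe(manager, "OrderTopic", "NorthSubscription"))
            Console.WriteLine("{0} -> {1}", rule.Key, rule.Value);

        Console.WriteLine("Receives everything: " +
            ReceivesEverything(manager, "OrderTopic", "NorthSubscription"));
    }
}
```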

There are multiple ways to create topic and subscription in Azure service bus.

  1. Azure Portal
  2. PowerShell
  3. Language-specific SDK, e.g. the C# Azure SDK

1. Create Topic & Subscription Through Azure Portal

Log in to the Azure portal and choose the “New” option from the left menu.

Once you navigate to the Service Bus pane, fill in all the required information: the Service Bus name (which must be globally unique), an appropriate pricing tier, a resource group (new or existing) and a location.

Once you press the Create button, your newly created Service Bus is listed in your resources, and you can open it for further configuration.

For this demonstration I have created a Service Bus named “Rakesh-ServiceBus”. As we can see, there are two options available: one for Queue and another for Topic.

Click on the “Topic” option in the top menu and enter a few details: the topic name, the topic’s maximum size (the default is 1 GB), the number of days a message lives, etc.

2. Create Topic & Subscription Through C# Azure SDK:

Let’s say you have already created a Service Bus in your Azure account and now you have to create topics and subscriptions through C#.

Here’s a simple example of how to achieve this with C# programming.

Creating Topics:

Topic creation is straightforward; the code below creates the topic if it does not already exist.


nameSpaceManager = NamespaceManager.CreateFromConnectionString(TopicConfigurations.Namespace);

var TopicName = "OrderTopic";
// Create Topic
if (!nameSpaceManager.TopicExists(TopicName))
{
    nameSpaceManager.CreateTopic(TopicName);
}

Creating Subscriptions:

Here two subscriptions (NorthSubscription and EastSubscription) are created under the topic named “OrderTopic”.


// Create Subscriptions
if (!nameSpaceManager.SubscriptionExists(TopicName, "NorthSubscription"))
{
    nameSpaceManager.CreateSubscription(TopicName, "NorthSubscription");
}
if (!nameSpaceManager.SubscriptionExists(topicPath: TopicName, name: "EastSubscription"))
{
    nameSpaceManager.CreateSubscription(TopicName, "EastSubscription");
}

Deleting a Topic:


var TopicName = "OrderTopic";
// Delete Topic (this also removes all of its subscriptions)
if (nameSpaceManager.TopicExists(TopicName))
{
    nameSpaceManager.DeleteTopic(TopicName);
}

Deleting a Subscription:


// Delete a subscription
if (nameSpaceManager.SubscriptionExists(TopicName, "NorthSubscription"))
{
    nameSpaceManager.DeleteSubscription(TopicName, "NorthSubscription");
}

Putting it all together: publisher scenario

Taking a simple order processing example: the publisher sends the order details to a specific topic, and there are multiple subscribers (receivers) that read the order details from the topic.

As I already mentioned, the default filter 1=1 applies to the subscriptions, so the same message is sent to both subscriptions because we have not defined any specific filter (we will see that in detail in the next article).

Sending Order Details to Topic:

A console application named “MessageSender” is created to send order details to the Azure topic. Below is the code to send a message. I will show the code in parts, but you can download the complete sample project.


using Common;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;
using System;
using System.Threading;

namespace MessageSender
{
    class Publisher
    {
        static NamespaceManager nameSpaceManager;

        static void Main()
        {
            Thread.Sleep(1000);
            nameSpaceManager = NamespaceManager.CreateFromConnectionString(TopicConfigurations.Namespace);
            CreateTopicUnderServiceBus();

            TopicClient tClient = TopicClient.CreateFromConnectionString(TopicConfigurations.Namespace, "OrderTopic");

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("======================================================");
            Console.WriteLine("-----------Publishing Start---------------------------");
            Console.WriteLine("======================================================");

            Console.ForegroundColor = ConsoleColor.Green;
            PublishOrder(tClient, new Order()
            {
                OrderId = 5656,
                CustomerName = "Vivek Jadon",
                ProductName = "Iphone6",
                DeliveryAddress = "MG Road Gurgaon",
                Zone = "East"
            });
            PublishOrder(tClient, new Order()
            {
                OrderId = 5657,
                CustomerName = "Rakesh ",
                ProductName = "Samsung S8",
                DeliveryAddress = "12/3 Ring Road Delhi",
                Zone = "East",
            });
            PublishOrder(tClient, new Order()
            {
                OrderId = 5658,
                CustomerName = "Prakash Nayal",
                ProductName = "OnePlus 5T",
                DeliveryAddress = "12/3 Ring Road Delhi",
                Zone = "North",
            });
            PublishOrder(tClient, new Order()
            {
                OrderId = 5659,
                CustomerName = "Gautom Anand",
                ProductName = "Samsung S8",
                DeliveryAddress = "12/3 Ring Road Delhi",
                Zone = "North",
            });

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("-----------Publishing End---------------------------");
            Console.ReadLine();
        }

        public static void CreateTopicUnderServiceBus()
        {
            var TopicName = "OrderTopic";
            string[] arrSubsription = new string[] { "NorthSubscription", "EastSubscription" };

            // Create Topic
            if (!nameSpaceManager.TopicExists(TopicName))
            {
                nameSpaceManager.CreateTopic(TopicName);
            }

            // Create Subscriptions (no rule given, so each gets the $Default 1=1 rule)
            foreach (string subsription in arrSubsription)
            {
                if (!nameSpaceManager.SubscriptionExists(TopicName, subsription))
                {
                    SubscriptionDescription subscriptionDesc = new SubscriptionDescription(TopicName, subsription)
                    {
                        EnableDeadLetteringOnMessageExpiration = true,
                        EnableDeadLetteringOnFilterEvaluationExceptions = true,
                        DefaultMessageTimeToLive = TimeSpan.FromMinutes(5),
                        LockDuration = TimeSpan.FromSeconds(30)
                    };

                    nameSpaceManager.CreateSubscription(subscriptionDesc);
                }
            }
        }

        public static void PublishOrder(TopicClient topicClient, Order order)
        {
            String Displaytext = string.Format("Order : orderId={0},customerName={1},ProductName={2},DeliveryAddress={3},Zone={4} " +
                " Sent To Topic Successfully \n\n",
                order.OrderId, order.CustomerName, order.ProductName, order.DeliveryAddress, order.Zone);

            // Create brokered message for the order
            BrokeredMessage brokerMessage = new BrokeredMessage(order);
            topicClient.Send(brokerMessage);
            Console.Write(Displaytext);
        }
    }
}

Let’s run only the message sender console application (without running any receiving application) and see what resources and activity appear in the Azure portal.

A few things were captured before executing the sender application: you will see that there is no topic or subscription created yet in the Service Bus “Rakesh-ServiceBus”.

Now execute the message sender application and see what happens.

  • As you can see in the snapshot, the order details are successfully published to the Azure topic.

  • Go to the Azure portal and you will find a topic named “OrderTopic” with two subscriptions, “EastSubscription” and “NorthSubscription”, created successfully. Notice also that both subscriptions received all 4 order details, because we created the subscriptions without any filter rules, and when you do not create a rule the default rule (1=1) applies.

Let’s look more in depth by using Azure Service Bus Explorer. Service Bus Explorer provides a richer user interface than the Azure portal for inspecting messages: we can see whether a message is in the active state or in the dead-letter queue, and we can create and modify filter rules.
Subscribing to messages from a topic:

Subscribers are never connected directly to Azure topics. Any subscriber that wants to receive messages from a topic first has to subscribe to a subscription under that topic and then read the messages from that subscription.

Putting it all together: subscriber scenario

Again we create a console application and install the necessary NuGet packages for the Azure Service Bus SDK.


using Common;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;
using System;

namespace MessageReciever
{
    class Subscriber
    {
        static NamespaceManager nameSpaceManager;

        static void Main()
        {
            nameSpaceManager = NamespaceManager.CreateFromConnectionString(TopicConfigurations.Namespace);
            ReadMessageFromSubscription("OrderTopic");
        }

        public static void ReadMessageFromSubscription(string TopicName)
        {
            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("======================================================");
            Console.WriteLine("-----------Order Receiving Start---------------------------");
            Console.WriteLine("======================================================");
            foreach (SubscriptionDescription description in nameSpaceManager.GetSubscriptions(TopicName))
            {
                SubscriptionClient sClient = SubscriptionClient.CreateFromConnectionString(TopicConfigurations.Namespace, "OrderTopic", description.Name);
                while (true)
                {
                    // Receive returns null when no message arrives within the timeout;
                    // without the break below the loop would never move on to the next subscription.
                    BrokeredMessage bmessgage = sClient.Receive(TimeSpan.FromSeconds(2));
                    if (bmessgage == null)
                    {
                        break;
                    }

                    Order order = bmessgage.GetBody<Order>();
                    Console.ForegroundColor = ConsoleColor.Green;
                    Console.Write(" Request Received, ProductName: {0},Zone : {1},CustomerName: {2},DeliveryAddress: {3} \n\n",
                        order.ProductName, order.Zone, order.CustomerName, order.DeliveryAddress);

                    Console.ForegroundColor = ConsoleColor.Yellow;
                    // Mark the message as processed so it is removed from the subscription
                    bmessgage.Complete();
                }
                sClient.Close();
            }
            Console.WriteLine("-----------Order Receiving End---------------------------");
        }
    }
}

Now execute the sender and receiver applications together, and you will find that the sender starts publishing messages to the topic and the receiver application starts reading those messages from both subscriptions.

We’ve learned that two of the most powerful features of topics and subscriptions are the ability to distribute messages to multiple interested parties (subscriptions) and the ability of those parties to filter for the messages they are specifically interested in. There is still a good bit to cover on the topic of Azure Service Bus.

A full code example is attached to this post; you can find the link at the top.
Securing Sensitive App Settings Using Azure Key Vault.

Download Complete Project: WebApiWithAzureKeyVault

Why Azure Key Vault?

Almost every Azure app has some kind of cryptographic key, storage account key, sensitive setting, password, or connection string.

For example, consider a web app that requires a connection string to an Azure SQL Database. Storing this sensitive information in an App.config file could result in it being checked in to a source-code control system and unintentionally exposed to many developers.

Compare this to using Azure Key Vault, where the App.config file only contains a reference to this sensitive data, and is controlled by the access policy of Azure Key Vault.

Below is the insecure approach that is commonly used in Azure-based solutions:

Here you can see that all the secrets are written into the web.config file in plain text; if someone gained access to the server they could steal all of this sensitive information easily. Usually these configuration files are also checked in to repository systems like TFS or GitHub along with the other project files, so anyone with access to those repositories can see the secrets too.

By using Key Vault you can securely store data and avoid having these sensitive pieces of information stored in source code which may then be compromised.

The Microsoft Azure cloud platform provides a secure secrets management service, Azure Key Vault, to store sensitive information. It is a multi-tenant service for developers to store and use sensitive data for their application in Azure.

The Azure Key Vault service can store three types of items: secrets, keys, and certificates.

  • Secrets are any sequence of bytes under 10KB like connection strings, account keys, or the passwords for PFX (private key files). An authorized application can retrieve a secret for use in its operation.
  • Keys involve cryptographic material imported into Key Vault, or generated when a service requests the Key Vault to do so. An authorized cloud service can request the Key Vault perform one or more cryptographic operations with a key on its behalf.
  • An Azure Key Vault certificate is simply a managed X.509 certificate. What’s different is Azure Key Vault offers life-cycle management capabilities. Like Azure Keys, a service can request Azure Key Vault to create a certificate. When Azure Key Vault creates the certificate, it creates a related private key and password. The password is stored as an Azure Secret while the private key is stored as an Azure Key. Expired certificates can roll over with notifications before these operations happen.

Application flow with key vault

Steps Required:

  1. Create A Key Vault
  2. Create a Secret
  3. Register an App in Azure Active Directory
  4. Create an API Key for the App
  5. Give App-Specific Permissions to Access Key Vault
  6. Configure your .NET Application

1. Create a key vault

Log in to the Azure portal and add the new service “Key Vault”. If ‘Key vaults’ is not already in your list, click on ‘More services’ and use the filter to find it. Select ‘Key vaults’, fill in all the mandatory information and press the Create button.

2. Create Secrets:

To do this, click on ‘Secrets’ under ‘Settings’ on the left, or under ‘Assets’ in the Overview panel. Once the ‘Secrets’ panel opens up, click the ‘Add’ button at the top so you can create a new one.

Activation and expiry dates can be used if you only want the secret to be accessed for a specific period of time. When you are finished, click ‘Create’.

The Key Vault DNS name will be used as the Key Vault URL in the application from which the secret requests are made.

3. Register An App In Azure Active Directory

Now you have data protected by Key Vault, and next you need to give your application (secure) access to this data.

Again go to the Azure portal and search for “Azure Active Directory”. Inside AD, select ‘App registrations’ under the ‘Manage’ panel on the left. This is where you configure the access and permissions our application will have when accessing Key Vault programmatically.

In my case I have already created a Web API app named “DubaiProperties-Api”, which runs under Azure App Service, and I have registered the same application in Azure Active Directory so that this application can read secrets from Key Vault.

4. Create An Api Key For Registered App

From the ‘App registrations’ menu, you should see your newly created app listed.

Click on the registered application and copy the ‘Application ID’ that you can see under ‘Essentials’.

Select ‘Keys’ from the ‘API Access’ section on the right. Give the key a meaningful description that explains its purpose, then set an expiration. Click ‘Save’ and your API key ‘Value’ will be presented to you. Copy this key value now, because once you navigate away it will never be shown again.

You can always create a new one, if you forgot to copy it.

5. Give App-Specific Permissions to Access Key Vault

Return to key vault and select ‘Access Policies’ under the ‘Settings’ panel on the right. Click the ‘Add New’ button. Click the ‘Select Principal’ option to be presented with a new blade. Enter the Application ID of the app in Azure AD into this field, and select the app when it is presented to you. Click the ‘Select’ button at the bottom to confirm. You can now configure the permissions that you wish to grant the application.

Only assign the necessary permissions. As it is only Secrets that your app needs access to (and read-only access at that), I would suggest picking ‘Get’ and ‘List’ under the ‘Secret permissions’ option. This is all you need to do, so click ‘OK’ to complete this step.

Now the Key Vault configuration is ready to store secrets and to be referenced by the application.

6. Configure your .NET Application

All the Key Vault and Active Directory administration tasks are now complete, and you need to set up the .NET application to consume the secrets from Key Vault instead of defining them in app.config or somewhere else in the application.

Let’s start with a Web API project that needs to use some secrets stored in Key Vault.

To begin with, a few things have to be configured in your application: the application ID, the Key Vault URL and the app registration key. All of this information was noted above when registering the application in AD and creating the Key Vault. Keep in mind that the app registration key is itself a credential with the same Key Vault access as the application, so it must still be kept out of source control; on Azure App Service it can be supplied through the application settings, which override the appSettings values in web.config.

These settings are placed in the appSettings section of web.config.

Now add the NuGet packages for Azure Key Vault to the application.

Create a helper class that uses the Azure SDK to talk to Key Vault, fetch all the required secrets and make them available to the application.
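Here is an added example of such a helper (not the post’s own class), built on KeyVaultClient from the Microsoft.Azure.KeyVault package with an ADAL client-credential callback. The appSettings names KeyVault:ClientId, KeyVault:ClientSecret and KeyVault:Url are assumptions, as is the class name. Secrets are requested by name without a version, so a new version created in the portal is returned on the next uncached read without any code change.

```csharp
using System;
using System.Collections.Concurrent;
using System.Configuration;                               // needs a reference to System.Configuration.dll
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;                           // NuGet: Microsoft.Azure.KeyVault
using Microsoft.Azure.KeyVault.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;    // NuGet: Microsoft.IdentityModel.Clients.ActiveDirectory

// Added example, not the post's helper class. The setting names are assumptions.
public class KeyVaultSecretProvider
{
    private readonly string _clientId;
    private readonly string _clientSecret;
    private readonly string _vaultUrl;
    private readonly KeyVaultClient _client;
    // Cache so that every Web API request does not call Key Vault (which is throttled);
    // pass bypassCache = true to force a fresh read, e.g. after rotating a secret.
    private readonly ConcurrentDictionary<string, string> _cache = new ConcurrentDictionary<string, string>();

    public KeyVaultSecretProvider(string clientId, string clientSecret, string vaultUrl)
    {
        if (string.IsNullOrWhiteSpace(clientId))
            throw new ArgumentException("clientId is required", "clientId");
        if (string.IsNullOrWhiteSpace(clientSecret))
            throw new ArgumentException("clientSecret is required", "clientSecret");
        if (string.IsNullOrWhiteSpace(vaultUrl) || !vaultUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("vaultUrl must be the https Key Vault DNS name", "vaultUrl");

        _clientId = clientId;
        _clientSecret = clientSecret;
        _vaultUrl = vaultUrl;
        _client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync));
    }

    // Reads the three settings from <appSettings>. On Azure App Service these are
    // overridden by the application settings blade, so the key never has to be committed.
    public static KeyVaultSecretProvider FromAppSettings()
    {
        return new KeyVaultSecretProvider(
            ConfigurationManager.AppSettings["KeyVault:ClientId"],
            ConfigurationManager.AppSettings["KeyVault:ClientSecret"],
            ConfigurationManager.AppSettings["KeyVault:Url"]);
    }

    // ADAL callback invoked by KeyVaultClient: exchanges the app registration's
    // application ID and key for a bearer token for the Key Vault resource.
    private async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
    {
        var context = new AuthenticationContext(authority);
        var credential = new ClientCredential(_clientId, _clientSecret);
        AuthenticationResult result = await context.AcquireTokenAsync(resource, credential);
        if (result == null || string.IsNullOrEmpty(result.AccessToken))
            throw new InvalidOperationException("Failed to obtain a Key Vault access token");
        return result.AccessToken;
    }

    // Requests the secret by name only (no version identifier), so the current version
    // is returned; creating a new version in the portal needs no application change.
    public async Task<string> GetSecretAsync(string secretName, bool bypassCache = false)
    {
        if (string.IsNullOrWhiteSpace(secretName))
            throw new ArgumentException("secretName is required", "secretName");

        string cached;
        if (!bypassCache && _cache.TryGetValue(secretName, out cached))
            return cached;

        SecretBundle bundle = await _client.GetSecretAsync(_vaultUrl, secretName);
        _cache[secretName] = bundle.Value;
        return bundle.Value;
    }
}
```

In the controller, keep one instance (for example a static field initialised with FromAppSettings()) and call GetSecretAsync("DemoSecretKey") to read the post’s secret.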

Now use this helper class in our Web API controller.

Now publish the Web API project to Azure App Service. The Web API application should work after deployment.

Now check the Swagger URL of the deployed API and you will see all the API controllers with their HTTP verbs.

Expand the GET method of the KeyVault controller and make a request to read the secret values from Azure Key Vault.

The Web API responds with the values from Key Vault.

If you analyse the whole code you will not find any secret keys configured in the application configuration files or in the application settings section of the Azure App Service. The values come directly from Key Vault, which is a separate location.

If you add a new version of the same secret in Key Vault, no change is needed in your application: the application always picks up the latest version of the secret.

Let’s create a new version of the same secret with a different value. Go back to the Secrets section under the Key Vault settings pane, where you will find all the defined secrets.

Click on the secret for which you want to create a new version with a new value; here we choose “DemoSecretKey”. Once you click on it, you will see all versions of the selected secret. Currently a single version exists.

The secret values are not displayed in this list; they are hidden from everyone.

Click on “New Version”, select “Manual” from the drop-down, enter the new secret value and save it.

Now you can see the new version added with the updated value, and the previous version is also retained by Azure Key Vault.

Let’s test our Web API: it should read the new, updated value from Key Vault. The important thing is that I have not made any changes to the deployed Web API.

That’s it! This configuration should enable you to protect your sensitive information in Key Vault and then give a .NET application secure access to that data.

Summary

The Azure Key Vault is an excellent service and a welcome addition to the overall Azure services family. It promotes the secure management of cryptographic keys without the associated overhead, which is an important step to adopting and implementing better security within our applications. In the next article, we’ll see how you can set up a Key Vault for our application and use the .NET SDK to create, manage and retrieve keys.