Every session I deliver end up with a different experience for me where not only attendees but even I get to learn multiple things from the people who attend my session and this is what I learn the most..!!(always a roller coaster)

As there is famous saying:
..by doing what you love, you inspire and awaken the hearts of others..

In this event I presented Deep Dive on Microsft Azure and Serverless Computing at App Innovation Circle 2018 event held at Microsoft IDC, Hyderabad

App Innovation Circle 2018 Agenda:

Few pics from the Event: https://www.flickr.com/gp/kraghu_306/t05j15

Few helpful links on Function Apps, Logic Apps, ASP.NET Core, and Container:
Links, PPT

Finally, thanks Pranav, Shravan, Swetha(Microsoft) and the complete App Innovation Team for the assistance and each and every attendee for patiently listened to my session :P

Happy Learning...!! Do follow my blog for Azure Content :)

Global Azure Bootcamp is always a huge event all around the world user groups and communities who want to learn about Azure and Cloud Computing.

The event was a huge success with 8 speakers covering 8 different topics covering Azure Bot Service, DevOps using VSTS, Cloud Design Patterns, Deep Learning and Azure Encryption with over 300+ Azure enthusiast attendees.

Event details: https://themugh.github.io/gabc2018/

Few pics from the Event: https://twitter.com/imkraghu/status/987747758336430080

Special thanks to Shravan Kumar Kasagoni and all Microsoft User Group Hyderabad Organisers for the opportunity.

Thanks to Global Azure Bootcamp Global Team and all the attendees who attended.

Keep Rocking on Cloud ☁

Had an amazing experience in presenting Deep Dive on Microsft Azure and Serverless Computing at App Innovation Circle 2018 event held at Microsoft IDC, Hyderabad

App Innovation Circle 2018 Agenda:

Few pics from the Event: https://www.flickr.com/gp/kraghu_306/37C1Cm

Few helpful links on Function Apps, Logic Apps, ASP.NET Core, and Container:
Resources

Finally, I want to end this blog with an inspirational quote by a famous American writers William Arthur Ward who once said: "Curiosity is the Wick in the candle of Leaning".

Happy Learning...!! Do follow my blog for Azure Content. :)

Prerequisites:

1. Download Visual Studio Code
2. Install Node.js and npm
   Note: To enable local debugging, you need to install the Azure Functions Core Tools.

3. Operating Systems:

   • For macOS, install using Homebrew.

   $ brew tap azure/functions

   $ brew install azure-functions-core-tools

   • For Windows, install using npm.

   $ npm install -g azure-functions-core-tools@core

Once you have the prerequisites we can proceed by Installing the Azure Function Extension

Install the Azure Functions extension

Once the extension is installed, log into your Azure account - in the AZURE FUNCTIONS explorer, click Sign in to Azure... and follow the instructions.

Once logged in we should see our Azure email address in the status bar and the subscriptions in the AZURE FUNCTIONS explorer.

Verify that you have the Azure Functions tools installed by opening a terminal and running $ func

Once we have all set up we can quickly create a Function App

Follow the below image and choose an empty directory for the app and then select JavaScript for the language of your Functions App.

Next, Choose a HTTP trigger Function for your function app and choose Anonymous authentication.

Function app includes index.js and functions.json files. The index.js file contains the source code that responds to the HTTP request and functions.json contain the binding configuration for the HTTP trigger.

Once done, let's run the function app locally by pressing F5 which will launch the app locally and attach to the Azure Functions host(which is the same runtime that runs on Azure).

Now we can navigate to http://localhost:7071/api/HttpTriggerJS and pass the query parameter for the response, add ?name=<yourname> to the localhost URL in the browser to see the response.

NOTE: You can also set a breakpoint(by pressing F9) when running locally to test any changes just as we do in Visual Studio.

To deploy we can deploy from the Command Palette (Ctrl+Shift+P) by typing 'deploy to function app' and running the Azure Functions: Deploy to Function App command or use the Azure Function extension:

Follow the prompts in VS Code and Choose the directory of Function App, select your target Azure subscription, and then choose to Create New Function App or select an existing Function App, but if selected to create a new function app you might have to provide more details like below:

1. Typing a unique name for the Function App.

2. Choose Create New Resource Group, type a resource group name, like myResourceGroup and press Enter.

3. Choose a location in a region near you or near other services you may need to access.

4. Choose to Create New Storage Account, type unique name for creating new storage account which will be used by the function app.

   Note: Storage account names must be less than 24 characters in length and should contain lower case and valid characters.

VS Code will create the Function app along with storage account.

We can check the Output panel which displays all the Azure resources that were created in the subscription.

Once deployed successfully we can navigate to the Function App endpoint and pass the query parameter for the response, add ?name=<yourname> to the Function Endpoint URL in the browser to see the response.

Finally, we've successfully completed the creation and deployment of Function App using VS Code..!

Few resources on Function Apps:

1. Create a function that runs on a schedule
2. Create a function triggered by Storage queue messages
3. Create a function triggered by a generic webhook
4. Create a function triggered by a GitHub webhook
5. Add messages to an Azure Storage queue using Functions
6. Store unstructured data in Azure Cosmos DB using Functions

Thanks for Reading..!! Do follow my blog for more stuff on Azure.

With just a few clicks, we can use Global VNet Peering to connect virtual networks across Azure regions to share resources or create a global, private peered virtual network. This enables a variety of scenarios such as data replication, disaster recovery, and database failover through private IPs alone.

You can now peer across the following regions:

• Korea South
• UK South
• UK West
• Canada East
• India South
• India Central
• India West

The new regions add to the previously announced regions:

• US West Central
• Canada Central
• US West 2

For more information, refer to our
documentation and pricing.

It's always been a pleasure to present on Microsoft Azure Cloud.

Special thanks to Pranav Ainavolu, Shravan Kumar Kasagoni and Microsoft folks for the opportunity

Had a wonderful time presenting Azure Infrastructure at App Innovation Circle 2017 at Microsoft Hyderabad, India.

Few pics from the Event: https://1drv.ms/f/s!AqdZd4hXkLdlD5wPPojtm9wIa1

Just in time virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

JIT VM feature is more like an automated Azure Network Security Group rule set for accessing to any Azure specific VM(s) for a temporary period which can be enabled any set of ports restricted from and to IP/Network range.

Typically, Azure Security Center locks down the inbound traffic to any specific ports and opens a port by creating a Network Security Group rule(s) for an appropriate time and from approved IP addresses(which in most cases would be our Public IP address for our local machines), and only for users with proper permissions.

All the requests are also logged in the Azure Activity Log, so we can easily monitor and audit the access.

How the Azure VM JIT Access works ?

When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions that provide write access for the VM. If they have write permissions, the request is approved and Security Center automatically configures the Network Security Groups (NSGs) to allow inbound traffic to the management ports for the amount of time you specified. After the time has expired, Security Center restores the NSGs to their previous state.

NOTE: The Free Tier does not include the JIT VM Access, but you should get an option for a 60 day trial for the Standard Tier that does.

Automating Azure VM Just in Time Access via PowerShell:

# Import Azure RM PSM
Import-Module AzureRM  
# Import Azure SecCenter PSM
Import-Module Azure-Security-Center

# resource group name
$resourceGroup = "ResourceGroupName"
# VM that will be started after updating the NSG
$VMName = "VM-01"
# Get my Public IP - Navigate to "https://www.whatismyip.com/" and get the Public IP
$ipAddress = "183.83.222.243"
# paste the local RDP File
$RDPFile = "C:\Users\raghu\Downloads\vs2017-win2016.rdp"
# Hours for access
[int]$hours = 3

$cred = $null
$cred = Get-Credential -Message "Please enter the credentials to Login to Azure"

$SubscriptionId="4f98b0d0-a2bd-4389-bea7-31faae224077"

Login-AzureRmAccount -Credential $cred –SubscriptionId $SubscriptionId -ErrorAction Stop | out-null

# Main powershell script
# Requesting Access to the Azure VM for current public IP Address for RDP for 2 hours
Invoke-ASCJITAccess -ResourceGroupName $resourceGroup -VM $VMName -Port 3389 -Hours $hours -AddressPrefix $ipAddress

$vmDetails = Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName -Status -ErrorAction Stop

# Starting the Azure Virtual Machine if in Deallocated status.
$VMPowerState = (get-culture).TextInfo.ToTitleCase(($vmDetails.statuses)[1].code.split("/")[1])

if ($VMPowerState -eq "Deallocated"){  
    #Starting Azure Virtual machine
    $vmstatus = Start-AzureRMVM -ResourceGroupName $resourceGroup -Name $vmName              
    # Connecting to Azure Virtual Machine by using RDP Settings File
    if($vmstatus.Status.Equals("Succeeded")){
        # Script Sleeps for 2 mins to start the Azure VM.
        Start-Sleep 120
        Start-Process "$env:windir\system32\mstsc.exe" -ArgumentList $RDPFile
    }
    else{
        Write-Host "Something went wrong when starting Azure VM Name: $VMName at - $(Get-date -format "dd-MMM-yyyy HH:mm:ss")" -foregroundcolor "red" -backgroundcolor "yellow"
    }
} else {
    Start-Process "$env:windir\system32\mstsc.exe" -ArgumentList $RDPFile
}

#End of the script

From the above the script we are trying to import two modules:

1. AzureRM Module
2. Azure-Security-Center

Where Invoke-ASCJITAccess cmdlet is from Azure-Security-Center Powershell module for requesting the Just in Time Access.

For execution with proper logs, please find the automated powershell script which enables Just-In-Time Access for the Azure Virtual Machine for Security Center: Technet Script Center Link

• Application Security Groups,
• Service Tags,
• Augmented Security Rules

Application Security Groups:

We can use application security groups to configure network security as natural extension of an application’s structure, by arbitrarily grouping VMs and defining network security policies based on those groups. You can reuse your security policy and scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, so you can focus on your business logic. For more information, see the documentation.

Service tags for NSGs:

Service Tags simplify security for Azure Virtual Machines and Azure Virtual Networks by enabling you to easily restrict network access to just the Azure services that you use. You can use service tags in your NSG rules to allow or deny traffic to a specific Azure service globally or per Azure region. Azure provides the maintenance of IP addresses underlying each tag. This preview includes Storage, Sql, and AzureTrafficManager tags. For more information, see the documentation.

Augmented security rules for NSGs:

Augmented rules for NSGs simplify the security definition for Virtual Networks, so you can define larger, more complex network security policies with fewer rules. Multiple ports, multiple explicit IP addresses, service tags, and application security groups can all be combined into a single, easily understood security rule. For more information, see the documentation.

Application security groups is in-preview in US West Central.

Service Tags and Augmented Security Rules are in preview in the following regions:

• US West Central
• US East
• US West
• US West 2
• Australia East
• Australia Southeast
• UK South

Event details: https://themugh.github.io/gabc2017/

Few pics from the Event: https://1drv.ms/f/s!Aqd_Zd4hXkLdkkzWuLgda38WbFPw

Special thanks to Shravan Kumar Kasagoni and all Microsoft User Group Hyderabad Organisers for the opportunity.

Thanks to Global Azure Bootcamp Global Team and all the attendees who attended.

And also thanks Ravi for your feedback on my session.

Keep Rocking on Cloud ☁

VPN is generally a Client and Server architecture where we have VPN Servers and VPN Clients. Software which allows client machines to securely connect over the VPN Servers.

To understand how VPN is more secure we need to understand the mechanism which VPNs follow to make the communication secure and encrypted.

Man In The Middle attack(MITM attack): In cryptography and computer security, MITM attach is where Intermedia Hacker secretly tries to read the data packets which are sent from the source to destination i.e, Server to Victim from the image below.

Tunneling Protocol: It creates a tunnel between source-destination an encrypts the data transferred between them.

The tunnel will try to detect the penetration done by hackers & the tunnel will shut down and create an alternate way to reach the destination.

Most tunneling protocols operate at layer 4, which means they are implemented as a protocol that replaces something like TCP or UDP. VPN tunnels allow remote clients to tunnel into our network.

Challenges for VPN:

We have to check the upload connection at destination network where the VPN Server is trying to connect otherwise it will be very slow.

There is a famous saying "Understanding is always a two-way street".

Today we will be understanding in more detail on what actually meant by Provisioning, Automation, Configuration Management and their use cases in traditional and cloud world.

Consider a scenario where we want to host a web application:

First, we need a Server which can be a physical or a Virtual Machine using a Hypervisor or a Container. If it's a single pet project it might be manual but in an enterprise, they might have their own procedure to request servers.

Later in the next blog will see how to create a virtual machine using Vagrant but nowadays everyone uses cloud by which we can simply create or delete any number of servers in very little time.

Provisioning - In any Data Center or even on a single Physical Server we can set-up a logical server by using a script or using a manual process to create a virtual server which utilizes the resources of the Physical Server. We can also automate the provisioning of a server process by passing the necessary parameters to PowerShell, Terraform, etc to create servers in an easy and quick way.

• There is always a huge difference between Cloud and On-Premises.
• Cloud is flexible, On-Demand, API Support.
• Can also use Hybrid Solution - Partial Cloud and Partial On-Prem

Once we have our machines spun up we can install different services to run on our servers which can be Web Server Software like Apache, IIS, PHP, and .NET at this place we talk about Automation & Configuration Management. All the application will have their unique configuration files and upon which we will have our application code.

So what is Configuration Management ?

Configuration Management (CM) is a system engineering process for maintaining establishing and maintaining consistency of a product's performance, functional and physical attributes with its requirements, design and operational information throughout its life.

Maintaining consistency of software and configuration. i.e, we create a pipeline where we provision servers in an automated way and then maintaining the consistency of the software configuration.

Automation is necessary when:

• Easy to create any number of servers without any human error.
• Infrastructure is unmanageable.

Some tools we can use are Chef, Puppet, Ansible, SaltStack.

Do follow my blog for more posts on cloud and related concepts...

Happy Reading :)

Azure Storage provides the capability to take snapshots of blobs.

You might me wondering what is a Snapshots ?

In Hyper-V Environment the configuration, memory, and supporting process information is saved and a differencing disk is created to store future disk changes. When you delete a VM, all the snapshots are deleted. However, the virtual hard disk (VHD) is not deleted, which means all content stored in the differencing disks associated with the snapshots must be merged with the original VHD, as the following diagram shows.

In Azure its similar where Azure capture the blob state at that point in time. Lets dig down the scenario of how we can maintain backups of virtual machine disks using snapshots.

What is a Blob Snapshot?
A blob snapshot is a read-only version of a blob that is captured at a point in time. Once a snapshot has been created, it can be read, copied, or deleted, but not modified.

Note: Snapshots can be copied to another storage account as a blob to keep backups of the base blob. You can also copy a snapshot over its base blob, which is like restoring the blob to an earlier version. When a snapshot is copied from one storage account to another, it will occupy the same space as the base page blob. Therefore, copying whole snapshots from one storage account to another will be slow and will also consume lot of space in the target storage account

Steps for Implementing a full snapshot copy:

1. First, take a snapshot of the base blob using the Snapshot Blob operation.
2. Then, copy the snapshot to a target storage account using Copy Blob.
3. Repeat this process to maintain backup copies of your base blob.

For execution, please find the Automated Powershell Script which Create Snapshot for unmanaged Virtual Machines in a resource group: Link

The above script is for creating Blob Snapshots for all Azure IaaS VMs(includes root volume and Data volumes) for Azure Resource Manager VM(unmanaged disks). This is intended to run only for Virtual Machines with TagName as "Environment" and TagValue as "Production". You can also automate the process of Blob Snapshot by publishing the script in Azure Automation as well with few changes.

See the corresponding article for details and instructions:https://docs.microsoft.com/en-us/azure/storage/storage-blob-snapshots

NOTE: It is suggested that you download the script file from this page instead of copying and pasting the script code below, in order to avoid any formatting issues that may affect script execution.

Thanks for reading. Following to this blog we will have a detailed blog explaining how to restore an unmanaged VM in Azure using Powershell Scripts.

Happy Reading :)

As we know this blog is a part of Microsoft Azure Networking blog series. This blog is Part - 3 where we continue the Networking resources from understanding Azure Application Gateway. If you haven't read the Part - 1 and Part - 2

Azure application Gateway

1. Layer 7 : HTTP/HTTPS load balancing WebSocket support.
2. Web application firewall
3. URL-based routing.
4. Routing based on tuple of source & destination IP addresses.
   • Round Robin
   • Session affinity via cookies
   • SSL decoding/terminations & end-to-end SSL processing.

Services:

1. Two SKU's -> Web Application firewall (WAF) and Standard.
2. Small, Medium & Large services tiers.
3. Differences in pricing for outbound data
4. Small doesn’t support WAF
5. Differenced in speed of putdound data processing.
6. Inbound data is free for all service tiers.

Web Application Firewall

1. Protects from common attacks.
2. SQL Injection & cross-site scripting.
3. Bots & Scanners.
4. HTTP violation/anomalies/forgeries.
5. Server Misconfigurations.

Detection Mode : Detects and logs threats; no direct alerting.

Prevention Mode : Sends 403 response to detected threats.

Pros:

1. Super-simple to use.
   
   • Create it, assign it to an IP address and VNET, add a listener and you’re done.
2. Can protect Web Apps(in a Virtual Network).
3. Public and private IP's load balancing.
4. WAF protects against common attacks.
5. SSL offloading
   
   • Requires additional configuration.
6. Custom health probes.

Cons:

1. Only works for HTTP/HTTPS.
2. Round Robin and URL based routing limits overall routing options.
3. Doesn’t support IP reservations.
4. Laxer rule Vs Load balancer for health probes.

Usage Examples

1. Protest Virtual Machines & Web Apps against Common Attacks(WAF)
2. Routing traffic among several web servers VMs or web apps within a specific
   VNets.
3. In concert with a load balancer for multities application.
4. Maintain session affinity for specific applications (Shopping carts, Web mail, etc.)
5. SSL-intensive workload.

Thanks for reading.. :) Keep following for Part - 4

Thanks for following the blog. As we know we have been covering Microsoft Azure Networking resources. This blog is Part - 2 where we continue the Networking resources. If you haven't read the Part 1, click here

Lets understand about Azure Load Balancer and see why anyone should use, Pros and Cons, and finally few examples of the resource in real world.

Azure Load Balancer

1. Layer 4(transport) : TCP & UDP.
2. Routing for virtual machines & cloud services.
3. Support virtual & hybrid networks(on prem/-- -)
4. Supports reserved IP Addresses.
5. Routing based on tuple of source & destination IP addresses.
   • Supports session affinity.
   • Supports port forwarding.

Internet Facing Load Balancer :- Load Balancer passes public IP request to Virtual Machine. Virtual Machine's response is routed back to client through the Load Balancer, onto the public IP.

Internal Facing Load Balancer :- Traffic within the Virtual Network is passed through the Load Balancer.

1. Virtual Machine to Virtual Machine traffic within the same Virtual Network.
2. Virtual Machine to Virtual Machine within the same cloud services(Classic).
3. On-Premises to Virtual Machine within the same cloud services and Virtual Network.
4. Among tiers in a multi-tier Application.

Pros:

1. Flexible & geared towards performance.
2. Can route any UDP/TCP traffic.
3. Create port forwarding & session present rules
4. Direct server return for bandwidth-intensive requests.
5. Allows for tiered routing in N-tier architecture.
6. Correctly addresses sealed out VM instances.
7. Can be used to pool multiple publicIP.
8. Can customize health probes.

Cons:

1. Difficult to be very granular.
2. Doesn’t support SSL offloading.
3. Can be tempting to misuse.
   
   • Too much specific endpoint routing.
   • Stymied auto-scaling.
4. Requires HTTP health probes on each endpoint.
   
   • Endpoint must respond with HTTP 200 status code.

Usage Examples:

1. Load balance each tier of an N-tier architecture with multiple machines.
2. Load balance all traffic on a specific IP address or group of IP addresses.
3. co-ordinate traffic between a Virtual Network and On-Premise Network.
4. Direct traffic on specific port or from a specific IP address to a specific virtual machine.

Thanks for reading.. :) Keep following for Part - 3

Today we will cover how to Authenticate a Client Application with Azure Key Vault using Azure Active Directory Application and how to set various access policies for the applications. Each application should be given minimum set of permissions that it requires to operate on. A Security Administrator would be given full permission so that it could modify the Vault Key/Secret as required and an Azure Developer will have limited permissions on Keys and Secrets. For Such a scenarios, it is best to have two or more AD applications created and have separate permissions provided.

Process flow:
1) The application first uses the AD application credentials to authenticate and once obtained the Access Token is used for further interactions with the Key Vault. Using the Key Identifier that is available we get the details of the key. We have to provide the appropriate permissions by Set-AzureKeyVaultAccessPolicy, against the key vault. In C# we generally Encrypt data with the System.Security.Cryptography.RSA algorithm.

To implement Azure Key Vault to our applications we have 4 Steps:

• Create an Azure AD Application
• Creating Key Vault and associate the Service Principal
• Create a Key and Secret in Key Vault
• Using Key Vault from a Web Application

Step 1: Create an Azure AD Application

We have to create an AD Application that will authenticate using Client ID and Client Secret, generating the credentials can be done using either Powershell or Azure Portal.

In this Step we cover Powershell way to create an Azure AD Application

Pre-Requisites:

• Powershell with Azure Module Installed.
• Required Permissions needed to create an AD Application.
• Azure Portal Access.

Procedure:

• Run the below powershell code to create an Azure AD Application. When the script starts running a pop-up appears where we have to specify the username and password for Azure Account. Once its authentication then an AD Application is created.

#Login to Azure Module from powershell.
Login-AzureRmAccount

$aadClientSecret = 'ramClientSecret'
$appDisplayName = 'ramKvApp'

#To Create an AD Applicatication with a custom Password
$aadApp = New-AzureRmADApplication -DisplayName $appDisplayName -HomePage 'http://ramKvApp' -IdentifierUris 'http://ramKvApp' -Password $aadClientSecret

$appID = $aadApp.ApplicationId

#Creating a Service Principal to the Application
$aadServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $appID

• Once the script completes running successfully we can navigate to Azure Portal and Search for App Registrations and select.

• Search by AD Application Name and note the Application ID which is our Client ID and the Client Secret from the above Script(in our case its 'ramClientSecret').

Step 2: Creating Key Vault and associate the Service Principal

Pre-Requisites:

• Powershell with Azure Module Installed.
• Required Permissions needed to create an AD Application.
• Azure Portal Access.

Procedure:

• Run the below powershell script to create a Resource Group in an Azure Subscription. In the above step as we have logged in to Azure Subscription, we create a Resource Group to place Key Vault resource inside it.

$kvName = 'ramKV'
$rgName = 'ramRG'
$location = 'South India'

#selecting target Subscription
Select-AzureRmSubscription –SubscriptionName ‘<SubscriptionName>’

#creating a Resource Group from the above values
New-AzureRmResourceGroup -Name $rgName -Location $location  
#creating an Azure Key Vault from the above values.
New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location

#assigning the Access policy to the Key Vault
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ServicePrincipalName $appID -PermissionsToKeys all –PermissionsToSecrets all  

• In the above script we create a resource group and also assign an access policy to the target key vault.
• Once the script run successfully we can navigate to Azure Portal and search for the Resource Group and click on Key Vault.

Step 3: Creating and Deleting Key and Secret in Azure Key Vault

As we have created AD Application and Key Vault let now create Key and Secret in Key Vault(for more info on Keys and Secret)

It walks you through the process of accessing a secret from an Azure Key Vault so that it can be used in your web

• Adding a Key or Secret to Vault:

#creating a Software protected Key
$key = Add-AzureKeyVaultKey -VaultName ‘ramKeyVault' -Name 'softProtectKey' -Destination 'Software'

• If we have an existing software-protected key in a .pfx file saved at local machine named “KeyCert.pfx” that can be uploaded to Azure Key Vault:

# .pfx certificate password
$securepfxpwd = ConvertTo-SecureString –String 'Password@123' –AsPlainText –Force

#import the key from the .PFX file, which protects the key by software in the Key Vault service
$key = Add-AzureKeyVaultKey -VaultName 'ramKeyVault' -Name 'CertificateKey' -KeyFilePath 'C:\keyCert.pfx' -KeyFilePassword $securepfxpwd

• To add a secret say SQL Password which is sqlpassword to the Key Vault, firstly we convert it to SecureString by typing the following:

#convert password to Secure String 
$secretvalue = ConvertTo-SecureString 'sqlpassword' -AsPlainText –Force

#assigning a Secret to Key Vault
$secret = Set-AzureKeyVaultSecret -VaultName 'ramKeyVault' -Name 'SQLPassword' -SecretValue $secretvalue

• To display the URL of the Secret, the below URL is also called as Key Identifier which can be found from Azure Portal as well:

#which will be similar to https://ramkv.vault.azure.net/secrets/demFinals/f2b508e89d3f44b6a184f97dd967e51d
$secret.Id

• To get all available Keys & Secrets in the Key Vault:

#List of keys in the Key vault named 'ramKeyVault'
Get-AzureKeyVaultKey –VaultName 'ramKeyVault'

#List of Secrets in the Key vault named 'ramKeyVault'
Get-AzureKeyVaultSecret –VaultName 'ramKeyVault'  

• Delete the Key Vault and associate keys and Secrets:

#remove Azure Key Vault from the subscription 
Remove-AzureRmKeyVault -VaultName 'ramKeyVault'  

Link for More Powershell Key Vault Modules: https://docs.microsoft.com/en-us/powershell/resourcemanager/azurerm.keyvault/v2.1.0/azurerm.keyvault?redirectedfrom=msdn

Step 4: Using Key Vault Secret from Web Application

Pre-requisites:

• A URI to a secret in an Azure Key Vault
• A Client ID and a Client Secret for a web application registered with Azure Active Directory that has access to your Key Vault
• An ASP.NET MVC application deployed in Azure as a Web App/Virtual Machine

Procedure:

• There are two packages that your web application needs to have installed. Both of these packages can be installed using the Package Manager Console using the Install-Package command.

Add Nuget Packages:

// this is currently the latest stable version of ADAL
C:\> Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202  
C:\> Install-Package Microsoft.Azure.KeyVault  

• Modify Web.Config

• Add a Method to get an Access token.

//add these using statements
using Microsoft.IdentityModel.Clients.ActiveDirectory;  
using System.Threading.Tasks;  
using System.Web.Configuration;

public static string EncryptSecret { get; set; }

public static async Task<string> GetToken(string authority, string resource, string scope)  
{
    var authContext = new AuthenticationContext(authority);
    ClientCredential clientCred = new ClientCredential(WebConfigurationManager.AppSettings["ClientId"],
                WebConfigurationManager.AppSettings["ClientSecret"]);
    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

    if (result == null)
        throw new InvalidOperationException("Failed to obtain the JWT token");

    return result.AccessToken;
}

• Retrieve the secret on Application Start Now we need to get the secret from Azure Key Vault by calling the Key Vault API and retrieve the secret. We can place the below code at application start (in our case its Global.asax).

using Microsoft.Azure.KeyVault;  
using System.Web.Configuration;

// I put my GetToken method in a Utils class. Change for wherever you placed your method.
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Utils.GetToken));

var sec = kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]).Result.Value;

//I put a variable in a Utils class to hold the secret for general application use.
Utils.EncryptSecret = sec;

• Run the application which will fetch the Connection String Secret from Azure Key Vault and pass the Key Vault Secret (ConnectionString) at runtime to the application

Summary

From the above blog we can learn how Azure Key Vault can be used to store Application Secrets(API Keys/Connection Strings, etc) and how we can retrieve the secret from Key Vault.

Privacy and encryption works, but it's too easy to make a mistake that exposes you. So let's leverage Key Management System and stay safe with your application secrets.

Thanks for reading and keep learning :)