In an earlier blog post I discussed the decision criteria for selecting a VM, and showed a tool called “VMchooser”. Today’s post covers the architecture I used to build it. As you might have guessed, it is built on Azure components. Let’s look at the anatomy of this application.
High Level Architecture
VMchooser has the following high-level architecture:
- Web App : The front-end of the application is hosted on an Azure Web App.
- Azure Functions : The back-end API and the batch parser are built with Azure Functions, which scale on demand without a server to size.
- Storage Account : The storage account is the decoupled, central storage component for the batch parsing. It can also host the “database”, which is a flat file.
- Application Insights : Application Insights provides the usage and other metrics I need.
- GitHub : All code for this project is open source and publicly hosted, so you can run your own VMchooser if you want… 😉 Every change is deployed immediately to the front-end, back-end and database.
- API Management : Because the back-end API is decoupled from the application, I have also placed it behind API Management. This gives me the option to allow third-party application integrations via an API subscription plan.
Continue reading “The anatomy of “vmchooser”… Adding some serverless into the architecture!”
In my previous post I talked about integrating Azure Database for MySQL with a PHP web app. Today we’ll take that a step further and see how to set up CodeIgniter to use it.
Prep the webapp
First, set all your database variables as app settings (read: environment variables), so that no credentials live in the code base:
That’s it for the preparation 😉
Continue reading “Setting up Azure MySQL with CodeIgniter by having SSL enforced”
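As an added example (not the post’s own code, which is about the CodeIgniter side), here is the preparation step done from the Azure CLI in a POSIX shell script. It writes the database settings as app settings and then enforces TLS on the Azure Database for MySQL single server, so that a client that forgets its SSL options is refused instead of silently downgraded to plaintext. The resource names, the DB_* setting names and the CA file path are assumptions; the user@server login format and the sslEnforcement property are specific to the single-server offering.

```shell
#!/bin/sh
# Added example (not from the post): database settings as App Service app settings
# (environment variables for PHP) plus TLS enforcement on Azure Database for MySQL
# (single server), driven by the Azure CLI. RG/APP/MYSQL_SERVER are placeholders.
set -e

RG="${RG:-my-rg}"; APP="${APP:-my-webapp}"; MYSQL_SERVER="${MYSQL_SERVER:-my-mysql}"

mysql_fqdn() { printf '%s.mysql.database.azure.com' "$1"; }

mysql_login_name() {
  # Single server expects the login as user@servername (short server name, not the FQDN).
  printf '%s@%s' "$1" "$2"
}

set_db_app_settings() {
  # $1 db user, $2 db password, $3 database name. The CA path is an assumption: the
  # server certificate chains to a public root the client must be told to trust.
  az webapp config appsettings set --resource-group "$RG" --name "$APP" --settings \
    "DB_HOST=$(mysql_fqdn "$MYSQL_SERVER")" \
    "DB_USER=$(mysql_login_name "$1" "$MYSQL_SERVER")" \
    "DB_PASS=$2" \
    "DB_NAME=$3" \
    "DB_SSL_CA=/home/site/wwwroot/certs/BaltimoreCyberTrustRoot.crt.pem" >/dev/null
}

enforce_ssl() {
  # Flip enforcement on and echo back what the server reports afterwards.
  az mysql server update --resource-group "$RG" --name "$MYSQL_SERVER" \
    --ssl-enforcement Enabled >/dev/null
  az mysql server show --resource-group "$RG" --name "$MYSQL_SERVER" \
    --query sslEnforcement -o tsv
}

ssl_enforced() {
  # $1: the sslEnforcement value reported by `az mysql server show`
  [ "$1" = "Enabled" ]
}

plaintext_refused() {
  # $1 db user, $2 password. With enforcement on, a client that disables TLS must be
  # rejected ("SSL connection is required"); if this login succeeds, enforcement is off.
  ! mysql --host="$(mysql_fqdn "$MYSQL_SERVER")" \
      --user="$(mysql_login_name "$1" "$MYSQL_SERVER")" \
      --password="$2" --ssl-mode=DISABLED -e 'SELECT 1' >/dev/null 2>&1
}

# Usage: ./prep_mysql.sh run <db-user> <db-password> <database>
if [ "${1:-}" = "run" ]; then
  set_db_app_settings "$2" "$3" "$4"
  ssl_enforced "$(enforce_ssl)" || { echo "SSL enforcement not active" >&2; exit 1; }
  plaintext_refused "$2" "$3" || { echo "plaintext login still accepted" >&2; exit 1; }
  echo "app settings written; server accepts TLS connections only"
fi
```

The last check is the one worth keeping around: enforcement is a server-side property, so a plaintext login that succeeds after the update means the change did not land, whatever the portal shows.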
Sometimes we come across applications that need some basic form of protection, but (sadly enough) the code base does not allow for it. Today we’ll see how to enable authentication and authorization on a web app without altering any code. The App Service platform provides this capability itself, so the application code never notices it.
Enable / Configure Azure Active Directory Authentication
Let’s start by going to our web app and looking for the “Authentication / Authorization” section.
We enable “App Service Authentication”. As we do not want anonymous visitors, we select “Log in with Azure Active Directory” as the action to take when a request is not authenticated. Next we configure the Azure Active Directory provider:
Continue reading “Protecting your webapp with Azure Active Directory WITHOUT adjusting any code…”
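The same switch flipped from the Azure CLI, as an added example that is not part of the original post. It uses the classic (V1) authentication settings of az webapp auth update and then checks the result the way a reviewer would: an anonymous request to the site root must come back as a redirect to the AAD login. Resource group, app name, tenant id and app registration are placeholders read from the environment.

```shell
#!/bin/sh
# Added example (not from the post): enable App Service Authentication for an existing
# web app with the Azure CLI (classic V1 settings) and verify that anonymous requests
# are redirected to the AAD login. All names and ids below are placeholders.
set -e

RG="${RG:-my-rg}"                  # assumption: resource group of the web app
APP="${APP:-my-webapp}"            # assumption: web app name (my-webapp.azurewebsites.net)
TENANT_ID="${TENANT_ID:-}"         # AAD directory (tenant) id
CLIENT_ID="${CLIENT_ID:-}"         # app registration the login is performed against
CLIENT_SECRET="${CLIENT_SECRET:-}" # its client secret

enable_aad_easy_auth() {
  # "Log in with Azure Active Directory": reject unauthenticated requests and send
  # them to AAD; the issuer URL pins the login to one tenant.
  az webapp auth update --resource-group "$RG" --name "$APP" \
    --enabled true \
    --action LoginWithAzureActiveDirectory \
    --aad-client-id "$CLIENT_ID" \
    --aad-client-secret "$CLIENT_SECRET" \
    --aad-token-issuer-url "https://sts.windows.net/$TENANT_ID/" >/dev/null
}

fetch_anonymous_headers() {
  # Response headers for an unauthenticated GET of the site root.
  curl -sS -I "https://$APP.azurewebsites.net/"
}

is_aad_login_redirect() {
  # $1: raw response headers. True when the status is 302 and Location points at the
  # AAD login, either directly or via the app's own /.auth/login/aad endpoint.
  printf '%s\n' "$1" | head -n 1 | grep -q ' 302' &&
    printf '%s\n' "$1" | grep -qiE '^location: *https://(login\.microsoftonline\.com/|[^/]*/\.auth/login/aad)'
}

if [ "${1:-}" = "run" ]; then
  enable_aad_easy_auth
  sleep 10   # the new auth settings take a moment to reach the front ends
  headers=$(fetch_anonymous_headers)
  if is_aad_login_redirect "$headers"; then
    echo "OK: anonymous requests are redirected to the AAD login"
  else
    echo "FAIL: site root still answers without a login" >&2
    exit 1
  fi
fi
```

Turning this on proves who the caller is; it does not by itself say who is allowed in. By default any account in the tenant can sign in, so either enable “User assignment required” on the enterprise application in AAD, or have the application read the identity the platform injects (the X-MS-CLIENT-PRINCIPAL-NAME header) and apply its own rules.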
As a hobby effort, I wanted to create a small PoC where any user could log in with their AAD account and grant an application access, after which that application could query their subscriptions.
In all honesty, I struggled more than I’d like to admit with getting this working… So this post covers all the steps you need to take to get it working!
OAuth & Azure AD
Before getting our hands dirty, read up on the following post: Authorize access to web applications using OAuth 2.0 and Azure Active Directory
Read it thoroughly! To be honest, I didn’t at first and it cost me a lot of time. 😉
Anyhow, the flow looks as follows:
- We redirect the user to sign in (and, if this hasn’t been done yet, to grant our application access)
- If all went well, we receive an authorization code on our redirect URI
- We exchange this code at the token endpoint for a bearer (access) token and a refresh token
- Next we use the bearer token to call the Azure Resource Manager REST API and list the subscriptions that user can see
Continue reading “Azure : Using PHP to go all oauth2 on the management API!”
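The four steps above, walked through by hand against the Azure AD v1 endpoints the linked article describes, as an added example in POSIX shell with curl (not the post’s PHP code). Seeing the raw requests is the quickest way to find out which parameter the identity provider is unhappy about. The client id, secret and reply URL come from the environment and are placeholders. The state handling is the one thing the flow list does not mention and should not be skipped: without it an attacker can make your callback consume an authorization code of their choosing.

```shell
#!/bin/sh
# Added example (not the post's PHP code): OAuth 2.0 authorization-code flow against the
# Azure AD v1 endpoints, step by step with curl. AAD_CLIENT_ID / AAD_CLIENT_SECRET /
# REDIRECT_URI are assumed to be set in the environment (placeholders).
set -e

CLIENT_ID="${AAD_CLIENT_ID:-}"
CLIENT_SECRET="${AAD_CLIENT_SECRET:-}"
REDIRECT_URI="${REDIRECT_URI:-https://localhost/callback}"
ARM_RESOURCE="https://management.azure.com/"   # v1 "resource" = the API we want a token for
AUTHZ="https://login.microsoftonline.com/common/oauth2/authorize"
TOKEN="https://login.microsoftonline.com/common/oauth2/token"
STATE_FILE="${STATE_FILE:-/tmp/aad_oauth_state}"

urlencode() {
  # Minimal percent-encoder for the characters that occur in URLs and AAD parameters.
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/:/%3A/g' -e 's,/,%2F,g' \
    -e 's/?/%3F/g' -e 's/#/%23/g' -e 's/&/%26/g' -e 's/=/%3D/g' -e 's/+/%2B/g'
}

new_state() {
  # Random, single-use value bound to this session; protects the callback against CSRF.
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

build_authorize_url() {
  # $1 client id, $2 redirect uri, $3 state -> step 1: where to send the user's browser
  printf '%s?client_id=%s&response_type=code&redirect_uri=%s&resource=%s&state=%s' \
    "$AUTHZ" "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$ARM_RESOURCE")" "$(urlencode "$3")"
}

check_state() {
  # $1 state we issued, $2 state echoed back on the redirect; an empty state never matches.
  [ -n "$1" ] && [ "$1" = "$2" ]
}

exchange_code() {
  # $1 authorization code -> step 3: the token endpoint returns access_token + refresh_token
  curl -sS -X POST "$TOKEN" \
    --data-urlencode "grant_type=authorization_code" \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" \
    --data-urlencode "code=$1" \
    --data-urlencode "redirect_uri=$REDIRECT_URI" \
    --data-urlencode "resource=$ARM_RESOURCE"
}

json_string_field() {
  # $1 single-line JSON (as AAD returns it), $2 field name -> unquoted string value
  printf '%s' "$1" | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'
}

list_subscriptions() {
  # $1 access token -> step 4: the ARM call the post is after
  curl -sS -H "Authorization: Bearer $1" \
    "https://management.azure.com/subscriptions?api-version=2016-06-01"
}

case "${1:-}" in
  authorize)
    state=$(new_state)
    printf '%s\n' "$state" > "$STATE_FILE"
    printf 'Open this in a browser and sign in:\n%s\n' \
      "$(build_authorize_url "$CLIENT_ID" "$REDIRECT_URI" "$state")" ;;
  callback)
    # Usage: ./aad_oauth.sh callback <code> <state>  (both copied from the redirect URL)
    check_state "$(cat "$STATE_FILE")" "$3" || { echo "state mismatch: drop this code" >&2; exit 1; }
    tokens=$(exchange_code "$2")
    access=$(json_string_field "$tokens" access_token)
    [ -n "$access" ] || { echo "token exchange failed: $tokens" >&2; exit 1; }
    list_subscriptions "$access" ;;
esac
```

./aad_oauth.sh authorize prints the URL to open; after signing in, the browser lands on the reply URL with code and state in the query string, and ./aad_oauth.sh callback <code> <state> exchanges the code and prints the subscription list. The resource parameter is specific to the v1 endpoint; the v2 endpoint expects scope=https://management.azure.com/.default instead, which is one of the reasons mixing the two sets of documentation costs time.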
Ever heard of Azure Application Gateway? No? I understand; strangely enough, it is a component that is often overlooked. In essence, what does it do? Think of it as a load balancer on security steroids: a layer-7 (HTTP) load balancer. The standard tier gives you SSL offloading, while the WAF tier turns it into a web application firewall in front of your apps.
Continue reading “Azure Application Gateway : Often overlooked…”
A quick tip on hardening your SQL database in combination with an Azure Web App. Browse to the properties of your web app and copy the “outbound IP addresses” to your text editor.
Now browse to the SQL Server you have provisioned in Azure, click on “Show firewall settings” and enter the IP addresses you just noted down.
A small pointer: you have to enter one address at a time and save after each entry… Annoying as hell, but this is how the UI works.
Anyhow, let’s see how our web app behaves…
You probably don’t take my word for it right off the bat, so let’s clear the firewall rules and test again!
Now access to the database is denied, and the client address listed in the error is one of the outbound IP addresses we noted earlier. Bear in mind that those addresses are shared by every app running on the same App Service scale unit, so this rule set keeps the rest of the internet out but is not per-app isolation; VNet integration with service endpoints is needed for that.
Have fun hardening!
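The same allow-listing scripted with the Azure CLI, as an added example that is not from the post. It pulls the addresses from the app itself (so the list can be regenerated instead of retyped), creates one single-address rule per entry and then checks for the rule that would undo the whole exercise. Resource names are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): restrict the Azure SQL server firewall to the
# web app's outbound addresses with the Azure CLI. RG/APP/SQL_SERVER are placeholders.
set -e

RG="${RG:-my-rg}"; APP="${APP:-my-webapp}"; SQL_SERVER="${SQL_SERVER:-my-sqlserver}"

webapp_outbound_ips() {
  # possibleOutboundIpAddresses is the superset the app can use across pricing tiers;
  # outboundIpAddresses (what the portal shows) is only the current set, so rules built
  # from it silently break after a scale-up. Returned as a comma-separated string.
  az webapp show --resource-group "$RG" --name "$APP" \
    --query possibleOutboundIpAddresses -o tsv
}

split_ips() {
  # Comma-separated list -> one address per line, whitespace stripped, de-duplicated.
  printf '%s' "$1" | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

rule_name() {
  # Stable, readable rule name derived from the address (rule names are free text).
  printf 'webapp-%s' "$(printf '%s' "$1" | tr '.' '-')"
}

apply_rules() {
  # $1: comma-separated addresses -> one single-address rule each (start == end)
  split_ips "$1" | while read -r ip; do
    az sql server firewall-rule create --resource-group "$RG" --server "$SQL_SERVER" \
      --name "$(rule_name "$ip")" --start-ip-address "$ip" --end-ip-address "$ip" >/dev/null
    echo "allowed $ip"
  done
}

list_rules() {
  # name, start, end as tab-separated lines
  az sql server firewall-rule list --resource-group "$RG" --server "$SQL_SERVER" \
    --query '[].[name,startIpAddress,endIpAddress]' -o tsv
}

has_open_rule() {
  # $1: rule list as "name<TAB>start<TAB>end" lines. A start address of 0.0.0.0 is either
  # "Allow Azure services" (0.0.0.0-0.0.0.0, i.e. every Azure tenant) or a rule covering
  # all of IPv4; either one makes the per-address rules pointless.
  printf '%s\n' "$1" | awk -F'\t' '$2 == "0.0.0.0" { found = 1 } END { exit !found }'
}

if [ "${1:-}" = "run" ]; then
  apply_rules "$(webapp_outbound_ips)"
  if has_open_rule "$(list_rules)"; then
    echo "WARNING: a 0.0.0.0 rule is present; the allow-list is not effective" >&2
    exit 1
  fi
  echo "firewall restricted to the web app's outbound addresses"
fi
```

Two things the portal does not make obvious: possibleOutboundIpAddresses rather than outboundIpAddresses is the right source, because the current set changes when the app moves to another pricing tier; and the “Allow Azure services and resources to access this server” switch is stored as a rule from 0.0.0.0 to 0.0.0.0, which admits every Azure tenant and must be off for the per-address rules to mean anything.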
Developing a website: open up Notepad++, browse to your web server via FTP, edit the files, then refresh to see the changes…
Sounds familiar? Probably… It is a very straightforward and easy process. The downside, however, is that you have no tracking of your changes (version control) and that the process is entirely manual. That becomes a problem when you aren’t the only one on the job, or when something goes wrong.
So let’s step it up and introduce version control. Now we have an overview of every revision we made to our code and we can revert to any of them. Yet suddenly we need to do a lot more to get our code onto the web server. This brings us to the point where we want a helper that does the deployment for us.
The basic process
- Local Development : Development happens here. Have fun… When you (think you) are happy with what you have produced, you commit the files to your version control system.
- Source Repository : The source repository contains all versions of your code. Here you can configure it to notify your deployment system whenever a new version has been pushed.
- Deployment System : The deployment system queries the source repository and retrieves the latest code. This code is packaged, transmitted and deployed onto the target system(s).
- Target Systems : The systems that actually host your code and deliver the (web) service!
Real Life Example?
- Create a private repository at BitBucket
- Pull/push the repository between BitBucket and your local SourceTree
- In BitBucket, go to “Settings”, “Deployment Keys” and generate a key for your automation. Copy it to your clipboard…
- In DeployHQ, go to “Settings”, “General Settings” and paste the key into the “Public Key Authentication” textbox.
- In DeployHQ, go to “Settings”, “Servers & Group” and create a new server.
- In the same screen, enable “Auto Deploy” and copy the URL hook.
- Now go to “Settings” in BitBucket, then “Hooks”. Add a “POST” hook containing the URL hook you just copied.
- Now every time you push a commit from your workstation, the code is deployed to your server!
In fact, this is the mechanism I use for my own (hobby) development projects. One example is my own homepage, which is deployed via the system described above.