Configuring a custom domain for an Azure App Service including an App Service Managed Certificate is the kind of task where I constantly have to look up the details. For this reason, and because a colleague asked me to blog about it, I decided to briefly document the process here.
[HOWTO] Enable and configure Defender for Storage at the storage account level by using Terraform
I aimed to enable Defender for Storage on a dedicated storage account using Terraform, updating the existing configuration. Although the Terraform apply succeeded, the feature was not enabled. After research, I resolved the issue by adjusting user roles, allowing a subsequent Terraform apply to produce the desired outcome.
[HOWTO] Set Minimum TLS Cipher Suite of Azure App Service using Terraform
An application’s pentest revealed weak SSL/TLS cipher suites in Azure App Services. To enhance security, non-forward-secrecy cipher suites must be disabled. Utilizing Terraform and the azapi provider, a workaround was implemented to configure the Minimum TLS Cipher Suite, enforcing modern cryptographic standards.
[NoBrainer] Solve AuthorizationPermissionMismatch error on terraform init
The error "Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403" in Terraform with an Azure backend indicates a permission issue. To resolve this, assign the Storage Blob Data Contributor or Owner role to the user or service principal. After assignment, use 'az logout' and 'az login -t [tenant id]' commands to refresh the token.
[NoBrainer] Import existing Microsoft Entra ID security groups into Terraform state
In a project involving infrastructure as code (IaC) with Terraform, Microsoft Entra ID security groups were manually created in the Azure portal. To avoid recreation, the import feature in Terraform was used to bring existing groups into Terraform state. This involved obtaining object IDs and descriptions, adding the groups as resources in Terraform code, and importing them into Terraform state.
[HOWTO] Configure Serilog for a .NET Core Web API running on Azure App Service
This blog post guides the configuration of Serilog for a .NET Core Web API running on an Azure App Service. It covers logging requirements and implementation, including Serilog setup in Program.cs and appsettings.json. It also provides instructions for querying logs in Azure Application Insights and streaming them using Log Stream in Azure App Service.
Microsoft Entra ID guest user invitation succeeds but user is not created
During preparation for a penetration test, an issue arose where multiple test accounts couldn't be invited as guest users to Microsoft Entra ID. The problem was due to all emails being redirected to one address. The takeaway is to ensure that the email addresses invited are not redirections to an existing user account.
[HOWTO] Configure Azure App Service authentication and App Registration for an application deployed by Azure OpenAI Studio
A colleague at work is currently working on a prototype for Azure OpenAI Services integration. He deployed the prototype application directly from Azure OpenAI Studio to an Azure App Service. When he tried to access the application for the first time, he received the following error message. Authentication Not Configured: This app does not have authentication...
[NoBrainer] Ensure that Azure Monitor alert email notifications are delivered
When working with Azure Monitor alerts that trigger email notifications, there is a tiny little detail to consider to make sure the email notifications get delivered as expected. But let's first have a look at the setup of an Azure Monitor alert. In my case, I set up an Azure Monitor metric alert and action...
[NoBrainer] Get rid of issuer and MFA exceptions when working with Visual Studio Credential in local development environment
Lately I nearly went crazy when working with Visual Studio Credential in an ASP.NET Web API project. For Test, Int and Prod environments I usually use Managed Identity and for local development I prefer using Visual Studio Credential, e.g. for accessing Azure Key Vault or Azure Storage Account services. In this example, access key authentication is...
