Monday, 26 October 2020

Identity Server - OAuth and OIDC

Overview:  The current version of Identity Server is 4.  Identity server is basically a .NET Core 3.1 application that is an Identify Provider (IdP) similar in role to PingId, SiteMinder, AAD b2C.  Identity server allows application (native mobile, web sites and servers) to securely authenticate users.

OAuth2 Grant Types:

Flow Description Client Grant Type
Authorization with PK Authorization Code Grant Type.  Default choice for authorization. Native mobile Apps, Windows app, Browser Apps Code
Client Credential Server-to-server (S2S) communication also refereed to as Machine-to-machine (M2M). Server,Consoles,Services ClientCredentials
Implicit Rather use the Authorization Code Flow with PKCE Native Apps & SPA's often use Implicit Flow Implicit
Resource Owner Pswd

Scopes: The authorisation Server specifies the "scope" that the user has consented too.  So for an API you can limit the actions the user can perform.  Always name your scopes by the API and the Verb e.g. "" is better than "read".

Monday, 19 October 2020

APIM High Availability and Performance across Regions

Overview:  APIM can be setup in multiple regions and incoming request will be routed to the closest APIM endpoint.  If there is only 1 APIM region, it is best to ensure the API/App Service/Function is hosted in the same region.  With multiple APIM's you can also host a API in the same region.  The routing is either done automatically using Azure Front Door or via policy on the APIM.

Front Door can be substituted with Azure WAF, or Cloudflare or Barracuda's SaaS solution.

WAF Options:
  • Azure WAF simple in 1 region for a WAF especially with APIM and if you are an Azure customer.
  • Competitor  options: Barracuda WAF SaaS Service or Any software firewall KEMP, F5, Check Point, Fortinet/Fortigate, Cloudflare WAF, AWS WAF, AWS Network Firewall, ....  
  • Check WAF service has protection at least for DDoS, XSS, SQL injection attacks, SSL Termination if you need it, Managed RuleSets.
  • Azure Front Door is pretty amazing, Cloudflare is historically the leader with similar functionality.  
  • Cloudflare is a Secure access service edge (SASE).  Cloudflare provides a WAF service at hundreds of endpoints around the globe (for instance there are 5 Cloudflare endpoints in Australia).  WAF functionality like SSL, DDoS (L7), et al. is done close to the user request (nice low latency) and then if successful it is pushed to the backend.

More Info

Friday, 9 October 2020

App Insights - Website and API Monitoring

Overview:  App Insights has functionality to run scheduled web requests and log the output in App Insights.  There are multiple advantages to this including end to end active monitoring of web sites and API's, and keeping the application warm.

Below I show a simple request to my blog (public website) and the results, Azure refers to this test type as a URL Ping test which is basically a URL HTTP GET request.  

Wait a few minutes and Refresh to see the results:

Very easy way to include a constant check that your API or Website is running.  There is also the options to create "Multi-step web test" using Visual Studio.  You can record the authentication and assert for known response content to build advanced constant monitoring.

Tip: The URL does need to be publicly available.

The content I used to test out the functionality comes from the Microsoft Docs site.
Also see Live Metric Stream that is part of App Insights.

More Info: 
App Insights MultiStep Tests  Replacement Option for MultiStep Test based on Azure Functions

Thursday, 1 October 2020

App Insights - Basic Introduction

OverviewAzure App Insights is a great platform for collecting logs and monitoring cloud based applications on Azure.  All Azure Services can push logging information into App Insight instances.  This can be errors, usages, performances logging that in turn is easy to query.  There are SDKs for developers that can be used to add custom logging to applications.  I am a big fan of AppDynamics for logging and monitoring but for SaaS and on a new project I'd go with App Insights.

Retention:  App Insights can keep 730 days worth of logs.  For long term storage, "Continuous Export" can be used to push data into storage accounts as soon as it arrives in AppInsights.  Retaining the App Insight logs for 90 days has no additional cost, so the default to store logs should be set to 90 days at least in most situations.

What is logged and what can be logged:  
  • All Azure Services can be configured to send service logs to a specific App Insight instance.
  • Instrument packages can be added to services to capture logs such as IIS, or background services.  You can pull in telemetry from infrastructure into App insights e.g. Docker logs, system events.
  • Custom code can also call the App Insight instance to add logging and hook into exceptions handling.  There are .NET, Node.JS, Python and other SDK's that should e used to add logging, exception capturing, performance and usage statistics.

App Insights has a REST API to query the logs.  The "API Explorer" tool is awesome for querying App Insights online.  

The data below comes from Microsoft Docs.

"What kinds of data are collected?

The main categories are:

  • Web server telemetry - HTTP requests. Uri, time taken to process the request, response code, client IP address. Session id.
  • Web pages - Page, user and session counts. Page load times. Exceptions. Ajax calls.
  • Performance counters - Memory, CPU, IO, Network occupancy.
  • Client and server context - OS, locale, device type, browser, screen resolution.
  • Exceptions and crashes - stack dumps, build id, CPU type.
  • Dependencies - calls to external services such as REST, SQL, AJAX. URI or connection string, duration, success, command.
  • Availability tests - duration of test and steps, responses.
  • Trace logs and custom telemetry - anything you code into your logs or telemetry."
Application Insights is part of Azure Monitor and makes it easy to trace user interaction.  Independent infrastructure for recording issues and tracing.   App Insights in 3 parts. 
  • Collect: Track infra/PaaS via instrumentation (throughput, speed, response times, failure rates, exceptions etc.), and via SDK (e.g. JavaScript SDK, C#) to add custom logging and tracing.  Blue boxes
  • Store: Stores the data.  Purple Box
  • Insights: Alerts, PowerBI, live metrics, REST API.  Green Box
Extending App Insights:
For long running operations like using queues or ESB you will need to tie the operations together, and it's really easy to connect this in a hierarchy using distributed tracing.  

SPA's:  There is a JavaScript SDK but logging on SPA's needs configuration and understanding as not every operation is logged uniquely for tracing.

Smart Detection: automatically tries to quickly warn you of problems/abnormalities and there root cause.

Snapshot Debugger/profiler: VS remote debugging can be hooked to an issue.  Shows execution traces from your live app.

Transaction Search:  Easy way to query and find data or unique info.