Azure Tools VSTS extension to bridge Dev & Ops a little more


I have just released the v1.0 of Azure Tools that is an open source initiative available on Github. The idea is to bring a set of tools to bridge VSTS with tools that are typically used by infrastructure and operational teams.

This first version comes with two tasks allowing to call Azure Automation Runbooks from VSTS in a very secure way since the webhook used to trigger the runbook is a one-time one. The other task is to write logs into Log Analytics which has become prominent and is a first class citizen in the Azure monitoring story.

Feel free to try it out and share ideas on what could be useful additions for future releases.


Happy deployments!


Posted in Azure, vsts | Tagged , , , , | Leave a comment

Azure API Management – VSTS – V2.0 release


A while ago, I have published a free VSTS extension to automate deployments towards Azure API Management.

I got a rather good feedback and some change requests as well as the involvement of some external contributors on the GitHub Repo. In a nutshell, the purpose of this extension is to bring Azure API Management into VSTS as part of your release lifecyle. Whether you use API Management to monetize APIS or for internal purposes, it is good to associate the release of your backends APIs with their corresponding facade APIs published against the API Gateway. The extension now comes with the following features: Continue reading

Posted in Azure | Leave a comment

Azure policies & Azure firewall


I recently blogged about the new Azure Firewall that gives you the possibility to control outbound traffic from resources hosted inside of a VNET. At the time of writing, although the firewall is defined at VNET level, it does not apply automatically to all resources defined in that VNET. Indeed, routing is enforced through a route table that you have to associate to some or all subnets. Continue reading

Posted in Azure, Security | Tagged , , , | Leave a comment

Azure Connectors, the DMZ 2.0?


I wanted to write this blog post because I’m often facing hard resistance from customers working with the Cloud and Hybrid Architectures regarding some security aspects.

A very well-known way to secure access to on-premises resources is by using a buffer perimeter called a DMZ, which is something everybody knows, including junior developers because it’s probably as old as the Internet. While this way of working is usually very effective, it is certainly not the most efficient since it usually takes more time to have something new added to the DMZ than to the regular data center or directly in the Cloud (PaaS, Faas). Continue reading

Posted in Azure, Azure Active Directory Proxy | Tagged , , , | Leave a comment

Understanding Azure MSI (Managed Service Identity) tokens & caching


Now that Azure MSI turned generally available for App Services and Azure Functions, there is no more excuse not to use it. As a recap, Azure MSI is a great way to develop more secure applications and to setup more secure environments. The reason for this is mostly because it saves you from having to generate credentials (Service Accounts or Apps) yourself. Continue reading

Posted in Azure | 2 Comments

Azure Firewall, a step towards a “managed” NVA?


Microsoft recently made Azure Firewall available in public preview. This Firewall as a Service offers a new way to protect and control network traffic via both network and application rules. At the time of writing, Azure Firewall is used to control outbound traffic only. Network rules are similar to what you can do with NSG but application rules allow URL based rules as shown below:

Continue reading

Posted in Azure | Tagged , | 1 Comment

Integrating On-Premises Jenkins with VSTS to deploy to an ILB ASE


I recently had to work on integrating an on-premises Jenkins with VSTS in order to use VSTS’s out of the box capabilities to deploy resources to Azure. Although there is quite a good documentation on this topic, you must be able to read between the lines. So, with this blog post, I’m not going to repeat was is described in the article but I’m going to try to fill the gap when it comes to integrating with an on-premises Jenkins and not with a Cloud-based Jenkins, as assumed by the Microsoft documentation. Since an image tells more than a lengthy speech, here is one that sum it up all:

Continue reading

Posted in Azure, DevOps, vsts | Tagged , , , | Leave a comment

My recipe to build secure applications hosted in Azure


Here are some tips that might help you building and hosting secure applications in Azure.

Application Architecture: Clients and APIs

Make sure to make a clear segregation between clients and APIs. I’m not a great fan of MVC where the C part is often used as an API layer by developers. I advocate for a clear separation between the client part (could be a mobile APP, a SPA, etc.) and the API layer. The clients and APIs should be hosted in different App Services.

Continue reading

Posted in Azure, Azure Active Directory, Azure Key Vault, Security | Tagged , , | 2 Comments

Azure Security Cheat Sheet


Cybersecurity is a concern for everyone today as more and more workloads are connected in a way or another, meaning exposed in a way or another. When it comes to the Cloud, things turn wilder as PaaS, CaaS, FaaS and even IaaS to some extent, represent a paradigm shift. Organizations tend to rely on good old recipes that are perfectly suitable for traditional on-premises systems but not especially a good fit for the Cloud, even when talking IaaS, since the underlying network plumbing does not have much in common with on-premises networks. Moreover, insiders represent a severe security risk but some organizations still think their premises is way more secure than the Cloud, just because, it is within the walls.

Continue reading

Posted in Azure | Tagged , , | Leave a comment

Deploy Azure App Services to multiple regions within the same subscription – VSTS trick


Most of the times, when deploying App Services such as a webapp to a single region, you simply use the Azure App Service Deploy task, that is currently in version 3.0 and whose a preview of the next version is to come.

However, using the very same task to deploy an App Service to multiple regions, in case you have a HA setup is a little more challenging. Looking at the below screenshot:


you can easily specify the name of the App Service. The problem is that, when working with multiple regions, the name will most probably be the same in the other region, therefore, the task cannot distinguish which service is targeted.  So, ideally, we should be able to select the resource group to make this distinction.

It turns out that one can select the resource group when ticking the Deploy to slot option:


but what if you don’t use slots??? Then, the easy fix is to put the value “production” in the Slot field.

Credits to Thomas Browet (@thomas_brw), one of my colleagues, for the tip.

Happy deployments!

Posted in Azure, DevOps, vsts | Tagged , , , | 2 Comments