Pre work and project structure

Get Started

The recommended way to create a cluster is via ARM scripts. A cluster can also be created using the Azure portal, but many advanced features are only available in ARM.

Following are the pre-requisites before you start provisioning your cluster.

  • Plan for cluster nodes + capacity + OS
  • Plan for placement constraints and node types
  • Securing the cluster
    1. Create Azure AD applications – To secure access to the cluster it is recommended to use AAD authentication. Create cluster and client AAD applications. The cluster application will have 2 roles, Admin and ReadOnly.
    2. Create the cluster management SGs that you will assign to these 2 roles. You will need 2 SGs, one for admins and the other for read-only access.
    3. Add the security groups to your AAD application roles. If you work for an enterprise or you are not an Azure AD administrator, adding a security group or users to an app role is generally not allowed. You would have to request your AAD administrator to add the SGs to the AAD application roles.
  • Get certificates for SSL, encryption and any other application certificate that your service needs
    1. Make sure you add all alternate names to your cluster certificate during request creation
  • Identify the PORTS that will be open on the load balancer.
  • Use PowerShell to create the cluster

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-via-arm

Project Structure

  • API code and Service Fabric code should not be mixed together in one solution.
  • For example, if you have 2 APIs that you want to containerize and then host on Service Fabric:
    • You can have one solution with both API code projects added. If you desire more separation, each API can be created as a separate project
    • Each project will contain a DOCKERFILE that defines how the container image will be created for that project
    • The image below shows a solution containing 2 web APIs, Gateway API and User API. Docker support is added to both of these projects using Visual Studio (right click project –> Add –> Docker Support).

    • Neither of the above 2 projects has any reference or code related to Service Fabric
    • Please note, adding Docker support from Visual Studio also adds a docker-compose file to your project. Orchestration platforms can either use this docker-compose file to manage containers or use their own mechanism. At the time of writing, Service Fabric does not fully support docker-compose (https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-docker-compose). For my projects, I will configure orchestration settings directly in my Service Fabric project.
    • Using the Docker command line tools or the Visual Studio publish feature, the above 2 projects will result in 2 images that can be pushed to a container registry. For most of my applications I will use Azure Container Registry
    • To use Service Fabric as an orchestrator for hosting your container images, we need to create a new Service Fabric project:
      • Create a new Service Fabric project

    • Add 2 new container services to the SF project. After adding them, your project should look like this:

    • Each service defines Code, Config and Data. Each of these components is versioned independently.
      • Code – Container image information
      • Config – Any settings or environment variables
      • Data – Any static data that is required by the service
    • You can override config values in ApplicationManifest.xml, which also allows you to use environment-specific parameter files. Typically these parameter files are modified in the build/release pipeline.

Containers + service fabric

Why Containers?

In an ongoing effort to streamline infrastructures, maximize server resources, and ensure that applications run smoothly and securely, there is a push to adopt containerization of applications. Containerization offers a more efficient alternative to virtualization and it is heavily influencing the future of cloud computing and the direction of Infrastructure-as-a-Service (IaaS).

Following are some good resources to get you up to speed on container technology.

Role of Docker

Containerization as a technology is quite old and has existed in Linux-based operating systems for a long time. Although it was available in Linux, it gained traction only after the emergence of the Docker platform. In simple terms, Docker provides an abstraction layer/platform that allows developers and system administrators to use containers with ease.

Role of an Orchestrator

While Docker meets the needs of managing one container on one host, it does not take care of managing multiple containers deployed across multiple hosts. This is where orchestration tools come into the picture.

Orchestration tools extend lifecycle management capabilities to complex, multi-container workloads deployed on a cluster of machines. By abstracting the host infrastructure, orchestration tools allow users to treat the entire cluster as a single deployment target.

Following are the services that a typical orchestration platform/tool should provide:

  • Application/container life cycle – deploy, start, update, stop etc.
  • Declarative configuration
  • Rules and constraints
  • Provisioning
  • Discovery
  • Health Monitoring

There are many container orchestrators available in market today. Typically, orchestrator products are the same products that provide cluster infrastructure, like Mesosphere DC/OS, Kubernetes, Docker Swarm, and Azure Service Fabric.

All of my workload currently runs on Windows and Azure Service Fabric is the best fit for my requirements. I will be using Service Fabric as a container orchestrator.

Basic Principles

  • Make your service agnostic of the orchestrator. In other words, your application code should not depend on any orchestrator SDK or platform libraries. For example, if you are developing a containerized web API and using Service Fabric as the orchestrator, your project should not have references to any Service Fabric assemblies. This will allow us to move to another orchestrator in the future without changing our application code.
  • Single Azure Container Registry for all applications
  • For disaster recovery, each cluster environment will have 2 sets of clusters in different regions with an Azure Traffic Manager (ATM) active-active configuration
  • Sharing of a cluster by multiple services based on service load
  • Use the reverse proxy for inter-service communication within one cluster/Service Fabric app
  • MSI (IMDS) should be used to access Azure resources like Key Vault and SQL Azure. This will help reduce the use of certificates and secrets.

In the next few posts I will provide a problem/solution approach covering project structure, development, release and maintenance.

Service fabric cluster security

What’s Service Fabric?

If you are aware of the concept of microservices and keep yourself up to date with the latest technologies, it is highly probable that you have heard about Service Fabric. When you break your monolith applications into microservices or design brand new microservices, you would like to have an orchestrator that can manage service reliability, lifetime, scaling, upgrade mechanism, versioning, service discovery etc. Service Fabric is an orchestrator for microservices (and containers) developed by Microsoft. As per Microsoft, Service Fabric is not new; it already powers many existing highly scalable Azure services. This blog post is not about what Service Fabric is, but what it takes to secure your Service Fabric cluster (environment). One last thing: a Service Fabric cluster is a collection of nodes that are used to host your services. Let’s see how to secure your cluster.

Cluster Security

When you create your cluster you should be aware of the available security options. Most of the advanced things that are essential for security are not doable from the Azure Portal (at least they were not when I last checked) and can only be done via ARM scripts. The best time to do these things is during the initial provisioning of the cluster.

Cluster Authentication

When you create your cluster there is always a fear that random nodes can join your cluster. To prevent this from happening we can use X.509 certificates. The certificate is added to all valid nodes during provisioning and Service Fabric is made aware of this certificate. Only nodes with the certificate are allowed to communicate with each other and are accepted as part of the cluster. At the end I’ll provide a simple ARM script to provision a secure cluster.

Diagram of node-to-node communication

Server Authentication

You can connect to the cluster from multiple clients like Visual Studio, PowerShell or Cloud Explorer. When you connect you have to provide your cluster endpoint, for example: https://mycluster.com:19000/. You can push binaries, secrets etc. to your cluster using these clients. What about getting some guarantee that you are actually communicating with the real cluster that you intended to connect to? During provisioning of the cluster you can define a server authentication certificate, and while connecting you can provide the thumbprint of that certificate. Service Fabric will make sure the cluster you are trying to connect to has a certificate (pfx) with the same thumbprint. If not, the connection will be declined.

Diagram of client-to-node communication

Role Based Access

Azure Active Directory is used to secure access to the Service Fabric cluster management endpoints. A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio. Thus, we create two AAD applications to control access to the cluster, one web app and one native application. For fine-grained authorization, the web app registered in AAD will have 2 app roles: ADMIN and READONLY.

Two SGs will be created in the AAD tenant, one for cluster admins and the other for read-only access to the cluster. These SGs will be added to the AAD application roles as follows:

  • The ReadOnly security group should be added to the READONLY app role
  • The Admin security group should be added to the ADMIN app role

For more details around RBAC for a Service Fabric cluster please check the Service Fabric documentation. You can use the script available at – http://servicefabricsdkstorage.blob.core.windows.net/publicrelease/MicrosoftAzureServiceFabric-AADHelpers.zip to create these AAD applications. If executed correctly with proper parameters, you will get output that can be used in the cluster creation ARM script.

Reverse Proxy, SSL and Service Fabric explorer.

  • While provisioning your cluster you should be aware of the reverse proxy concept. If you enable the reverse proxy on your cluster (say on port 19088), you should know that all services hosted on your cluster can be accessed from outside by browsing https://mycluster.com:19088/service/api/operation. This means a service might be running on some random port (say 2000) and you would think that, as port 2000 is blocked on the firewall, your service is hidden. If you have enabled the reverse proxy and the reverse proxy port is open on the firewall, then all your services can be browsed from outside. Scary, is it not?
  • Always use SSL to host your services
  • The management endpoint that is exposed by default on port 19080 should not be exposed to the public internet. You can use a jump box and only allow access to the management endpoint (Service Fabric Explorer) via the jump box. This means, if anyone wants to browse Service Fabric Explorer to manage your cluster, they will first have to remote desktop into the jump box and access the explorer from there.

Microsoft has some good documentation on cluster security. Take some time and check that as well. In the next post I’ll share a cluster ARM script with which you can manage the majority of the above mentioned steps.

~cHeErS~
Currently listening to – ALL THE STARS [KENDRICK]

DJ APP – THE STORY

A couple of years back, during my free time, I started working on an application which can be used as a basic music mixing application by novices and budding DJs. It took over a year for me to actually develop something that I thought was good enough to be published to the Windows Store. The actual development time was quite a bit less. Oh yes! The application was developed for Windows 8. This is how the application looks.

You can download it from the Windows Store – Mix’n Play Download – and it is free.

Some Statistics [last 12 months]

13,000 downloads in the last 12 months. Everyone looks for a 5 star rating for their app, but still 3.8 is not bad and it looks like the majority of users think well of the app.

Once an application is published in the app store, it can be downloaded by any interested user. This is one of the most important things that you get out of common app stores. The reach of your app is amazing. Following are some stats that show the markets where the app is downloaded the most:

I expected some of the above countries like US, UK and India to be in the top markets, but not Mexico. Mexico is a surprise for me. Other than this, the thing that made me smile was the names of the countries which came last in the list, in other words, where only one or two downloads happened.

I don’t even know where exactly on the globe a few of these countries are, and it is quite astonishing that there is someone in these countries who has downloaded my app and (hopefully!) is using it as well.

Usage of the application is also good. Users are not only downloading but also using the app. This is very encouraging. Following are the top user session numbers:

Again, all the above numbers are for the last 12 months.

Reviews – The Motivation

Bad Reviews (two stars or one star)

Reviews are generally a source of inspiration and introspection. The majority of the bad ratings (one star) that I got did not give me any clue about what users missed in the app or what went wrong for them. I was not able to fully understand why a few folks gave a single star, as most of them did not provide any textual feedback. I think they disliked the app so much that they did not even think it could be improved. A few bad ratings + reviews that I got are:

It is not possible to save

Couldn’t find the record button to mix songs together, and after adding my songs to my playlist not all of them came up, which was frustrating because I had to go searching for them through my folder, otherwise pretty easy to use just wasn’t as good as I expected.

The interface is good. The problem is that it only supports mp3 music, we miss to select music without loss.

Hmm, I agree that you cannot save and it sucks. This was not possible with the Windows 8 API (programming interface) that was available 2 years ago. Not sure if it is there now. About supporting other file formats, I’ll surely add other lossless formats if I start working on the application again. Till that time MP3 is the only format supported.

Good Reviews (three stars or more)

You need positive reviews to get motivated. Honestly, the reviews I got are so amazing and I never expected anything like this. All I expected was a star rating and some text, like good job, useful app etc. Below are a few:

Mixes folders, playlists in sequence, at random, BPS. Nice cross fader too. Basic yes, but if you just want to mix songs on the fly this is the thing. A gem! Wish list: volume limiter.

Program standards for beginners everything convenient and understandable.

The fact that it delivers audio crisp sound without any distortions. Other apps are all scratchy and annoy you with popup ads and others.

Good, simple usage application. Very good for a party…

mix on beat like If you can refine beat counter but I love the rest of the software thank you for making if thanks very muah

Simple but equally powerful. Good!!!

Easy access to the play list and library, easy simple and fast.

A very good and functional program for on the go. Nice would be if the title in the player to pause would remain, instead of immediately running out and the controls were slightly larger (for slightly stronger fingers) – but otherwise top!

This is only app that is designed for touch. Very easy to mix tracks indeed. Love auto mix…

Direct User Emails

I never imagined that someone would take the pain of writing an email and ask for features they want. Some folks also followed up and asked when the next release is coming. Some of the comments in the mails were:

After someone asked a few questions and I helped them:
Thank you. This was very helpful. That may be good to put a tutorial video for this app as Windows 8.1 is a completely different ball game from the previous OS systems. I knew I could swipe right, but never noticed it showed settings for the apps.

Thank you very much for the support. I am every more grateful for your app. It is saving my wedding as my DJ friends have flaked on me. However, I will also use this in the future for my other events too.

After someone reported an issue and I released a fix:
Just had a quick look at it very well done on your enhancements so far. I like it, but on the surface 2 it is not as good as on the laptop but I’m sure you can iron out those kinks I’m sure.

keep up the good work in developing the good dj app into a long term success and I will report back on bugs and enhancements to it.

Feedback on my blog

Surprisingly, users also went to the app page on my blog and gave comments there as well. You can check them out here.

The Journey

Starting from the inception of this idea, to publishing the app and constantly releasing fixes, there are some things that I think I did right.

  • Identify the one thing that your app will be best at. I wanted Mix’n Play to be the easiest application to use on touchscreen devices and I think I was able to achieve this (based on user feedback).
  • Build an easy mechanism with which users can provide feedback and share error reports. Have something that identifies the application version in the error report as well. The last point is essential as many people might not be updating applications regularly and are still using older versions.
  • Test for the majority of screen sizes on which your application can run. Identify your target resolution and identify the device most used by your users which has a touchscreen and Windows OS.
  • Respond to user queries quickly. If you help your users, either by telling them how to use feature X or by taking their feedback and releasing an update, they will feel more connected and there is a high chance of positive word of mouth.
  • Understand platform limitations and your skill limitations. I spent a good amount of time learning how to make good Windows apps. I was also aware of what you can do and what is not allowed. You can develop apps without knowing anything, but I think to build good quality apps you should know the platform and its design language.
  • To know the actual rating and user feedback, never share your app first within your friend circle. They will oblige and give 5 stars with all positive feedback, but they will never use the application. Open it to the public and see what actual users are saying about your app.

Challenges

Sometimes things can get frustrating and challenging due to various reasons. A few of them were:

  • The maturity and feature support provided by the Windows media API was very basic. You can’t do the majority of actual DJ related tasks without going deep into C++. I had to restrict the scope to very, very basic things and tried my best to do them well. It gets very frustrating when you know something is important but sadly there is no API for it.
  • I still use the obsolete Windows media API in my app. I wanted to update to the newer API but realized that, apart from fixing things, somehow the new API is also missing some features I was using in the older API.

What’s Next?

I did not do any active development on the app this year and somehow I’m not able to find the motivation to build a new Universal Windows application for it. A Universal Windows app looks like the natural progression from a Windows 8 app. Let’s see what next year brings to the table.

Till then, celebrate the things you did in 2016 and start 2017 with a smile. If you are planning to throw a party, don’t forget to check out Mix’n Play on the Windows Store.

Happy New Year!

Azure AD–Using App roles for authorization

Role based authorization

In intranet applications, AuthZ is generally implemented using Windows security groups with the ASP.NET IsInRole() functionality. Following is a list of the steps we take to make this work:

  • Define high level application roles. For example, in an expense application we can have approver and administrator as two roles with higher (or different) privileges than a normal user.
  • Identify the initial set of Windows security groups that will be mapped to app roles. This list should be dynamic and will probably change.
  • Use a mapping mechanism, either a DB or a configuration file, to keep a mapping of application roles to security groups.
  • In your application, once you get the token after authenticating the user, write code to check the group claims and assign the appropriate role claims (based on your mapping) to the user.
  • Indicate to the ASP.NET pipeline that you want to use the Role claim for the IsInRole functionality.
  • That is pretty much it. Now you can just place the Authorize attribute wherever you want to check for that role, or call IsInRole() to do the same.
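The mapping and "use the Role claim" steps above, written out as an added example (not code from the original post) for a Windows-authenticated ASP.NET 4.5 app: a ClaimsAuthenticationManager that turns group SIDs into role claims. The group SIDs, role names and issuer label are constructed placeholders, and the class is assumed to be registered in web.config under system.identityModel/identityConfiguration/claimsAuthenticationManager.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Runs once per request after Windows authentication and turns group
// membership into application role claims.
public class GroupToRoleClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    private const string MappingIssuer = "ExpenseApp/GroupToRoleMapping"; // placeholder issuer label

    // Mapping of security group SID -> app roles. In a real app this comes from a
    // DB or config file and is reloaded when it changes. The SIDs are constructed.
    private static readonly Dictionary<string, string[]> GroupSidToRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            // "Expense Approvers" group (constructed SID)
            { "S-1-5-21-1111111111-2222222222-3333333333-1101", new[] { "approver" } },
            // "Expense Admins" group (constructed SID): one group, two roles
            { "S-1-5-21-1111111111-2222222222-3333333333-1102", new[] { "administrator", "approver" } },
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var windowsIdentity = incomingPrincipal?.Identity as ClaimsIdentity;
        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated)
        {
            return incomingPrincipal; // anonymous request: nothing to map
        }

        // Windows authentication surfaces every group the user belongs to as a GroupSid claim.
        var roleClaims = windowsIdentity.FindAll(ClaimTypes.GroupSid)
            .Select(c => c.Value)
            .Where(GroupSidToRoles.ContainsKey)
            .SelectMany(sid => GroupSidToRoles[sid])
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .Select(role => new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, MappingIssuer));

        // WindowsIdentity uses GroupSid as its role claim type, so IsInRole("approver")
        // would look for a Windows group of that name. Re-issue the identity with
        // ClaimTypes.Role as the role claim type: this is the "tell the pipeline to
        // use the Role claim" step, and it makes [Authorize(Roles = "approver")] work.
        var mapped = new ClaimsIdentity(
            windowsIdentity.Claims.Concat(roleClaims),
            windowsIdentity.AuthenticationType,
            ClaimTypes.Name,
            ClaimTypes.Role);

        return new ClaimsPrincipal(mapped);
    }
}
```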

Here comes Azure Active Directory

Now we want to move our on-premises (intranet) application (Windows Auth) to the cloud. I’m skipping ADFS (STS) here, as at a high level the claims you get in the SAML token are similar to the claims present in a Kerberos token.

As of today, the recommended service for AuthN and AuthZ in the cloud is Azure AD (AAD). Moving your app to AAD brings some challenges as well as providing some opportunities to improve things.

Challenge

  • Tokens that you receive from AAD do not contain group claims by default. You have to enable it using these steps.
  • Even if you enable it, there is a limit to the number of groups that you can get in the token. I will not go into those details. Please check this for more info.

Opportunity

  • Did you notice all the work that is required to make application roles really work, even in a traditional (intranet) application?
  • You have to have a mechanism to map app roles to security groups, fetch the mapping and add the role claim.
  • Just like authentication, all this should ideally be offloaded to some common service.
  • Let’s see how we can improve this.

Solution

AAD provides application roles that can be used for authorization. I’ll show you in detail how it is done. This is a step by step guide and will have a lot of screenshots.

Note: Make sure you have a valid subscription before you proceed beyond this point.

Set up your infrastructure

Create User and Group in AAD

  • Select your directory
  • Add 2 users. For example, add a user Bob and add another user Samantha.
  • Add a group.
  • Add Bob to the group.
  • At the end of this step you should have 2 users and a group. One of the users should be part of the group.

Create Application in AAD

  • Add an application to the directory using the Applications option from the top menu and then clicking the Add link in the bottom menu. For more details use this link.
  • Give a friendly name, sign-on URL and app ID URI. For more details use this link.
  • Note down the client ID from the Configure tab. We will use this in our web app to set up authentication.

Create web app and make authentication work

  • Create a simple ASP.NET MVC web app and update the OWIN Auth configuration with your application’s client ID and tenant name.
  • Download the completed code from GitHub
  • After updating the required values, try to run the sample. I used the Individual accounts template while creating the project, due to which there are a few extra files and steps before login. From the home page, click Login and then click the OpenIdConnect button. This will initiate the login process with AAD.
  • You can put a breakpoint in the Contact action method in HomeController to check the available claims. Notice that there is neither a group nor a role claim.

Add role to AAD application

  • Open the application in AAD and download the manifest file. Currently, you cannot add application roles from the portal UI. We will use the manifest file to add roles.
  • Open the manifest in a text editor (preferably a JSON editor). The appRoles section will be empty.
  • Add the following text to the appRoles section of the manifest file. This is where we add the 2 roles.
    "appRoles": [
                {
                    "allowedMemberTypes": [
                        "User"
                    ],
                    "description": "Approvers can mark expenses as approved",
                    "displayName": "Approver",
                    "id": "8F29F99B-5C77-4FBA-A310-4A5C0574E8FF",
                    "isEnabled": true,
                    "value": "approver"
                },
                {
                    "allowedMemberTypes": [
                        "User"
                    ],
                    "description": "Administrators can change all settings and do all other operations",
                    "displayName": "Administrator",
                    "id": "0866623F-2159-4F90-A575-2D1D4D3F7391",
                    "isEnabled": true,
                    "value": "administrator"
                }
            ],
  • Check the resulting manifest and upload it back to the application.

Assign group to a role

  • Go to the application in AAD and open the Users and Groups option. Please note, I’m using a premium subscription to do this. In a non-premium subscription only users can be assigned to a role. This is just a UI limitation and can be worked around by using the Graph API. I’ll show how to do this in my next post. But for now, for simplicity, I’ll use the portal UI.
  • Search for the group you want to assign to the role. For now use the group we created above. Select the group from the grid and click Assign from the bottom menu. Choose the role and complete the process.
  • We are done with the infrastructure changes. Most of these are one time things and going forward we just have to change assignments based on requirements.

Final changes to web app and test

  • In your OWIN Auth configuration, add a code snippet that tells the ASP.NET pipeline to use the role claim for authorization
  • Modify the controllers to use the Authorize attribute and IsInRole() as required.
  • We are done. We have successfully offloaded our authorization infrastructure to Azure AD.
  • Inspect the claims by logging in with the user who is a member of the group assigned to the role, as well as with the user who is not a member of that group.
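The two code changes referred to above, written out as an added example (not the post’s own code or its GitHub sample): the OWIN OpenID Connect configuration with RoleClaimType set to "roles", and a controller using Authorize and IsInRole. The client ID and tenant are placeholders; the role values match the manifest above.

```csharp
using System.IdentityModel.Tokens;   // TokenValidationParameters (System.IdentityModel.Tokens.Jwt 4.x)
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    private const string ClientId = "<client id from the Configure tab>";                              // placeholder
    private const string Authority = "https://login.microsoftonline.com/<tenant>.onmicrosoft.com";   // placeholder

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            TokenValidationParameters = new TokenValidationParameters
            {
                // AAD puts the app role values ("approver", "administrator") in the "roles"
                // claim of the id_token. Declaring "roles" as the role claim type is the
                // entire replacement for the group-to-role mapping code of the intranet app.
                RoleClaimType = "roles"
            }
        });
    }
}

[Authorize]   // any signed-in user of the tenant
public class ExpensesController : Controller
{
    // Only users (or direct members of a group) assigned the Approver app role get here.
    [Authorize(Roles = "approver")]
    public ActionResult Approve(int id)
    {
        return View();
    }

    public ActionResult Settings()
    {
        // Same check done imperatively. User.IsInRole reads the "roles" claim
        // because of the RoleClaimType set above.
        if (!User.IsInRole("administrator"))
        {
            return new HttpStatusCodeResult(403, "Administrator role required");
        }
        return View();
    }
}
```

A user who is not in the assigned group (Samantha above) signs in successfully but gets a 401/403 from these actions because the token carries no "roles" claim for them.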

Caution & other important stuff

  • The user should be a direct member of the group which is assigned to the role. If a user is a member of a nested group, the claims will not contain the relevant roles.
  • Apart from groups, users can also be assigned to roles directly.
  • The current portal UI only supports assigning a group to one role. What if you want a group to have multiple roles? For example, our group could be used for both approvers and administrators. The good thing is, this is just a portal UI limitation and we can easily do this via the Graph API. I’ll add a sample in my next post.
  • As I said earlier, groups can only be assigned to roles from the portal UI if you have a premium subscription. Again this is just a portal UI limitation and can easily be done via the Graph API. I’ll add a sample in my next post.

That is it. I think it is a pretty simple and powerful way to offload the authorization infrastructure of your application.

References:

  1. https://www.simple-talk.com/cloud/security-and-compliance/azure-active-directory-part-4-group-claims/
  2. http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/