Category Archives: Microsoft
Creating Azure Container Apps using Azure Python SDK
The Azure Python SDK, also known as the Azure SDK for Python, is a set of libraries and packages that allow developers to interact with Microsoft Azure services using the Python programming language. It simplifies the process of integrating Python applications with Azure services by providing a set of high-level abstractions and APIs. With the SDK, developers can programmatically manage and interact with Azure resources, such as virtual machines, storage accounts, databases, and other cloud services.
To use the Azure Python SDK, developers typically install the required Python packages using a package manager like pip. They can then import the relevant modules in their Python code and use the provided classes and methods to interact with Azure services.
For Azure Container Apps, Microsoft provides comprehensive documentation and samples to help developers get started with the Azure Python SDK.
In this blog, we will look at how to create Container Apps using the Azure Python SDK.
Getting Started
Prerequisites
It is assumed here that you already have an existing Azure Subscription, Resource Group, Container App Environment and Container Registry available. We will be using a Windows machine with Python version > 3.7 installed to run the file.
As an example, we will create an Azure Container App, test it, and then delete it via the Azure Python SDK. To run the file, we will use the Azure CLI. This has been tested with AZ CLI version 2.56.
Package Installation
Install the packages that will be used for managing the resources. The Azure Identity package is needed almost every time. We will use the Azure Container App package along with it.
pip install azure-identity
pip install azure-mgmt-appcontainers
Authentication
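There are two options for authenticating: authentication via Subscription ID and authentication via Service Principal. In this example, we will be using the Subscription ID for authenticating to Azure. The Subscription ID is not a secret: the token is obtained by DefaultAzureCredential, which can use the account signed in to the Azure CLI, and the Subscription ID tells the client which subscription to manage.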
You can specify the Subscription ID as an Environment Variable or use it directly in the code. Both the examples are provided below.
# Option 1: read the Subscription ID from an environment variable
import os

from azure.identity import DefaultAzureCredential
from azure.mgmt.appcontainers import ContainerAppsAPIClient

sub_id = os.getenv("AZURE_SUBSCRIPTION_ID")
client = ContainerAppsAPIClient(credential=DefaultAzureCredential(), subscription_id=sub_id)

# Option 2: use the Subscription ID directly in the code
from azure.identity import DefaultAzureCredential
from azure.mgmt.appcontainers import ContainerAppsAPIClient

client = ContainerAppsAPIClient(credential=DefaultAzureCredential(), subscription_id="<YOUR_SUBSCRIPTION_ID>")
Python File
We will use the following file for the management tasks described above. I am naming this file containerapp.py.
from azure.identity import DefaultAzureCredential
from azure.mgmt.appcontainers import ContainerAppsAPIClient


def main():
    client = ContainerAppsAPIClient(
        credential=DefaultAzureCredential(),
        subscription_id="4db72a57-a748-41c7-aabc-1f7a153960cf",
    )

    # Create (or update) the Container App and wait for the operation to finish.
    response = client.container_apps.begin_create_or_update(
        resource_group_name="defaultrg",
        container_app_name="containerapp-test",
        container_app_envelope={
            "location": "East US 2",
            "properties": {
                "configuration": {
                    "ingress": {
                        "external": True,
                        "targetPort": 80,
                        "transport": "http",
                        "stickySessions": {
                            "affinity": "none"
                        }
                    }
                },
                "environmentId": "/subscriptions/4db72a57-a748-41c7-aabc-1f7a153960cf/resourceGroups/defaultrg/providers/Microsoft.App/managedEnvironments/defaultcaenv",
                "template": {
                    "containers": [
                        {
                            "image": "docker.io/nginx:latest",
                            "name": "testapp4",
                            "resources": {
                                "cpu": 0.25,
                                "memory": ".5Gi"
                            }
                        }
                    ]
                },
            },
        },
    ).result()
    print(response)

    # Delete the Container App again once it has been created and printed.
    client.container_apps.begin_delete(
        resource_group_name="defaultrg",
        container_app_name="containerapp-test",
    ).result()


if __name__ == "__main__":
    main()
In the above file, we are using a public repository (DockerHub) as our image source. If you want to use your private Azure Container Registry as an image source, the template section must include the auth configuration.
"template": {
    "containers": [
        {
            "image": "nginx:latest",
            "name": "containerapp-test",
            "resources": {
                "cpu": 0.25,
                "memory": ".5Gi"
            },
            "registries": {
                "server": "https://<YOUR_ACR_NAME>.azurecr.io",
                "username": "<YOUR_ACR_USERNAME>",
                "passwordSecretRef": "acr-password"
            }
        }
    ],
    "secrets": [
        {
            "name": "acr-password",
            "value": "<YOUR_ACR_PASSWORD>"
        },
    ],
}
The above configuration assumes that there is an image called “nginx” with the tag “latest” in your ACR. Also, the ACR has admin credentials enabled. (Ref..)
After editing the Python management file, we can run it with the following command:
python containerapp.py
On a successful run, the result will be printed in JSON format on the CLI.
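A check that can be run on the envelope before it is submitted, as an added example that is not part of the original post: it flags ingress that accepts outside traffic, the mutable docker.io/nginx:latest image reference, and an environmentId that lies outside the client's subscription. The function names and the all-zero subscription ID are assumptions made for this illustration.

```python
import re

# Constructed sample: the envelope from containerapp.py, with an all-zero
# placeholder instead of a real subscription ID.
SUB_ID = "00000000-0000-0000-0000-000000000000"
ENVELOPE = {
    "location": "East US 2",
    "properties": {
        "configuration": {
            "ingress": {"external": True, "targetPort": 80, "transport": "http"}
        },
        "environmentId": f"/subscriptions/{SUB_ID}/resourceGroups/defaultrg"
        "/providers/Microsoft.App/managedEnvironments/defaultcaenv",
        "template": {
            "containers": [
                {"image": "docker.io/nginx:latest", "name": "testapp4",
                 "resources": {"cpu": 0.25, "memory": ".5Gi"}}
            ]
        },
    },
}

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_findings(image):
    """Flag image references that can change underneath a deployment."""
    if DIGEST.search(image):
        return []
    last = image.rsplit("/", 1)[-1]  # drop registry/repo path (may hold host:port)
    tag = last.split(":", 1)[1] if ":" in last else ""
    if tag in ("", "latest"):
        return [f"image {image!r} uses a mutable tag ('latest' or none)"]
    return [f"image {image!r} is tagged but not pinned by digest"]


def review_envelope(envelope, subscription_id):
    """Return review findings for a Container App envelope (hypothetical helper)."""
    props = envelope.get("properties", {})
    findings = []
    ingress = props.get("configuration", {}).get("ingress") or {}
    if ingress.get("external"):
        findings.append(f"ingress is external: port {ingress.get('targetPort')} "
                        "accepts traffic from outside the environment")
    if ingress.get("allowInsecure"):
        findings.append("allowInsecure is set: plain HTTP is not redirected to HTTPS")
    match = re.match(r"/subscriptions/([^/]+)/", props.get("environmentId", ""), re.I)
    if not match or match.group(1).lower() != subscription_id.lower():
        findings.append("environmentId is not in the client's subscription")
    for container in props.get("template", {}).get("containers", []):
        findings.extend(image_findings(container.get("image", "")))
    return findings


if __name__ == "__main__":
    for finding in review_envelope(ENVELOPE, SUB_ID):
        print("-", finding)
```
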
Troubleshooting
In some cases, when an error occurs, restarting the Azure CLI can help. I am listing some common scenarios that we usually see while working with the SDK.
InvalidAuthenticationTokenTenant
The error message suggests that the access token is from the wrong issuer, and that it must match one of the tenants associated with this subscription. It is usually seen when the Subscription ID in the file does not match the account you are logged in with. Logging in again with the correct account may help. (az logout & az login)
InvalidParameterValueInContainerTemplate
The error message notes two possible issues: an invalid or missing image, or an issue with authentication. Please check for any typo in the ‘registryPassword’. Apart from that, if you are using any external public registry like DockerHub, please make sure that the full repository URL is mentioned in the ‘image’ parameter. Also, while using ACR, make sure that only the image and the tag are mentioned as its value.
Microsoft Tech Community – Latest Blogs –Read More
ZoomIt v8.01
Nominations are now open for this year’s Microsoft Partner of the Year Awards!
Celebrated annually, these awards recognize the incredible impact that Microsoft partners are delivering to customers and celebrate the outstanding successes and innovations across Solution Areas, industries, and key areas of impact, with a focus on strategic initiatives and technologies. Partners of all types, sizes, and geographies are encouraged to self-nominate. This is an opportunity for partners to be recognized on a global scale for their innovative solutions built using Microsoft technologies.
In addition to recognizing partners for the impact in our award categories, we also recognize partners from over 100 countries/regions around the world as part of the Country/Region Partner of the Year Awards. In 2024, we’re excited to offer additional opportunities to recognize partner impact through new awards – read our blog to learn more and download the official guidelines for specific eligibility requirements.
Visit the Microsoft Partner of the Year Awards page to see the full list of awards and to submit your nomination in advance of the April 3, 2024, deadline. To ensure you create a strong entry, we encourage you to explore the provided resources and expert advice on the nomination process. We look forward to receiving another amazing set of nominations this year and are excited to celebrate another round of incredible partner innovations!
Become a Microsoft Defender Vulnerability Management Ninja
Do you want to become a ninja for Microsoft Defender Vulnerability Management? We can help you get there! We collected content with multiple modules. We will keep updating this training on a regular basis.
In addition, we offer you a knowledge check based on the training material! Since there’s a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. Lastly, there’ll be a fun certificate issued at the end of the training.
Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.
Module 1 – Getting started
What is Microsoft Defender Vulnerability Management
Prerequisites & permissions
Supported operating systems, platforms and capabilities
Compare Defender Vulnerability Management plans and capabilities
Interactive Guide – Reduce organizational risk with Microsoft Defender Vulnerability Management
Defender Vulnerability Management trial
Defender Vulnerability Management add on trial
Defender Vulnerability Management standalone trial
Frequently asked questions
What’s new in Public Preview
Module 2 – Portal Orientation
Onboard to Defender Vulnerability Management
Dashboard overview
Device inventory
Software inventory
Browser extensions assessment
Certificate inventory
Firmware and hardware assessment
Authenticated scan
Module 3 – Prioritization
Vulnerabilities in my organization
Exposure score
Microsoft Secure Score for Devices
Assign device value
Security recommendation
Mitigate zero-day vulnerabilities
Module 4 – Remediation
Remediate vulnerabilities
Request Remediation
Create and view exceptions for security recommendations
View remediation activities
Block vulnerable applications
Module 5 – Posture and Compliance
Microsoft Secure Score for Devices
Security baselines assessment
Module 6 – Data access
Hunt for exposed devices
Vulnerable devices report
Device health reporting in Defender for Endpoint
Monthly security summary reporting in Defender for Endpoint
APIs
Export assessment methods and properties per device
Export secure configuration assessment per device
Export software inventory assessment per device
Build your own custom reports
Are you ready for the Knowledge check?
Once you’ve finished the training and passed the knowledge check, please click here to request your certificate (you’ll see it in your inbox within 3-5 business days.)
Firewall considerations for gMSA on Azure Kubernetes Service
This week I spent some time helping a customer with a gMSA environment in which they were finding some issues in deploying their app. The issues started when they were trying to figure out why the Kerberos ticket was not being issued for the Windows pod with gMSA configured in AKS. I decided to write this blog post to list some of the firewall considerations for different scenarios in which security rules might block the authentication process.
gMSA and its moving parts
To use gMSA on AKS, you must understand that there are many moving parts in play. First, your Kubernetes cluster on AKS is comprised of both Linux and Windows nodes. Your nodes will all be part of a virtual network, but only the Windows nodes will try to reach the Domain Controller (DC).
The DC itself might be in another virtual network, in the same virtual network, or even outside of Azure. Then you have the Azure Key Vault (AKV) in which the secret (username and password) is securely stored. Your AKV should only be available to the proper Windows nodes, no one else.
The problem, though, comes when you have Windows nodes on AKS and DCs running on different networks or even sites, and you need to open the proper ports between the Windows nodes and the Active Directory DC.
Ports to open for Active Directory and gMSA
We have had documentation on which ports to open for Active Directory for a while. That is relatively well known and can be leveraged here.
The thing to understand is that when using gMSA on AKS, not all these ports need to be opened, and allowing unnecessary traffic might expose you to threats without a need for it. For gMSA, there’s no computer or user account being used interactively, and thus we can compile the following list:
| Protocol and port | Purpose |
| --- | --- |
| TCP and UDP 53 | DNS |
| TCP and UDP 88 | Kerberos |
| TCP 139 | NetLogon |
| TCP and UDP 389 | LDAP |
| TCP 636 | LDAP SSL |
Keep in mind this list of ports does not take into consideration ports that your application might need to query AD or perform any other action with the DC. You might need to check for those with the application owner.
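One way to compare a rule set against the table above, as an added example that is not part of the original post: it evaluates rules in priority order, reports which gMSA ports are still blocked, and lists allow rules that open more than the minimal set. The rule dictionary format and the sample rules are constructed for illustration and are assumed to describe traffic from the Windows node subnet to the DC.

```python
# Minimal gMSA port set, taken from the table above.
REQUIRED = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 139): "NetLogon",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 636): "LDAP SSL",
}

# Constructed sample rules (hypothetical names and priorities).
SAMPLE_RULES = [
    {"name": "allow-dns", "priority": 100, "access": "Allow", "protocol": "*", "ports": ["53"]},
    {"name": "allow-kerberos", "priority": 110, "access": "Allow", "protocol": "*", "ports": ["88"]},
    {"name": "allow-ldap", "priority": 120, "access": "Allow", "protocol": "tcp", "ports": ["389", "636"]},
    {"name": "allow-smb-rpc", "priority": 130, "access": "Allow", "protocol": "tcp",
     "ports": ["135", "445", "49152-65535"]},
    {"name": "deny-all", "priority": 4000, "access": "Deny", "protocol": "*", "ports": ["*"]},
]


def covers(rule, proto, port):
    """True if the rule matches this protocol and port ('*' and 'lo-hi' supported)."""
    if rule["protocol"] not in ("*", proto):
        return False
    for spec in rule["ports"]:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def decision(rules, proto, port):
    """First matching rule by ascending priority wins; no match means deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if covers(rule, proto, port):
            return rule["access"]
    return "Deny"


def audit(rules):
    """Return (required ports still blocked, allow entries beyond the minimal set)."""
    missing = sorted(f"{p.upper()} {n} ({REQUIRED[(p, n)]})"
                     for (p, n) in REQUIRED if decision(rules, p, n) != "Allow")
    broad = []
    for rule in rules:
        if rule["access"] != "Allow":
            continue
        protos = ("tcp", "udp") if rule["protocol"] == "*" else (rule["protocol"],)
        for spec in rule["ports"]:
            # Ranges and wildcards are always reported for review.
            if not spec.isdigit() or any((p, int(spec)) not in REQUIRED for p in protos):
                broad.append(f"{rule['name']}: {rule['protocol']} {spec}")
    return missing, broad


if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Entries reported as broad are not necessarily wrong, since the application may need them, but each one should be traceable to a stated requirement.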
Domain Controllers in Azure
You might mitigate a lot of firewall issues by simply adding one (or more) DC to Azure as a VM. By doing that, you have two things that play in your favor:
You keep the authentication process within Azure. Your Windows pods and nodes don’t need to reach to an on-premises environment – unless the DC(s) in Azure is down.
You have a better understanding of ports to open between NSGs in Azure rather than traffic between workloads on Azure and DCs on-premises.
On the other hand, you must consider that the DCs in Azure do need to replicate to the DCs on-premises. However, this is a preferred scenario because you know who the DCs are, versus workload machines that might scale out or new workloads/clusters that might be added in the future. At the end of the day, the scope for opening ports is lower, which minimizes exposure. Please refer to the documentation to understand ports for AD replication as well.
Hopefully this will help you fix any issues you might be having with gMSA caused by blocked traffic. Keep in mind the ports listed above might not be the full list of ports you need to open, but the minimal set of ports and traffic for proper authentication. As always, let us know in the comments what your thoughts are and if you have a different scenario.