Monthly Archives: March 2014

Microsoft Azure Data Center Regions in Mainland China now in Production (that makes 12!), #AzureMap updated

Coming one month after a pair of new data center regions went into production in Japan, another set of Windows Microsoft Azure data center regions have moved into production – in mainland China this time. There was a press release detailing how this is done in partnership with 21Vianet, “the largest carrier-neutral internet data center services provider in China” (source).

The addition of these two new data center regions – in Beijing and Shanghai areas – increases Microsoft’s footprint for Azure data center regions to 12 – joining these 10: Asia Pacific East, Asia Pacific Southeast, Japan East, Japan West, Europe North, Europe West, US West, US East, US South Central, US North Central.

There are also 3 more in the works – one in Brazil and a pair in Australia. In addition there is a pair of US Government-specific Fedramp data center regions.

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

view raw azuremap.geojson hosted with ❤ by GitHub

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

view raw azuremap.topojson hosted with ❤ by GitHub

	[
	{ "Geo" : "Asia Pacific", "Region": "Asia Pacific East", "Location": "Hong Kong", "Failover Region" : "Asia Pacific Southeast", "Status" : "Production" },
	{ "Geo" : "Asia Pacific", "Region": "Asia Pacific Southeast", "Location": "Singapore", "Failover Region" : "Asia Pacific East", "Status" : "Production" },
	{ "Geo" : "Asia Pacific", "Region": "Shanghai China", "Location": "Shanghai China", "Failover Region" : "Beijing China", "Status" : "Production" },
	{ "Geo" : "Asia Pacific", "Region": "Beijing China", "Location": "Beijing, China", "Failover Region" : "Shanghai China", "Status" : "Production" },
	{ "Geo" : "Australia", "Region": "Australia East", "Location": "Sydney, New South Wales, Australia", "Failover Region" : "Australia SE", "Status" : "Production" },
	{ "Geo" : "Australia", "Region": "Australia SE", "Location": "Melbourne, Victoria, Australia", "Failover Region" : "Australia East", "Status" : "Production" },
	{ "Geo" : "South America", "Region": "Brazil South", "Location": "Brazil", "Failover Region" : "US South Central", "Status" : "Production" },
	{ "Geo" : "Europe", "Region": "Europe West", "Location": "Amsterdam, Netherlands", "Failover Region" : "Europe North", "Status" : "Production" },
	{ "Geo" : "Europe", "Region": "Europe North", "Location": "Dublin, Ireland", "Failover Region" : "Europe West", "Status" : "Production" },
	{ "Geo" : "Japan", "Region": "Japan East", "Location": "Saitama, Japan", "Failover Region" : "Japan West", "Status" : "Production" },
	{ "Geo" : "Japan", "Region": "Japan West", "Location": "Osaka, Japan", "Failover Region" : "Japan East", "Status" : "Production" },
	{ "Geo" : "United States", "Region": "US North Central", "Location": "Chicago, IL, USA", "Failover Region" : "US South Central", "Status" : "Production" },
	{ "Geo" : "United States", "Region": "US North Central", "Location": "Chicago, IL, USA", "Failover Region" : "US South Central", "Status" : "Production" },
	{ "Geo" : "United States", "Region": "US Central", "Location": "Iowa, USA", "Failover Region" : "US East 2", "Status" : "Production" },
	{ "Geo" : "United States", "Region": "US East", "Location": "Bristow, Virginia, USA", "Failover Region" : "US West", "Status" : "Production" },
	{ "Geo" : "United States", "Region": "US East 2", "Location": "Virginia, USA", "Failover Region" : "US Central", "Status" : "Preview" },
	{ "Geo" : "United States", "Region": "US West", "Location": "San Francisco, California, USA", "Failover Region" : "US East", "Status" : "Production" },
	{ "Geo" : "United States", "Region": "US Gov-Iowa", "Location": "Iowa, USA", "Failover Region" : "US Gov-Virginia", "Status" : "Preview" },
	{ "Geo" : "United States", "Region": "US Gov-Virginia", "Location": "Virginia, USA", "Failover Region" : "US Gov-Iowa", "Status" : "Production" }
	]

view raw region_meta.json hosted with ❤ by GitHub

Microsoft Azure is New Brand

This all comes on the heels of Microsoft recognizing its cloud brand is bigger than just “Windows” and rebranding from Windows Azure to Microsoft Azure. With Linux VMs available, tons of services available over APIs, SDKs for PHP, Python, Ruby, Java, .NET, Node.js, iOS, Android, Windows 8, and Windows Phone, the platform has taken on a decidedly cross-technology feel, with a focus on features rather than on Windows.

Azure Map Updated

For the Azure Map I am maintaining, I updated the JSON meta data in the Azure Map project to promote these two data center regions to “Production” then re-generated and re-posted the GeoJSON and TopoJSON maps. All data is in GitHub. For more info, see these two posts:

Stupid Azure Trick #5 – Got a Penny? Run a Simple Web Site 100% on Blob Storage for a Month – Cost Analysis Provided – this uses the Azure Map as its example app
Where’s Azure? Mapping Windows Azure 4 years after full General Availability. – this also offers historical context

The full interactive single-page Azure Map is here: http://azuremap.blob.core.windows.net/apps/bingmap-geojson-display.html

Stupid Azure Trick #9 – Embrace SSL During Development when authenticating with Azure Active Directory

2 Replies

If you are developing applications that authenticate users or handle sensitive personal or business data, you should be using SSL for your whole site. That’s the most secure approach. Plain old HTTP is not gonna cut it, and flipping between HTTP and HTTPS exposes undesirable vulnerabilities.

So let’s suppose you are building a Windows Azure Web Site using ASP.NET MVC and you want to take advantage of Azure Active Directory for authentication. Maybe you create an Azure Active Directory account, add some users, now you are ready to use it for authentication within your application.

Using SSL during development will help you smoke out issues – one might be cross-protocol warnings – while also keeping your credentials secure on the wire (if you develop locally using AAD, logins still travel over public internet). It’s just good hygiene. But there is a nuisance factor because, by default, using SSL locally (in the latest tool stack for ASP.NET development) uses the SSL certificate that ships with IIS Express, and that’s not trusted by your web browser, so you get a warning every time. This tip today will show you how to easily fix that. (To skip all the context and get right to the main point, search for the word ‘core’ below.)

Certificate Store on Windows

The Certificate Storage on Windows (desktop and server) is a trusted location for storing digital certificates for all kinds of reasons, including those used by Web Browsers to trust whether or not to trust an SSL connection to a web site, or whether to give a warning.

Only certificates that live in a special location in your local Windows Certificate Store – or digital certificates signed by those certificates (or in a signing chain) – are allowed to be used without a warning. This special location is called Trusted Root Certification Authorities. If your certificate is not in there, or itself was not signed by a certificate in there, and so on, then the browsers will show the users a stern warning.

You can view the certificates in your Trusted Root Certification Authorities store by running certmgr.msc from a command program. Here’s what it looks like on my machine.

We’ll come back to this tool later.

Create a Simple ASP.NET MVC app that authenticates with Azure Active Directory

You can skip this section if you already know how to do this. This is a quick walkthrough showing how to use Visual Studio 2013 to create simple ASP.NET MVC application and connect it to an existing Azure Active Directory. (You can easily create an AAD either from the Windows Azure portal, or outside it. You can also substitute an Office 365 directory since that automatically uses AAD.)

File | New Project, choose as below:

Click OK.

Click Change Authentication.

Slect Organizational Accounts in the radio button on the left, and type in your AAD domain (could also be Office 365). Choose Single Sign On for Access Level for simple authentication, or choose Single Sign On, Read directory data if you also plan to use AAD for authorization (such as RBAC). Click OK.

After authenticating as a Global Administrator user on the specified domain, you will be back to your New ASP.NET Project dialog, though with a new value for Authentication setting.

Click OK. Now your project will be generated. If you display the Project Properties window for your project, as shown below, notice the configuration options for SSL. You also have both an SSL endpoint and a regular HTTP endpoint.

Simply hit F5 now to debug. The default configuration here will bring up the SSL endpoint. Let’s explore what happens below.

Web Browser, Please Protect Me!

Once you’ve started to debug, you won’t see your app directly, but rather you’ll see something like the following:

This is because of this entry in Web.config:

<system.web> … <authorization> <deny users="?" /> </authorization>… </system.web>

This says, in a nutshell, only allow authenticated users access to my site, and if they are not authenticated already, send them to the configured AAD login screen.

(It is possible to selectively disable this for certain pages or areas, but we won’t cover that here. But you can see an example in you web.config that uses the location element.)

Also note that the login screen is using SSL. After logging in, we stay on SSL, and get the following warning:

Click the Continue to this websites (not recommended). link and you get your application page, but without the trusty padlock:

What does this mean – SSL without the padlock? It means your data is cryptographically secure on the wire (safe from snooping, because the channel is encrypted), but you are sending your data to a web site whose identity has not been independently verified.

The experience with Chrome and Firefox is similar:

Warning from Chrome – “The site’s security certificate is not trusted!”

Hit F5 from Visual Studio if Chrome is your default browser (or type the appropriate URL into Chrome while debugging from Visual Studio).

Warning from Firefox – “This Connection is Untrusted”

Hit F5 from Visual Studio if Firefox is your default browser (or type the appropriate URL into Firefox while debugging from Visual Studio).

Why Getting Rid of SSL Warnings is OKAYish Here

Before we get rid of the warning, let’s cover a couple of basics.

We get rid of the SSL warnings by telling Windows to trust the IIS Express certificate. In general, this is a Bad Idea™, but in this narrow case it ought to be fine. Here’s the logic:

Your IIS Express certificate is unique to your machine
It only honors ports starting at 44300 (up to, I think, 44399)
You can undo this
You are a developer and Know What You Are Doing™
You would NEVER do this on an internet-facing production machine

We’ll use Internet Explorer to make the fix, but realize that since all browsers are using the same underlying Certificate Store on Windows, you only need to do this ONCE (in IE in our case) and the others will also automatically trust the certificate for SSL.

Getting Rid of SSL Warnings for all Browsers, Courtesy of IE

Here’s the core of the tip in this article, and it starts at the point after you’ve hit F5 in Visual Studio, and assumes IE is configured as the default browser (and, if not, simple load the page into IE before proceeding).

Simple click on Certificate error and you’ll see this popop:

Click on View certificates.

Click on Install Certificate.

Click Next (Current User is desired location).

Click Place all certificates in the following store and click browse:

Choose Trusted Root Certification Authorities. Click OK.

Click Next.

Click Finish.

There will be a Security Warning:

Now read it. If you are cool with it, click Yes.

Now if you run certmgr.msc again, you can see the new entry:

Undoing the Fix

To remove it again, simply select it, as show above, and hit the DELETE key. You’ll get a couple of warnings:

Click Yes.

Back to normal.

[This is part of a series of posts on #StupidAzureTricks, explained here.]

Talk: Meet Windows Azure, Your Next Data Center

Stupid Azure Trick #8 – Take control of Management Certificate names

1 Reply

Examine your Windows Azure MANAGEMENT CERTIFICATES in the Windows Azure Portal (under “SETTINGS” in the left nav, then “MANAGEMENT CERTIFICATES” in the top nav). These are the certificates that control which people or which machines can programmatically manipulate your Windows Azure resources through the Service Management API.

Every time you initiate a Publish Profile file download (whether through the portal, with PowerShell, or through the CLI), a new certificate is generated and added to your list of management certificates. You cannot control these names – they are generated.

Upon examination, you may find that some certificates – like #1 shown below – have generated names. And also look at the several certificates immediately below #1 – they have similar names – also generated. These are hard to distinguish from each other.

But this is okay some of the time – it is convenient to let tools create these certificates for you since it saves time. It may be perfectly adequate on low security accounts – perhaps a developer’s individual dev-test account from MSDN, or an account only used to give demos with. But for a team account running production, you probably don’t want it to have 17 untraceable, indistinguishable certificates hanging off it.

Now look at the names for #2 and 3 shown above. They are custom names.

Managing Your Management Certificates Starts with Meaningful Names

While we can debate whether the custom names shown above are truly meaningful (this is a demo account), you can probably appreciate that seeing a certificate name like “BUILD SERVER” or “Person/Machine” (e.g., “Maura/DRAGNIPUR”) or “Foobar Contractor Agency” might be more useful than “Azdem123EIEIO” to a human.

Controlling Certificate Names

The Windows Azure Management Portal has some heuristics for deciding what to display for a certificate’s name, but the first one it considers is the Common Name, and will display its value if present. So the short answer: take control of the Common Name.

Here we show creating a Service Management certificate manually in two steps – first the PEM (for use locally) and second deriving a CER (for uploading to the portal).

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem -subj "/CN=This Name Shows in the Portal"
openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer

Note the use of -subj "/CN=This Name Shows in the Portal" when generating a PEM in the first command. The specified text will appear as the description for this certificate within the Windows Azure Portal. OpenSSL is available on Linux and Mac systems by default. For Windows, you can install it directly, or – if you happen to use GitHub for Windows – it gets installed along with it.

For a pure Windows solution, use makecert to create a Management Certificate for Windows Azure.

Considerations

Once you assume responsibility for naming your own certificates, you are simultaneously also taking on generating them, deploying the certificates containing the private keys to the machines from which your Windows Azure resources will be managed using the Service Management API, and uploading the CER public keys to the portal. To make some parts of this easier – especially if you are distributing to a team – consider building your own publish settings file. Also, realize the same certificate can be used by more than one client, and the can also be applied to more than one subscription on Windows Azure; its a many-to-many relationship that’s allowed.