SLAs in Nines

When we talk about various service up-time in Cloud, the discussion ultimately boils down to the Service Level Agreement (or SLA) which your cloud provider is committed to provide. This is generally expresses in Nines. Here what it actually means.

It is also very important to keep these downtime metrics in mind while designing a cloud architecture  comprising of various cloud services 👍

Azure Key Vault Referencing

Company: We have a simple web application developed in Asp.Net (.aspx pages) with few users and want to migrate that to Azure quickly with no changes.
Me: OK. Will simply host that web application to Azure App Service (Web App) 😊

Company: But the application has secrets hard-coded in the web-config file
Me: OK.. no problem. Will put those secrets in Azure Key Vault and will get rid of those hard coded values from the config 😊

Company: But that will need hard coding of the Key Vault access requirements back in web.config
Me: OK.. will use Azure Managed Identity to access the Key Vault and bypass this hard coding issue all at once. 😊

Company: But that will introduce code changes in the application which we do not want
Me: 😏💥

Ha Ha!! a great design conversation, right! and what will be your answer this time. Take a pause and think for 10 secs.... If you are thinking about the new Key Vault referencing feature ... you are bang on target 👍

Let's dive and see what's it all about.

Assuming the web application  have a configuration settings as below

<appSettings>
    <add key="TopSecret" value="Top Secret message from Application configuration" />
</appSettings>

And its accessing this value in the Page_Load event

protected void Page_Load(object sender, EventArgs e)
{
   var secretMsg = ConfigurationManager.AppSettings["TopSecret"];
   ViewState["TopSecret"] = secretMsg;
}

And displaying the value in the page

<div>            
   <span style="font-weight:bold; font-size:larger;"><% =ViewState["TopSecret"] %></span>  
</div>

Now our challenge is to deploy this application in the cloud without any code changes.

• Create an Azure Web App and deploy this application. Now go to the Identity under Settings  and make sure you switch on the System Assigned status as below

• Create a Key Vault and then add a new access policy (Settings >> Access policies >> + Add Access Policy. Make sure you give Secret permissions as 'Get' to your application and create a policy similar as below. Click Add and then Save.

• Add a secret now to your Key Vault. I have given the name as "TopSecret' and value as "Top Secret message from KeyVault configuration". You can give anything as per your choice. Click Create.

• Now click "TopSecret" from the "Secrets" dashboard and copy its version number

• OK.. Now open notepad and generate a string like this below. 

@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/TopSecret/ec96f02080254f109c51a1f14cdb1931)

Replace the highlighted (red) parts with your values. These are nothing but the name of your Key Vault, name of the Secret and the version number of that secret you just copied.

• Now go to your web app and open Settings >> Configuration and add a new application settings. Give the name same as it was there under in the web.config file (scroll up to see that section). This is important. In our case it's "TopSecret". The value of this settings should be the string you just constructed above. Click OK and Save.

• Run the application in the cloud and voila ... the application is reading data from the Key Vault and not from the application web.config anymore. And that too with noooooo code changes.

Great Job and Congratulations! for coming this far. Hope this article will help you to further explore this feature.

Do share with me about your experience and what you have built upon this foundation. You can take it up to any level and integrate. I would love to hear from you.